Our cybersecurity advice section provides comprehensive information about the latest online security threats – not only the threats from unfiltered spam emails, but also the risks present on the Internet from malvertising and vulnerable websites onto which malware exploit kits may have been loaded by cybercriminals.
We also provide advice on the precautions that can be taken to heighten cybersecurity defenses and mitigate the risk of inadvertently downloading an infection. The message throughout all of our cybersecurity advice is to protect your network and WiFi systems with an email spam filter and web content control solution.
The biggest cybersecurity risk for businesses in the United States is employee negligence, according to a recent Shred-It survey of 1,000 small business owners and C-suite executives.
The findings of the survey, detailed in its North America State of the Industry Report, show the biggest cybersecurity risk for businesses is human error such as the accidental loss of data or devices containing sensitive company information.
84% of C-Suite executives and 51% of small business owners said employee negligence was the biggest cybersecurity risk for their business. 42% of small business owners and 47% of C-suite executives said employee negligence was the leading cause of cybersecurity breaches.
Employees are the Biggest Cybersecurity Risk for Businesses in the United States
Employees often cut corners in order to get more done in their working day and take considerable security risks. Even though laptop computers can contain highly sensitive information and allow an unauthorized individual to gain access to a work network, around a quarter of U.S employees leave their computer unlocked and unattended. Documents containing sensitive information are often left unattended in full view of individuals who are not authorized to view the information.
The risks taken by employees are greater when working remotely, such as in coffee shops or at home. 86% of executives and SBOs said remote workers were much more likely to cause data breaches.
88% of C-suite executives and 48% of small business owners said they have implemented flexible working models that allow their employees to spend at least some of the week working off site. A survey conducted on behalf of the Switzerland-based serviced office provider IWG suggests that globally, 70% of workers spend at least one day a week working remotely, while 53% work remotely for at least half of the week.
Adoption of these flexible working practices is increasing, although cybersecurity policies are not being implemented that specifically cover remote workers. Even though a high percentage of workers are spending at least some of the week working remotely, the Shred-It survey shows that more than half of SMBs do not have policies in place for remote workers.
One of the most important ways that business owners and executives can improve their cybersecurity posture is through employee training, especially for remote workers. The provision of security awareness training will help to ensure that workers are aware of the organization’s policies and procedures and are taught security best practices.
However, the survey suggests training is often inadequate or in some cases nonexistent. 78% of surveyed C-suite executives and small business owners said they only provided information security training on policies and procedures once a year. Considering the risk, training needs to be far more frequent. Employees cannot be expected to retain all the information provided in a training session for the entire year. Training should cover the use of strong passwords, locking devices when they are not in use, never leaving portable devices unattended in public areas, safe disposable of electronic and physician data, and Wi-Fi security. Refresher training should be provided at least every six months.
Policies and procedures need to be developed specifically for remote workers, which cover the practices which must be adopted when working outside the office. With so many workers now spending more time working off-site, the probability of portable electronic devices being lost or stolen is greatly increased.
Businesses must ensure they maintain an accurate inventory of all devices used to access their network and implement appropriate security measures to ensure the loss or theft of those devices does not result in a data breach.
Increased use of insecure WiFi networks poses a major problem, greatly increasing the chance of a malware or ransomware download. Appropriate technologies should be implemented to protect remote workers’ devices from malicious software. TitanHQ can help in this regard.
WebTitan Cloud, TitanHQ’s 100% cloud-based web filtering solution can block malware and ransomware downloads and carefully control the websites that remote workers can access on their company-issued and BYOD devices, regardless of where the individual is located: on or off-site.
For more information on WebTitan and how it can protect your remote workers and improve your security posture, contact the TitanHQ team today for further information.
Regardless of the size of your business, the most effective security measure to deploy to block threat actors from gaining access to your servers, workstations, and data is a hardware firewall. A hardware firewall will ensure your digital assets are well protected, but how should your firewall be configured for optimal network security? If you follow network segmentation best practices and set up firewall security zones you can improve security and keep your internal network isolated and protected from web-based attacks.
What is Network Segmentation?
As the name suggests, network segmentation is the practice of dividing a computer up into smaller segments, and by doing so, you separate systems and applications from each other. If there are systems that have no interaction with each other, there is no need for them to be on the same network. If they are, it just makes it easier for a hacker to gain access to everything if the perimeter defenses are breached. Network segmentation can also help to boost performance. With fewer hosts on each subnet, local traffic is minimized. It can also improve monitoring capabilities and helps IT teams identify suspicious behavior.
Network Segmentation Security Benefits
There are many benefits to be gained from network segmentation, of which security is one of the most important. Having a totally flat and open network is a major risk. Network segmentation improves security by limiting access to resources to specific groups of individuals within the organization and makes unauthorized access more difficult. In the event of a system compromise, an attacker or unauthorized individual would only have access to resources on the same subnet. If access to certain databases in the data center must be given to a third party, by segmenting the network you can easily limit the resources that can be accessed, it also provides greater security against internal threats.
Network Segmentation Best Practices
Most businesses have a well-defined network structure that includes a secure internal network zone and an external untrusted network zone, often with intermediate security zones. Security zones are groups of servers and systems that have similar security requirements and consists of a Layer3 network subnet to which several hosts connect.
The firewall offers protection by controlling traffic to and from those hosts and security zones, whether at the IP, port, or application level.
There are many network segmentation examples, but there is no single configuration that will be suitable for all businesses and all networks, since each business will have its own requirements and functionalities. However, there are network segmentation best practices that should be followed. We have outlined these and firewall DMZ best practices below.
Suggested Firewall Security Zone Segmentation
In the above illustration we have used firewall security zone segmentation to keep servers separated. In our example we have used a single firewall and two DMZ (demilitarized) zones and an internal zone. A DMZ zone is an isolated Layer3 subnet.
The servers in these DMZ zones may need to be Internet facing in order to function. For example, web servers and email servers need to be Internet facing. Because they face the internet, these servers are the most vulnerable to attack so should be separated from servers that do not need direct Internet access. By keeping these servers in separate zones, you can minimize the damage if one of your Internet facing servers is compromised.
In the diagram above, the allowed direction of traffic is indicated with the red arrows. As you can see, bidirectional traffic is permitted between the internal zone and DMZ2 which includes the application/database servers, but only one-way traffic is permitted between the internal zone and DMZ1, which is used for the proxy, email, and web servers. The proxy, email, and web servers have been placed in a separate DMZ to the application and database servers for maximum protection.
Traffic from the Internet is allowed by the firewall to DMZ1. The firewall should only permit traffic via certain ports (80,443, 25 etc.). All other TCP/UDP ports should be closed. Traffic from the Internet to the servers in DMZ2 is not permitted, at least not directly.
A web server may need to access a database server, and while it may seem a good idea to have both of these virtual servers running on the same machine, from a security perspective this should be avoided. Ideally, both should be separated and placed in different DMZs. The same applies to front end web servers and web application servers which should similarly be placed in different DMZs. Traffic between DMZ1 and DMZ2 will no doubt be necessary, but it should only be permitted on certain ports. DMZ2 can connect to the internal zone for certain special cases such as backups or authentication via active directory.
The internal zone consists of workstations and internal servers, internal databases that do not need to be web facing, active directory servers, and internal applications. We suggest Internet access for users on the internal network to be directed through an HTTP proxy server located in DMZ 1.
Note that the internal zone is isolated from the Internet. Direct traffic from the internet to the internal zone should not be permitted.
The above configuration provides important protection to your internal networks. In the event that a server in DMZ1 is compromised, your internal network will remain protected since traffic between the internal zone and DMZ1 is only permitted in one direction.
By adhering to network segmentation best practices and using the above firewall security zone segmentation you can optimize network security. For added security, we also recommend using a cloud-based web filtering solution such as WebTitan which filters the Internet and prevents end users from accessing websites known to host malware or those that contravene acceptable usage policies.
Loapi malware is a new Android malware variant that is capable of causing permanent damage to Android smartphones.
The new malware variant was recently discovered by researchers at Kaspersky Lab. In contrast to many new malware variants that operate silently and remain on the device indefinitely, Loapi malware infections can be short-lived. Kaspersky performed a test on an Android phone and discovered that within two days the phone had been destroyed.
The aim of the malware is not sabotage. Destruction of the device is just collateral damage that results from the intense activity of the malware. Loapi malware performs a wide range of malicious functions simultaneously, including some processor-intensive activities that cause the device to overheat, causing irreparable damage.
In the test, over the two days, the constant activity caused the device to overheat and the battery to bulge; deforming the device and its cover.
The researchers said Loapi malware is likely no other malware variant they have seen, and the researchers have seen plenty. Loapi malware was called a ‘jack of all trades’ due to its extensive capabilities. The malware is used to mine the cryptocurrency Monero, a processor-intensive process. The malware uses processing power of infected devices to create new coins. While the mining process is less intensive than for Bitcoin, it still takes its toll.
Additionally, the malware allows infected devices to be used in DDoS attacks, making constant visits to websites to take down online services. The malware is used to spam advertisements, and bombards the user with banners and videos
The malware will silently subscribe to online services, and if they require text message confirmation, that is also handled by the malware. The malware gains access to SMS messages and can send text messages to any number, including premium services. Text messages are used to communicate with its C2 server. Messages are subsequently deleted by the malware to prevent detection by the user, along with any text message confirmations of subscriptions to online services. Kaspersky Lab researchers note that the malware attempted to access more than 28,000 URLs in the two days of the test.
Any apps that are installed on the device that could potentially affect the functioning of the malware are flagged with a false warning that the app contains malware, telling the user to uninstall them. The user will be bombarded with these messages until the app is uninstalled, while other security controls prevent the user from uninstalling the malware or deactivating its admin privileges.
There is little the malware cannot do. The researchers point out that the only function that Loapi does not perform is spying on the user, but since the modular malware can be easily updated, that function could even be added.
While conclusive proof has not been obtained, Kaspersky Lab strongly suspects the malware is the work of the same cybercriminal operation that was behind Podec malware.
So how is Loapi malware distributed? Kaspersky notes that as is common with other Android malware variants, it is being distributed by fake apps on third-party app stores, most commonly disguised as anti-virus apps. A fake app for a popular porn website has also been used. Additionally, fake adverts have been detected that promote these fake apps, with more than 20 separate locations discovered to be pushing the malware.
The malware has not yet been added to the Google Play store, so infections can be prevented by always using official app stores.
A malware threat called LockCrypt ransomware is being used in widespread attacks on businesses in the United States, United Kingdom, and South Africa. While ransomware is commonly spread via spam email, this campaign spreads the file-encrypting malware via remote desktop protocol brute force attacks.
The LockCrypt ransomware attacks were first detected in June this year, but over the past few months the number of attacks has increased significantly, with October seeing the highest number of attacks so far this year.
LockCrypt ransomware is a relatively new malware variant, having first been seen in June 2017. Once infected, users will be unable to access their files. This ransomware variant uses RSA-2048 and AES-256 cryptopgraphy, which makes it virtually impossible to recover files without paying the ransom demand if a viable backup does not exist. To make recovery more difficult, LockCrypt ransomware also deletes Windows Shadow Volume copies. Encrypted files are given the .lock extension.
The ransom payment for this campaign is considerable – typically between 0.5 and 1 Bitcoin per encrypted server. That’s between $3,963 and $7,925 per compromised server; however, since the same login credentials are often used for RDP access on multiple servers, once one password is correctly guessed, it can be used to access multiple servers and deploy LockCrypt ransomware. One of the Bitcoin addresses used by the attackers shows one company paid a ransom of $19,000 to recover files on three of its servers.
Once access to a server is gained, ransomware is deployed; however, the attackers are manually interacting with compromised servers. AlientVault security researcher, Chris Doman, reported that for one company, in addition to deploying ransomware, the attackers “manually killed business critical processes for maximum damage.” All non-core processes on an infected server are killed.
The attacks do not appear to be targeted, instead they are randomly conducted on business servers. Businesses that are most likely to have ransomware installed are those that have failed to use complex passwords for RDP access. While it may be tempting to set an easy-to-remember password, this plays into the hands of attackers.
Other security controls such as two-factor authentication can reduce the risk from this type of attack, as can rate limiting to prevent the number of failed attempts a user can make before their IP address is temporarily – or permanently – blocked.
An additional control that system administrators can apply is to white-list certain IP addresses to restrict RDP access to authorized individuals. If that is not practical, disallowing RDP connections over the Internet from abroad can help to prevent these attacks.
While implementing controls to prevent RDP brute force attacks is vital, most ransomware variants are spread via spam email, and to a lesser extent via exploit kits and drive-by downloads. Comprehensive security defenses must therefore be deployed to reduce the risk of ransomware attacks.
Email may be the primary vector used in phishing attacks, but the second quarter of 2017 has seen a massive increase in malvertising phishing attacks.
Malvertising is the term given to malicious adverts, which are often displayed on high-traffic websites via third party advertising networks. These adverts are used to direct web visitors to malicious websites, oftentimes sites containing exploit kits that probe for vulnerabilities and silently download ransomware and other malware.
These malware attacks increased between 2015 and 2016, with the total number of malvertising attacks rising by 136%. Demonstrating how quickly the threat landscape changes, between Q1 and Q2, 2017 there was a noticeable decline in malicious advert-related exploit kit and malware attacks. Exploit kit redirects fell by 24% and malware-related adverts fell by almost 43%, according to a recent study released by RiskIQ.
However, the study shows there was a massive increase in malvertising phishing attacks with cybercriminals changing their tactics. Phishing-related adds increased by 131% in Q2, 2017, but between 2015 and 2016, malvertising phishing attacks increased by a staggering 1,978%.
The websites that these adverts direct users to often promise a free gift in exchange for taking part in a survey. Genuine market research firms tend not to offer large incentives for taking part in surveys, or when they do offer an incentive, participants are entered into a draw where they stand a chance of winning a prize. When gifts are offered, to all participants it is a warning sign that all may not be as it seems. That said, many people still fall for the scams.
The aim of the surveys is to obtain sensitive information such as bank account information, Social Security numbers, usernames, passwords and personal information. The information can be used for a wide range of nefarious purposes. It is not only personal information that is sought. Cybercriminals are keen to gain access to corporate email accounts for the data they contain and to use them to send phishing emails.
When phishing attacks occur through corporate email accounts it can seriously tarnish a company’s reputation and may result in litigation if insufficient controls have been implemented to prevent such attacks from occurring.
Businesses can protect against malicious adverts and websites by implementing a web filter. A web filter can be configured to block third party adverts as well as the malicious websites that users are directed to, thus minimizing the risk of web-based malware and phishing attacks.
Many businesses are now choosing to filter the website content that their employees access purely for security reasons, although there are many other benefits to be gained from content filtering. Web filters can help employers curb cyberslacking, control bandwidth usage, and reduce legal liability.
With the cost of DNS-based content filtering low and potentially high losses from the failure to control Internet access, it is no surprise that so many businesses are now choosing to regulate what employees can do online at work.
To find out more about the full range of benefits of web filtering and to take advantage of a free trial of WebTitan, the leading web filtering solution for businesses, contact the TitanHQ today.
Why should businesses invest heavily in technology to detect ransomware attacks when a ransom payment may only be between $500 and $1,000? While that is what cybercriminals are charging as a ransom, the cost of a ransomware attack is far higher than any ransom payment. In fact, the ransom is often one of the lowest costs of a ransomware attack that businesses must cover.
The ransom payment may seem relatively small, although the latest ransomware variants are capable of spreading laterally, infecting multiple computers, servers and encrypting network shares. The ransom payment is multiplied by the number of devices that have been infected.
The Cost of a Ransomware Attack Can Run to Millions of Dollars
When businesses suffer ransomware attacks, the attackers often set their ransoms based on the perceived ability of the organization to pay. In 2016, Hollywood Presbyterian Medical Center was forced to pay a ransom of $19,000 to unlock its infection. When the San Francisco Muni was infected, hackers demanded $50,000 for the keys to unlock its payment system. In June 2017, South Korean web host Nayana agreed to pay $1 million for the keys to unlock the encryption of its 53 Linux servers and 3,400 customer websites.
These ransom payments are high, but the ransom is only one cost of a ransowmare attack. The biggest cost of a ransomware attack is often the disruption to business services while files are taken out of action. Systems can be taken out of action for several days, bringing revenue generating activities to an abrupt stop. One Providence law firm experienced downtime of three months following a ransomware attack, even though the $25,000 ransom was paid. Lawyers were stopped from working, causing a loss in billings of an estimated $700,000.
In heavily regulated industries, notifications must be sent to all individuals whose information has been encrypted, and credit monitoring and identity theft services often need to be provided. When hundreds of thousands of users’ data is encrypted, the cost of printing and mailing notifications and paying for credit monitoring services is substantial.
Once an attack has been resolved, networks need to be analyzed to determine whether any other malware has been installed or backdoors created. Cybersecurity experts usually need to be brought in to conduct forensic analyses. Then ransomware defenses need to be improved and new security systems purchased. The total cost of a ransomware attack can extend to hundreds of thousands or millions of dollars.
Ransomware is Here to Stay
As long as ransomware attacks are profitable, the threat will not go away. The use of ransomware-as-a-service allows ransomware developers to concentrate on creating even more sophisticated ransomware variants and stay one step ahead of security researchers and antivirus companies.
Anonymous payment methods make it hard for law enforcement to discover the identities of ransomware developers, and since those individuals are usually based overseas, even if they are identified, bringing them to justice is problematic.
Ransomware developers are constantly changing tactics and are developing new methods of attack. The coming months and years are likely to see major changes to how ransomware is used, and the systems that are attacked.
Ransomware attacks mostly target Windows systems, although new variants have already been developed to encrypt Mac and Linux files. Security experts predict there will also be an increase in ransomware variants targeting Macs as Apple’s market share increases, while website attacks are becoming more common. When a website is attacked, all site files, pages, and images are encrypted to prevent access. For an e-commerce business, the attacks can be devastating.
Ransomware attacks on mobile devices are now commonplace, with screen-lockers and file-encryptors used. Screen locking ransomware prevents users from accessing any apps or functions rendering the device unusable. File encrypting variants encrypt all data stored on the device. These ransomware variants are most commonly packaged with apps sold in unofficial app stores. Risk can be substantially reduced by only downloading files from official app stores and ensuring all apps are kept up to date.
Given the increase in attacks and the massive increase in new ransomware variants, businesses must improve their defenses, block the common attack vectors, backup all data, and constantly monitor for indicators of compromise.
Tips for Preventing a Ransomware Attack
Ensure users only have access to data and network drives necessary for them to perform their jobs.
Backup devices should be disconnected when backups have been performed.
Keep operating systems, software applications, and plugins up to date and fully patched.
Block access to websites known to host exploit kits using a web filter such as WebTitan.
Implement a spam filtering solution to prevent malicious emails from reaching inboxes.
Provide regular, ongoing training to all staff on the risks of ransomware and phishing.
Segment your network and restrict administrator rights.
To ensure a swift recovery from a ransomware attack, make sure you:
Create multiple backups of all files, websites, and systems.
Create three backups on two different media and store one copy offsite.
Develop a ransomware response plan that can be implemented immediately when an attack is suspected.
The Neptune Exploit kit is being used to turn computers into cryptocurrency miners, with traffic directed to the exploit kit using a hiking-themed malvertising campaign.
Exploit kit activity has fallen this year, although these web-based attacks still pose a significant threat. Exploit kits are web-based toolkits that probe browsers and plugins for vulnerabilities that can be exploited to download malware. Simply visiting a website hosting an exploit kit is all it takes for malware to be silently downloaded.
Protecting against exploit kit attacks requires browsers, plugins and extensions to be kept 100% up to date. However, even updated browsers can be vulnerable. Exploit kits can also include exploits for zero-day vulnerabilities that have not yet been patched.
Acceptable usage policies can help organizations to prevent exploit kit attacks, although website visitors are often redirected to malicious sites from legitimate websites. One of the main ways this happens is the use of malvetisements. Many high traffic websites include advertising blocks that display third-party adverts. The advertising networks serve adverts which are displayed on member sites, with the site owners earning money from ad impressions and click throughs.
While the advertising networks have measures in place to vet advertisers, oftentimes cybercriminals succeed in submitting malicious adverts. Those adverts are then pushed out and displayed on legitimate websites. Clicking one of those malicious adverts will see the user directed to a webpage hosting the exploit kit.
Exploit kits are used to download Trojans, ransomware and other malicious code, although the Neptune exploit kit is being used to download cryptocurrency miners. Infection will see computers’ processing power used to mine the Monero cryptocurrency. Infection will result in the infected computer’s resources being hogged, slowing down the performance of the machine.
The latest Neptune exploit kit campaign uses hiking club-related adverts to drive traffic to landing pages hosting the Neptune exploit kit, which in turn uses HTML and Flash exploits to download malware. These adverts closely mimic genuine domains. FireEye reports that one such campaign mimics the genuine website highspirittreks[.]com using the domain highspirittreks[.]club. Other campaigns offer a service to convert Youtube videos to MP3 files. The imageryused in the adverts is professional and the malvertising campaigns are likely to fool many web surfers.
The exploits used in the latest campaign are all old, therefore, protecting against attacks simply requires plugins and browsers to be updated. The main exploits take advantage of flaws in Internet Explorer – CVE-2016-0189, CVE-2015-2419, CVE-2014-6332 – and Adobe Flash – CVE-2015-8651, CVE-2015-7645.
Having a computer turned into a cryptocurrency miner may not be the worst attack scenario, although exploit kits can rapidly switch their payload. Other exploit kits are being used to deliver far more damaging malware, which will be downloaded silently without the user’s knowledge. Consequently, organizations should take precautions.
In addition to prompt patching and updating of software, organizations can improve their defences against exploit kits by implementing a web filtering solution such as WebTitan.
WebTitan can be configured to block all known malicious sites where drive-by downloads take place and can prevent malvertisements from directing end users to webpages hosting these malicious toolkits.
To find out more about WebTitan and how it can improve your organization’s security posture, contact the TitanHQ team today.
India’s Central Board of Secondary Education is urging all CBSE affiliated schools to take action to improve safety for students, including implementing school web filtering technology to keep students safe online.
The Internet is home to an extensive range of potentially harmful material that can have a major impact on young developing minds. Parents can take action to keep their children safe at home by using parental control filters. However, students must receive similar or greater levels of protection while at school.
School web filtering technology can prevent students from deliberately or accidentally viewing obscene material such as pornography, child pornography or images of child abuse and other categories of potentially harmful website content. CBSE has warned school boards that when students access this material it is “detrimental to themselves, their peers and the value system.” School web filtering technology should also be implemented to prevent students from engaging in illegal activities online via school IT devices.
CBSE affiliates schools have been advised to develop guidelines for safe Internet use and make this information available to students and display the rules prominently. However, without school web filtering technology, these policies would be easy to ignore. A technological solution ensures students wishing to engage in illegal activities online, or view harmful website content, will be prevented from doing so.
Prevention is only one aspect of Internet control. Schools should also set up a monitoring system to discover when individuals are attempting to bypass Internet usage policies. A web filtering solution should therefore have the capability to generate reports of attempted accessing of prohibited material to allow schools to take action. Schools have also been advised to sensitise parents about safety norms and even go as far as suggesting disciplinary action be taken when children are discovered to have attempted to access inappropriate material.
While many school systems around the world have implemented school web filtering technology, CBSE is advising affiliated schools in India to go one step further and restrict Internet content by age groups. Schools should set filtering controls by user groups and restrict access to age-inappropriate websites. Web filtering solutions such as WebTitan allows controls to be easily set for different user groups. The solution can be used to set separate filtering controls for staff and students of differing ages with ease.
Other Internet controls that have been suggested include the rapid blocking usernames/passwords when children leave school, using antivirus solutions to reduce the risk of malware infections, using firewalls to prevent cyberattacks and the theft of children’s sensitive information, and for staff to avoid posting images and videos of their students online.
School Web Filtering Technology from TitanHQ
The benefits of implementing school web filtering technology are clear, but choosing the most cost-effective controls can be a challenge.
Appliance based web filters involve a significant initial cost, there is ongoing maintenance to consider, the need for on-site IT support in many cases, and as the number of Internet users increases, hardware upgrades may be necessary.
TitanHQ offers a more cost-effective and easy to manage solution – The 100% cloud-based web filter, WebTitan.
WebTitan Cloud and WebTitan Cloud for WiFi makes filtering the internet a quick and easy process. There is no need for any hardware purchases or software installations. To start filtering the Internet and protecting students from harmful web content, all that is required is to point your DNS to WebTitan. Once that simple change has been made you can be filtering the Internet in minutes.
Both solutions can be easily configured to block different categories of website content, such as pornography, file sharing websites, gambling and gaming websites and other undesirable website content. The solutions support blacklists, allowing phishing and malware-infected sites to be easily blocked along with all webpages identified by the Internet Watch Foundation as containing images of child abuse and child pornography.
These powerful web filtering solutions require no software updates or patching. All updates are handled by TitanHQ. Once acceptable Internet usage policies have been set via the intuitive web-based control panel, maintenance only requires occasional updates such as adding legitimate webpages to whitelists. Even blacklists are updated automatically.
If you are keen to implement school web filtering technology for the first time or are unhappy with your current provider, contact the TitanHQ team today and register for your no-obligation free trail and see the benefits of WebTitan for yourself before making a decision about a purchase.
Law firm hacking incidents are up and recent attacks have shown cybersecurity best practices for law firms are not being adhered to. Unless cybersecurity defenses are improved, it is too easy for hackers to gain access to sensitive data.
Cybercriminals have their sights firmly set on lawyers, or more specifically, the treasure trove of highly sensitive data stored on their computers and networks. Data that in the wrong hands could be used for blackmail.
Clients share highly sensitive information with their legal teams. Lawyers store company secrets, employment contracts and PII, banking details, financial projections, medical records, and naturally information about current and future lawsuits. All of this information is highly valuable to hackers and can be used for blackmail, sold to competitors, or used for all manner of nefarious purposes. It is therefore no surprise that hackers want to attack law firms and that they are increasingly doing just that.
Cyberattacks are not only about stealing data. It can also be lucrative to prevent lawyers from gaining access to their clients’ files. Ransomware attacks on law firms can result in sizable payments for the keys to unlock the encryption.
For the most part, malware and ransomware attacks on law firms are entirely preventable. Simply adopting standard cybersecurity best practices for law firms will prevent the majority of attacks.
One recent ransomware attack on a Providence law firm resulted in a ransom payment of $25,000 being made to the attackers to regain access to the firm’s data. The incident is also a good example of how damaging those attacks can be. Even though payment was made, the law firm lost access to its files for three months, essentially preventing the firm from conducting any business. Lost billings alone cost the firm around $700,000.
Malware and ransomware attacks on law firms are common, although they are underreported for obvious reasons. One incident that was covered in the press was the malware attack on DLA Piper. The attack involved NotPetya, the wiper malware that caused chaos for many organizations around the globe in June. DLA Piper lost access to its data causing huge losses. Losses that are likely to be in the millions.
Part of the problem, especially for smaller law firms, is the high cost of cybersecurity protections. Many law firms simply do not have the budget to cover the cost. They cannot afford to hire skilled cybersecurity professionals to protect their computers and networks, scan for security vulnerabilities and patch and update software. However, the good news is that adopting standard cybersecurity best practices for law firms does not cost big bucks, but it will help firms improve their security posture.
The DLA Piper cyberattack shows that it is not only small law firms that are not following cybersecurity best practices for law firms. Microsoft issued a patch to fix the vulnerability that was exploited by both WannaCry and NotPetya more than two months before the attacks occurred. If the firm had patched promptly, the attack would have been prevented.
Protecting against all cyberattacks is not straightforward, especially with the number of connected devices now used by law firms. However, by adopting the cybersecurity best practices for law firms below and it is possible to reduce risk to an acceptable level.
Cybersecurity Best Practices for Law Firms
Adopting these cybersecurity best practices for law firms will make it harder for hackers to break through defenses and for simple errors to result in costly data breaches.
Conduct weekly checks of all software to ensure the latest versions are installed and check for patches and apply them promptly
Ensure that ALL sensitive data is backed up using the 3-2-1 approach. 3 copies of data, on two types of media, with one copy stored securely off site
Ensure all staff undergo security awareness training covering phishing, social engineering and other threats
Develop a password policy that requires the use of strong passwords. Enforce password changes regularly
Consider encryption for all sensitive data
Use two-factor authentication
Use an advanced spam filtering solution to reduce spam and block malicious messages
Employ a next-generation firewall
Ensure all computers are running supported operating systems and are set to update automatically
Implement a web filtering solution to block access to all sites known to host malware and exploit kits and to block links to phishing websites
Develop a data breach response plan – When a breach occurs, fast action can greatly reduce the damage caused
Engage the services of a third-party security firm to conduct risk analyses to identify vulnerabilities and perform penetration tests
Consider outsourcing cybersecurity to a managed service provider that will ensure systems, software and security are effectively managed and all vulnerabilities are addressed
Consider cybersecurity insurance – Only 23% of law firms have purchased cybersecurity insurance according to Logicforce.
Confidence in cyber response plans doesn’t appear to be lacking according to a new study conducted by Deloitte. However, that does not mean organizations are prepared for cyberattacks when they occur. The survey revealed that while confidence is high and IT professionals believe they are well prepared to deal with attacks, their cyber response plans may not be effective.
The only way to determine whether cyber response plans will function as planned is to conduct regular tests. If plans are not tested, organizations will not be able to determine with any degree of certainty, if their plans will be effective.
As the recent Ponemon Institute Cost of a Data Breach study confirmed, the ability to respond quickly to a data breach can reduce breach resolution costs considerably. For that to happen, a response plan must have been developed prior to the breach being experienced and that plan must be effective.
The Deloitte study revealed that 76% of business executives were confident that in the event of a cyberattack they would be able to respond quickly and implement their cyberattack response policies. Yet, the study also revealed that 82% of respondents had not tested their response plans in the past year. They had also not documented their plans with business stakeholders in the past year.
A lot can change in a year. New software solutions are implemented, configurations change as do personnel. Only regular testing will ensure that plans work and staff know their roles when an attack occurs.
Cyberattack simulations are a useful tool to determine how attack response plans will work in practice. As is often the case, plans look great on paper but often fail when put in place. Running simulations every 6 months will help to ensure that a fast and effective response to a cyberattack is possible. However, the survey showed that only 46% of respondents conduct simulations twice a year or more frequently.
A data breach can have dire consequences for a company. The study showed that many companies are most concerned about disruptions to business processes as a result of a cyberattack, although loss of trust and tarnishing of a brand should be of more concern. When a data breach is experienced, customers often choose to take their business elsewhere resulting in a considerable loss of revenue. A fast and efficient breach response can help restore faith in a brand and reduce the churn rate.
If you want to reduce the impact of a data breach and reduce costs, it is essential for cyber response plans to be developed and tested. With the volume of cyberattacks now occurring, it is highly probable that those plans will need to be implemented. By then it will be too late to determine whether they are effective. That could prove extremely costly.
A recent insider threat intelligence report from Dtex has revealed the vast majority of firms have employees bypassing security controls put in place to limit Internet activity. Those controls may simply be policies that prohibit employees from accessing certain websites during working hours, or in some cases, Internet filtering controls such as web filtering solutions.
Dtex discovered during its risk assessments on organizations that 95% of companies had employees that were using virtual private networks (VPNs) to access the Internet anonymously, with many installing the TOR browser or researching ways to bypass security controls online. The researchers discovered that in some cases, employees were going as far as installing vulnerability testing tools to bypass security controls.
Why Are Employees Bypassing Security Controls?
Employees bypassing security controls is a major problem, but why is it happening?
The report indicates 60% of attacks involve insiders, with 22% of those attacks malicious in nature. During the first week of employment and the final week before an employee leaves, there is the greatest chance of data theft. 56% of organizations said they had discovered potential data theft during those two weeks. During these times there is the greatest risk of employees attempting to bypass security controls for malicious reasons.
In many cases, VPNs and anonymizers are used to allow employees to access websites without being tracked. Many companies have policies in place that prohibit employees from accessing pornography in the workplace. Similar policies may cover gaming and gambling websites and other categories of website that serve no work purpose. Some employees choose to ignore those rules and use anonymizers to prevent their organization from having any visibility into their online activities.
The report indicates 59% or organizations had discovered employees were accessing pornographic websites at work. There are many reasons why companies prohibit the accessing of pornography at work. It is a drain of productivity, it can lead to the development of a hostile working environment, and from a security standpoint, it is a high-risk activity. Pornographic websites are often targeted by cybercriminals and used to host malware. Visiting those sites increases the risk of silent malware downloads. 43% of companies said they had found out some employees had been using gambling sites at work, another high-risk category of website and a major drain of productivity.
While employees are provided with email accounts, many are choosing to access web-based accounts such as Gmail. Dtex found that 87% of employees were using web-based email programs on work computers. Not only does this present a security risk by increasing the probability of malware being downloaded, it makes it harder for employers to identify data theft. Dtex says “By completely removing data and activity from the control of corporate security teams, insiders are giving attackers direct access to corporate assets.”
Lack of Control and Visibility
Many companies are unaware that they have employees bypassing security controls because they lack visibility into what is happening on end points. Shadow IT can be installed without the organization’s knowledge, including VPN’s and hacking tools, but what can be done to stop employees bypassing security controls?
Security software can be installed to allow organizations to closely monitor the types of activities that are taking place on work computers. This can allow action to be taken to reduce insider threats. Organizations should also block the use of VPN’s and anonymizers to ensure they have more visibility into employee’s online activities.
One of the easiest ways to block the use of VPNs and anonymizers is to use a web filtering solution. Web filters are increasingly used as a way of preventing productivity losses during the working day. Web filtering solutions can be configured to block specific sites or categories of website.
A web filter, such as WebTitan, can be configured to block access to anonymizer websites, along with other websites that are prohibited under organization’s acceptable use policies.
Some employees find the controls overly restrictive and search for ways to bypass those controls. Organizations should carefully consider what websites and types of websites are blocked. Excessively restrictive controls over personal Internet access can prompt employees to try to bypass security controls. Allowing some personal use may be preferable.
One solution, possible with WebTitan, is to ease restrictions on Internet access by using time controls. To prevent falls in productivity, web filters can be applied during working hours, yet relaxed at other times such as lunch breaks. By allowing some personal Internet use, there is less incentive for employees to attempt to bypass security controls.
WebTitan also produces access logs to allow organizations to carefully monitor online user activity and take action against the individuals discovered to be violating company policies. Automatic reports can also be generated to allow organizations to take more timely action.
Monitoring employee Internet access and installing solutions to provide visibility into end point activity allows organizations to reduce the risk of insider threats and stop employees from engaging in risky behavior.
Bitdefender has developed a free Bart ransomware decryptor that allows victims to unlock their files without paying a ransom.
Bart Ransomware was first detected in June 2016. The ransomware variant stood out from the many others due to its ability to encrypt files even without an Internet connection. Most ransomware variants rely on a connection to their command and control server to generate public-private key pairs; however, Bart ransomware does not. Only the decryption process requires an Internet connection to transfer the ransom payment and receive the decryption key.
Bart ransomware posed a significant threat to corporate users. Command and control center communications could potentially be blocked by firewalls preventing encryption of files. However, without any C&C contact, corporate users were at risk.
Bart ransomware was believed to have been developed by the gang behind Locky and the Dridex banking Trojan. Bart ransomware shared a significant portion of code with Locky, was distributed in the same manner and used a ransom message very similar to that used by Locky.
As with Locky, Bart ransomware encrypted a wide range of file types. While early versions of the ransomware variant were fairly unsophisticated, later versions saw flaws corrected. Early versions of the ransomware variant blocked access to files by locking them in password-protected zip files.
The initial method of locking files was ‘cracked’ by AVG, although only by guessing the password using brute force methods. In order for the brute force method to work, a copy of an encrypted file along with its unencrypted original was required. In later versions of the ransomware, the use of zip files was dropped and AVG’s decryption technique was rendered ineffective. The encryption process used in the later versions was much stronger and the ransomware had no known flaws.
Until Bitdefender developed the latest Bart Ransomware decryptor, victims had two choices – recover encrypted files from backups or pay the attackers’ ransom demand.
Fortunately, Bitdefender was able to create a Bart Ransomware decryptor from keys supplied by Romanian police which were obtained during a criminal investigation. The Bart ransomware decryptor was developed by Bitdefender after collaborating with both the Romanian police and Europol.
From April 4, 2017, the Bart ransomware decryptor has been made available for free download from the No More Ransom website. If your files have been encrypted by ransomware, it is possible to tell if the culprit is Bart from the extension added to encrypted files. Bart uses the .bart, .perl, or bart.zip extensions.
Bart ransomware may be believed to have links to Locky, although there is no indication that keys have been obtained that will allow a Locky ransomware decryptor to be developed. The best form of defense against attacks is blocking spam emails to prevent infection and ensuring backups of all sensitive data have been made.
The FBI has issued a cybersecurity warning for healthcare providers on the use of FTP servers. FTP servers should have authentication controls in place to ensure only authorized individuals can access stored data. However, when FTP servers are in anonymous mode, access can be gained with a generic username and password. In some cases, access is possible without a password.
The usernames that provide access could be as simple as ‘FTP’ or ‘anonymous’ and lists of usernames can be easily found on the Internet. Cycling through a short list of possible usernames is likely to take seconds or minutes at the most and access to stored data can be gained without any hacking skills. Data stored on an anonymous FTP server could be accessed by anyone.
The FBI cybersecurity warning for healthcare providers cites research conducted by the University of Michigan in 2015 that shows the scale of the problem. The study revealed there are more than one million FTP servers in use around the world that allow anonymous access. Any data stored on those servers could be freely accessed by the public. Should those FTP servers contain sensitive data such as protected health information, it could easily be stolen and used for malicious purposes.
Firewalls and other perimeter defenses serve to protect networks and EHRs from cyberattacks, yet FTP servers could be a gaping hole in an organization’s defenses. Many healthcare providers use FTP servers to allow data to be easily shared with business associates and other healthcare entities. Yet, if authentication controls are not used they are a data breach waiting to happen.
The FBI has warned all medical and dental organizations to ensure that no sensitive data are stored on anonymous FTP servers and advises healthcare organizations to check if their servers are running in anonymous mode. Smaller organizations without the resources of large healthcare systems are more likely to have overlooked this vulnerability; although checks should be performed by all healthcare organizations.
The cybersecurity warning for healthcare providers explains the risks extend beyond the theft of sensitive data. If access to the servers can be gained, FTP servers could be used to store illegal material. Healthcare organizations may have cybersecurity solutions in place to monitor for data being exfiltrated, but not data that are being uploaded. Hacking tools could be uploaded to the servers or they could be used to share illegal content.
If FTP servers must be run in anonymous mode, healthcare organizations should ensure the servers only contain data that is publicly available.
At a recent cybersecurity conference, Director of the FBI, James B. Comey, has given valuable ransomware advice for healthcare providers to help them tackle the growing threat of attack. Comey confirmed that ransomware is now the biggest cybersecurity threat for the healthcare industry. Healthcare providers must be prepared for an attack and be able to respond quickly to limit the harm caused.
Ransomware is used to encrypt files and databases to prevent the victim from accessing essential data. Since healthcare providers need access to patient health information in order to provide medical services, healthcare providers are being extensively targeted. If data access is essential, victims are more likely to pay ransom demands.
However, Comey explained that ransoms should never be paid. If a ransom is paid, this only encourages cybercriminals to attack more businesses. The payment of a ransom sends a message to other cybercriminals that the attacks are profitable.
Ransomware can be sent randomly via spam email or distributed by malicious websites. Cybercriminals also install ransomware once access to a computer system has been gained and data have been exfiltrated. Tackling the problem involves implementing a range of cybersecurity defenses to prevent attacks and ensuring data can be recovered and business processes can continue if ransomware is installed.
In the case of the latter, data backups are essential. All critical data should be backed up on a daily basis at a minimum. Data backups can also be encrypted by ransomware, so it is essential that backup devices are not left connected to computers or servers. Data should ideally also be backed up in the cloud.
One of the best pieces of ransomware advice for healthcare providers is to prepare for an attack now. Healthcare organizations should not wait until a ransomware infection occurs to decide how to respond. Not only should policies be developed that can be implemented immediately following a ransomware attack, business continuity plans must be tested prior to a disaster occurring. The same goes for backups. Many organizations have been attacked with ransomware only to discover that they have been unable to restore their data due to a corrupted backup file.
At the conference, there were many security professionals offering ransomware advice for healthcare providers, although when it comes to prevention there is no silver bullet. A range of ransomware defenses should be deployed to prevent email and web-borne attacks.
Cybersecurity solutions should be implemented to prevent malicious emails from being delivered to end users. Spam filtering solutions are one of the best defenses against email-borne threats as they block the majority of malicious emails from being delivered to end users. Cybersecurity solutions should also be implemented to prevent web-borne attacks. Web filters block malicious websites from being visited and can be configured to prevent downloads of malicious and suspicious files. Endpoint security solutions should also be considered. They can rapidly detect downloads of malicious files and prevent malicious software from being installed.
Employees must also be informed of the risk of attack and trained to be more cyber aware. Training should be reinforced with exercises to test whether cybersecurity training has been effective. Individuals can then be singled out and provided with further training as necessary.
Comey explained to attendees at the Boston Conference on Cybersecurity that the key to combating cybercrime is collaboration. Cybercrime has escalated in recent years and the problem is not going to be beaten by organizations acting independently. Collaboration between law enforcement organizations and companies across all industries is essential. Comey said all new cyberthreats and details of cyberattacks should be shared with the FBI.
A new fileless malware has been detected that uses DNS to receive commands and send information to the attackers’ command and control server. The stealthy communication method together with the lack of files written to the hard drive makes this new malware threat almost impossible to spot.
The attack method, termed DNSMessenger, starts with a phishing email, as is the case with many of the new malware threats now being detected. The host is infected via a malicious Word document.
Opening the Word document will display a message informing the user that the document has been protected using McAfee Secure. The user is required to enable content to view the document; however, doing so will call a VBA function that defines the Powershell command and includes the malicious code. As is the case with other forms of fileless malware, since no files are written to the hard drive during the infection process, the threat is difficult to detect.
Fileless malware are nothing new, in fact they are becoming increasingly common. What makes this threat unique is the method of communication it uses. The malware is able to receive commands via the DNS – which is usually used to look up Internet Protocol addresses associated with domain names. The malware sends and received information using DNS TXT queries and responses.
DNS TXT records are commonly used as part of the controls organizations have in place to identify phishing emails and verify the sender of a message – Sender Policy Framework (SPF) and Domain Message Authentication Reporting and Conformance (DMARC).
The attackers can send commands to the malware via DNS TXT queries and the malware can send the attackers the output of the commands via the same channel. Even if an organization has blocked outbound DNS for unapproved servers, the malware will still be able to communicate with the attackers C2 infrastructure.
While many organizations inspect the contents of web traffic, relatively few inspect the content of DNS requests. The malware is therefore likely to operate unnoticed. Further, the Cisco Talos team that detected the malware reports that only 6/54 AV engines detected the threat, although ClamAV did identify the file as malicious.
Cybercriminals are constantly looking for new methods of bypassing security controls and infecting end users. However, since this threat is delivered via email, that is the point at which it is easiest to block. Infection also requires macros to be enabled. If macros are blocked, the malware will not be executed. Otherwise, since the DNS communications between the malware and the attackers differs from standard DNS communications, inspecting DNS content should enable security professionals to identify infection.
Following a massive increase in ransomware attacks, security experts have called for ransomware protection for universities to be augmented
Ransomware: A Major Threat to Universities the World Over
Ransomware has become one of the biggest data security threats. The healthcare industry has been extensively targeted, as have the financial services, manufacturing, telecoms, and just about every other industry sector. Now, attacks are being conducted on higher education establishments with increased vigor.
Universities are attractive targets. They store vast quantities of data. Researchers, teaching staff, and students alike need access to data on a daily basis. Without access, all work grinds to a halt. That means ransom demands are likely to be paid.
Secondly, universities use thousands of computers and have tens of thousands of users. Cybersecurity defenses may be good, but with so many individuals with access to Internet facing computers, protecting against targeted attacks on those individuals is a major challenge. Staff and students are being actively targeted as they are the weak links in the security chain.
Then there is the issue of academic freedom. While many industries have implemented web filtering solutions to limit the websites that can be visited by staff and students, many universities have been reluctant to restrict Internet access.
In a similar vein, university networks tend to be more open than in the business world for example. Businesses tend to severely restrict access to networks. If an attack occurs, the damage is very limited. Open networks tend to result in huge numbers of files and devices being encrypted if an attacker breaks through the security perimeter.
Ransomware Protection for Universities Clearly Lacking
The number of university ransomware attacks that have been reported by institutions in the United States and Canada in 2016 has reached alarming levels. Many of those universities have been forced to pay the ransom demands to restore access to files.
Last year, the University of Calgary was forced to pay $16,000 to restore access after a ransomware attack. Carleton University was also attacked with ransomware, as was Los Angeles Valley College. According to a Newsweek report in August last year, two thirds of British universities had been attacked with ransomware. Queen’s University in Belfast, Northern Ireland, was one of those attacked. A ransom had to be paid to recover data. One university in the United Kingdom – Bournemouth University – experienced 21 ransomware attacks in the space of 12 months. The list goes on and on.
Malware is also a problem. The University of Alberta discovered a malware infection on 304 computers. A keylogger had been installed which recorded details of all information entered on infected computers, including login details.
It is unsurprising given the extent to which universities are being attacked that there have been numerous calls for ransomware protection for universities to be improved. But how can ransomware protection for universities actually be improved without causing major disruption to staff and students or overly restricting data access?
How Can Ransomware Protection for Universities be Improved?
Universities, like all organizations, must develop a strategy to prevent ransomware attacks and deal with them when they occur. Protections need to be improved to prevent attacks, technology needs to be employed to detect ransomware infections quickly, and policies and procedures must be developed so rapid action can be taken when attacks occur. Rapid action can greatly reduce the harm caused.
No university wants to overly restrict Internet access, but the use of a web filter is strongly recommended. Rather than blocking access to valuable information, an advanced web filtering solution such as WebTitan can be applied to restrict access to malicious websites and to block malware downloads. WebTitan has highly granular controls which allow restrictions to be put in place to prevent ransomware infections, without overblocking website content. Furthermore, Internet access controls can be easily set for different user groups.
At the very least, universities should apply web filtering controls to prevent the accessing of websites that are known to contain malware and should not rely on their anti-virus solution to provide this service.
It is also essential for controls to be applied to the email system to block emails containing malicious links and attachments. SpamTitan blocks 99.97% of spam emails and 100% of known malware using two anti-virus engines for extra protection. SpamTitan not only blocks incoming spam, but also performs scans of outgoing mail to prevent the spread of infections between end users.
Antivirus and anti-malware solutions should also be used and updated automatically. Intrusion detection systems should also be considered to ensure that infections are rapidly identified.
Good patch management policies are also essential to ensure vulnerabilities are not allowed to persist. Applying patches and software updates promptly reduces the risk of vulnerabilities being exploited.
Even with technologies in place, staff and students should be educated about the risk of cyberattacks, phishing, malware and ransomware. Best practices should be distributed via email to all staff and students along with information about any specific cyberthreats.
Unfortunately, unless ransomware protection for universities is greatly improved, the attacks are likely to continue. Cybercriminals view higher education institutions as soft and potentially highly lucrative targets. It is up to universities to take appropriate action to prevent malware and ransomware attacks.
Poor cybersecurity practices exist at many US organizations, which are allowing hackers and other cybercriminals to gain access to corporate networks, steal data, and install malware and ransomware. Businesses can implement highly sophisticated cybersecurity defenses, but even multi-million-dollar cybersecurity protections can be easily bypassed if poor cybersecurity practices persist.
This month we have seen two reports issued that have highlighted one of the biggest flaws in cybersecurity defenses in US enterprises. Poor password hygiene.
The purpose of passwords is to prevent unauthorized access to sensitive data, yet time and again we have seen data breaches occur because of end users’ poor choice of passwords and bad password practices.
Earlier this month, SplashData released its annual report on the worst passwords of 2016. The report details the top 25 poorly chosen passwords. This year’s report showed that little had changed year on year. Americans are still very bad at choosing strong passwords.
Top of this year’s list of the worst passwords of 2016 were two absolute howlers: 123456 and password. Number three and four were no better – 12345 and 12345678. Even number 25 on the list – password1 – would likely only delay a hacker by a few seconds.
Another study also highlighted the extent to which Americans practice poor password hygiene. Pew Research asked 1,040 US adults about their password practices. 39% of respondents said they used the same passwords – or very similar passwords – for multiple online accounts, while 25% admitted to using very simple passwords because they were easier to remember. 56% of 18-29-year-old respondents said that they shared their passwords with other individuals, while 41% of all respondents said they shared passwords with family members.
The results of this survey were supported by later research conducted by Telsign, who found a very blasé attitude to online security among U.S. citizens. Although 80% of respondents admitted to being concerned about online security (and half of those claimed to have had an online account hacked in the past year), 73% of respondents´ online accounts are guarded by duplicate passwords and 54% of respondents use five or fewer passwords across their entire online life.
While the Pew Research and Telsign surveys did not specifically apply to businesses, these poor password practices are regrettably all too common. Passwords used for corporate accounts are recycled and used for personal accounts, and poor password choices for company email accounts and even network access are common. Although two factor authentication is not a solution to the problem of poor personal cybersecurity practices, only 38% of U.S. companies use it to protect their networks from poor corporate cybersecurity practices.
Poor Cybersecurity Practices That Leave Organizations Open to Cyberattacks
Unfortunately, poor cybersecurity practices persist in many organizations. IT departments concentrate on implementing sophisticated multi-layered defenses to protect their networks and data from hackers, yet are guilty of failing to address some of the most basic cybersecurity protections.
The failure to address the following poor cybersecurity practices at your organization will leave the door wide open, and hackers are likely to be quick to take advantage.
More than 4,100 data breaches of more than 500 records were reported by organizations in the United States in 2016*. Many of those data breaches could have been avoided if organizations had eradicated their poor cybersecurity practices.
Some of the main cybersecurity mistakes made by US companies include:
Not conducting a comprehensive, organization-wide risk assessment at least every 12 months
The failure to enforce the use of strong passwords
Not providing employees with a password manager to help them remember complex passwords
The continued use of unsupported operating systems such as Windows XP
Failure to apply patches and updates promptly
Not restricting the use of administrator accounts
Failure to adequately monitor devices for shadow IT
Failure to block macros from running automatically
Giving employees unnecessary access to data systems and networks
Not providing employees with cybersecurity awareness training
Not instructing employees on the safe handling of personally identifiable information
Failure to conduct anti-phishing simulation exercises
Failure to notify new employees and vendors of IT security policies and procedures before data access is provided
Not revising and updating IT security policies and procedures at least every six months
Failure to change default logins on networked devices
Failure to encrypt data on portable storage devices
Allowing employees full, unfettered access to the Internet
Failure to implement a spam filter to block malicious email messages
Failure to monitor applications with access to data
There is an important reason why the use of web filters in libraries is increasing. The cost of providing computers with Internet access to patrons is not inconsiderable, yet in order to qualify for discounts under the E-Rate program, libraries must implement a web filter to comply with CIPA regulations. Libraries must use the web filter to block obscene images (pornography), images of child abuse, and any other graphics that could cause minors to come to harm.
However, there is another reason why the use of web filters in libraries is important. This has been clearly demonstrated this week in St. Louis, MO.
Web Filters in Libraries are Not Only About Internet Control
This week, every computer in the St. Louis Public Library System was taken out of action. Visitors were still able to visit the library and use the books, but do little else. All book borrowing stopped since it is not possible to for library staff to log borrowing on the checkout system. Patrons have also been prevented from gaining access to the Internet. Even the email system has been locked and taken out of action.
What kind of computer malfunction causes the entire network of computers to stop working? The answer is ransomware.
Ransomware is malicious software that has been developed with one sole purpose: To encrypt system and data files to prevent access. Once downloaded, ransomware locks files with powerful encryption preventing files from being accessed. The attacker then sends a ransom demand offering the unique keys to decrypt files in exchange for payment.
Typically, attackers demand $500 in an anonymous currency such as Bitcoin to unlock each computer that has been attacked. In the case of the St. Louis Public Library system, the ransom demand was $35,000. All 700 of the library systems’ computers – across 16 locations – were attacked and encrypted.
Some ransomware variants also act as information stealers. Fortunately for the library, its inventory was unaffected and payment card information and other personal information of patrons were not stolen.
The St. Louis Public Library system will not be paying the extortionate ransom demand. It has instead opted for the only alternative in cases of ransomware infections. To wipe its entire system and reinstall files from backups. That is not a quick process. It could take weeks; certainly days.
The ransom payment may be avoided, but removing the infection will still result in considerable costs being incurred. Then there is the impact the attack has had on patrons of the city’s libraries. The library system is primarily used by poor and disadvantaged individuals. According to library spokesperson Jen Hatton, “For many of our patrons, we’re their only access to the internet.” Hatton also said, “This is their only access to a computer. Some of them have a smartphone, but they don’t have a data plan. They come in and use the Wi-Fi.”
It is not clear how the infection occurred, although there are two main ways that ransomware is installed: Malicious spam email messages and by visiting malicious websites. Both of these attack vectors can be blocked if appropriate software is installed.
Web Filters in Libraries are an Important Ransomware Defense
A spam filter can be used to filter out malicious messages. Those messages contain attachments, which if opened, infect computers or download ransomware. User interaction is required. If the messages are quarantined and not delivered to users’ inboxes, infection can be prevented.
The use of web filters in libraries is therefore not just about limiting access to inappropriate and harmful website content. Web filters in libraries are an important cybersecurity protection that can help to ensure that, come what may, patrons will still be able to access the Internet and borrow books.
If you use a computer, you are at risk of having your device infected with malware; however, listed below are some useful tips for preventing malware infections.
Unfortunately, signature-based anti-malware software is far less effective at preventing infections than in years gone by. Malware developers are now using a wide range of strategies and techniques to prevent traditional anti-malware solutions from detecting and blocking infections.
Rely on anti-malware or anti-virus software alone and sooner or later you may find your device has been compromised, your keystrokes are being logged, and your – or your organization’s – data are being stolen.
However, there are some straightforward strategies that you can adopt to prevent malware infections and keep your computer, and your network, malware-free.
10 Tips for Preventing Malware Infections
Backup Your data
OK, a data backup will not prevent a malware infection, but it can help you recover if your computer is infected with ransomware or if your data are corrupted as a result of an infection – or removal of malware. The only way to recover from some infections is to wipe out your system and restore it from a previously known safe point. You must therefore have a safe point that you can use. Nightly backups should be performed. You only then stand to lose 24 hours of data at most.
Keep your malware definitions up to date
Anti-malware software may not be as effective as it once was, but you do need to give it a fighting chance. If you do not keep your definitions 100% up to date you are asking for trouble. This may sound obvious, but many organizations delay updating malware definitions for forget to set software to update automatically on all devices.
Never click on links or open email attachments from unknown senders
Cybercriminals target employees as it is far easier to gain access to a corporate network if an employee bypasses their organization’s defences and installs malware. All it takes is for one employee to install malware for attackers to gain a foothold in a network. Ensure that all employees receive anti-phishing training and have at least basic IT security skills. Most data breaches start with a phishing email.
Ensure operating systems and software are patched promptly
Operating systems, firmware, and all software must be kept up to date. As soon as patches are released, cybercriminals will be reverse engineering them to uncover the vulnerabilities. Don’t delay applying patches. Good patch management policies are essential for preventing malware infections.
Watch out for shadow IT
Downloading pirated software is an excellent way to infect computers with malware. Pirated software is often bundled with malware, spyware, and all manner of nasties. Block the running of executables and keygens if practical. Only install software from trusted sources. As an additional check, before installing software, check the software provider’s MD5 hash against your copy. If it’s a match, install. If not, delete.
Take care with USB drives
Not all malware comes via the web or email. USB drives can easily introduce malware. Make sure your anti-malware solution is configured to automatically scan USB drives before granting system access and never plug in a drive from an unknown source.
Perform regular malware scans
Having anti-virus and anti-malware software will not necessarily mean your system is protected. Full system scans should still be performed. Some infections can slip under the radar. A full scan should be performed at least once a month.
Keep abreast of the latest malware trends
You may have limited time, but it is important to keep abreast of the latest attack trends, cyberattacks, data breaches, and threat reports. Check the warnings from US-CERT, and monitor websites such as DarkReading, CIO, CISO, and The Register. A little research goes a very long way.
Keep mobile devices protected
Mobiles can easily be used to introduce malware onto networks to which they connect. Mobiles are often used on unprotected Wi-Fi hotspots, and the devices are increasingly being targeted by hackers. Ensure security software is installed on mobile devices and security settings on phones are active.
Use a firewall, web, and Wi-Fi filtering
A firewall is essential tool for preventing malware infections, although businesses should consider purchasing a next generation firewall device. Next generation firewalls combine a traditional firewall with other network device filtering functionalities. Web and Wi-Fi filtering solutions are also important. By filtering the Internet, it is possible to prevent drive-by malware downloads and carefully control the risks that employees take.
Cybercriminals have embraced ransomware and have been increasingly targeting businesses, yet many business leaders are unsure how to prevent ransomware attacks. Consequently, the risk from ransomware is not being effectively managed, and that may prove costly.
Ransomware is a form of malware that is capable of encrypting files on local machines, network drives, and servers. Any computer that is connected to the Internet can potentially be infected. Even without internet access, files may be encrypted if a computer is networked. The latest ransomware variants are capable of spreading laterally within a network and encrypting the data on hundreds of devices.
Files required for critical business processes may be encrypted and made inaccessible. A successful attack can result in a company’s operations grinding to a halt. A healthcare ransomware attack can result in patients’ health information becoming inaccessible. An attack on a pharmaceutical company may result in files necessary for drug manufacture being locked, which could affect the quality of products. Lawyers offices may lose essential client information. Few businesses could continue to operate at their full potential during a ransomware attack.
The loss of files can prove extremely expensive, far less than the cost of any ransom payment. Many companies therefore are left with little alternative but to pay the ransom demand. Ransom payments are actually made surprisingly frequently. According to a recent study conducted by IBM, 70% of businesses that experienced a ransomware infection ended up paying the attackers to supply the keys to unlock their data. Half of those businesses paid more than $20,000 while 20% paid more than $40,000.
Even when the ransom is paid there is no guarantee that a viable key will be supplied to unlock the encryption. Files may therefore be lost forever. One healthcare organization in the United States recently discovered that files can all too easily be lost forever. Three months after ransomware was installed on one of its servers and critical patient health information was encrypted, Desert Care Family and Sports Medicine has still not been able to unlock the encryption nor access its patients’ data.
It is essential to learn how to prevent ransomware attacks and to implement appropriate defenses not only to stop attackers from installing ransomware, but to ensure a system is put in place that will allow data to be recovered without having to resort to paying a ransom.
Recovering from a ransomware attack can be extremely expensive. Ransom payments can be extortionate. Business can be lost while systems are taken out of action. Even applying keys that have been supplied by attackers can be long winded. Each encrypted device has its own key, and those keys must be applied very carefully. A forensic analysis is also important after a ransomware attack to search for backdoors that may have added, as well as to determine if data have been stolen. Additional protections then need to be put in place to prevent future attacks from occurring.
How to Prevent Ransomware Attacks
The first and most important step to take will not prevent ransomware attacks, but it will help you to recover from a ransomware attack promptly without having to resort to paying the ransom. Recovery will depend on you having a viable backup of your data. Total file recovery may not be possible, but it should be possible to recover the vast majority of your files.
For that to be possible, you must ensure that all files on all devices and network drives are backed up. That includes all removable drives such as flash drives. Backup files must be stored on a non-networked drive, in the cloud, or ideally on an air-gapped device – One that is unplugged as soon as the backup is performed. Multiple backups should ideally be made with one copy stored in the cloud and one on a detachable storage device. You should always store backups in multiple files. If one becomes corrupted, you will not lose all of your data.
Avoid the use of administrator accounts with extensive privileges as far as is possible. If an administrator account is required, use it and then change to a guest account with limited privileges. This will reduce the damage caused if the user’s machine is infected.
Ensure that all software is kept up to date and your organization employs good patch management practices. In particular, ensure browser and plugin updates are applied promptly. Vulnerabilities can all too easily be exploited and used to download ransomware.
If plugins are not required, remove them. Adobe Flash in particular, but also Java and Silverlight. If required, they should require activating individually as and when needed.
Ensure employees’ computers are configured to show file extensions. If full file extensions are displayed, it is easier to identify potentially malicious files with double extensions.
Ensure macros are disabled on all devices. At the very least, ensure macros do not run automatically.
Disable Remote Desktop Protocol (RDP) on all devices unless it is absolutely essential.
A web filter can be used to prevent end users from visiting malicious websites where ransomware can be downloaded. A web filter can also block malicious third party adverts (malversting).
End users should be instructed never to open files from unknown senders or to click on links contained in emails unless 100% sure that the links are genuine.
The use of a spam filter is strongly advisable. The spam filter should be configured to aggressively block threats. Executable file attachments should also be automatically quarantined.