When it Comes to Cybersecurity, Take a Good Look in the Mirror

Recently, we participated on a webinar panel – What You Need to Know about the FFIEC Cybersecurity Assessment Tool – where audience members were asked the following question:

How would you rate your organizations’ cybersecurity maturity level today?

Possible options (taken directly from the FFIEC CAT) for the attendees were:

  1. Baseline – meets the legal minimum; compliance-driven objectives
  2. Evolving – risk-driven objectives in place; cybersecurity formally assigned and broadened beyond protection of customer info
  3. Intermediate – detailed, formal processes with consistent controls; risk management integrated into business strategies
  4. Advanced – formally assigned throughout the business; automation and continuous improvement
  5. Innovative – cutting edge practice potentially extending beyond firm

Interestingly, a majority of attendees put their organizations’ cybersecurity maturity level at “Evolving”.

There are two ways to look at this:

  1. The pessimist would say that organizations have a long way to go still with protecting information (the regular stream of data breach headlines back this up).
  2. A more positive outlook is that through real self-assessment, understanding where we are and where we need to reach is a good thing.

Many folks who aren’t in cybersecurity and/or don’t follow cyber-related news have an enormous false sense of security. People are too trusting and too curious. Cybercriminals know this and use it to their advantage. So it’s good to see that as security professionals many are taking a good hard look in the mirror and recognizing where we are at. Now the question becomes what do you do/where do you go from here?

Clearly doing the same thing over and over again isn’t working. Cybersecurity is not a technical problem, it’s a business problem in a technical venue. Cybersecurity should and can be viewed in the same way other parts of the business are run.

Another important self-assessment to make is knowing you cannot defend everything perfectly. There simply are not enough resources or budget to do so. Shifting from a reactionary mindset to proactive, data-driven intelligence approach can help you focus on your biggest cyber risk areas.

Look at data, analyze it, understand trends and make decisions. This approach is relied upon to run other areas of the business – it’s what business intelligence is all about. And it can be applied to cyber risk mitigation. The business and IT security sides of the house need to work together and look at cyber from a risk perspective. What are your high value targets (what would a “bad guy” go after and why?)? Then what vulnerabilities and threats are out there that apply to your targets?

Looking at your cybersecurity program and your risk posture through this lens can help you unearth big problems that are coming or identify active threats to your sensitive information and brand. An organization’s appetite for risk is fluid – when all is quiet on the cyber front, there is typically less urgency. That urgency level increases significantly if an organization is breached. But waiting for all hell to break loose isn’t usually a good strategy from a risk management perspective.

In spring, we’re told to change our batteries in the smoke detectors as a precaution. I’d suggest we take a step back and take an honest look in the mirror to see where we’re at from a security perspective and how we can use threat intelligence to drive more effective risk mitigation decisions.

Podcast: Big Breaches, Badlock Revealed and More Class-Action Updates

A new episode of the SurfWatch Cyber Risk Roundup has been posted, Episode 66: Big Breaches, Badlock Revealed and More Class-Action Updates:

A hacking group leaked data from the Philippines’ Commission on Elections, which impacts 55 million registered voters. National Childbirth Trust announced a breach affecting 15,000 new and expecting parents. Several more W-2 related breaches made headlines. An FDIC employee accidentally walked out with 44,000 customers’ information. CoinWallet announced plans to shut down its services following a cyber incident. On the advisory front, the details of the Badlock bug were finally revealed, there was a new evolution in Locky ransomware, more phishing attacks were discovered, malvertising hit Dutch websites, and Windows XP, which has not had support for two years, is still being widely used. The week also saw legal developments regarding Mossack Fonseca, Sony Pictures, Wendy’s, and more. Finally, four radio stations found themselves broadcasting some strange content after being hacked.

Listen to the podcast via the player below, or learn more about SurfWatch Labs podcasts on our podcast page.

WEB HOSTING PROVIDER TO MAJOR SPORTS LEAGUES, MEDIA AND ENTERTAINMENT COMPANIES BREACHED BY ALPHALEON

This real-life case study will contain some info, but not all – to protect individuals’ personally identifiable information – as well as our intelligence collection sources – with our goal of highlighting the importance of having visibility into your supply chain cyber risks. In the beginning of April 2016 SurfWatch Labs threat intelligence analysts uncovered a breach into web hosting provider Invision Power Services, whose customers include some professional sports leagues as well as major media and entertainment companies.

The actor, going by the name AlphaLeon, is associated with both the AlphaBot and Thanatos trojans – early strains of these pieces of malware appear to date back to early 2015. AlphaLeon has been known to sell access to these trojans on the dark web. While the actor has not been a seller for very long, the group’s experience and presence indicates they have been active in this space for more than five years – including multiple dark web and open web forums.

After discovering information related to the latest activity of this actor, we alerted Invision Power Services (IPS) who had not yet detected this compromise. We worked with them to validate that the actor appeared to have established a presence within the managed hosting environment that Invision Power Services operated via Amazon Web Services (AWS).

It is our understanding that IPS is still working through their own internal investigation into the incident and additional information may be uncovered, but it appears that the initial cause of the compromise was most likely the result of unpatched software. AlphaLeon indicated that this access, which affected multiple high level brands, would allow them to install Exploit Kits with the purpose of infecting users visiting these sites with their trojan. This would grow the group’s botnet further, which would in turn be sold via various underground markets. The trojan appears to be capable of:

  • Stealing banking credentials and bitcoins
  • Gaining (and selling) webcam access
  • Delivering ransomware
  • Sending spam
  • Stealing gaming credentials
  • Distributed Denial of Service

As of the date of this post it does not appear that AlphaLeon has initiated this specific campaign.

This case study highlights three primary things:

  1. This is a classic case of supply chain risk management. Invision Power Services is a supplier to some of the largest brands. These companies entrusted their web hosting provider to perform a reasonable service based on whatever contractual agreements were in place. Even if the impacted companies are not at fault, they still have their own customers and their brand and reputation to protect. If you are going to outsource a service that has cyber risk tied to it, you are outsourcing a portion of your brand and reputation in some way shape or form and you need to keep some eyeballs on that supply chain.
  2. Having a dark web intel capability is an important component of your overall cybersecurity efforts. In this situation, a bad actor was observed in a dark web forum. This source was key to gaining intel that was not available through normal open channels. The dark web is certainly not the only source you should be pulling from in your intel efforts, but it is an important area for which you should have a collection capability.
  3. The intel process works. SurfWatch Labs analysts observed discussions that concerned us, we notified the victim hosting provider, they confirmed the issue and started to react. That is what is supposed to happen.

As you outsource capabilities to other vendors, your cyber risk exposure expands. Make sure you cast a wide net in regards to your intelligence collection capabilities. It is critical to understand this and to keep a watchful eye on not only your internal environment, but that of the vendors you do business with.

Gone Phishing in Q1 2016

We’re already a quarter of the way through 2016, and a clear trend is the rise of social engineering. Based on the cyber event data that we’ve collected, roughly 25% of all targets can be tied to a social engineering attack. This is the highest percent we’ve seen since the beginning of 2015, and over the last 6 months the share of social engineering attacks have doubled.

2016-04-04_ITT_socialengineering

Just a few examples of common social engineering practices include:

  • Phone calls from a “Microsoft customer support representative” who needs remote access to your computer to fix an issue
  • Leaving an infected USB stick in a parking lot that when found and inserted into a computer by an unsuspecting person, malware/spyware is dropped onto the machine

However, the largest percentage of social engineering attacks (25%+) revolve around different types of phishing. While email is the most common delivery method, phishing attempts are made through text messages, Facebook, etc.

Over the weekend I received several phishing emails from individuals I know. These emails weren’t spoofed to make it look like they were coming from people I know, but actually sent from their email accounts without their knowledge.

The emails were both related to a “signed document” that needed my attention — except I had no previous knowledge any e-docs to sign should be coming my way. Of course, that’s because they should not have been coming at all.

Having been in the security industry as long as I have, I am cautious (or some would say paranoid) — especially compared to friends and family who say they “get it,” but don’t really. Even still, these emails came from legit addresses from people within my circle, and the content within the emails also looked reasonable. Luckily, I knew better, but many don’t.

Here are some quick security tips to consider when it comes to phishing attacks:

  1. Watch out for spoofed email addresses. Confirm the sender of the email is an address you recognize/know. Don’t just check the name in the “From” field, but actually look at the email address. This tip would not have made a difference in the instance above, but it is still a good way to catch a phishing email.
  2. Do not blindly trust links within an email. Banks and credit cards are usually pretty good about directing you to type in the url to go to their homepage and how to navigate to a specific place if necessary, as opposed to including links in their communications to you. This is a good practice to follow with any emails that include links. In my situation the links sent looked like DocuSign links, with familiar DocuSign branding and all. But it was missing the security code. Links can also be spoofed, so make sure you know what it is you are clicking on before you click.
  3. If you have any questions, pick up the phone. Is a vendor asking you to provide information or is a contact of yours asking you to click on a link? Questioning it is good. Call the vendor or individual and have them confirm.

Social engineering is one of the trickiest types of attacks to prevent because it plays on human nature and less on technology. Looking at the intel so far in 2016, the bad guys are going back to a tried and true method for gaining access to sensitive information. Be aware and think before you click.

Talking Cyber-Terrorism and ISIS with Morgan Wright

U.S. Cyber Command has its “first wartime assignment” in the fight against ISIS, Secretary of Defense Ashton Cater told an audience at the Center for Strategic and International Studies last Tuesday. That cyber fight includes techniques to disrupt the group’s ability to communicate, organize and finance its operations.

On the same day, head of U.S. Cyber Command Admiral Michael Rogers told the Senate Armed Services Committee that among his biggest fears are the possibility of groups like ISIS manipulating electronic data records, impacting critical infrastructure such as the electrical grid or air traffic control systems, and using cyber tools “as a weapons system.”

The week’s news capped off a period of increasing discussion around cyberwarfare and cyber-terrorism.

It’s an issue that organizations need to be aware of, said cybersecurity and counter-terrorism expert Morgan Wright, who discussed the topic on this week’s Cyber Chat podcast.

“It is a different animal,” Wright said. “Companies really need to understand the implication of the difference between just cybercrime and cyber-terrorism because it will make a difference in how you respond.”

The Cyber-Terrorism Threat

The December 2015 cyber-attack in Ukraine, which affected electricity for 225,000 customers, was unique in that it’s the first confirmed attack to take down a power grid. In addition, just last month the U.S. officially charged an Iranian with access to a computer control system for New York’s Bowman Avenue Dam. Luckily, a gate on the dam had been disconnected for maintenance issues; otherwise, the hacker could have operated and manipulated the gate, authorities said.

Wright agreed with other experts that the BlackEnergy malware used in the Ukraine attack is a bigger issue than other often-cited critical infrastructure threats such as Stuxnet.

“It’s in this country, and we talk about it but we don’t really take it seriously,” Wright said. “[BlackEnergy] could actually be a terrorist — a cyber-terrorism — type of tactic. … Let’s say that a group like Al-Qaeda or ISIS gets ahold of this and they decide they want to take out part of our power grid.”

But it’s not just critical infrastructure operators who need to be concerned about cyber-terrorism, he added. Organizations, particularly those with ties to often-targeted states such as Israel, need to be aware of those risks.

Businesses need to examine their geopolitical footprint, Wright said. Where are you operating, what types of things may be impacted if you are targeted by some of these organizations, and how can you better prepare to defend against those potential threats?

The Researchers Who Cried Wolf?

There have been a few headline-grabbing events tied to cyberwar and cyber-terrorism, but when compared to traditional cybercrime events, the former threat can appear rather sparse.

When asked about fatigue or backlash from researchers warning of these types of threats, Wright attributed the problem to lack of imagination.

“Plots can take years to develop,” he said. “What I tell people is that just because you can’t imagine it happening right now doesn’t mean it’s not being worked on — it’s not being plotted for.”

As an example he highlighted the recent cybersecurity issues facing the automobile industry. Years before, he said people accused him of fear mongering for bringing up those very issues.

“Now the entire automotive industry is up in arms,” he said.”Guess what? Three years ago they couldn’t imagine that happening, and for 15 years the automotive industry did absolutely nothing.”

In the end though, although cyber-terrorism motivations may be different from cybercrime, the defense is similar.

“You still respond to it. You still prepare. Only later do the motivations really make a difference in terms of what could we have done detect this or prevent this.”

Listen to the full conversation with Morgan Wright for more about cyber-terrorism, the threat of groups like ISIS and his cybersecurity “rules of the road”:

About the Podcast
In an interview last week, U.S. Secretary of Defense Ashton Carter confirmed he had given U.S. Cyber Command its first wartime assignment and that the team would start launching online attacks against ISIS. The announcement comes after several months of news and debate about the issue of cyber-terrorism.

On today’s cyber chat we talk with cyber-terrorism expert Morgan Wright, who has nearly two decades in state and local law enforcement and has previously taken on roles such as a senior advisor for the U.S. State Department Anti-terrorism Assistance Program. We talk about the threat of cyber-terrorism, recent attacks against critical infrastructure, and how groups such as ISIS are impacting the cyber threat landscape.

Why Do People Hate Passwords?

The password: love it or loathe it, this concept and practice have been a cornerstone of basic security for a long time. After covering cybercrime for the last few years, I have come to the conclusion that people hate passwords.

Let’s examine that – why do people hate passwords?

“I think people hate passwords because it’s something else to remember – and something else to forget,” said Aaron Bay, Chief Analyst for SurfWatch Labs. “The need to protect ourselves, and our information, has snowballed into this large, terrible thing we have in place now. Hardware and software have been developed to combat it, but there is still the problem of now someone else is in control of your access.”

Bay points to the compromise of the RSA’s SecureID and the recent vulnerability found in the password management program KeePass to further explain the complications of passwords.

“In 2011, the RSA SecureID was compromised, and the thousands of organizations – including the U.S. Government – that relied on their tokens were now at risk. The password manager KeePass recently had a flaw discovered that allowed attackers to steal passwords directly from the database. These are two examples where these beneficial systems have failed. It is safe to say that these systems, and others, will fail again at some point in the future.”

Without using programs to help with the process of utilizing strong passwords, the practice can be daunting. Listeners of the SurfWatch Cyber Risk Roundup who are familiar with our “Funny Story of the Week” have heard us talk about bad password practices. While some of the most common passwords are viewed in a humorous nature – “123456” tops the charts every year – there is a real security concern with this trend.

The Password Reuse Problem

The main problem is one of volume. Websites, work accounts, devices, iPhone or Android apps, and even credit cards all require passwords or pins. As a result of people reusing passwords, a number of companies have made headlines for cyber incidents, despite the fact they weren’t actually breached.

  • Amazon: “We discovered a list of email addresses and passwords posted online. While the list was not Amazon-related, we know that many customers reuse their passwords on multiple websites. … We recommend that you choose a password that you have never used with any website.”
  • United Airlines: “We recently learned that an unauthorized party attempted to access your MileagePlus account with usernames and passwords obtained from a third-party source. These usernames and passwords were not obtained as a result of a United data breach and United was not the only company where attempts were made.”
  • Uber: “We investigated and found no evidence of a breach. … This is a good opportunity to remind people to use strong and unique usernames and passwords and to avoid reusing the same credentials across multiple sites and services.”
  • Dropbox: “Recent news articles claiming that Dropbox was hacked aren’t true. Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox.”

“Password reuse is very common and more often than not leads to additional compromises when peoples’ passwords are exposed in the latest data breach,” Bay said, adding that each website having slightly different requirements also makes it harder for users to create unique passwords they can remember. “We not only have to remember the different passwords, when we have to change our passwords we have to remember the rules and make sure the new password doesn’t break them.”

I think everyone understands that remembering passwords can be a hassle. Some people attempt to circumvent this step and simply write the password down next to their work terminals, but that completely negates the point of a password as it is now in view for everyone to see. If you don’t think your co-workers are capable of utilizing your password for malicious purposes – as well as a practical joke – don’t be fooled. Several experts and reports have indicated that insider activity is one of the leading threats organizations face in combating cybercrime. According to SailPoint’s 7th Annual Market Pulse Survey, “1 in 5” employees share their passwords and login information with members of their team.

“Compounding the problem, 56% of respondents admitted to some level of daily password reuse for the corporate applications they access, with as many as 14% of employees using the same password across all applications,” the survey found.

Moving Beyond Passwords?

What are the alternatives to passwords? Last year, Yahoo decided to create an option for users that would allow them to log into their accounts without using a password. Instead of a password, a link would be sent via text message to a user’s phone that would validate their access.

There is also the popular topic of biometrics. In a recent example, the U.K. bank Atom launched a biometric authentication tool that utilizes a customer’s face and voice instead of a password for validation. The option to use a password still exists and the new biometric method remains as an option for customers.

Biometrics seem to be a trend around the validation process, but passwords remain the  authentication option at this time.

“Biometrics is now being regarded as ‘the next big thing’ to use to protect us,” Bay said. “When Apple introduced the fingerprint reader into the iPhone, biometrics were thrust into the public view. Millions of people, basically overnight, now had a fingerprint reader.”

Bay said the fingerprint readers do work and, for the most part, are secure.

“Is it perfect, not hardly. Is it the best we have, unsure. Is it better than many other implementations, yes, without a doubt. However, it still relies on hardware and software to be perfect. Unfortunately, history has shown that is not possible.”

Whether you like passwords or not, until a better, proven solution replaces this validation method it is imperative that your passwords are secure. This message needs to be communicated and driven home to employees – even if they hate passwords.

Talking MedStar, Ransomware and Healthcare with Arbor Networks’ Dan Holden

On Monday, March 28, MedStar Health was hit with a variant of ransomware known as Samas or “samsam.” The healthcare provider, which operates 10 hospitals and employs more than 30,000 people, quickly shut down all system interfaces. Communicating and scheduling became difficult. Staff reverted to paper records. Some patients had to be turned away.

Thus began a week of national attention as news outlets documented frustrated patients and employees, and a debate ensued around potential security flaws within MedStar.

“The issue with ransomware is of course now you’re talking about not availability, you’re talking about the data,” said Dan Holden, Director of Arbor Networks’ Security Engineering and Response Team, on our recent Cyber Chat podcast. “It is so critical, especially to these recent attacks — these hospitals. They can’t do anything without patient data or without documentation.”

Although MedStar was able to restore services without paying the 45-bitcoin ransom (around $19,000), the wide-reaching impact on business operations can make the decision to pay ransoms difficult for many providers, Holden said.

“It just puts them in an impossible situation,” he said. “In some cases you have to pay it because you simply are not able to recover any other way.”

Warnings About Samas and JBoss

Everything could have been avoided with a simple patch to update vulnerabilities found in a JBoss application server, according to the Associated Press. MedStar refuted the AP’s assertions that it ignored multiple urgent warnings dating back to 2007; however, the AP stands by its reporting.

The FBI warned of Samas, the very ransomware that appears to have hit MedStar, on March 25 — just days before the healthcare provider’s systems were impacted. The bureau first alerted organizations to Samas on February 18.

As Reuters reported,  “The FBI said that investigators have since found that hackers are using a software tool dubbed JexBoss to automate discovery of vulnerable JBOSS systems and launch attacks, allowing them to remotely install ransomware on computers across the network.”

A Decade of Ransomware

Holden said ransomware attacks have risen considerably in 2016, a point echoed by SurfWatch Labs as well as an FBI agent at a recent talk.

“It’s likely,” the agent said, “that this will be the decade of ransomware.”

So far in 2016, the healthcare sector has been a major focus of that trend.

“What we’re seeing is the attackers chasing the soft underbelly if you will of the various verticals,” Holden said. “There’s a big, big difference between a Fortune 100 company and everyone else in their ability to defend themselves and respond. And that’s certainly the situation these hospitals are in. It’s going to take some time for them to properly defend and be able to respond to these things.”

Part of the issue is that the ransomware threat is different than other types of cyber threats organizations have spent years defending against.

“The investment model is potentially a little bit different there,” Holden said. “That’s why perhaps it’s so interesting right now.”

He added: “Detecting doesn’t get you anything. You either have to prevent or you have to respond. The moment you’ve detected it, it’s already too late.”

Listen to the full conversation with Arbor Networks’ Dan Holden about ransomware in the healthcare sector below:

About the Podcast
Last week MedStar Health, which operates 10 hospitals and more than 250 outpatient medical centers in the Washington region, suffered a ransomware attack that disrupted their operations and put them front in center in the fight against cybercrime.

On Friday we spoke with Dan Holden, Director of ASERT, Arbor’s Security Engineering and Response Team. We chatted about how healthcare organizations are being impacted by ransomware, where that threat is headed, and how organizations can keep themselves safe.