Previously, threat analysts worried only about ransomware itself. Now they must also worry about ransomware actors exfiltrating data first, then locking us out of our own systems and threatening to sell our information if we don't pay. And they do sell the data if victims don't comply. Sites like Klep exist to sell it.
Why do they do this? For one, it's safe for the bad actors. The countries that harbor these threat actors will not prosecute as long as nothing within their own borders is harmed. In Russia, for instance, where many of the threat actors attacking the U.S. reside, the threat actors' software checks the locale of a computer, and if it resides in any of the former Soviet states, the software automatically uninstalls itself. They know better than to do business in their own backyard. But they can attack the United States all they want and never face prosecution. So, for them, it is a safe crime.
As far as money goes, just to give you an idea, consider a company called Darkside. It was in the news recently: the FBI blamed it for the ransomware attack on Colonial Pipeline, which crippled fuel delivery across the Southeastern United States. Darkside made $17 million in seven months. It's very profitable. Darkside began as a software company that provided services. Revel makes even more than that.
It's an easy business. Darkside took all the work out of creating ransomware. You can go to a webpage, order your ransomware, customize it for the environment you need it for, build it, and deploy it. You don't even need to know how to write ransomware.
Tools stolen from government hacking teams are used to commit these crimes. The Equation Group, the hacking arm of the National Security Administration, had its malware code stolen by another hacking group called The Shadow Brokers, and that code is now being used to commit crimes globally. As these tools have been stolen and released, things have become much easier for the criminals.
From 2018 to 2019, ransomware attacks in the United States increased by 300 percent. In the first nine months of 2020 they increased by an additional 400 percent.
The other thing to keep in mind is that for those operating under a regulated environment such as HIPAA, PCI, ITAR, or FERPA, it really doesn't matter whether the data was encrypted or stolen: ransomware equals a breach, and a breach means disclosure. These are the things we try to avoid.
One of the biggest attack points we are seeing is VPN. This year alone, VPN attacks have increased over 2,000 percent. The number one way these threat actors get into corporations is by attacking people's less secure home networks. Ultimately, your security is no better than the endpoint. For example, the Colonial Pipeline breach came from a compromised username and password for a user's home VPN. The threat actors got hold of it and did $5 million in ransomware damage, plus the subsequent security costs to the company of mitigating future attacks.
Another scary example occurred at the Oldsmar Water Treatment Plant in Florida. According to federal investigators, an outdated version of Windows and a weak cybersecurity network allowed hackers to access the water system and momentarily tamper with the water supply.
So, what can you do? Use system hardening.
What is system hardening? It is the set of steps you take to make your systems more secure than a default installation provides. You may be surprised that most systems are insecure by default for the sake of user convenience. Many companies want their software to be easy to use and easy to set up. But that doesn't make it secure.
For example, by default Microsoft Windows does not have lockout after failed password attempts turned on. You need to go in and set it manually so that hackers can't just "brute force" their way into your system. By default, it also does not have password history turned on. So even if you require a password change every thirty days, the old password will still work unless password history is on. Without it, every rotation leaves one more valid password for hackers to guess.
These are the types of security measures you need to harden.
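As an added example (not from the original post), the following PowerShell script audits the two defaults just described, lockout and password history, on a local Windows machine. The numeric thresholds are assumptions in the spirit of CIS-style baselines, not values given in the post, and secedit needs an elevated prompt.

```powershell
# Added example, not from the original post: audit the local account-lockout and
# password-history settings the post says Windows leaves off by default.
# Thresholds below are assumptions taken from common CIS-style baselines.
$Baseline = @{
    LockoutBadCount       = 5    # lock after at most 5 bad attempts (0 = lockout disabled)
    PasswordHistorySize   = 24   # remember at least 24 old passwords
    MaximumPasswordAge    = 60   # days before a password must change (-1 = never)
    MinimumPasswordLength = 14
}

# secedit exports the effective local security policy to an INF file.
$Inf = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $Inf /quiet | Out-Null

# Parse the [System Access] section, keeping only the numeric settings we care about.
$Current   = @{}
$inSection = $false
foreach ($line in Get-Content $Inf) {
    if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$' -and $Baseline.ContainsKey($Matches[1])) {
        $Current[$Matches[1]] = [int]$Matches[2]
    }
}
Remove-Item $Inf -ErrorAction SilentlyContinue

# Compare each setting to the baseline. Lockout count and max age must be on (>= 1)
# and no looser than the baseline; history and length must be at least the baseline.
$Findings = foreach ($name in $Baseline.Keys) {
    $have = $Current[$name]
    $ok = switch ($name) {
        'LockoutBadCount'    { ($have -ge 1) -and ($have -le $Baseline[$name]) }
        'MaximumPasswordAge' { ($have -ge 1) -and ($have -le $Baseline[$name]) }
        default              { $have -ge $Baseline[$name] }
    }
    [pscustomobject]@{ Setting = $name; Current = $have; Expected = $Baseline[$name]; Pass = $ok }
}
$Findings | Format-Table -AutoSize
if ($Findings.Pass -contains $false) {
    Write-Warning 'Local password policy does not meet the hardening baseline.'
}
```

Run it from an elevated PowerShell prompt; on a domain member, fix any failures in the Default Domain Policy GPO rather than locally, since the domain policy overrides local settings.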
Anti-Malware and Anti-Virus
This should be mandatory and set to update automatically. Scans should also run automatically. Likewise, endpoints need endpoint protection and intrusion protection, plus a certain amount of firewall and exfiltration filtering. They just can't let anything go out the door.
If you run a domain where you control all the endpoints, look into installing a centrally managed server that downloads all the definitions and pushes them out. Take it completely out of the hands of the agents or end users. This is a pain, but cleaning up after a ransomware attack is far worse. The average cost of cleaning up after a ransomware attack is around $1.2 to $1.5 million.
Do not allow agents to browse the internet freely. Create and maintain whitelists of required internet sites.
Companies put a lot of time and effort into securing against what is on the outside trying to get in, but they don't put the same energy into securing against what's inside trying to get out. Many companies hinge everything on the hacker never getting in. But there are multiple ways they can, and once they are inside, what security plans do you have in place?
Focus on inside-to-out as much as you would outside-to-in. You must assume they will get in. This is what the hackers are relying on: that once they get in, they can exfiltrate the data without any barriers. Therefore, your inside-to-outside rules must be well defined and allow only the outgoing traffic that is necessary.
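As an added example (not from the original post), here is how the inside-to-out rule set described above can be expressed with the Windows firewall in PowerShell: default-deny outbound, then narrowly scoped allow rules for only the destinations the business needs. All addresses are constructed placeholders; the WSUS ports 8530/8531 are that service's defaults.

```powershell
# Added example, not from the original post: deny outbound traffic by default and
# allow only the destinations the business needs. Addresses are constructed placeholders.
$DnsServers      = @('10.0.0.10', '10.0.0.11')        # assumed internal DNS resolvers
$UpdateServer    = '10.0.0.20'                        # assumed WSUS / definition server
$AllowedWebHosts = @('203.0.113.10', '203.0.113.11')  # assumed whitelisted business sites

# 1. Default-deny outbound on every profile; inbound stays blocked as shipped.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# 2. Allow only what is required, each rule scoped by remote address and port.
New-NetFirewallRule -DisplayName 'Egress: DNS to internal resolvers' -Direction Outbound `
    -Action Allow -Protocol UDP -RemotePort 53 -RemoteAddress $DnsServers
New-NetFirewallRule -DisplayName 'Egress: WSUS and AV definitions' -Direction Outbound `
    -Action Allow -Protocol TCP -RemotePort 8530,8531 -RemoteAddress $UpdateServer
New-NetFirewallRule -DisplayName 'Egress: whitelisted web sites' -Direction Outbound `
    -Action Allow -Protocol TCP -RemotePort 80,443 -RemoteAddress $AllowedWebHosts

# 3. Log dropped packets so unexpected outbound attempts show up in the firewall log.
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# Review: list every enabled outbound allow rule so the whitelist can be audited.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Select-Object DisplayName, Profile | Sort-Object DisplayName
```

On a domain-joined host, add equivalent allow rules for traffic to the domain controllers (Kerberos, LDAP, SMB) before applying the default-deny, or the machine will lose domain connectivity.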
Updates and Patches
You must apply all high and critical updates within thirty days of release to maintain security compliance. For example, the NotPetya virus caused $10 billion in damages because users did not apply a critical patch. If you run a domain, it is highly recommended that you use Windows Server Update Services (WSUS). The WannaCry virus was launched out of North Korea and was successful because nobody heeded the warnings from NotPetya and did not patch. This sort of security laziness is the root cause of many system breaches. Do not delay these patches.
And if Windows releases a patch outside of its normal patch cycle, apply it immediately. If they feel a patch is critical enough to release out of cycle, you can be sure the virus is bad. They only do that when things are critical.
Vulnerability scanning is an inspection of the potential points of exploit on a computer or network to identify security holes. A vulnerability scan detects and classifies system weaknesses in computers, networks, and communications equipment and predicts the effectiveness of countermeasures. Two places where you can have this done are www.OpenVAS.org and www.tenable.com.
Other Best Practices
Rename the default administrator account and disable it. Do not make it easy to attack a well-known default administrator account; always rename it to something other than "administrator". The first account a threat actor wants is the admin login, so don't make it easy to find. Also, keep the system security group as small as possible, and do not allow users to run as local administrators.
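As an added example (not from the original post), this PowerShell script checks a local machine against the advice above: whether the built-in administrator account is still named Administrator or still enabled, how many principals sit in the local Administrators group, and whether ordinary local users are members. The limit of three members is an assumed value.

```powershell
# Added example, not from the original post: audit the built-in administrator account
# and the local Administrators group. The member limit is an assumed value.
$MaxAdmins = 3

# The built-in administrator always has RID 500 and keeps that SID after renaming,
# so look it up by SID rather than by name.
$BuiltIn = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

$Findings = @()
if ($BuiltIn.Name -eq 'Administrator') {
    $Findings += 'Built-in administrator still uses the default name "Administrator".'
}
if ($BuiltIn.Enabled) {
    $Findings += "Built-in administrator '$($BuiltIn.Name)' is enabled; disable it."
}

# Enumerate the local Administrators group by its well-known SID (same on every locale).
$Members = @(Get-LocalGroupMember -SID 'S-1-5-32-544')
if ($Members.Count -gt $MaxAdmins) {
    $Findings += "Administrators group has $($Members.Count) members (limit $MaxAdmins): " +
                 (($Members | ForEach-Object Name) -join ', ')
}

# Any ordinary local user who is a direct member is running as a local administrator.
$LocalUserAdmins = $Members | Where-Object {
    $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' -and $_.SID.Value -notlike '*-500'
}
foreach ($u in $LocalUserAdmins) {
    $Findings += "Local user '$($u.Name)' runs as local administrator."
}

if ($Findings) { $Findings | ForEach-Object { Write-Warning $_ } }
else          { 'Administrator account checks passed.' }

# Remediation for the first two findings (run deliberately, not as part of the audit):
#   Rename-LocalUser -Name 'Administrator' -NewName 'svc-unused'   # assumed new name
#   Disable-LocalUser -Name 'svc-unused'
```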
It is also highly recommended to use a Server 2021 or later Active Directory domain. This centralizes the management of authentication and access. Update group security policies per NIST or CIS standards. Once again, default policies are not secure. For more information visit www.nist.gov or www.cisecurity.org.
Harden web servers to meet OWASP standards. For more information go to www.owasp.org. Also look at www.ssllabs.com.
Educate Your Agents
Another thing many security admins take lightly is educating their employees about security risks. Train your workers so they understand the risks of browsing the internet or opening spam emails.
One way many security admins gauge their workers' knowledge and adherence to the rules is to send out a faux phishing email from an anonymous source and see how many people click on it. You can even offer incentives to get that click rate as low as possible.
If there is one thing you should learn from all of this, it is just how easy and risk-free this crime is. For many hackers, the only security protocol they must contend with when hacking your system is figuring out your username and password. Once inside, they can easily move about. But if you take the steps mentioned above, you will make it harder for them.
Many hackers are lazy and do not have time for redundant security measures. Once they realize how slow their progress will be, many will just give up, not because it is impossible but because it requires extra work.
While we cannot guarantee a failsafe security system, we can make it harder for the hackers to hack.
This blog was authored by Shawn Griswold. Shawn is the security analyst for Startel Contact Center Solutions. Shawn has been involved in software engineering for over thirty years and has been providing cyber security for Startel for the last six.