The CIS Benchmarks development team has been hard at work preparing several brand new Benchmarks and updates for June 2022.
Daily Archives: June 1, 2022
5 ways to prevent Ransomware attacks
This blog was written by an independent guest blogger.
“Ransomware has become the enemy of the day; the threat that was first feared on Pennsylvania Avenue and subsequently detested on Wall Street is now the topic of conversation on Main Street.”
Frank Dickson, Program Vice President, Cybersecurity Products at IDC
In the first installment of this blog series (Endpoint Security and Remote Work), we highlighted the need to provide comprehensive data protections to both traditional and mobile endpoints as an enabler of remote work. In this second chapter, we’ll expand on the importance of endpoint security as one of many key elements for defining an organization’s security posture as it relates to arguably the most relevant cybersecurity issue of the day.
Cue the ominous music and shadowy lighting, as that is likely the mood for most cybersecurity professionals when considering the topic of ransomware. To the dismay of corporate executives, government and education leaders, and small business owners, ransomware is pervasive and evolving quickly. As evidence, a recent report indicated that roughly half of all state and local governments worldwide were victims of a ransomware attack in 2021.
However, there are important steps that can be taken along the path to digital transformation to minimize the risk associated with these attacks. As companies consider the evolution of their strategy for combating ransomware, there are five key strategies that help reduce the risks inherent in an attack:
1. Prevent phishing attacks and access to malicious websites
Companies must be able to inspect all Internet bound traffic from every endpoint, especially mobile, and block malicious connections. This challenge is significantly more complex than simply inspecting corporate email. In fact, because bad actors are highly tuned to user behavior, most threat campaigns generally include both a traditional and mobile phishing component to the attack.
Bad actors are highly tuned to user behavior as they look to perpetuate their attacks, and SMS/messaging apps provide considerably higher response rates. To quantify, SMS has a 98% open rate and an average response time of just 90 seconds. The same stats for email equate to a 20% open rate and a 1.5-hour response time, which helps explain why hackers have pivoted to mobile to initiate ransomware attacks.
As a result, Secure Web Gateway (SWG) and Mobile Endpoint Security (MES) solutions need to work in concert to secure every connection to the Internet from any device. Both SWG and MES perform similar functions specific to inspecting web traffic, but they do it for different form factors and operating systems. The data protections of SWG are primarily available on traditional endpoints (Windows, macOS, etc.), whereas MES addresses the mobile ecosystem with protections for iOS and Android. Because ransomware can be initiated in many ways, including but not limited to email, SMS, QR codes, and social media, every organization must employ tools to detect and mitigate threats that target all endpoints.
2. Prevent privilege escalation and application misconfigurations
Another tell-tale sign of a possible ransomware attack is the escalation of privileges by a user within the organization. Hackers will use the compromised credentials of a user to access systems and disable security functions necessary to execute their attack. The ability of the IT organization to recognize when a user’s privileges have been altered is made possible through UEBA (User and Entity Behavior Analytics). Many times, hackers will modify or disable security functions to allow them easier access and more dwell time within an organization, so they can identify more critical systems and data to include in their attack. Abnormal behavior such as privilege escalation or “impossible travel” is an early indicator of a ransomware attack, and identifying it is a key aspect of any UEBA solution. For example, if a user logs into their SaaS app in Dallas and an hour later in Moscow, your security staff need to be aware, and you must have tools to automate the necessary response, which starts with blocking access for that user.
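To make the “impossible travel” signal concrete, here is an added example (not code from the original post, nor any vendor’s UEBA product) that flags consecutive sign-ins by the same user whose implied travel speed is not physically plausible; the city coordinates, the speed threshold and the sign-in events are constructed assumptions.

```python
"""Impossible-travel check over constructed SaaS sign-in events (added example).
Assumes each event carries a user id, a UTC timestamp and a geolocated city."""
from collections import namedtuple
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed city -> (lat, lon) table; real deployments geolocate the client IP.
CITIES = {"Dallas": (32.78, -96.80), "Moscow": (55.76, 37.62), "Austin": (30.27, -97.74)}
MAX_PLAUSIBLE_KMH = 1000.0  # assumed threshold: roughly a commercial flight's speed
SignIn = namedtuple("SignIn", "user ts city")  # one sign-in event

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs given in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, from_city, to_city, implied_kmh) for every consecutive pair
    of sign-ins by one user whose implied travel speed exceeds max_kmh."""
    by_user = {}
    for e in sorted(events, key=lambda e: (e.user, e.ts)):
        by_user.setdefault(e.user, []).append(e)
    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            if prev.city == cur.city:
                continue
            hours = (cur.ts - prev.ts).total_seconds() / 3600
            dist = haversine_km(CITIES[prev.city], CITIES[cur.city])
            # Two cities at the same instant cannot be explained by any travel.
            speed = dist / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                alerts.append((user, prev.city, cur.city, speed))
    return alerts

def at_hour(hour):
    return datetime(2022, 6, 1, hour, 0, tzinfo=timezone.utc)

# Constructed sample: alice is the Dallas-then-Moscow case from the text,
# bob drives from Dallas to Austin, carol appears in two cities at the same instant.
SAMPLE_EVENTS = [
    SignIn("alice", at_hour(9), "Dallas"), SignIn("alice", at_hour(10), "Moscow"),
    SignIn("bob", at_hour(9), "Dallas"), SignIn("bob", at_hour(12), "Austin"),
    SignIn("carol", at_hour(8), "Moscow"), SignIn("carol", at_hour(8), "Dallas"),
]

def detect_sample():
    return impossible_travel(SAMPLE_EVENTS)
```

In a real pipeline the alert would feed the automated response the text describes (blocking the user’s access pending review) rather than just being returned.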
3. Prevent lateral movement across applications
After the ransomware attack has been initiated, the next key aspect of the attack is to obtain access to other systems and tools with high value data that can be leveraged to increase the ransom. Therefore, businesses should enable segmentation at the application level to prevent lateral movement. Unfortunately, with traditional VPNs, access management can be very challenging. If a hacker were to compromise a credential and access company resources via the VPN, every system accessible via the VPN could now be available to expand the scope of the attack.
Current security tools such as Zero Trust Network Access prevent that lateral movement by authenticating the user and his/her privileges on an app-by-app basis. That functionality can be extended by utilizing context to manage the permissions of that user based on many factors, such as which device is being used for the request (managed vs. unmanaged), the health status of the device, time of day/location, file type, data classification such as confidential/classified, user activity such as upload/download, and many more. A real-world example would allow a user view-only access to non-sensitive corporate content from a personal tablet to perform their job, but would require the data to be accessed via a managed device if they were to take any action such as sharing or downloading that content.
4. Minimize the risk of unauthorized access to private applications
It is essential for companies to ensure that corporate/proprietary apps and servers aren’t discoverable on the Internet. Authorized users should only get access to corporate information using adaptive access policies that are based on users’ and devices’ context. Whether these applications reside in private data centers or IaaS environments (AWS, Azure, GCP, etc.), the same policies for accessing data should be consistent. Ideally, they are managed by the same policy engine to simplify administration of an organization’s data protections. One of the most difficult challenges for security teams in deploying Zero Trust is the process of creating policy. It can take months or even years to tune false positives and negatives out of a DLP policy, so a unified platform that simplifies the management of those policies across private apps, SaaS, and the Internet is absolutely critical.
5. Detect data exfiltration and alterations
A recent trend amongst ransomware attacks has included the exfiltration of data in addition to the encryption of the critical data. In these examples, the data that was stolen was then used as leverage against their victim to encourage the payment of the ransom. LockBit 2.0 and Conti are two separate ransomware gangs notorious for stealing data for the purposes of monetizing it and at the same time using it to damage the reputation of their targets.
Hence, companies must be able to leverage the context- and content-aware signals of their data to help mitigate malicious downloads or modifications of that data. At the same time, it is just as important that these signals travel with the files throughout their lifecycle, so that the data remains encrypted when accessed by an unauthorized user, thereby preventing them from viewing the content. Enterprise Data Rights Management and DLP together can provide this functionality, which serves as an important toolset to combat ransomware attacks by minimizing the value of the data that is exfiltrated.
It should also be noted that this functionality is just as important when considering the impact to compliance and collaboration. Historically, collaboration has been thought to increase security risk, but the ability to provide data protections based on data classification can dramatically improve a company’s ability to collaborate securely while maximizing productivity.
As stated above, there is considerably more to preventing ransomware attacks than good endpoint security hygiene. With the reality of remote work and the adoption of cloud, the task is significantly more challenging but not impossible. The adoption of Zero Trust and a data protection platform that includes critical capabilities (UEBA, EDRM, DLP, etc.) enables companies to provide contextually aware protections and to understand who is accessing data and what actions are being taken, which are key indicators that can be used to identify and stop ransomware attacks before they occur.
For more information regarding how to protect your business from the perils of ransomware, please reach out to your assigned AT&T account manager or click here to learn more about how Lookout’s platform helps safeguard your data.
This is part two of a three-part series, written by an independent guest blogger. Please keep an eye out for the last blog in this series which will focus on the need to extend Endpoint Detection and Response capabilities to mobile.
Clever — and Exploitable — Windows Zero-Day
Europol Confirms Takedown of SMS-based FluBot Spyware
The action was prompted by the Android malware spreading aggressively through SMS around the world
CVE-2021-27914
A cross-site scripting (XSS) vulnerability in the installer component of Mautic before 4.3.0 allows admins to inject executable javascript
How Can We Strengthen the Cybersecurity of Critical Infrastructure? Here Are My Suggestions for CISOs, Regulators, Vendors – and All Citizens
A year after the ransomware attack against the Colonial Pipeline, what can we do to further harden the IT and OT systems of power plants, fuel pipelines, water treatment plants and similar critical infrastructure facilities?
The Colonial Pipeline’s shutdown after a ransomware attack in May 2021 put a massive spotlight on the importance of protecting the IT and OT systems of critical infrastructure providers.
With major disruptions to gasoline, diesel and jet fuel distribution across multiple U.S. states lasting about a week, the incident prompted reactions at the highest levels of government and industry, including the drafting of new rules and regulations.
A year later, the initial shock of the Colonial Pipeline hack has passed, but the concern remains very much front and center. What can we do to further harden the cybersecurity of power plants, fuel pipelines, water treatment plants and similar facilities?
As someone who worked as an ICS engineer – tasked with building, maintaining and troubleshooting industrial control systems – before specializing in OT cybersecurity, the issue is near and dear to my heart.
I’ve recently participated in discussions about this matter, including in a podcast and a LinkedIn Live session, and I’d like to share here some concrete steps I’ve talked about that we can all take – the U.S. government, CISOs, cybersecurity vendors and the public at large.
CISOs, CIOs and business leaders
CISOs, CIOs and business leaders at these critical infrastructure providers must recognize that, as the operations in these plants and facilities get increasingly digitized, more resources must naturally be allocated to cybersecurity. I’m not necessarily advocating for an increase in cybersecurity spending, but rather that it should be prioritized on the “crown jewels,” which in my mind are the OT and ICS systems.
IT and cybersecurity leaders must also recognize that the most critical component in the cyber protection of OT systems is the people involved in it. As such, you can’t expect ICS engineers with no training or experience in cybersecurity to add on cybersecurity tasks to their regular job of keeping the plant running. You need a dedicated, experienced and trained team for OT cybersecurity.
Once you have OT cybersecurity specialists on board, you should make sure they shadow their ICS engineer peers, so that they can get a hands-on understanding of how the facility operates, and a clearer sense of the implications that cybersecurity decisions can have on operations.
It’s critical to have full visibility into all IT and OT systems – not just the prominent, obvious ones like enterprise applications, web servers and billing environments. Your weakest link is often a system that’s tucked away in a closet or hidden under a desk and that was once installed as a stopgap and promptly forgotten, so it’s underprotected. You must make an effort to compile a comprehensive inventory of all your systems, and gain an understanding of the role each one plays.
Fix or mitigate your vulnerabilities, because they’re the low-hanging fruit that ransomware operators look for, and ICS environments are particularly at risk due to the prevalence of legacy software in them.
Vendors
ICS vendors must make their wares more secure. Many legacy ICS systems are insecure by design. They should be re-designed from the ground up with default security features and capabilities, such as secure protocols and approved mechanisms for authenticated firmware updates.
OT cybersecurity vendors must recognize that the ultimate goal of the technology they market is to keep critical infrastructure safe for the benefit of everybody in our society. As such, they should compete on the merits of their products, not on imposing proprietary technology that locks customers into their vendor ecosystem. Equally as important is to have a spirit of cooperation and open communication, despite their competitive differences, so that they can collaborate on advancing OT cybersecurity technology that better protects critical infrastructure. That’s why at Tenable we helped launch the Operational Technology Cybersecurity Coalition, where we advocate for the development of vendor-neutral, interoperable, standards-based cybersecurity solutions.
The U.S. government
It’s the role of the government to issue rules and regulations to ensure that a baseline standard of care is applied to safeguard the OT and IT systems of critical infrastructure providers. To be truly effective, these requirements should be outcome-oriented – meaning, they should outline goals and achievements that should be attained. They’ll be less impactful if they’re overly detailed and prescriptive from a technical standpoint, because the government’s regulatory wheel typically turns slowly, and the mandates will soon become outdated as the technology changes quickly.
The government does a great job of designing and carrying out exercises for its agencies to practice responses to crisis situations. It’d be great if the government shared its OT cybersecurity exercises with the private sector, which in turn could help the government better understand in more detail the wide variety of ICS deployments in operation across the country.
Regular citizens
The cybersecurity of our critical infrastructure should be everyone’s concern – even the large majority of people who aren’t in the first three buckets I addressed above. Here’s what you can do: Let your voice be heard. Get involved. Phone your state and local representatives. Participate in public forums where decision makers take feedback from residents. Be ready to have meaningful conversations with them. This isn’t someone else’s problem. It affects all of us.
If you’re interested in learning more about these topics, I invite you to listen to my recent conversations on the podcast The State of OT Security, a Year Since Colonial Pipeline with my Tenable colleague Dan Raywood, and on the LinkedIn Live session Colonial Pipeline One Year Later: What Have (and Haven’t) We Learned? with CNN cybersecurity reporter Sean Lyngaas.
You may also be interested in tuning into a transport-focused OT webinar we’re hosting on June 15 at 2 pm ET – Unpacking Some of the Most Common Cybersecurity Challenges Facing Your Transportation-Sector Business – with panelists from the U.S. Transportation Security Administration (TSA) and two of our partners. Sign up for this webinar today!
Logic bomb attacks: 4 famous examples
What is a logic bomb?
A logic bomb is a piece of code left lying in wait on a computer that will execute under certain specified conditions and take actions the owner of that computer would consider malicious. The actual code that does the dirty work, sometimes referred to as slag code, might be a standalone application or hidden within a larger program.
While logic bombs are sometimes delivered via the same techniques that can infect your computer with viruses or other malware, more often they’re planted by insiders with privileged access to the system being attacked—and can therefore be quite tricky to detect.
Are logic bombs viruses?
A logic bomb isn’t a virus, but it could be spread by one. Unlike a virus, the distinguishing characteristic of a logic bomb isn’t how it spreads, but how it’s triggered.
openssl-3.0.3-1.fc36
FEDORA-2022-249a08e2cc
Packages in this update:
openssl-3.0.3-1.fc36
Update description:
Rebase to upstream version 3.0.3
CVE-2020-26185
Dell BSAFE Micro Edition Suite, versions prior to 4.5.1, contain a Buffer Over-Read Vulnerability.
CVE-2020-26184
Dell BSAFE Micro Edition Suite, versions prior to 4.5.1, contain an Improper Certificate Validation vulnerability.