North Korea Now Suspected in Ransomware Attack

The massive cyberattack that has struck businesses, government agencies and citizens in more than 150 countries may be tied to hackers affiliated with North Korea. Called WannaCry, the ransomware encrypts the victim’s hard drive and demands a ransom of about $300 in the virtual currency bitcoin.

According to the Washington Post:

Several security researchers studying “WannaCry” on Monday found evidence of possible connections to, for instance, the crippling hack on Sony Pictures Entertainment in 2014 attributed by the U.S. government to North Korea. That hack occurred in the weeks before Sony released a satiric movie about a plot to kill North Korean leader Kim Jong Un.

The New York Times reported that the malicious software, based on a vulnerability included in the National Security Agency tools published by the Shadow Brokers hacker group, was distributed via email. The ransomware takes advantage of vulnerabilities in Microsoft Windows systems, generating the largest ransomware attack to date. Although the flaw was patched by the company months ago, the wide spread of the attack illustrates how many users fail to update their software. Institutions and government agencies affected included the Russian Interior Ministry, FedEx in the United States and Britain’s National Health Service.

Organizations are advised to save their data and take other measures to avoid being hacked. Kroll said that while the particular ransomware variation involved in hundreds of thousands of incidents has now been rendered largely harmless, its cyber security and investigations team “strongly recommends that organizations recognize that a small change in the malware code could reactivate it. So action should be taken in conjunction with your technology unit to reduce your risk and prepare for inevitable future similar attacks. If the malware has entered your network, it has the ability to spread—and spread rapidly.”

According to Kroll:

  • Obsolete versions of Microsoft Windows are particularly vulnerable. We understand that there may be very specific circumstances that require you to use versions that are no longer supported, but now is the time to revisit the topic. See if there is any way you could use a supported operating system running a virtual version of the operating system you need.
  • Microsoft has been working to roll out updates that can fix the underlying security weakness that this malware exploits. You should make sure that both your personal and business machines running Windows are updated. We know that many people don’t want to take the time to close out all their files and restart their computers to allow updates to occur, but this is an important defense against the WannaCry ransomware. As an indicator of how serious the threat is, note that Microsoft has even released a security patch for the old Windows XP system. Please take steps to assure that all relevant machines running the Windows operating system are updated.
  • Organizations that don’t have well-thought-out backup and recovery plans are also very vulnerable. Management should be asking if there is a plan to assure that all important files are backed up in a way that will prevent a ransomware infection from attacking both the primary files and the backups.

President Trump ordered homeland security adviser Thomas P. Bossert to coordinate a government response to the spread of malware and find out who was responsible. According to the Times:

“The source of the attack is a delicate issue for the United States because the vulnerability on which the malicious software is based was published by a group called the Shadow Brokers, which last summer began publishing cybertools developed by the National Security Agency.”

Government investigators, while not publicly acknowledging that the computer code was developed by American intelligence agencies, say they are still investigating how the code got out. There are many theories, but increasingly it looks as though the initial breach came from an insider, perhaps a government contractor.

In a report, How to Protect Your Networks from Ransomware, the U.S. government recommends that users and administrators take preventative measures, including:

  • Implement an awareness and training program. Because end users are targets, employees and individuals should be aware of the threat of ransomware and how it is delivered.
  • Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate inbound email using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent email spoofing.
  • Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.
  • Configure firewalls to block access to known malicious IP addresses.
  • Patch operating systems, software, and firmware on devices. Consider using a centralized patch management system.
  • Set anti-virus and anti-malware programs to conduct regular scans automatically.
  • Manage the use of privileged accounts based on the principle of least privilege: no users should be assigned administrative access unless absolutely needed; and those with a need for administrator accounts should only use them when necessary.

8 Steps to Stronger Passwords Enterprise-Wide

Passwords remain one of the most critical security controls widely used to protect and secure company infrastructure and data. While the need for strong passwords has long been discussed, they continue to be the difference between a secure infrastructure and a potential cyber catastrophe.

Last year was extremely busy in cybercrime, with more than 3 billion credentials and passwords stolen and disclosed on the internet. That works out to a rate of 8.2 million credentials and passwords each day or 95 passwords every second.

Passwords have always been a good security control, but password strength and how they are processed make a major difference in how secure they really are. For example, it is critical to choose an easy password to remember, keep it long, and use some complexity and uniqueness. In addition, how the password is processed and stored in an encrypted format plays a major role in password security.

Here are eight easy steps to get in control and ensure passwords are strong and secure:

  1. Go with encryption: Passwords cannot be left in plain text ever and especially not in an Excel document. Always store passwords with encryption.
  2. Escape complexity: Focus on teaching your end users to use longer and more easily remembered passwords, like password phrases. Don’t let them get bogged down with having to remember special character requirements.
  3. Teach employees: Continued training is critical and is the most important step in implementing your policy. Make sure your users understand their role, prepare quarterly reviews, and make it fun with incentives.
  4. Size matters: The longer the password, the harder for a hacker to break. Make human passwords at least eight characters long and systems passwords 12-50 characters.
  5. Trust no one: Two-factor authentication is a must! No matter the size of your organization, there are two-factor options for you, like RADIUS tokens, DUO, or Google Authenticator.
  6. Omit duplicates: Use a unique password for each of your accounts. The same password should never be used more than once!
  7. No cheating: Remembering a long password can be difficult, but don’t allow password hints. These just make it easier for hackers to get in.
  8. Get a vault: Start using a trusted password manager to enforce strong password best practices. This way, users can always generate long and complex passwords, never have to remember all their passwords and, if you use a vault for your IT team, you can find one that automatically changes your admin passwords. When it comes to IT, automation is key to preventing a breach.

For more information on what’s expected in relation to security and passwords, check out Thycotic’s recent report on the current and future state of password security.

Most Organizations Deny Prevalence of Fraud

At a loss of more than $6 billion annually, experts have found fraud occurs in most organizations, but 80% of respondents to a recent survey by ACL believe their organization has “medium to no” exposure.

The 2017 Fraud Survey of more than 500 professionals in the United States and Canada found that “alternative facts” extend to the mentality among many businesses.

“As the phenomena of ‘fake news’ and ‘alternative facts’ permeate the U.S. landscape, it is interesting to see how disconnected many executives are from the true prevalence of fraud and corruption in their organizations,” said Dan Zitting, chief product officer at ACL, a risk management software provider. He added that companies increasingly discover they have had “numerous instances of potential fraud” that need to be investigated.

Almost two-thirds of respondents (63%) also said that most instances of fraud committed in their organizations are not detected, and more than 75% said that at least some of the fraud that is detected goes unreported.

Respondents noted that a company’s fraud experts can feel pressure from senior leaders, direct managers and even peers to suppress or alter their fraud findings. While the existence of internal pressure is no surprise to most, the survey confirmed that pressure from all sides makes fraud harder to overcome.

“As long as companies refuse to admit that fraud exists, the fraud will continue,” Zitting said. “As unscrupulous employees and vendors realize the company’s ignorance, the problem has great potential to grow.”

According to ACL:
2017 Fraud Survey Results

Closing the Vendor Security Gap

What do organizations really know about their relationships with their vendors?

It’s a question that most companies can’t answer, and for many, that lack of knowledge could represent increased risk of a security breach. This year, Bomgar conducted research into vendor security on a global scale, and the findings underscore that much work remains to be done to shore up third-party security.

The 2016 Vendor Vulnerability Index report produced eye-opening results that should be a wake-up call for business leaders, CIOs and senior IT managers. The survey of more than 600 IT and security professionals explores the visibility, control, and management that organizations in the U.S. and Europe have over external parties accessing their IT networks. Some of the most surprising statistics are summarized below:

  • An average of 89 vendors are accessing a company’s network every week.
  • 92% of respondents reported they trusted their vendors completely or most of the time.
  • 69% said they definitely or possibly suffered a security breach resulting from vendor access in the past year.
  • In the U.S., just 46% of companies said they know the number of log-ins that could be attributed to vendors.
  • Only 51% enforce policies around third-party access.

It’s evident from these findings that third-party access is pervasive throughout most organizations. What’s more, this practice is likely to grow—75% of the respondents stated that more vendors access their systems today than did two years ago. An additional 71% believe this number will continue to increase for another two years.

Two-thirds of those polled admit they have a tendency to trust vendors too much—confidence that should be questioned based on the results of this report. The data revealed that, while most organizations place a high level of trust in their vendors, they still have a low level of visibility into how vendors are accessing their systems.

This contradiction is not something organizations should take lightly. As noted above, 69% of respondents admitted they had either definitely or possibly suffered a security breach resulting from vendor access. An additional 77% believe their company will experience a security issue within the next two years as a result of vendor activity on their networks.

As an organization’s network of vendors grows, so too does the risk of a potential breach. For most companies, it is essential that third-parties have access to sensitive systems as a course of doing business—the question centers on how to grant this access securely.

Historically, companies have used VPNs to provide network access to third-parties. While appropriate for the intended end-user—remote and/or traveling employees—issues arise when the scope of VPN is trusted to manage connections from external groups. If a system connected via VPN is exploited and used as a point of persistence for leap-frogging into the broader network, hackers can persist for days or months and move stealthily about the network. Companies have also seen malicious (or well-intentioned) insiders choosing to abuse their access to steal or leak sensitive information, as this is all made fairly trivial when leveraging open-ended VPN connectivity.

To balance the dual demands of access and security, companies need a solution that allows them to control, monitor and manage how external parties are accessing their systems. Rather than providing “the keys to the kingdom,” a modern secure access solution enables organizations to grant vendors and other third-parties access only to the specific systems and applications needed to do their jobs.

To ensure security, organizations should also select a secure access solution that provides video and text logs of all session activity. This allows companies to monitor how remote access is being used and, perhaps more importantly, by whom. With this technology, any suspicious activity can be immediately flagged for further investigation. In addition, these session forensics can help companies meet internal and external compliance requirements.

Another secure access best practice is to employ a password/credential vaulting solution. This enables organizations to mitigate the risk of credentials shared between privileged users, which are often the target of a threat actor. It also reduces the risk of what system administrators often think of as “the stickynote nightmare,” where a sensitive credential is written on a stickynote and stuck on someone’s monitor for all who walk by to see. Password vaulting technologies also help with the dangers posed by embedded system service accounts that have administrative privileges and are rarely rotated for fear of bringing critical business services down. A small, yet strong initiative to protect network security would include requiring every privileged user to access credentials required for elevated work via checking out of a password vault. This removes most of the challenges associated with sharing credentials as, once they are checked back in, those credentials can be immediately rotated and thus become unknown to the employee or the bad actor who may have stolen them. Incorporating multi-factor technology in order to access the password vault and other sensitive systems takes it a step further.

In today’s heightened environment, following these steps should be essential security best practices for any company allowing vendors or other third-parties to access their network.

The Vendor Vulnerability Index report suggests that companies are aware of the threats posed by ineffective management and poor visibility into vendor access. Yet, as the data shows, just slightly over half of the respondents are enforcing any policies around third-party access. In light of these findings, companies should also ensure that they are properly screening any third-parties with whom they share network access. For example, does the vendor provide security awareness training as part of their employee on-boarding process? Asking this and similar questions will give companies a clearer picture of the vendor’s security ethos, and help them to determine if the partnership is a good fit to begin with.

In order to combat this growing vulnerability, organizations need granular control over external access. Only with such a solution in place can companies feel confident that their vendors won’t unintentionally become their weakest security link.