
Five Strategies to Protect Against Ransomware and Other Cyberattacks

As organizations continue to adapt to remote or hybrid work models, it has never been more vital to have a robust cybersecurity program to protect against ransomware and other cyberattacks on company systems and personnel. Ransomware has proven a particular risk in recent years: the Colonial Pipeline attack and myriad attacks on health care organizations demonstrated that the impact of a cyberattack reaches beyond financial loss into everyday life and business operations.

Ransomware and other cyberattacks are always evolving. Attackers are constantly finding new ways to infiltrate environments while trying to stay undetected. Attacks can exploit weaknesses at many different points in an organization’s ecosystem, including firewall configuration, patch management, network segmentation and defensive technology. The following five strategies can help companies mitigate cyberrisk and respond to threats quickly and efficiently:

1. Strengthen Asset Inventory
You cannot protect what you do not know exists or cannot see. An effective asset management program significantly increases visibility and can rapidly provide detailed information about affected systems in the event of a cyberattack. Organizations should document system or device types, operating systems and software in use. To go further, document which ports and services each system uses for its business functions, and use that record as the baseline for future firewall rules and network exceptions: anything listening or connecting outside the documented set is then a deviation worth a look. A strong inventory program is key for every organization, but it is even more important in remote work environments, where devices are rarely on a network you control.

2. Conduct Security Awareness Training
A comprehensive and effective security awareness program for employees benefits the organization at large. An efficient security awareness program extends visibility and cyber threat detection beyond defensive technologies applied in the environment by empowering people to be a critical line of defense. A robust security awareness training program allows employees to assist with the detection of network anomalies, suspicious emails and other potential threats.

3. Assess Antivirus and Endpoint Detection and Response Programs
Traditionally, antivirus programs have helped detect malicious activity. The problem with the traditional approach in modern cybersecurity is that attackers regularly repack and obfuscate their code to bypass signature-based antivirus products. An endpoint detection and response (EDR) product instead detects malicious programs and activity from behavioral telemetry collected on the endpoint (process, file, registry and network activity), rather than from signatures alone, and records enough context to respond. If purchasing and implementing an EDR solution is not viable, consider additional layers of defense around the antivirus software, such as application allow-listing and centralized logging. Ultimately, the goal is to increase visibility and the ability to alert on suspicious activity.

4. Monitor and Detect New Processes
In addition to keeping an asset inventory, an organization should document the legitimate processes and software that run on its systems. Once an attacker has gained access to an environment, the ransomware payload is typically downloaded to the victim host and executed from there, often from a user-writable location such as a temporary or download directory. Visibility into which executables run, and from where, lets IT and information security teams detect programs or processes that deviate from the documented norm and allows operations and incident response teams to respond quickly when they do.
One example is Microsoft Windows’ AppLocker, which logs an event whenever an executable that does not match the baseline rules is launched, such as when an attacker attempts to run a dropper that was written outside the approved program directories. With baseline rules deployed in audit-only mode, AppLocker writes a warning event with ID 8003 (the file ran but would have been blocked had the policy been enforced); in enforced mode it writes event ID 8004 when it blocks the file. Either event can be forwarded to a security information and event management (SIEM) product or log aggregator, parsed, and monitored by the IT or information security team.
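The following is an added example (not code from the article) of the SIEM-side logic for the AppLocker events described above: it parses events in the Windows event XML shape, drops audit-only (8003) events for executables that already fall inside a documented baseline, and alerts on the rest, raising severity when one host and user produce several out-of-baseline executions in the same batch. The event IDs and XML namespaces are the real AppLocker ones; the sample events, host names, users and baseline path prefixes are constructed for illustration.

```python
"""Added example: triage AppLocker 8003/8004 events against an allow-list baseline.
Sample events and the baseline below are constructed, not real telemetry."""
import xml.etree.ElementTree as ET
from collections import Counter

EVENT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
DATA_NS = "{http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0}"

# Event IDs from the "Microsoft-Windows-AppLocker/EXE and DLL" channel.
AUDIT_WOULD_BLOCK = 8003   # audit-only policy: file ran, but would have been blocked
BLOCKED = 8004             # enforced policy: execution was prevented

# Hypothetical baseline: AppLocker-style path prefixes where the organization
# expects executables to live (AppLocker reports paths upper-cased with variables).
BASELINE_PREFIXES = ("%WINDIR%\\", "%PROGRAMFILES%\\")


def make_event(event_id, computer, user, path, when):
    """Build a constructed event in the shape AppLocker writes to the event log."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-AppLocker"/>
    <EventID>{event_id}</EventID>
    <TimeCreated SystemTime="{when}"/>
    <Computer>{computer}</Computer>
  </System>
  <UserData>
    <RuleAndFileData xmlns="http://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0">
      <PolicyName>EXE</PolicyName>
      <TargetUser>{user}</TargetUser>
      <FilePath>{path}</FilePath>
    </RuleAndFileData>
  </UserData>
</Event>"""


SAMPLE_EVENTS = [  # constructed sample batch, e.g. one SIEM poll interval
    make_event(8003, "WS01", "CORP\\alice", "%OSDRIVE%\\USERS\\ALICE\\APPDATA\\LOCAL\\TEMP\\UPDATE.EXE", "2024-03-01T09:02:11Z"),
    make_event(8003, "WS01", "CORP\\alice", "%OSDRIVE%\\USERS\\ALICE\\APPDATA\\LOCAL\\TEMP\\SVCHOST.EXE", "2024-03-01T09:02:14Z"),
    make_event(8004, "FS02", "CORP\\svc-backup", "%OSDRIVE%\\PERFLOGS\\ENC.EXE", "2024-03-01T09:03:40Z"),
    make_event(8003, "WS03", "CORP\\charlie", "%OSDRIVE%\\USERS\\CHARLIE\\DOWNLOADS\\INVOICE.EXE", "2024-03-01T09:04:02Z"),
    make_event(8003, "WS07", "CORP\\bob", "%PROGRAMFILES%\\VENDOR\\TOOL.EXE", "2024-03-01T09:05:00Z"),
]


def parse_event(xml_text):
    """Extract the fields the triage needs from one AppLocker event."""
    root = ET.fromstring(xml_text)
    system = root.find(f"{EVENT_NS}System")
    data = root.find(f"{EVENT_NS}UserData/{DATA_NS}RuleAndFileData")
    return {
        "event_id": int(system.findtext(f"{EVENT_NS}EventID")),
        "computer": system.findtext(f"{EVENT_NS}Computer"),
        "time": system.find(f"{EVENT_NS}TimeCreated").get("SystemTime"),
        "user": data.findtext(f"{DATA_NS}TargetUser"),
        "path": data.findtext(f"{DATA_NS}FilePath"),
    }


def in_baseline(path):
    return path.upper().startswith(BASELINE_PREFIXES)


def triage(xml_events):
    """Return alerts: every 8004, plus every 8003 whose path is outside the baseline.
    A host/user pair with two or more out-of-baseline executions in one batch is
    escalated to high, since several droppers landing in a temp directory in
    quick succession is a common ransomware staging pattern."""
    alerts = []
    per_actor = Counter()
    for ev in (parse_event(x) for x in xml_events):
        if ev["event_id"] not in (AUDIT_WOULD_BLOCK, BLOCKED):
            continue
        if ev["event_id"] == AUDIT_WOULD_BLOCK and in_baseline(ev["path"]):
            continue  # audit-mode event for a path we already trust: keep the log, no alert
        per_actor[(ev["computer"], ev["user"])] += 1
        severity = "high" if ev["event_id"] == BLOCKED else "medium"
        alerts.append({**ev, "severity": severity})
    for alert in alerts:
        if per_actor[(alert["computer"], alert["user"])] >= 2:
            alert["severity"] = "high"
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f'{a["severity"]:6} {a["computer"]:5} {a["user"]:16} {a["event_id"]} {a["path"]}')
```

In production the batch would come from the SIEM or from a collector such as Windows Event Forwarding rather than from the constructed list, and the baseline would be derived from the inventory of documented software rather than hard-coded prefixes.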

5. Network Anomaly Detection
Ransomware moves laterally across the network as it infects systems, and it does so quickly, which raises flags of its own: a single account authenticating to several systems within minutes is one of the clearest. Outside scheduled automation such as backup, patching or vulnerability scanning, it is uncommon for systems or domain administrators to connect to many internal systems rapidly and at scale. To differentiate legitimate from potentially malicious activity, network administrators must first document legitimate network connections and known behaviors, including which accounts and hosts are expected to fan out in this way. This establishes a baseline of inbound and outbound connectivity for the organization’s servers. Once that baseline exists, defensive technologies and monitoring programs can alert when deviations occur, so create alerts in firewalls and SIEM solutions to detect and respond to such network anomalies quickly.
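As an added example (not code from the article) of the detection described above, the following applies a sliding window per account and source host to a batch of successful-logon records and alerts when one actor reaches a threshold of distinct destination hosts inside the window, after first removing the actor pairs the organization has documented as legitimate fan-out (backup and scanning accounts). The logon records, host and account names, baseline and thresholds are all constructed for illustration.

```python
"""Added example: detect rapid authentication fan-out from one account/source to many
hosts, with a documented-baseline exclusion. All data below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records in the shape a SIEM hands back for successful logons
# (for instance Windows 4624 logon type 3 events, or SSH "Accepted" lines):
# (timestamp, account, source host, destination host)
SAMPLE_LOGONS = [
    ("2024-03-01T09:00:05Z", "CORP\\svc-backup", "BKP01", "FS01"),
    ("2024-03-01T09:00:06Z", "CORP\\svc-backup", "BKP01", "FS02"),
    ("2024-03-01T09:00:07Z", "CORP\\svc-backup", "BKP01", "FS03"),
    ("2024-03-01T09:00:08Z", "CORP\\svc-backup", "BKP01", "FS04"),
    ("2024-03-01T09:12:01Z", "CORP\\alice", "WS01", "FS01"),
    ("2024-03-01T09:12:03Z", "CORP\\alice", "WS01", "WS02"),
    ("2024-03-01T09:12:04Z", "CORP\\alice", "WS01", "WS03"),
    ("2024-03-01T09:12:09Z", "CORP\\alice", "WS01", "WS04"),
    ("2024-03-01T09:12:10Z", "CORP\\alice", "WS01", "WS05"),
    ("2024-03-01T09:40:00Z", "CORP\\bob", "WS09", "FS01"),
    ("2024-03-01T10:30:00Z", "CORP\\bob", "WS09", "WS02"),
]

# Hypothetical documented baseline: (account, source host) pairs that are expected
# to connect to many systems quickly, e.g. backup jobs, patching, vulnerability scanners.
DOCUMENTED_FANOUT = {("CORP\\svc-backup", "BKP01")}

WINDOW = timedelta(minutes=5)   # how far apart logons may be and still count together
THRESHOLD = 4                   # distinct destinations inside WINDOW that trigger an alert


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def detect_fanout(logons, window=WINDOW, threshold=THRESHOLD, baseline=DOCUMENTED_FANOUT):
    """Group logons by (account, source), slide a time window over each group and
    report the widest set of distinct destinations seen inside any window, once per
    actor, when it reaches the threshold."""
    by_actor = defaultdict(list)
    for ts, account, source, destination in logons:
        if (account, source) in baseline:
            continue  # documented fan-out: still logged, never alerted
        by_actor[(account, source)].append((parse_ts(ts), destination))

    alerts = []
    for (account, source), events in by_actor.items():
        events.sort()
        best_hosts, best_span = set(), (None, None)
        start = 0
        for end in range(len(events)):
            # shrink the window from the left until it spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            hosts = {dst for _, dst in events[start:end + 1]}
            if len(hosts) > len(best_hosts):
                best_hosts, best_span = hosts, (events[start][0], events[end][0])
        if len(best_hosts) >= threshold:
            alerts.append({
                "account": account,
                "source": source,
                "first": best_span[0].isoformat(),
                "last": best_span[1].isoformat(),
                "hosts": sorted(best_hosts),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_fanout(SAMPLE_LOGONS):
        print(f'{alert["account"]} from {alert["source"]} reached {len(alert["hosts"])} hosts '
              f'between {alert["first"]} and {alert["last"]}: {", ".join(alert["hosts"])}')
```

Tune the window and threshold against a week of your own logon data before enabling paging; the baseline set is what keeps legitimate automation from burying the one alert that matters, so it should be maintained alongside the asset inventory rather than in the detection rule itself.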

As cybercriminals become more advanced, cybersecurity programs must also evolve to identify and prevent malicious behavior. By implementing the best practices and strategies mentioned above, organizations can dramatically reduce their exposure to ransomware and other cyberattacks.

Cyberrisk Management Tips for Businesses Amid the Russia-Ukraine War

A wide range of risks are trickling down from Russia’s assault on Ukraine, from sanctions compliance to supply chain disruption to business interruption. Cyberrisk has also drawn considerable concern, and the threat landscape continues to evolve rapidly, though the details of increased cyberattack activity are not yet fully known and may be largely unfolding below the surface right now. Attacks attributed to Russia have been launched against a range of targets in Ukraine, including new destructive malware campaigns, targeted information-gathering against civilian and government targets, and attacks on critical infrastructure.

Concerns about escalating cyber activity around the crisis are a vivid reminder of the importance of knowing your threat model and adjusting your risk management priorities accordingly. According to experts ranging from independent cybersecurity professionals to officials at the Cybersecurity and Infrastructure Security Agency (CISA), organizations at greatest risk right now include critical infrastructure, banks and other financial services firms, and of course key service providers in Ukraine or Russia.

Spill-over to other businesses is more likely with cyber conflict than with conventional conflict, however, particularly given that Russia is one of the most advanced and aggressive nation-state cyber threat actors. Remember that the crippling global attack known as NotPetya, which upended supply chains in 2017, resulted from a Russian cyberattack on Ukraine. That is not to say that there is necessarily cause for panic, simply that the effects of cyber conflict can be unexpected, widespread and potentially severe.

At this point, for most companies that are not in a high-risk position as a direct result of the war, the best course of action for risk professionals is to focus on ensuring your company has an updated and detailed incident response plan on hand and distributing it to relevant members of the organization, reviewing and potentially strengthening your general cybersecurity posture, and reminding employees about cyber hygiene.

For example, given the tragic events and breaking developments around the conflict, many may be glued to news or social media. Unfortunately malicious actors are known to take advantage of such situations by posting phishing links on social media with alleged news updates or email scams that purport to collect charity donations. Remind employees about these perils and offer refreshers on how to spot phishing scams and the need to exercise caution with links in emails or on social media.

“In addition to taking a fresh look at plans and other policies within an organization’s cybersecurity risk framework, businesses should consider a few common-sense tips to prepare for a potential cyber incident,” advised Annmarie Giblin, partner at Hinshaw & Culbertson and leader of the firm’s data privacy and cybersecurity practice. Giblin recommended risk professionals take the following steps to boost cyberrisk management efforts right now:

  1. Print out a hard copy of any necessary policies and plans, like the cyber incident response plan, the business’ cyber insurance policy and a contact list for the organization, so you have them available in the event you cannot access your system and need to communicate with employees through alternative methods.
  2. Remind your employees about common cyber scams and reiterate that there will be no retaliation for reporting a cybersecurity mistake, such as clicking on a bad link.
  3. Have key members of the executive team and incident response team set up a secure but alternate method of communication, such as sharing phone numbers or creating a different off-system email address to communicate in the event the business’ systems are not available or not trusted.
  4. Keep track of the latest threats and get the research over to your IT team so they can update your firewall, and/or contact the business’ security services provider and make sure they are aware of and addressing these new malware strains.
  5. Evaluate and, if possible, test your business continuity plans. Organizations should be asking themselves, “What does the work day look like without access to the business’ systems?” and “How can we still work without any technology support?”

Cyber insurance firm Coalition has put together a guide to basic cybersecurity measures to help organizations—policyholders and otherwise—proactively manage cyberrisk and reduce the likelihood of a cybersecurity incident. The guide provides 10 key steps to help improve cyberrisk management, highlighting the basics of each mitigation measure, tips on how to implement, and even some vendor suggestions for credible options, if desired. Coalition notes this may be particularly helpful for small and mid-sized businesses that do not necessarily have dedicated in-house information security experts, but it could also be worth a look for any risk professional who wants an overview of mitigations that should be in place or ways to fill those gaps. Check it out here: https://info.coalitioninc.com/rs/566-KWJ-784/images/DLC-2020-12-2021-Coalition-Cybersecurity-Guide.pdf

For more resources on cyberrisk management best practices, cyber incident response, cyber insurance considerations, and more, check out Risk Management Magazine’s extensive cyber coverage here. Some of the highlights below can help address key concerns that you—or your board—may have right now, and offer actionable strategies to strengthen your cyberrisk readiness and boost employee cyber hygiene:

Ransomware Down, Extortion and Email Fraud Up in 2018, Proofpoint Finds

Ransomware may have waned at the end of last year, but that gave way to straight-up extortion, according to Proofpoint’s newest Quarterly Threat Report, Q4 2018.

Despite a slight resurgence in the middle of last year, ransomware strains appeared in “relatively small, sporadic email campaigns” that by Dec. 31, 2018, comprised one-tenth of 1% of overall malicious message volume.

The consequence of this seemingly good news was that direct extortion once again came en vogue, albeit in cyber form. The newest threats often took the form of “sextortion,” in which actors threaten to reveal compromising information (like revealing photos or video) or take destructive action if the victim does not pay a fee. Proofpoint theorized that actors have reverted to extortion simply because it is more cost efficient: no malware has to be built, delivered or kept ahead of defenses.

The report recommended tips to spot a sextortionist and call their bluff:

With rare exceptions, these emails do not contain malware or malicious links and rely on the human factor to trick recipients. Often, the threatening emails include “evidence” of compromise, such as an old password that the actor obtained from a prior data breach or simply guessed; a password that is no longer in use, or that appears in a known breach dump, is a strong sign that the sender has no actual access.

Additional findings and highlights from the report included:

  • 60% of companies’ domains were spoofed by email fraudsters, a nearly 10% increase from Q3.
  • Email fraud attacks against targeted companies increased by 226% quarter-over-quarter, and 476% vs. Q4 2017. Telecommunications, education and transportation were the industries experiencing this activity most.
  • Incidents of social media support fraud, or “angler phishing” – a type of phishing in which attackers attempt to insert themselves in legitimate conversations between consumers and brand-owned social media accounts – increased by nearly 40% from the prior quarter and saw an overall increase of 500% in 2018.
  • Emails leveraging malicious URLs outnumbered malicious attachments by roughly two-to-one for Q4 and three-to-one for the entire year.

Visit here for Proofpoint’s full quarterly report.

Ransomware Attacks Increase, With U.S. the Primary Target

Ransomware attacks constituted the greatest cybercrime danger in 2016 as the volume and value of attacks rose sharply, according to a new report from internet security firm Symantec.

“Attackers have honed and perfected the ransomware business model, using strong encryption, anonymous Bitcoin payments, and vast spam campaigns to create dangerous and wide-ranging malware,” according to “Internet Security Threat Report (ISTR), April 2017.”

The average ransom amount involved in such attacks jumped 266% to $1,077 during 2016 from just $294 in 2015. Symantec also found that frequency increased, with detection of ransomware up 36% to 463,000 from 340,000 in 2015; or 1,271 per day in 2016 compared to 933 per day in 2015.

The United States saw the largest share of these attacks by far at 34%, followed by Japan (9%) and Italy (7%). “The statistics indicate that attackers are largely concentrating their efforts on developed, stable economies,” Symantec said. Further, research from Norton Cyber Security Insight team said that 34% of those attacked will pay the ransom, but that figure jumps to 64% for U.S. victims, “providing some indication as to why the country is so heavily targeted,” the Symantec report said.

Another indicator of rising ransomware activity is the more than tripling of new ransomware families to 101 in 2016 from just 30 in both 2015 and 2014. While the number of new variants (distinct variants of existing ransomware families) declined 29% to 241,000 from 342,000 in 2015, this “suggests that more attackers are opting to start with a clean slate by creating a new family of ransomware rather than tweaking existing families by creating new variants,” the report said.

The proportion of ransomware infections on consumer computers rose only marginally to 69% from 67% in 2015 as the rate of infections for enterprise and other organizations dropped accordingly to 31% from 33% in 2015. Consumer infections totaled between 59% and 79% for every month except December, when they fell to 51%.

Beyond the top threat of ransomware, the report discusses exposures including “New frontiers: Internet of Things, mobile, & cloud threats,” and has a section that lists multiple challenges from malware, spam and phishing via email. Email, for example, was a major avenue of attack in 2016, “used by everyone from state-sponsored cyber espionage groups to mass-mailing ransomware gangs,” it said, adding that one in 131 emails sent during 2016 was malicious, the highest rate in five years.

Symantec also discusses a few of the largest cybercrimes of the year, including the theft of $81 million from the central bank of Bangladesh and alleged tampering with the U.S. electoral process. “Cyber attackers revealed new levels of ambition in 2016, a year marked by extraordinary attacks, including multi-million dollar virtual bank heists, overt attempts to disrupt the US electoral process by state-sponsored groups, and some of the biggest distributed denial of service (DDoS) attacks on record,” according to the report.

Despite the apparent rising threat level portrayed in the report, the cyber insurance landscape remains untamed, Risk Management Magazine reported in April. Potential customers would be wise to educate themselves prior to approaching the market.