Thursday, June 29, 2017

Everything you need to know about the Petya, er, NotPetya nasty trashing PCs worldwide

This isn't ransomware – it's merry chaos

Analysis: It is now increasingly clear that the global outbreak of a file-scrambling software nasty targeting Microsoft Windows PCs was designed not to line the pockets of criminals, but to spread merry mayhem.
The malware, dubbed NotPetya because it masquerades as the Petya ransomware, exploded across the world on Tuesday, taking out businesses from shipping ports and supermarkets to ad agencies and law firms. Once inside a corporate network, this well-oiled destructive program worms its way from computer to computer, trashing the infected machines' filesystems.
Although it demands about $300 in Bitcoin to unscramble the hostage data, the mechanisms put in place to collect this money from victims in exchange for decryption keys quickly disintegrated. Despite the slick programming behind the fast-spreading malware, little effort or thought was put into pocketing the loot, it appears.
"The superficial resemblance to Petya is only skin deep," noted computer security veteran The Grugq. "Although there is significant code sharing, the real Petya was a criminal enterprise for making money. This [latest malware] is definitely not designed to make money. This is designed to spread fast and cause damage, with a plausibly deniable cover of ransomware."
To put it plainly, this code was built to destroy, not extort.
Here's a summary of the NotPetya outbreak:
  • The malware uses a bunch of tools to move through a network, infecting machines as it goes. It uses a tweaked build of the open-source Mimikatz to extract administrator credentials from the memory of the infected machine's LSASS process. It then uses those credentials to connect to other machines and execute commands on them via PsExec and WMIC, infecting them in turn. To find targets it can scan the local subnets for hosts or, if it is running on a DHCP server (commonly a domain controller), enumerate the DHCP subnets and their clients.
  • It also uses a modified version of the NSA's stolen and leaked EternalBlue SMB exploit, previously used by WannaCry, plus the agency's stolen and leaked EternalRomance SMB exploit, to infect other systems by injecting malicious code into them. Both exploits attack SMBv1 vulnerabilities that Microsoft patched in March 2017 (MS17-010), so at places that are on top of their Windows updates the credential-theft route is usually the more successful one.
  • Crucially, NotPetya seeks to gain administrator access on a machine and then leverages that power to commandeer other computers on the network: it takes advantage of the fact that far too many organizations employ flat networks in which an administrator on one endpoint can control other machines, or harvest domain admin credentials present in memory, until total control over the Windows network is achieved.
  • One way to gain admin access is to use the NSA exploits. Another way is to trick a user logged in as an admin or domain admin into running a booby-trapped email attachment that installs and runs the malware with high privileges. Another way is to feed a malicious software update to an application suite running as admin or domain admin, which starts running the malware on the corporate network again with high privileges. It is understood NotPetya got into corporate networks as an admin via a hijacked software update for a Ukrainian tax software tool, and via phishing emails.
  • With admin access, the software nasty can not only lift credentials out of RAM to access other internal systems, it can rewrite the local workstation's hard drive's MBR so that only the malware starts up when the machine reboots, rather than Windows. That boot-stage code shows a fake CHKDSK screen while it encrypts the NTFS master file table (MFT), then displays the ransom note and demands an unlock key. Before the reboot, a user-mode stage encrypts individual files on the drive. NotPetya uses AES-128 for the per-file encryption and Salsa20 for the MFT encryption.
  • Needless to say, don't pay the ransom – there's no way to get the necessary keys to restore your documents. The "installation key" the ransom note tells victims to send is random data rather than anything derived from the victim's encryption key, so even the extortionists could not generate a working decryption key from it. And the means to contact the miscreants after paying the money is now shut off, so you're out of luck regardless.
  • Not only should you patch your computers to stop the SMB exploits, disable SMBv1 for good measure, and block outside access to ports 137, 138, 139 and 445, you must follow best practices and not allow local administrators carte blanche over the network – and tightly limit access to domain admins. You'd be surprised how many outfits are too loose with their admin controls.
  • The precise affected versions of Windows aren't yet known, but we're told Windows 10's Credential Guard, which keeps LSASS secrets in a virtualization-isolated process, thwarts NotPetya's credential extraction from memory.
  • Creating a read-only file named perfc (no extension; many guides also create perfc.dat and perfc.dll) in C:\Windows prevents NotPetya running on that machine, because the malware checks for a file bearing its own name there and exits if it finds one. This is a per-machine vaccine, not a kill switch: it does nothing to stop the malware spreading between other machines on the network. Note, the software is designed to spread internally for a random period of between roughly ten minutes and an hour before it forces a reboot and the file-scrambling kicks in; it doesn't attempt to spread externally across the internet like WannaCry did.
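The host-level items in the list above (confirm the MS17-010 patch, disable SMBv1, block the NetBIOS/SMB ports from untrusted networks, drop the perfc vaccine files, check that Credential Guard is running, and look at who holds local admin) gathered into one script. This is an added example written for this page, not code from The Register or from any vendor. It assumes Windows PowerShell 5.1 run elevated on Windows 7/2008 R2 or later; the KB identifiers are the March 2017 MS17-010 packages, which later cumulative updates supersede, and the local-admin threshold is a heuristic chosen for the example.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): NotPetya hardening checks and changes for one Windows host.
# Assumptions: Windows PowerShell 5.1, elevated. The KB numbers are the March 2017 MS17-010 packages;
# later monthly rollups supersede them, so "not found" on a currently patched box means
# "check the build level", not "exposed".

$Ms17010Kbs = 'KB4012598', 'KB4012212', 'KB4012215', 'KB4012213', 'KB4012216',
              'KB4012214', 'KB4012217', 'KB4012606', 'KB4013198', 'KB4013429'

function Test-Ms17010 {
    $installed = (Get-HotFix).HotFixID
    $found = $Ms17010Kbs | Where-Object { $installed -contains $_ }
    [pscustomobject]@{ Check = 'MS17-010 package installed'; Ok = [bool]$found; Detail = ($found -join ', ') }
}

function Disable-Smb1 {
    # Server side: the registry value works on Windows 7 and later (Set-SmbServerConfiguration is the
    # cmdlet equivalent on 8/2012+). Client driver removal uses the optional feature where it exists.
    $lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $lanman -Name SMB1 -Type DWord -Value 0 -Force
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
    }
    $v = (Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    [pscustomobject]@{ Check = 'SMBv1 server disabled'; Ok = ($v -eq 0); Detail = 'reboot to unload mrxsmb10' }
}

function Block-SmbFromUntrustedNetworks {
    # Host firewall: refuse NetBIOS/SMB on the Public profile only. Blocking these on the Domain
    # profile breaks file shares and Group Policy; perimeter blocking of 137-139/445 is separate work.
    netsh advfirewall firewall add rule name="Block inbound NetBIOS (public)" dir=in action=block protocol=UDP localport=137,138 profile=public | Out-Null
    netsh advfirewall firewall add rule name="Block inbound SMB (public)" dir=in action=block protocol=TCP localport=139,445 profile=public | Out-Null
    [pscustomobject]@{ Check = 'Inbound 137-139/445 blocked on Public profile'; Ok = $true; Detail = '' }
}

function Set-PerfcVaccine {
    # The malware looks in %WINDIR% for a file named after itself (perfc, no extension) and exits
    # if one exists. perfc.dat and perfc.dll are added for builds carrying those names.
    $made = foreach ($name in 'perfc', 'perfc.dat', 'perfc.dll') {
        $path = Join-Path $env:WINDIR $name
        if (-not (Test-Path $path)) { New-Item -Path $path -ItemType File | Out-Null }
        Set-ItemProperty -Path $path -Name IsReadOnly -Value $true
        $path
    }
    [pscustomobject]@{ Check = 'perfc vaccine files present'; Ok = $true; Detail = ($made -join ', ') }
}

function Test-CredentialGuard {
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI. The class is absent before Windows 10.
    $on = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 1)
    [pscustomobject]@{ Check = 'Credential Guard running'; Ok = $on; Detail = '' }
}

function Get-LocalAdmins {
    # Flat networks and over-broad admin rights are what the worm feeds on; start by seeing who is
    # local admin here. Nested domain groups are the usual surprise. "<= 2 members" is a heuristic.
    $members = (net localgroup Administrators) | Where-Object { $_ -and $_ -notmatch '^(Alias|Comment|Members|---|The command)' }
    [pscustomobject]@{ Check = 'Local Administrators members'; Ok = ($members.Count -le 2); Detail = ($members -join ', ') }
}

$results = foreach ($f in 'Test-Ms17010', 'Disable-Smb1', 'Block-SmbFromUntrustedNetworks',
                          'Set-PerfcVaccine', 'Test-CredentialGuard', 'Get-LocalAdmins') { & $f }
$results | Format-Table Check, Ok, Detail -AutoSize
```

Run it once per host from an elevated prompt and read the table: a patched, SMBv1-free machine with the vaccine files and Credential Guard still falls to the worm if a domain admin logs on to it interactively, so the last row is the one to act on across the estate, not just on one box.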

In the beginning

So far, the vast majority of infections have occurred in Ukraine and Russia, but some big names in the West have also suffered. International advertising conglomerate WPP was taken offline (even its website was down), global law firm DLA Piper was infected and, most worryingly, shipping goliath Maersk is warning of a worldwide outage that could seriously bork the global transport supply chain. Computer terminals in major ports were borked for hours by the malware.
In Ukraine itself, which appears to be ground zero for the attack, the situation was critical. Large numbers of businesses were caught by the software nasty – the contagion has broken the automatic radiation monitoring systems in Chernobyl, meaning some unlucky scientists are going to have to take readings manually for the time being. Energy companies were hit as well as government agencies.
According to Ukraine's cyber-cops, as well as phishing emails booby-trapped with malware-laden attachments, financial software firm MeDoc was used to infect computers in the ex-Soviet nation. We're told miscreants managed to compromise a software update for the biz's products, which are widely used in the country, so that when it was downloaded and installed by victims it contaminated their network with NotPetya. If this software was running with domain admin access, it would be immediately game over.
MeDoc issued an early statement confessing "our server made a virus attack," but has since U-turned on Facebook, denying that it is responsible.
The tax software maker admitted it was hacked but said its last software update was sent out on June 22, just before Tuesday's attack. However, police said that on June 27 the update servers – – pushed out a 333KB download to customers that launched the NotPetya payload DLL via RUNDLL32.EXE. Oops.
The executable, by the way, lightly XOR encrypts itself and uses faked Microsoft digital signatures in an attempt to fool antivirus scanners. When the nasty started spreading, just two AV engines on the VirusTotal roster detected it as dangerous.

What's in a name?

While it was first assumed that the malware was a new strain of the Petya ransomware family that surfaced last year, that is now in doubt due to some key differences in code. The changes are so striking that Kaspersky Lab has gone as far as to dub the code "NotPetya."
One thing is certain – if you are infected with the malware and it has taken a mixing spoon to your bytes, you're screwed. There doesn't appear to be a way to restore PCs with scrambled filesystems, and no way to pay the ransom, because the Posteo webmail address given to pay the $300 ransom has been shut down.
"Since midday it is no longer possible for the blackmailers to access the email account or send emails," Posteo said. "Sending emails to the account is no longer possible either."

Putin and his pals in action?

The first clue is in the types of files this piece of ransomware encrypts. Typically this kind of malware encrypts everything to make the victim more likely to cough up the digital cash, but in total this ransomware encrypts 65 types of files, from .7z archives and .c source files to .aspx code to .pdf and .php files to PowerPoint and Python to VMware images and Excel spreadsheets.
That might sound like a lot, but the original Petya ransomware that popped up last year encrypted hundreds of file types, and the new code makes some interesting choices in what it encrypts.
"It's very odd," Justin Cappos, assistant professor of security, operating systems and networks at the New York University Tandon School of Engineering told The Register.
"The image types like .png don't seem to be among those encrypted and usually those would be the kinds of things people want to encrypt because the victims will care about their baby pictures, if you were targeting consumers. I find this suspicious; it's targeting code and even Python scripts and Visual Basic to lock down developers' work."
There's also the method of extracting money from the attack. Ransomware has been exploding of late because it makes it easy for criminals to collect funds without having to recruit a lot of money mules around the world to harvest payments.
Bitcoin has helped with this and, as you'd expect, this infection also asks for the digital currency but with a crucial difference. This time, users wanting to get their files back had to email details to a specific address.
This is neither normal nor sensible, since the malware writers must have known that the email address would be shut down quickly, which cut off access to funds. This is not how criminals looking to make a quick buck operate.
Another hint comes in the timing of the attack. June 28, the day after the outbreak began, is a national holiday in Ukraine, its annual Constitution Day. Criminal hackers typically attack on holidays and weekends to avoid detection, but striking the day before looks like an attempt to cause maximum disruption for the largest number of people in the country.
Who is Ukraine's main enemy at the moment? Russia, since it's currently fighting a proxy in the country by supporting the Donetsk People's Republic that has set itself up in the east of the country. Russia has also been accused of hacking Ukrainian systems in the past.
That said, Russian firms have been hit by the ransomware too. State oil giant Rosneft has reported infections, although it says oil production and processing wasn't harmed in the outbreak, and local steel maker Evraz has also been infected.
As is so often the case in online attacks, we may never know the truth behind the source of the infection, but Interpol and police forces in at least three countries are investigating the source and motivations behind the attacks. Microsoft will be doing its own detective work and says Defender has been updated to block the ransomware.
"Our initial analysis found that the ransomware may use multiple techniques to spread, including one which was addressed by a security update previously provided for all platforms from Windows XP to Windows 10," a spokesperson told The Reg.
"As ransomware also typically spreads via email, customers should exercise caution when opening unknown files. We are continuing to investigate and will take appropriate action to protect customers."
In the meantime, the best advice for dealing with ransomware hasn't changed since yesterday. Ensure that you take regular and complete backups, patch software as soon as possible, and disable any unwanted features or open ports that can be closed off. ®

Wednesday, June 28, 2017

Petya ransomware reportedly spread via malicious software updates, Windows exploits and tools

While WannaCry ransomware specifically targets files, Petya attempts to render a machine's entire hard disk unusable, making it significantly more dangerous to infected organizations.
The Petya ransomware attack that infected corporations around the world today may have originated from a malicious update for a Ukrainian accounting software product called MeDoc, according to researchers.
Additionally, the ransomware possibly leverages not one, but two former Microsoft Windows exploits that were employed by the National Security Agency (NSA) before they were leaked by the Shadow Brokers hacking group.
Still, the security community has much work to do as it scrambles for answers regarding Petya's coding, how the ransomware differs from WannaCry 2.0, and the attackers' identity and motive. At this point, there is even disagreement over whether or not the ransomware is actually a variant of Petya at all.
Petya Analysis: Worse than WannaCry
Like the WannaCry malware that infected victims in May, Petya has a wormable component that allows it to spread laterally around connected networks. But while WannaCry specifically targets files, Petya overwrites the master boot record (MBR) and encrypts the NTFS master file table (MFT), so the disk's contents are unreachable and Windows itself no longer boots, making it significantly more dangerous to infected organizations.
"Unlike other types of ransomware, the Petya ransomware family appears to be more brutal in the techniques it uses to encrypt files as it goes straight for the hard drive to encrypt the entire machine," said Lenny Zeltser, vice president of products at endpoint security solutions company Minerva. "Therefore, not only do users lose their data, their entire productivity is shut down as even their Windows operating system won't run."
Chris Hinkley, lead ethical hacker at Armor, similarly noted that while Petya looks like "somewhat of a WannaCry copycat," it is potentially worse because it "for all intents and purposes turns the computer off."
And in a surprise twist, Recorded Future reported that Petya ransomware is actually being coupled with a second payload: an information stealer, possibly Loki Bot. "The Loki Bot information stealer grabs usernames and passwords from victim computers and sends the data to a command and control server controlled by the attacker," said Allan Liska, an intelligence analyst at Recorded Future. "If confirmed, that would mean that while the computer is completely inoperable because of the Petya ransomware, the attackers have full access to the usernames and passwords stolen from the computer."
The specific variant of Petya spreading around the world has been identified by some researchers as PetrWrap. According to the Kaspersky researchers who reported this variant earlier this year, PetrWrap is derived from the original Petya ransomware-as-a-service module, but with a modification that allows its operators to receive ransom payments without having to share the profit with the original developers. Others have identified today's ransomware as another variant called GoldenEye, which was described in a recent Sophos report.
However, Kaspersky reported via Twitter that, contrary to public reports, the ransomware actually may not be a variant of Petya at all, but rather a previously undiscovered ransomware that it is calling NotPetya.
There are also conflicting accounts of how companies have been infected. Many reports have cited phishing scams as a likely source of infection. While this is possible in some cases, the evidence strongly suggests that Ukrainian organizations were by and large infected via a malware-ridden update of MeDoc accounting software, according to a report from Cisco Talos and another from Kaspersky. In a Facebook post, MeDoc denied that its software updates were responsible for any infections, though it did admit to being targeted by hackers.
Still, a compromise of MeDoc would not likely explain how other international organizations became infected as Petya began to spread outside of Ukraine's borders.
What seems more clear at this time is that once the malware resides on a machine, it then spreads laterally across connected networks via various Windows exploits and tools. While WannaCry specifically leveraged the exploit known as EternalBlue, Petya (or NotPetya) takes advantage of both EternalBlue and EternalRomance, a separate remote code execution Windows exploit, Kaspersky reported. According to various reports, the ransomware also uses the Windows Management Instrumentation Command-line (WMIC) interface and the Sysinternals remote-execution tool PsExec, driven with credentials harvested from memory, to enable lateral propagation.
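The propagation chain described here and in the Register summary above (WMIC remote process creation with stolen credentials, PsExec pushed under another file name, rundll32 loading the perfc.dat payload, then a scheduled forced reboot) is what a detection rule should key on, since the DLL's hash changes from sample to sample and the technique does not. The following is an added example, not from SC Media, Kaspersky or any product: it runs four behaviour rules over constructed process-creation records in an assumed "time|host|parent|command" format (the kind of data Sysmon event 1 or Security event 4688 with command-line auditing provides) and groups the hits by host. The sample lines are modelled on published descriptions of the malware's command lines and were not captured from a real system; the host names, addresses, account and password in them are made up.

```powershell
# Added example (not from the article or any vendor tool): behaviour rules for NotPetya-style
# lateral movement, run over constructed process-creation records.
# Assumed record shape: "HH:mm:ss|host|parent_image|command_line". The five lines are modelled on
# published descriptions of the malware and are not from an infected machine.

$SampleLog = @'
10:01:03|WS-042|explorer.exe|"C:\Program Files\Microsoft Office\WINWORD.EXE" /n report.docx
10:02:11|WS-042|rundll32.exe|C:\Windows\System32\wbem\wmic.exe /node:"10.0.4.17" /user:"CORP\svc_backup" /password:"Pa55w0rd" process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1 60"
10:02:12|WS-042|rundll32.exe|C:\Windows\dllhost.dat \\10.0.4.18 -accepteula -s -d C:\Windows\System32\rundll32.exe C:\Windows\perfc.dat,#1 60
10:02:13|WS-042|rundll32.exe|schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 11:02
10:03:00|WS-043|cmd.exe|C:\Windows\System32\wbem\wmic.exe os get caption
'@

# One rule per behaviour, not per hash. -match is case-insensitive by default.
$Rules = @(
    @{ Name = 'WMIC remote process creation';     Pattern = 'wmic(\.exe)?\s+/node:.*process\s+call\s+create' }
    @{ Name = 'PsExec-style push via dllhost.dat'; Pattern = 'dllhost\.dat\s+\\\\' }
    @{ Name = 'rundll32 loading perfc.dat';        Pattern = 'rundll32(\.exe)?\b.*perfc\.dat' }
    @{ Name = 'Scheduled forced reboot';           Pattern = 'schtasks\s+/create.*shutdown(\.exe)?\s+/r' }
)

function Find-LateralMovement {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -notmatch '^(?<t>[^|]+)\|(?<h>[^|]+)\|(?<p>[^|]+)\|(?<c>.*)$') { continue }
        # Copy the captures out before the next -match overwrites $Matches.
        $t, $h, $p, $c = $Matches.t, $Matches.h, $Matches.p, $Matches.c
        foreach ($rule in $Rules) {
            if ($c -match $rule.Pattern) {
                [pscustomobject]@{ Time = $t; Host = $h; Parent = $p; Rule = $rule.Name; Command = $c }
            }
        }
    }
}

function Get-ProbableInfections {
    # A single rule firing is worth a look; two or more distinct behaviours on one host in a short
    # window is the worm. The threshold is a parameter so it can be tuned per environment.
    param([object[]]$Hits, [int]$MinRules = 2)
    $Hits | Group-Object Host | ForEach-Object {
        $distinct = $_.Group.Rule | Sort-Object -Unique
        if ($distinct.Count -ge $MinRules) {
            [pscustomobject]@{
                Host      = $_.Name
                RuleCount = $distinct.Count
                Rules     = ($distinct -join '; ')
                FirstSeen = ($_.Group.Time | Sort-Object)[0]
            }
        }
    }
}

$hits = Find-LateralMovement -Lines ($SampleLog -split "`r?`n")
$hits | Format-Table Time, Host, Parent, Rule -AutoSize
Get-ProbableInfections -Hits $hits | Format-List
# WS-042 trips all four rules within three seconds; the routine "wmic os get caption" on WS-043 trips none.
```

Two things the sample makes visible that a hash-based signature would not: the WMIC line carries the stolen account name and password in clear text on the command line, so process-creation logs on the source machine record exactly which credential was abused, and the scheduled reboot gives a window of minutes in which a host that has only spread, not yet encrypted, can still be isolated.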
Via Twitter, security researcher Kevin Beaumont additionally reported that the ransomware has no kill switch in its code, like the kind that cut short WannaCry's path of destruction. And Ori Bach, vice president of product at TrapX Security, said that his company determined from a malware sample analysis that Petya was designed "not to run on desktops [that] only have a keyboard running EN-US" language code (which commands the Windows operating system to use U.S. standard English). If accurate, this might suggest that the attackers hoped to avoid U.S. casualties, although American companies including the pharmaceutical company Merck were reportedly hit.
SC Media's own research expert Dr. Peter Stephenson also conducted his own sample analysis and found that the ransomware uses a wrapper program for obfuscation purposes. Commenting on fellow researchers' early findings, Stephenson highlighted the uniqueness of the malicious MeDoc update, noting that "there haven't been a lot of massive attacks that have been spread that way."
In conclusion, while the WannaCry attack appeared amateurish in how it was executed, Petya has all the hallmarks of a professional job, Stephenson surmised.
Poor Patching to Blame
In March 2017, Microsoft issued patches for both vulnerabilities linked to the NSA's EternalBlue and EternalRomance exploits. So if, indeed, the attackers capitalized on these bugs, it further demonstrates the continued negligence of companies that fail to update their software, in spite of lessons learned from the WannaCry infection.
"Given the notoriety that WannaCry achieved, it's surprising to see that organizations are falling victim to a vulnerability that has been public knowledge since earlier this year," commented Andrew Avanessian, VP at Avecto.
"The current approaches to security with respect to patching and updates are severely broken," said Mike Kail, CTO at Cybric. "Companies need to rapidly adopt a much more continuous strategy around patching and security testing, along with a robust disaster recovery plan that gets tested frequently." This is especially true for organizations that provide critical infrastructure technology, he noted, alluding to Ukrainian energy companies that were affected in this latest attack, including the Chernobyl nuclear plant.
Mike Ahmadi, global director of critical systems security within Synopsys's software integrity group, called for increased legal enforcement of security patching. "Systems on a global level remain highly vulnerable and selective fixes only serve to perpetuate an attack based on the next vulnerability on what is now a nearly exponentially growing list of exploitable security bugs," said Ahmadi. "Unless vulnerability management and certification of systems becomes a legal requirement, we can expect to see attacks that are bigger and more sophisticated."

Huge 'Petya' cyber attack spreading across the world in potential repeat of 'Wannacry' hack

Thursday, June 22, 2017

Cyber Attack At Honda Stops Production After WannaCry Worm Strikes

The WannaCry worm is still alive. Honda said this week that it was forced to halt production for one day at its Sayama plant near Tokyo after finding the WannaCry ransomware in its computer network.
This virus is the same one that infected hundreds of thousands of machines worldwide after taking advantage of security holes in some Microsoft products. According to a Honda spokesperson, about 1,000 units were not produced as planned at the plant when WannaCry attacked several older production line computers, causing them to shut down. The Sayama plant produces models such as the Accord sedan and the Odyssey and StepWagon minivans.
Production at other Honda plants had not been affected with regular operations resuming at the Sayama plant this week. Honda discovered that the virus had infected networks across Japan, Europe, North America and China, despite moves to secure its systems in mid-May when WannaCry caused widespread disruption worldwide.
Nissan and Renault were also affected by the cyber attack last month, forcing them to temporarily stop production at plants in Japan, Britain, India, France and Romania.
WannaCry has infected companies using aging technology and outdated software and this appears to be what transpired at Honda’s Sayama plant.
Cyber security company Kryptos Logic said last week that it had dealt with 60 million infection attempts from WannaCry over the past month.
Intelligence agencies have linked the virus infections to a hacking group associated with North Korea and say that the threat of further attacks still looms.


Tuesday, June 20, 2017

Registered to Vote? If So, A GOP Firm Probably Exposed Your Personal Data

Ryan Grenoble, HuffPost

MEPs Ready To Fight For End-To-End Encryption Across EU


Sam Pudwell joined Silicon UK as a reporter in December 2016. As well as being the resident Cloud aficionado, he covers areas such as cyber security, government IT and sports technology, with the aim of going to as many events as possible.

A European Parliament committee has called for end-to-end encryption to be enforced on all forms of digital communication in the latest development in the ongoing encryption debate.
The draft legislation argues that EU citizens are entitled to privacy online and wants to protect their sensitive data from being accessed by governments and cyber criminals.
A key factor being considered is a ban on the inclusion of 'backdoors' into apps such as WhatsApp and Telegram, something which WhatsApp has denied ever having.

Privacy boost

A backdoor ban would ensure end-to-end encryption where neither government agencies nor the company providing the service are able to listen in on conversations, ensuring a significant boost to consumer privacy.
“The principle of confidentiality should apply to current and future means of communication, including calls, internet access, instant messaging applications, email, internet phone calls and personal messaging provided through social media,” a draft proposal from the European Parliament’s Committee on Civil Liberties, Justice, and Home Affairs says.
Any such rule change would require approval by both the European Parliament and the European Council.
The issue gained prominence in the UK after March’s Westminster terror attack which resulted in the deaths of six people.
In the wake of the attack, home secretary Amber Rudd publicly slammed WhatsApp for its "completely unacceptable" use of encryption which made the attackers' messages inaccessible to third parties.
This was followed by Prime Minister Theresa May’s calls for increased internet regulation following the attack on London Bridge and the revelation of government plans to ask Parliament for more power over technology companies.
It is an issue which is being driven by horrific acts of terrorism, but many industry experts believe that the technical implications of encryption, or a lack thereof, are yet to be understood by the UK government.
It should also be noted that steps are being taken to combat the issue. The world’s biggest tech firms have pledged to work harder to tackle terrorist propaganda online, with many using technology such as artificial intelligence to do so.

Saturday, June 17, 2017

Swift CEO Says Hackers Can Unite Banks and Blockchain Disruptors

by Michael del Castillo

When the CEO of Swift wants to learn about blockchain, he does it in style.
On stage yesterday in New York, Gottfried Leibbrandt gathered senior executives from some of the largest banks in the world – which also happened to be members of his interbank messaging platform – and put them on stage with the president of one of his own biggest (potential) competitors: blockchain startup Chain.
Speaking on stage in front of 500 senior financial institution leaders, Leibbrandt then deftly navigated his interrogation of representatives from the diverse group of financial institutions including JPMorgan, Citi and CLS.
While there was no doubt that members of the panel viewed one another as potential partners, potential customers and definite competitors, the Swift chief summarized what they all shared in his own closing comments: a common enemy, hackers.
Leibbrandt concluded:
"We have to be better than them."

Joining the 'dark side'

For his part, Leibbrandt seemed to be trying to establish a tone of camaraderie throughout his questioning, one that found an unlikely partner in Tom Jessop, the newly appointed president of Chain – a heavily funded blockchain startup ostensibly out to make middlemen (like Swift) unnecessary.
But Chain has struck a more conciliatory tone than some of its rivals such as Ripple, which has set Swift square in its sights as the incumbent to beat. By contrast, all three of Chain's first public clients – Citi, Nasdaq and Visa – are what would be considered legacy financial institutions.
Jessop came up through the ranks at Goldman Sachs as part of the bank's fintech investing team, and was hired by the blockchain firm last year specifically because of his ability to work with incumbents.
In spite of the friendly demeanor on stage, though, Jessop alluded to criticism that his joining Chain has been perceived as a betrayal of the legacy financial institutions from which he came.
"People always say to me, 'Why did you go to the dark side?'" said Jessop. "Actually, I don't think it's the dark side. I think there’s a lot of work we can do together, and it only happens through partnership."

Fighting for the system

Leibbrandt's own comments on using blockchain technology to thwart criminal activities echoed earlier statements made by panelist David Puth, CEO of foreign exchange service CLS.
Puth drew laughs from the audience when, following Jessop’s first address to the audience, he described Chain's value proposition, saying: "You see what I’m up against?"
Puth also joked that running a "systemically important financial business" might not be the best business decision, with no pricing control and upstarts trying to take away "pieces" of what you offer and selling it to customers in a "different or simplified way".
To take on the technological upstarts head-on, Puth last year announced at Swift's Sibos conference that his firm had partnered with IBM to work on its own blockchain solution.
"When we're competing, when we're going at innovation against the likes of Tom Jessop, we have to think really hard about how we approach things," said Puth, who also indicated that his firm was looking for partners similar to Chain.

The enemy of my enemy...

However, the general consensus among the panelists was that whatever the differences between the participants, they were on the same side against criminal adversaries.
To stay one step ahead of bad actors, both the strengths of the legacy infrastructure providers and the innovation of blockchain startups need to be leveraged over the long haul, according to Emma Loftus, managing director and head of global payments at the US division of JPMorgan Treasury Services.
Also speaking at the event, Loftus, whose company recently joined the Enterprise Ethereum Alliance and open-sourced its ethereum-based private ledger called Quorum, positioned partnerships across borders and via consortia as crucial to fighting fraud.
But she went a step further, calling collaboration between blockchain startups and the legacy financial system one of the great challenges slowing widespread adoption.
"This traverse from traditional to blockchain and the requisite interoperability is why people are taking a very thoughtful approach before jumping in to replace everything," said Loftus.

Innovate or lose

For his part, Charles Blauner, global head of information security at Citi – another 'bulge bracket' bank adopting blockchain – had advice of a different sort for industry startups confident that their cryptography is the solution to every financial security problem.
Blauner cautioned blockchain startups that all cryptographic algorithms "degrade" over time, and that like the Roman cipher wheels of the past, even the most sophisticated encryption might eventually be hacked by quantum computers and more.
As fintech startups achieve wider adoption, he warned, the prize for successfully hacking them will increase and "the volume of attacks from potential adversaries will grow".
In addition to building platforms with easily upgradable cryptographic algorithms and intensely testing the protections, Blauner advocated for even closer collaboration between those who might otherwise be considered competitors.
"The bad guys, the adversaries … collaborate brilliantly, innovate rapidly," said Blauner. "If we can’t do the same thing, we’re going to lose and so we have to be better than them at innovation. We have to be better than them at collaboration."
He concluded:
"Otherwise, statistically speaking they win, we lose."
Disclosure: CoinDesk is a subsidiary of Digital Currency Group, which has an ownership stake in Chain.

Tuesday, June 13, 2017

Cybersecurity Is Dead

Post written by
Mike Baukes
Co-founder and co-CEO of UpGuard, the world's first cyber resilience platform.

Well-known cybersecurity firm Crowdstrike greets travelers who arrive at San Francisco International Airport with a rather bold claim advertised throughout the terminals. The advertisements pose a pernicious yet seemingly tidy answer: "Yesterday’s Antivirus Can’t Stop Today’s Cyber Attacks. Crowdstrike Falcon Can."
Irresponsible hyperbole? Or is it a pitch made in good faith, albeit one as confident as it is ignorant? It doesn’t much matter. It is 2017, and we now have ample evidence proving that the false promise of so much cybersecurity -- that risk can be entirely eliminated with one simple program -- will, barring a technological revolution, never be realized.

The data is in: Cybersecurity is dead. Even as global cybersecurity spending is expected to balloon to over $100 billion by 2020, the frequency and severity of cyberattacks continue to grow, with seemingly no end in sight. While exploits and hacking tools become even more widely available and simple to deploy, there has been little commensurate progress in beating back attackers, who continue to find success striking at persistent, common weak points. How is this possible?
The answer is one that must chagrin any CISO spending exorbitant amounts of money on cybersecurity programs: The entire conception upon which cybersecurity rests -- of constructing a castle, against which any marauding attackers stand little chance of breaching -- is barely of use.
It would be mildly amusing but for a simple fact: The integrity of sensitive data, ranging from your grandmother’s medical records to your personal financial information, relies on its secure storage by a dizzying array of institutions. It is no exaggeration to say that cyber risk -- the accumulated potential for the exposure of privileged data -- is a matter of life and death, as seen in the frightening effects of cyberattacks on the healthcare industry across the world. The existing conceptions of how IT systems can be secured and protected must be discarded in favor of a new and more diffuse understanding of cyber risk.
The concept embodied in the Crowdstrike ad -- that, at last, here is the program that will, like the little Dutch boy, plug the hole in the dam -- is insufficient for combating the real and growing threats looming across the digital landscape. Unsurprisingly, ransomware is exploding in popularity, as the low-cost, easily usable malware proves continually effective at extracting money. But there are grander threat vectors looming: crimes such as electronic bank robberies, digitally enabled high-seas piracy and cyberattacks against electrical grids are not science fiction premises; rather, they are real crimes that will only grow more common. The false promises of cybersecurity doctrines have been repeatedly laid bare over the course of the past few decades. Antivirus programs, once relentlessly promoted as an indispensable part of any IT configuration, are now dead even to their creators, having proven thoroughly ineffective in combatting cyber risk -- indeed, even proving a liability at times. The "set it and forget it" model, with its focus on an endpoint solution to be instituted without much thought, typically relies upon an out-of-the-box program sold by a third-party vendor. However impregnable such a barrier seems when it is laid down, hackers will be able, with time, to build a higher ladder.
Even more irresponsible is the suggestion that breaches can be forever prevented. Laying down firewalls or perimeter security measures, paying premium prices for executive intelligence on emerging threats, adhering to checkbox compliance regimens -- whatever benefits such measures bring, cyber resilience is not among them. Most consumers and enterprise customers believe cybersecurity programs will be able to protect systems against all hacks and breaches -- a belief more or less encouraged by such providers. The reality is that no company can do that.
Such defenses, of course, assume that cyber risk is a matter of malicious hackers overcoming paltry defenses. According to Gartner (paywall), mere misconfigurations, not vulnerabilities waiting to be exploited by hackers, account for anywhere from 75-99% of all breaches depending on the platform. And as seen in the recent cyber assault on the United Kingdom's National Health Service, in which badly outdated IT systems had not received critical updates (the SMB flaw that WannaCry exploited had been patched by Microsoft in March 2017, two months before the outbreak), hackers rely less on their own (often limited) talents than upon the unfortunate fact that an overwhelming abundance of technologically degraded targets makes their nefarious business easy. Far too easy.

The latest antivirus software will not be the cure-all for this full-spectrum threat any more than the thousands of such programs that came before it. A better conception would involve viewing risk as an inescapable fact of doing business using any internet-facing devices. There is no such thing as a knockout blow that will ensure the integrity of systems; cyber resilience, the intelligent means of managing and mitigating cyber risk, requires best practices be followed every day.
Simply put, fostering cyber resilience is a full-time job, one that must be integrated into every layer of the toolchain when provisioning, configuring and managing IT systems. From documented processes to constant updating to automation, changes in management and visibility, true cyber resilience is the product of inviolable work -- the kind of critical IT management that can never be cast to one side as extraneous. Beyond these requirements of maintenance, IT administrators -- and their superiors, all the way up to the C-suite -- must understand that full visibility into their systems is a prerequisite for mitigating cyber risk.
Only by gaining full insight into the real state of IT systems can stakeholders ensure systemic integrity and, in the event of a breach such as the WannaCry contagion, respond quickly and adequately. That is the future of cyber resilience.

How a Holistic Approach Supports Robust Website Security

With cybercrime on the rise, it is more important than ever for companies and organizations to invest in website security.

There are more than 1 billion websites on the internet. Just as that figure continues to grow at a dizzying rate, so, too, do concerns over website security.
Safeguarding digital assets is of central importance for virtually all global enterprises. Effective and secure websites are the lifeblood of the modern economy, but online payments and other forms of data sharing provide cyber criminals with lucrative targets at which to take aim.
Unfortunately, we have grown accustomed to the flood of data breaches and identity thefts in the news — and those are just the ones that become public. Business leaders determined to avoid falling prey to a potentially calamitous cyber event must make cybersecurity a core priority, rather than treating it as the information technology department’s concern. That starts with prioritizing a skilled, well-trained security workforce on the front lines of protecting enterprises’ precious information assets.

Investing in cybersecurity

Unless the return on investment is clearly explained, spending on cybersecurity can be difficult for executives to accept. It is critical to make business-related arguments that address business continuity and customer trust, and that clearly link the investment to the organization's business objectives.
Even for those organizations whose boards of directors recognize that cybersecurity investment is a business imperative, implementing a robust security program is an enormous challenge. Given the ever-growing number and sophistication of cyber threats, finding the right security professionals can prove an exasperating exercise. ISACA’s 2016 State of Cybersecurity Report showed that it takes 27 percent of organizations six months to fill a cybersecurity position — an unacceptable duration given the threats lurking in today’s landscape.
Simply waiting for qualified professionals to come knocking on the door is unrealistic. Enterprises should encourage upskilling from their current security workforce, either by offering training opportunities or encouraging employees to pursue pertinent industry certifications.
Enterprises also should be mindful that security by design is more cost-effective than security that is patched around systems. With the appropriate frameworks in place, taking into account response and recovery as seriously as prevention and detection, a robust and holistic security program can be put in place.

Technological advantages

Bear in mind, cyber criminals are not the only ones capable of taking advantage of improved technology. Enterprises also can benefit from new and evolving methods for keeping pace with threats.
Leveraging modern mobile payments is a worthwhile consideration for enterprises and consumers alike who are concerned about protecting data during transactions. Advancements in mobile payment security technology — specifically the use of tokenization, device-specific cryptograms and two-factor authentication — can provide important security benefits that result in decreased instances of identity fraud and lower costs.
While it is important to keep an eye on what is new, emphasizing tried-and-true security fundamentals also goes a long way. The key to cyber-securing websites is ensuring that controls are appropriately designed and actually effective across the whole life cycle: identify the critical assets; protect them with preventive controls at the web application, operating system, network and infrastructure layers; detect attacks; respond to them; and eventually recover from breaches.
There is much that can and needs to be done to promote effective website security. The threat landscape may be daunting, but leaving an organization’s reputation and future viability to chance is not an option.

Monday, June 12, 2017

ISO 27001 can be implemented on your current Windows® system

As highlighted in our blog last week, several supervisory authorities across Europe have already highlighted ISO 27001 as a model of best practice that will provide good evidence of intent and effort to comply with the GDPR.
ISO 27001 provides an excellent approach to complying with data protection and privacy legislation because it requires the business to recognise the “needs and expectations of interested parties”, which include customers, the public, partners and regulatory bodies, and “may include legal and regulatory requirements and contractual obligations”.
Certification to ISO 27001 can bring organisations a host of benefits, including:
  • Safeguarding their valuable data and intellectual property
  • Winning new business and retaining their existing customer base
  • Avoiding the financial penalties and losses associated with data breaches
  • Complying with business, legal, contractual and regulatory requirements
  • Improving their processes
  • And much more.

ISO 27001 is not the complicated standard it is made out to be

We recently caught up with Brian Honan, the author of June’s book of the month ISO27001 in a Windows® Environment, in one of our author podcasts. You can listen to the full podcast here.
Brian said that it “really struck him how complicated people seemed to think ISO 27001 was”.
Brian said that many people thought ISO 27001 would “require thousands of mandates, lots of money to invest in IT equipment and systems, and would take forever to get implemented”.
However, he highlighted that the Standard is not as complicated as you might think and that you may not have to buy new systems or security systems to comply with it.

ISO 27001 can be implemented on your current Windows® system

A lot of the technical controls in ISO 27001 can be addressed with the inbuilt functionality and tools in Windows.
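To make that claim concrete, here is an added example (this editor's script, not code from the book or from IT Governance) that spot-checks a Windows host's built-in settings against a handful of ISO 27001:2013 Annex A controls and writes the result out as evidence. The control-to-setting mapping is an indicative illustration, not the Standard's wording, and the thresholds (8-character minimum, 10 lockout attempts, 45-day patch age, 7-day signature age, 3 local administrators) are placeholders for whatever the organisation's own ISMS policy states. It assumes PowerShell 5.1 or later on Windows 10 / Server 2016 or later, an elevated session, and an English locale, because the `net accounts` and `auditpol` output is parsed by keyword.

```powershell
#Requires -RunAsAdministrator
# Added example: spot-check built-in Windows settings against a few ISO 27001:2013
# Annex A controls. Mapping and thresholds are illustrative, not the Standard's text.

$findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Control, [string]$Check, [bool]$Pass, [string]$Detail)
    $findings.Add([pscustomobject]@{
        Control = $Control
        Check   = $Check
        Status  = if ($Pass) { 'PASS' } else { 'FAIL' }
        Detail  = $Detail
    })
}

# A.9.4.3 Password management system / A.9.4.2 Secure log-on procedures:
# the local account policy actually enforced by the OS (Group Policy on a domain).
$acct = net accounts                                   # "Name:    value" lines (English locale assumed)
function Get-AccountValue([string]$Name) {
    ($acct | Where-Object { $_ -match $Name }) -replace '^.*:\s*', '' | Select-Object -First 1
}
$minLen  = Get-AccountValue 'Minimum password length' # e.g. '7'
$lockout = Get-AccountValue 'Lockout threshold'       # a number, or 'Never'
Add-Finding 'A.9.4.3' 'Minimum password length >= 8' ([int]$minLen -ge 8) "length=$minLen"
Add-Finding 'A.9.4.2' 'Account lockout threshold <= 10 attempts' `
    ($lockout -ne 'Never' -and [int]$lockout -le 10) "threshold=$lockout"

# A.12.4.1 Event logging: logon success and failure must be recorded.
$audit = auditpol /get /subcategory:Logon
$logonLine = (($audit -match '^\s*Logon\s') -join ' ') -replace '\s+', ' '
Add-Finding 'A.12.4.1' 'Logon events audited' ([bool]($audit -match '^\s*Logon\s+.*(Success|Failure)')) $logonLine.Trim()

# A.10.1.1 Cryptographic controls: system drive encrypted with BitLocker.
try {
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
    Add-Finding 'A.10.1.1' 'System drive BitLocker protection on' ($bl.ProtectionStatus -eq 'On') `
        "status=$($bl.ProtectionStatus), method=$($bl.EncryptionMethod)"
} catch {
    Add-Finding 'A.10.1.1' 'System drive BitLocker protection on' $false 'BitLocker cmdlets unavailable (feature not installed?)'
}

# A.13.1.1 Network controls: host firewall enabled on every profile.
$fwOff = Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' }
Add-Finding 'A.13.1.1' 'Windows Firewall enabled on all profiles' (-not $fwOff) "disabled=$(($fwOff.Name) -join ',')"

# A.12.2.1 Controls against malware: real-time protection on and signatures fresh.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    $sigAge = (New-TimeSpan -Start $mp.AntivirusSignatureLastUpdated -End (Get-Date)).Days
    Add-Finding 'A.12.2.1' 'Real-time protection on, signatures < 7 days old' `
        ($mp.RealTimeProtectionEnabled -and $sigAge -lt 7) "rtp=$($mp.RealTimeProtectionEnabled), sig_age_days=$sigAge"
} catch {
    Add-Finding 'A.12.2.1' 'Defender status readable' $false 'Get-MpComputerStatus failed (third-party AV or Defender disabled)'
}

# A.9.2.3 Management of privileged access rights: who holds local Administrators.
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
Add-Finding 'A.9.2.3' 'Local Administrators reviewed (<= 3 members)' ($admins.Count -le 3) ($admins -join '; ')

# A.12.6.1 Management of technical vulnerabilities: date of the newest installed hotfix.
$latest = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($latest) {
    $patchAge = (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days
    $patchDetail = "latest=$($latest.HotFixID) on $($latest.InstalledOn.ToShortDateString())"
} else {
    $patchAge = 9999
    $patchDetail = 'no hotfix with an install date found'
}
Add-Finding 'A.12.6.1' 'A hotfix installed within the last 45 days' ($patchAge -le 45) $patchDetail

# Evidence for the auditor: show the table and keep a dated CSV per host.
$findings | Format-Table -AutoSize
$findings | Export-Csv -NoTypeInformation -Path ("{0}-iso27001-spotcheck-{1:yyyyMMdd}.csv" -f $env:COMPUTERNAME, (Get-Date))
$failed = @($findings | Where-Object Status -eq 'FAIL').Count
Write-Host "$failed of $($findings.Count) checks failed"
```

Run it from an elevated prompt on each in-scope host (or push it through Group Policy as a scheduled task) and file the CSVs with the ISMS records; a FAIL row is a non-conformity to fix with the Windows feature already on the machine, not a reason to buy a new product. Auditpol, BitLocker, Windows Firewall, Defender and Group Policy are the native tools doing the work here, which is the point of the book's argument.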
ISO27001 in a Windows® Environment gives essential guidance for everyone involved in a Windows-based ISO 27001 project. This book:
  • Details the various controls required under ISO 27001:2013, together with the relevant Microsoft products that can be used to implement them.
  • Explains how to make the most of Windows security features.
  • Is ideal for bridging the knowledge gap between ISO 27001 and Windows security.