News

7 tips to secure against IoT cyberthreats

by Oladimeji Ajayi

For years, experts have warned about the danger of Internet of Things devices, often built on the cheap by companies with little or no interest in building security into their products. Many of these insecure devices have found their way into businesses, interacting and exchanging cloud-based information with other parts of the corporate infrastructure.

With the emergence of powerful IoT malware such as Mirai, the bad news predictions are being borne out. The reality is that any connected device provides an attack vector for adversaries.

Still, the prospect of malware-infected devices repurposed as a zombie army acting at the behest of cyberattackers hasn’t slowed IoT adoption. Just the opposite is true, in fact. Companies in sectors such as manufacturing, transportation, healthcare and utilities continue to deploy IoT devices in ever-greater numbers, and researchers expect billions of devices will be in use around the world by the end of this decade.

Your plan of attack

When it comes to IoT security, there may be no silver bullet. But that doesn’t mean you’re left defenseless. As the AT&T Cybersecurity Insights report notes, companies can mitigate the threats by adopting a proactive approach that builds in security from the start. The goal should be to lay down a strategy that aligns IoT security with the organization’s existing cybersecurity policies and systems.

Here are seven blocking and tackling tips your cybersecurity team should implement.

  1. Order a device assessment to track where IoT devices are being deployed and how they operate with the rest of the infrastructure.
  2. Identify any security vulnerabilities so that the IT team can swing into action to make any necessary fixes.
  3. Change any standard default log-ins and passwords. Leaving default credentials in place will only invite trouble, as botnets frequently scan for IoT systems that use factory-default or hard-coded usernames and passwords.
  4. Keep all your devices up to date with the latest security and firmware updates.
  5. Security ought to be treated as a priority as high as functionality. If your organization intends to develop its own IoT apps, make sure that security testing is front-and-center, not an afterthought.
  6. Adopt an end-to-end, data-centric security approach by encrypting all communications, commands and values transmitted from any IoT device to the infrastructure.
  7. Telecommuting employees should only connect through secure Wi-Fi, and not use public Wi-Fi at the corner coffee shop or airport lounge. Spell out specific policies and controls telecommuters must abide by.

The very connectedness of the IoT leaves it open to security and safety vulnerabilities. But by implementing a tight security policy for your growing arsenal of IoT devices, your organization will go a long way toward guarding against IoT-powered zombie attacks.

Charles Cooper has covered technology and business for the past three decades. All opinions expressed are his own. AT&T has sponsored this blog post.


How your company needs to train workers in cyber-security

by Oladimeji Ajayi

Survey finds workers still violate security policies to remain productive

With workplace cyberattacks on the rise, industry experts are pressing businesses to train their workers to be more vigilant than ever to protect passwords and sensitive data and to recognize threats.

“It is imperative for organizations of all sizes to instill among employees the critical role they play in keeping their workplace safe and secure,” said Michael Kaiser, executive director of the National Cyber Security Alliance, a group that promotes education on the safe and secure use of the internet. The group’s members include such major technology companies as Cisco, Facebook, Google, Intel and Microsoft.

Kaiser made his comments timed with last week’s release of a Dell End-User Security Survey that found that 72% of workers are willing to share confidential company information without regard for proper data security protocols. The survey was conducted online in late February and early March with results from 2,608 professionals in companies with more than 250 workers.

“Cybersecurity education needs to be an integral part of the workplace culture,” Kaiser added. “Cybersecurity education doesn’t mean hosting a one-time course or seminar; it means making security a collaborative, continuous cultural initiative.”

Creating a security culture at a company can be complicated. The survey found that 65% of employees recognize their responsibility to protect confidential information, but many said security programs limit their productivity. Of those who received cybersecurity training at work, 24% admitted they went ahead and used unsafe behaviors anyway in order to complete a task.

There is a “balance between protecting your data and empowering employees to be productive,” said Brett Hansen, vice president of endpoint security and management at Dell. Data security needs to be the top priority “while maintaining productivity,” Hansen said. It’s a difficult task that requires companies to create simple, clear policies that address potential breaches.

The survey found that unsafe behaviors for accessing, sharing and storing data are common in the workplace. Forty-six percent of employees admitted to connecting to public Wi-Fi to access confidential information, while 49% admitted to using a personal email account for work tasks. The survey found 35% said it was common to take corporate information with them when leaving a company.

“As the Dell survey clearly indicates, there is still much work to be done regarding cybersecurity education and training for employees,” said Kristin Judge, director of government relations for the Alliance, via email.

“The trend we are seeing is one of creating a culture of cybersecurity within an organization, which means taking cybersecurity best practices out of the IT department and bringing them into the risk management discussion… Effectively responding to cyber threats is relatively new on the list of day-to-day business practices — so it will take some time to establish and instill widespread organizational change.”

Avivah Litan, a security analyst at Gartner, said companies are beginning to institute cybersecurity training programs. “When it is instituted, it really makes a huge difference,” Litan said in an email. She said she used to be cynical about the impact of these training programs, but has become convinced recently about how effective they can be. She wrote a blog in December describing how one Midwest energy firm had seen an almost 80% reduction in security incidents after training.

The alliance urges companies to talk frequently to workers about:

  • Rules for keeping a clean machine, including what programs, apps and data that workers can install and keep on their work computers;
  • Best practices for passwords, including making them long and strong, with uppercase and lowercase letters, numbers and symbols, and changing them routinely;
  • Throwing out suspicious links in email, tweets, posts, online ads, messages or attachments—even if they know the source;
  • Remembering to back up work, based on the policies of each company;
  • Speaking up if they notice strange happenings on their computer.

For business travelers going abroad, the National Counterintelligence and Security Center has posted a series of travel tips. They include suggestions such as taking a different mobile phone from the one you typically use and checking for updated cybersecurity alerts at the U.S. Computer Emergency Readiness Team’s website.

NotPetya – Destructive Wiper Disguised as Ransomware

by Oladimeji Ajayi

NotPetya/GoldenEye Malware Overwrites Master Boot Record

The Petya/NotPetya ransomware used in the global attack ongoing for the past two days was in fact hiding a wiper and was clearly aimed at data destruction, security researchers have discovered.

The attack started on June 27, with the largest number of victims being reported in Ukraine, where it apparently originated from. Within hours, the outbreak hit around 65 countries worldwide, including Belgium, Brazil, France, Germany, India, Russia, and the United States.

The attack would spread within local networks through various tools, including Mimikatz for credential gathering, and the EternalBlue exploit (also used by WannaCry), the EternalRomance exploit (Microsoft released patches for both in March), and WMIC (Windows Management Instrumentation Commandline) and PSExec for lateral movement.

The initial infection vector was the hijacked updater process of the tax accounting software MEDoc, but researchers also discovered that the website of the Ukrainian city of Bahmut might have been hacked and used to serve the malware as well.

Soon after the outbreak began, however, security researchers noticed that NotPetya wasn’t following the same rules as normal ransomware does when it comes to the payment process, and started sounding the alarm: an easy-to-block email address was used, a single Bitcoin address was hardcoded in the malware, and the payment process was rather counter-intuitive. The attackers weren’t seeking financial gains, multiple researchers said yesterday.

“A number of us in the security community are debating if the Petya attack on 27 June wasn’t a targeted attack on Ukraine, disguised as a ransomware attack on any organization caught up in the method used for infection,” Travis Farral, Director of Security Strategy at Anomali, told SecurityWeek in an emailed statement.

“There are details that support such a theory. The attackers behind the ransomware haven’t experienced much ROI despite the broad impact of the attack, they set up a weak payment process, launched the attack just prior to Ukraine’s Constitution Day and leveraged a malware family named for the pet name of Ukrainian President, Petro Poroshenko,” Farral continued.

During a phone call with SecurityWeek on Wednesday, Bitdefender senior e-threat analyst Bogdan Botezatu suggested that the attack might have had data destruction, rather than financial gain, as its final purpose, and it didn’t take long for Matt Suiche, Microsoft MVP and founder of Comae Technologies, to reach the same conclusion.

“The ransomware was a lure for the media, this version of Petya actually wipes the first sectors of the disk like we have seen with malwares such as Shamoon,” Suiche says.

He reveals that, while the original Petya was meant to encrypt the Master Boot Record (MBR) and demand ransom to decrypt it, the malware used in this attack, which was referred to as Petya.A, Petrwrap, NotPetya, exPetr, and GoldenEye, is in fact overwriting MBR sectors without saving them elsewhere.

“We noticed that the current implementation that massively infected multiple entities in Ukraine was in fact a wiper which just trashed the 25 first sector blocks of the disk,” Suiche says. The malware, he continues, “does permanent and irreversible damages to the disk.”

Comae also discovered that the attackers implemented a function to unconditionally wipe the first 10 sectors if two conditions were met: the hash command computed from a running process name (unknown so far) returned 0x2E214B44; the function that replaces the actual MBR returns an error (which should counter EDR trying to prevent bootloader modifications).

According to Kryptos Logic security researcher MalwareTech, however, the sectors that NotPetya overwrites in this attack don’t contain data at all. The malware supposedly saves the original first sector (MBR) elsewhere, but trashes the next 24 sectors.

“The 24 sectors following the MBR are completely empty on any standard Windows installation. […] Essentially on any standard Windows operating system there is nothing between sector 1 and sector 64,” the researcher points out.
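As an added illustration of the disk region Suiche and MalwareTech describe (example code written for this page, not tooling from the article or from either researcher): a small forensic triage check over the first 64 sectors of a raw disk image, run against a constructed sample image. The sample partition layout (first partition at LBA 2048) and the `0x07` fill pattern used to mimic the trashed sectors are assumptions.

```python
import struct

SECTOR = 512  # bytes per sector on a classic MBR disk

def sector(image: bytes, n: int) -> bytes:
    """Return sector n of a raw image (sector 0 is the MBR)."""
    return image[n * SECTOR:(n + 1) * SECTOR]

def mbr_signature_ok(image: bytes) -> bool:
    """A valid MBR ends with the boot signature 0x55 0xAA at offset 510."""
    return sector(image, 0)[510:512] == b"\x55\xaa"

def first_partition_lba(image: bytes) -> int:
    """Starting LBA of partition entry 1 (offset 446 + 8 in the MBR)."""
    return struct.unpack_from("<I", sector(image, 0), 446 + 8)[0]

def nonzero_sectors(image: bytes, first: int, last: int) -> list:
    """Sector numbers in [first, last] that hold any non-zero byte."""
    return [n for n in range(first, last + 1) if any(sector(image, n))]

def triage(image: bytes) -> dict:
    """What a responder wants to know about the gap between the MBR and the
    first partition: on a standard Windows install sectors 1-63 are empty,
    so any data there (or a broken boot signature) deserves a closer look."""
    return {
        "mbr_signature_ok": mbr_signature_ok(image),
        "first_partition_lba": first_partition_lba(image),
        "unexpected_data": nonzero_sectors(image, 1, 63),
    }

def build_sample(wiped: bool) -> bytes:
    """Constructed 64-sector image (an assumption, not a real disk): a minimal
    MBR whose first partition starts at LBA 2048, followed by empty sectors.
    With wiped=True the MBR and the 24 sectors after it are filled with a
    junk pattern, mimicking the 'first 25 sectors trashed' description."""
    mbr = bytearray(SECTOR)
    mbr[446] = 0x80                                       # entry 1: bootable
    mbr[446 + 4] = 0x07                                   # type: NTFS
    struct.pack_into("<II", mbr, 446 + 8, 2048, 204800)   # start LBA, size
    mbr[510:512] = b"\x55\xaa"
    rest = bytearray(SECTOR * 63)
    if wiped:
        junk = b"\x07" * SECTOR                           # constructed fill
        mbr[:] = junk
        rest[:SECTOR * 24] = junk * 24
    return bytes(mbr + rest)
```

Calling `triage(build_sample(True))` reports a broken boot signature and flags sectors 1 to 24, while `triage(build_sample(False))` flags nothing and shows the first partition starting at LBA 2048.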

Russian security firm Kaspersky Lab also reached the conclusion that the NotPetya campaign wasn’t designed as a ransomware attack, as everyone believed in the first place. Instead, it was “designed as a wiper pretending to be ransomware,” Kaspersky’s Anton Ivanov and Orkhan Mamedov explain in a recent blog post.

The first thing the researchers noticed was that the ransomware actually generates random data when pretending to generate the installation ID shown to the victim. Without a valid ID, the attackers can’t decrypt the victims’ files.

“That means that the attacker cannot extract any decryption information from such a randomly generated string displayed on the victim, and as a result, the victims will not be able to decrypt any of the encrypted disks using the installation ID,” Kaspersky says.

On the one hand, this means that victims can’t restore their data even if they pay the ransom. On the other, it reinforces the idea that the main goal of the attack “was not financially motivated, but destructive.”

“The fact of pretending to be a ransomware while being in fact a nation state attack — especially since WannaCry proved that widely spread ransomware aren’t financially profitable — is in our opinion a very subtle way from the attacker to control the narrative of the attack,” Suiche notes.

“Perhaps this attack was never intended to make money, rather to simply disrupt a large number of Ukrainian organizations. Launching an attack that would wipe victim hard drives would achieve the same effect, however, that would be an overtly aggressive action. Effectively wiping hard drives through the pretense of ransomware confuses the issue,” Gavin O’Gorman, Symantec Security Response, points out.

Avira reveals that computers with Russian or Ukrainian language settings were impacted the most. The company also notes that the attack affected mostly older Windows systems running Windows 7 SP1, but that Windows 8 systems were affected as well.

Affected users are advised to refrain from paying the ransom as that would by no means help them decrypt their data. This advice is particularly true for the NotPetya incident, as the attackers have no means to restore victims’ data.

“Do not pay. You will not only be financing criminals, but it is unlikely that you will regain access to your files,” Europol notes. “Disconnect the infected device from the internet. If the infected device is part of a network, try to isolate it as soon as possible, in order to prevent the infection from spreading to other machines,” the agency continues.

A Managed Services Approach that Contains IT Costs and Delivers on Business Expectations

by Oladimeji Ajayi

In an era of shrinking IT budgets and rising expectations for ever-increasing business value, traditional IT portfolio approaches must be revised to cope with lofty organizational demands.

Across industries, IT budgets for “run the business” initiatives have declined steadily over the past few years. Yet despite having fewer dollars to spend on activities such as application maintenance and extensions, many senior leaders still expect IT to deliver outcomes that meet if not exceed their strategic business objectives. 

To deliver on these expectations, IT must initiate a more rigorous review of the ROI measurement process and consider embracing a managed services-based approach to managing their portfolios. This approach, in our experience, can simultaneously reduce costs and increase the value delivered to business.

We believe organizations should adopt a “zero maintenance strategy,” based on the following imperatives:

  • Reduce non-discretionary spend by eliminating the effort expended to run applications in production while optimizing infrastructure costs by “rightsizing” application needs.
  • Optimize discretionary spend by accelerating time-to-market while, at the same time, ensuring that the technical and functional value of the application portfolio is increased.
  • Deliver business outcomes that continuously verify the relevance of installed applications and ensure they are not only “fit for use” but also “fit for purpose.”

WannaCry Ransomware: What is it and how can you protect yourself?

by Oladimeji Ajayi

WannaCry, Wanna Decryptor, WannaCrypt – whatever it’s referred to, the ransomware involved in the recent NHS computer hack is, by and large, the same bitcoin-demanding beast. Here we explain everything we know about the worm that caused global chaos.


WannaCry is a so-called encryption-based ransomware, also known as Wanna Decryptor or WCRY, Travis Farral, director of security strategy for Anomali, told WIRED.

It encrypts users’ files using the AES and RSA encryption ciphers, meaning only the hackers, holding a unique decryption key, can decrypt the files.

In previous WannaCry ransomware attacks, victims have been sent ransom notes with “instructions” in the form of !Please Read Me!.txt files, linking to ways of contacting the hackers. WannaCry changes the computer’s wallpaper to messages asking the victim to download the ransomware from Dropbox, before demanding hundreds of dollars in bitcoin to work.