As you may remember, last fall we were reading about, and perhaps experiencing, a major botnet-based DDoS attack against Dyn's DNS service. The attack was launched from roughly 100,000 network-connected devices, including surveillance cameras and DVRs, that had been infected with the Mirai malware, and it was reported to have consumed 1.2 Tbps (trillion bits per second) of bandwidth, the largest such attack recorded at the time.
Grabbing headlines this past month was a ransomware attack, WannaCry, of unprecedented worldwide scope. It has been published (see Shane Harris's book "@War") that the NSA has been consistently amassing a cyber arsenal of known vulnerabilities and exploit tools. Starting last summer, a group calling itself the Shadow Brokers released collections of exploits allegedly stolen from that arsenal. The one used by this ransomware is called EternalBlue; it exploits a flaw in the SMBv1 file-sharing protocol on Windows systems older than the latest Windows 10 release. Microsoft had patched the vulnerability (bulletin MS17-010) in March, but machines remained at risk for two reasons: either the patch wasn't applied, or the machine was running Windows XP, which was out of support and therefore had no patch. After the outbreak, Microsoft took the highly unusual step of issuing an update for Windows XP, Windows 8, and Windows Server 2003. (They also added a signature update for Windows Defender.) It is reported that 90 percent of English National Health Service trusts run Windows XP. Only because a British security researcher discovered and registered a "kill switch" domain in the malware did the damage not become more widespread.
To make life even more interesting, for those wannabe ransomers without the needed skills, there's "Ransomware as a Service" (RaaS), where you are supplied with customized code in exchange for the code writer taking a cut of the proceeds. One concierge-type offering called Fatboy even provides location-based pricing: victims in higher-cost-of-living areas, as determined by the Economist's Big Mac index, pay more to get their data decrypted.
So, it’s worth talking about how malware can get into a digital device and what we can do about it.
Technology: Systems get compromised through brute-force attacks and the exploitation of vulnerabilities. The most common brute-force attack is against passwords. Against a live login prompt, guessing is slow and noisy (and should be rate-limited), but once an attacker holds a stolen database of password hashes, millions or billions of candidates can be tested per second offline, starting with the most likely ones (a dictionary attack) before falling back to exhaustive character combinations. The common vulnerability exploits are mundane: default passwords left unchanged, unpatched systems with known vulnerabilities, and services needlessly exposed on open ports, especially to the internet.
People: As powerful as technology-based attacks may be, everything becomes simpler for the attacker once people are factored in. The primary vehicle is email. I'd like to think that many of us are wising up to the blanket phishing schemes that claim an account or password has been compromised and that you must click a link or open a document to resolve the issue. However, if you do, they've got you: either the link or the document can deliver malware to your machine and the network it is connected to. Spear phishing, the crafting of a personally targeted email, is more enticing still. By mining social media, public records, or purchased or stolen email lists, an attacker can create a very personal message that appears to come from someone you know or recognize. The end result is potentially the same: you're infected.
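The two link tricks that phishing mail leans on most, visible text that names one site while the href points at another, and a trusted brand name buried as a subdomain of an unrelated domain, can be checked mechanically before anyone clicks. The following is an added example written for this column, not code from the original article; the brand list, the "last two labels" approximation of a registrable domain, and the sample message are all constructed for illustration (a production filter would consult the Public Suffix List).

```python
"""Added example: flag the link tricks phishing emails rely on.

Constructed for illustration; not code from the original column.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical list of brands an organisation wants to protect from lookalike hosts.
PROTECTED_BRANDS = {"paypal", "microsoft"}

# Something that looks like a URL or bare hostname inside the visible link text.
URL_IN_TEXT = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL; bare 'www.example.com' text is treated as http."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels (assumption:
    a real deployment should use the Public Suffix List, e.g. for .co.uk)."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess_links(html_body):
    """Return [(href, visible_text, [reasons])] for every link worth a second look."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        if href.lower().startswith(("mailto:", "tel:")):
            continue
        host = host_of(href)
        if not host:
            continue
        reasons = []
        if _is_ip(host):
            reasons.append("link target is a bare IP address")
        shown = URL_IN_TEXT.search(text)
        if shown and registrable_domain(host_of(shown.group(0))) != registrable_domain(host):
            reasons.append("visible text names a different domain than the href")
        labels = host.split(".")
        reg_labels = registrable_domain(host).split(".")
        for brand in sorted(PROTECTED_BRANDS):
            if brand in labels and brand not in reg_labels:
                reasons.append(f"'{brand}' is only a subdomain of {registrable_domain(host)}")
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample email body (not a real message); 198.51.100.7 is a documentation address.
SAMPLE_EMAIL = """<html><body>
<p>Your account has been locked. Log in at
<a href="http://paypal.com.secure-login.example/reset">www.paypal.com</a>
to restore access.</p>
<p><a href="http://198.51.100.7/invoice.doc">View the attached invoice</a></p>
<p>Unsubscribe <a href="https://mail.example.org/unsubscribe">here</a>.</p>
</body></html>"""

if __name__ == "__main__":
    for href, text, reasons in assess_links(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}")
        for reason in reasons:
            print("   ", reason)
```

Run against the sample, the first link is flagged twice (text/href mismatch and "paypal" as a mere subdomain), the bare-IP invoice link once, and the genuine unsubscribe link not at all. The same "hover and compare the real destination" check is what the advice later in this column asks a human reader to do by eye.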
People: How many USB sticks have you found or been given lately? Many don't realize that the Stuxnet worm, which drove Iranian uranium-enrichment centrifuges at damaging speeds, was most likely introduced on an infected USB stick. Most information a vendor wants to give you can be provided via its website or another secure channel, so you are better off not accepting or using USB sticks for which you have no basis of trust.
People: Social engineering, the act of talking your way into useful or unauthorized information or access, is a valuable tool for reconnaissance and for attacks. Encounters can be in person, by telephone, email, or social media. Often they leverage one piece of obtained information to pry loose the next, until something really useful has been assembled.
While there are certain actions, such as vulnerability assessments and penetration testing, that organizations can and should take, we can all help by grabbing the low-hanging fruit.
- Passwords – If a device ships with a default password, change it before it goes on the network. Remember that the longer and more random a password, the harder it is to crack; added length does more than added symbols, so use all the character types available to you but prioritize length. Don't reuse a password across systems. If a password must be changed, don't make the new one a variant of the old (Summer2016! to Summer2017!), as those are the first guesses an attacker who knows the old one will try. Use a password generation and management service such as LastPass or Dashlane to make this practical.
- E-mails – Whether it's from your mother, your significant other, or a long-lost uncle in Nigeria looking to give you $1 million, don't open the attachment or click the link until you know you can trust it. (This also applies to texts and tweets.) Contact the person you know through a separate channel (not by replying to the message) and ask them to confirm they sent it.
- USB sticks – Buy your own from a trusted supplier; don't use found or freely handed-out ones.
- Social – Know who you're talking to, and ask for credentials and verification before giving out information or access.
- Security updates – Don't ignore them; apply them promptly.
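To put numbers behind the "Technology" paragraph on offline brute force and the password advice above, the following added example (written for this column, not code from the original article or from any password manager) generates a password from the OS's cryptographic random source, estimates the keyspace an attacker who knows the character classes must search, converts that to cracking time at an assumed rate, and rejects a new password that is merely a tweak of the old one. The wordlist, the 60-bit minimum, and the 1e11 guesses-per-second figure are assumptions chosen for illustration.

```python
"""Added example: password hygiene checks (generation, keyspace, variant detection).

Constructed for illustration; not code from the original column.
"""
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for the wordlist a dictionary attack tries first.
COMMON = {"password", "123456", "admin", "letmein", "qwerty"}


def generate_password(length=16):
    """Random password from the OS CSPRNG (never the random module for secrets)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def keyspace_bits(password):
    """Bits of work for an attacker who knows which character classes were used.
    Upper bound: it assumes the password is a uniformly random string over them."""
    classes = 0
    if any(c.islower() for c in password):
        classes += 26
    if any(c.isupper() for c in password):
        classes += 26
    if any(c.isdigit() for c in password):
        classes += 10
    if any(c in string.punctuation for c in password):
        classes += len(string.punctuation)
    return len(password) * math.log2(classes) if classes else 0.0


def crack_years(bits, guesses_per_second=1e11):
    """Expected years to search half the keyspace at the given offline rate.
    1e11/s is an assumed figure for a GPU rig against a fast hash such as NTLM;
    a slow hash like bcrypt cuts that rate by several orders of magnitude."""
    return (2 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)


def _normalize(pw):
    """Strip the decorations people add to 'change' a password: case, digits, symbols."""
    return "".join(c for c in pw.lower() if c.isalpha())


def _edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character rotations."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_variant(old, new, max_edits=2):
    """True if `new` is the kind of tweak an attacker who knows `old` tries first."""
    if _normalize(old) == _normalize(new):
        return True
    return _edit_distance(old.lower(), new.lower()) <= max_edits


def check_new_password(old, new, min_bits=60):
    """Return (accepted, reason). min_bits is an assumed policy threshold."""
    if new.lower() in COMMON or _normalize(new) in COMMON:
        return False, "appears in a dictionary/wordlist attackers try first"
    if old and is_variant(old, new):
        return False, "is a variant of the previous password"
    bits = keyspace_bits(new)
    if bits < min_bits:
        return False, f"only ~{bits:.0f} bits of keyspace; use a longer password"
    return True, f"~{bits:.0f} bits of keyspace"


if __name__ == "__main__":
    for old, new in [("Summer2016!", "Summer2017!"),
                     ("", "Password1"),
                     ("Summer2016!", "Tr0ub4dor&3"),
                     ("Summer2016!", "correct horse battery staple"),
                     ("Summer2016!", generate_password(20))]:
        ok, why = check_new_password(old, new)
        years = crack_years(keyspace_bits(new))
        print(f"{new!r:34} accepted={ok!s:5} {why} (~{years:.3g} years at 1e11/s)")
```

Two things fall out of running it: the 11-character "Tr0ub4dor&3", which uses every character class, sits at about 72 bits, while the 28-character lowercase passphrase sits above 130, which is why the list above says length beats symbols; and "Summer2017!" is rejected on sight because stripping case, digits and punctuation leaves the same word as the old password.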
For those who have employees, constant training and testing of your people is a must. Even when employees are told that a fake test email is coming their way, many will open it anyway. At the recent PSA Tec event, two integrators, Low Voltage Contractors (Minneapolis) and Integrated Security Technologies (Hawaii), told me they use such cyber awareness tests. Kudos to them! Check out the type of services offered by KnowBe4 (www.knowbe4.com), where customized phishing email campaigns, USB drop tests, password audits, and more are available.
About the Author: Ray Coulombe is Founder and Managing Director of SecuritySpecifiers and RepsForSecurity.com. Ray can be reached at [email protected], through LinkedIn at www.linkedin.com/in/raycoulombe or followed on Twitter @RayCoulombe.