There has been a recent trend for companies to “negotiate” with the criminal terrorists behind wave of ransomware attacks across the world by paying the ransom. In a recent study some alarming statistics have been released:
Current Ransomware Stats
If Ransom is Paid: The global findings also show that only 8% of organizations manage to get back all of their data after paying a ransom, with 29% getting back no more than half of their data.
Cost of Ransom: The average ransom paid was $170,404. While $3.2 million was the highest payment out of those surveyed, the most common payment was $10,000. Ten organizations paid ransoms of $1 million or more.
Who is Paying the Ransom: The number of organizations that paid the ransom increased from 26% in 2020 to 32% in 2021.
The Brighter Side: While the number of organizations that experienced a ransomware attack fell from 51% of respondents surveyed in 2020 to 37% in 2021, and fewer organizations suffered data encryption as the result of a significant attack (54% in 2021 compared to 73% in 2020).
What is Being Done
There are now organizations trying to create a common framework to address this threat. The Institute for Security and Technology has created a Ransomware Task Force. This task force has been working to develop this framework and has published some guidance. Even though this is just the foundation work, it is good to see that efforts are being made.
If your company is worried about the threat of ransomware, then contact us for assistance setting up a multiple layer approach to security.
There has been information released by a security research firm called Eclypsium that there is a vulnerability dubbed Boothole in Unified Extensible Firmware Interface (UEFI) Secure Boot that would allow an attacker to completely take over a workstation, laptop, or server and be nearly undetectable. All hardware vendors will have to send out updates in the near future to patch the UEFI code to secure it against this “BootHole” vulnerability. Due to the difficulty in designing and testing these types of updates it will be some time before they are released. We will keep you posted as to the release of these updates as they become available.
If your company is concerned about security, then contact us for assistance.
Many industries we serve are under some sort of compliance requirements – HIPAA, PCI, GDPR, etc. and several of these require some sort of vulnerability scans or penetration testing:
HIPAA Section 164.308(a)(1)(ii)(A) states:
RISK ANALYSIS (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].
PCI DSS Requirement 11.3:
The scope of a penetration test, as defined in PCI DSS Requirement 11.3, must include the entire CDE perimeter and any critical systems that may impact the security of the CDE as well as the environment in scope for PCI DSS. This includes both the external perimeter (public-facing attack surfaces) and the internal perimeter of the CDE (LAN-LAN attack surfaces).
GDPR Article 32 states:
A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing
Farmhouse Networking has begun offering both internal and external network vulnerability scans and penetration testing for clients who fall under compliance requirements. We also provide remediation planning and implementation for any issues found during the scans.
If your company is has compliance requirements for internal or external vulnerability scans or penetration testing, then contact us for assistance.
Got a call a couple weeks ago from a local church:
“we came in and open the computer and we have ransomware on there. We can’t even get to any of our stuff. It’s telling us to email somebody and so that they can free up the computer.”
How does this happen?
Generally these things happen because people click on things they shouldn’t. Whether in an attachment in email from someone they don’t recognize, a link in social media that sounds too good to pass up, or an advertisement for something they can’t live without. Once the user gives permission for something to open or run on their computer the game is over and the hacker wins.
What to do when it happen?
Stop using the computer.
Leave the computer alone! Do not carry out any further commands, including commands to Save data.
Do not close any of the computer’s windows or programs. Leave the computer alone.
Leave everything plugged in and do not turn off the computer or peripheral devices.
If possible, physically disconnect the computer from networks to which it is attached.
Call us immediately. Write down any unusual behavior of the computer (screen messages, unexpected disk access, unusual responses to commands) and the time when they were first noticed.
Write down any changes in hardware, software, or usage that preceded the malfunction.
Do not attempt to remove a suspected virus! Let the professionals do the dirty work.
How to prevent this from happening?
Layers of protection is the simple answer. A good antivirus installed to stop the bad programs from running, DNS filtering to keep users off of bad sites / advertisements, a good backup of all data to recover when this does happen, and most important of all EDUCATION – teaching users what safe internet usage looks like and having policies in effect to train them can mitigate 60-70% of infections.
If your company is would like to discuss the layers of security you have in place, then contact us for assistance.
NIST is the National Institute of Standards and Technology. It acts as the defacto baseline that all other security and compliance organizations use to construct their standards. Reading their publications is like reading any other government document – extremely long and not interesting. Farmhouse Networking recently became aware of one such document called NISTIR 7621 aka Small Business Information Security: The Fundamentals. We took the time to distill out the main points here:
The Fundamentals aka Best Practices
Identify: Who has access to the network, who has access to the data, and what do they have access to. This includes background checking employees during the hiring process, taking an inventory of data to see who needs access to what, requiring that each user have their own login, and company policy creation.
Protect: Protection starts with separating data into shares then giving access only to those who really need it. It also includes protecting hardware with uninterruptible power supplies (UPS) and protecting software with regular updates. Protecting the network includes setting up a proper firewall, separate wireless for guest access, and VPN only access for remote users. Web filtering, SPAM filtering, file encryption, proper disposal of old equipment, and employee training are also mentioned.
Detect: Having a centrally managed antivirus software on each workstation is a must. This includes the ability to look back in time via log files or monitoring system to find the root of the security breach.
Respond: Have a disaster recovery plan and security incident response plan in place.
Recover: Need full backups of all important business data, invest in cyber insurance, and regularly access your technology to find timely improvements.
If your company does not meet these fundamentals, then contact us for assistance.
“In a new stunning example of the scale and sophistication of online cybercrime, just before the holidays, DOJ charged two hackers with stealing hundreds of gigabytes of data—including sensitive intellectual property, confidential business data, and personal information from companies and government agencies around the world—as part of a multi-year cyber-espionage campaign that targeted managed service providers (MSPs) directly, bypassing the protections of client systems. This indictment is the latest example of the U.S. government’s use of the criminal justice system to crack down on state-sponsored economic espionage.
As alleged in the indictment, the hackers belong to what is believed to be an elite, Chinese government-sponsored group known within the cyber-security community as Advanced Persistent Threat 10 (APT10). The targets of the hacking campaign included companies in the aerospace, health care, biotechnology, finance, manufacturing, and oil and gas industries, as well as U.S. government agencies, such as NASA and the U.S. Department of Energy.”
The indictment alleges that APT10’s MSP Theft Campaign began in 2014 and involved three stages.
The hackers gained unauthorized access into the MSPs’ computers and installed malware allowing APT10 to remotely monitor the computers and steal login credentials.
The group then used these stolen credentials to move laterally into each MSP’s network and the networks of their clients, further spreading the malware infection.
APT10 identified data of interest on these compromised computers and created packages for exfiltration using encrypted archives, allowing the hackers to move the data from one system to another before ultimately transferring it to APT10’s computers.
This sort of breach calls into question the operating procedures of MSPs everywhere, their security practices, and moral compass. If IT support staff are not trained in best practice and cannot keep from being infected via websites or emails, then what business do they have managing larger network systems with sensitive data.
If you are unsure of your MSPs practices and would prefer a company with transparency, then contact us for assistance.
Phase 1: Break-In: Hackers are still using phishing emails, bad passwords, social media links, and poorly patched systems to make their way in with the initial infection. Employee training is the first step towards preventing breaches for 9 out of 10 companies now (and it is included in the price for all our monthly clients).
Phase 2: The Inside Man: Once inside the hacker will scan the network for further vulnerable systems, employees with more access rights than they need, and systems that allow access into other parts of the network. Having systems in place that detect strange or malicious activity are key to stopping an infection in its tracks.
Phase 3: Spread Out: This is where the hacker has all the access they need and start to find the data that is worth selling. Hackers will usually start moving data to places it doesn’t belong on the network then downloading it to their computers for resell. This is where strong access policies that are clearly defined and enforced make the greatest impact to protect sensitive data.
Phase 4: The Long Con: Once a hacker has taken all they need for the short term payout, they will setup remote access back doors to allow for future access whenever they want to. It almost pays to assume that a breach has already occurred and continually scan the network for these kinds of activity to catch the hackers in the act.
Take the time to read this article, it is a wake-up call on security.
If you would like to learn more about creating an effective cyber defense strategy and mitigating risk, then contact us for assistance.
It’s an unfortunate reality but our workforce can often times be our worst enemies, often creating vulnerabilities and leaving our systems open to hackers, viruses, data breaches and data loss. More often than not, we do this through completely harmless, everyday activities like opening compromised emails and links.
As a leader in your organization it’s your role to monitor your team and arm them with the knowledge of good security practices. Without implementing a company-wide security training program, you leave your systems vulnerable to a host of attacks.
Another crucial step in preventing system attacks, is to configure a firewall to monitor user activity and website visits throughout your organization. An Acceptable Use Policy is helpful in establishing what your organization will and will not allow from its employees.
Curious how we can help you establish a more secure company infrastructure?