As I write this column, a major worldwide cyber event is in the news. As you may remember, last fall we were reading about – and perhaps experiencing – a major botnet-based DDoS attack against Dyn’s DNS service. The attack employed roughly 100,000 network-connected devices, including surveillance cameras, and the Mirai virus to tie up 1.2 Tbps (trillion bits per second) of bandwidth, the largest such attack recorded.
Grabbing headlines this time is a ransomware attack of unprecedented worldwide scope. It has been published – refer to the book “War,” by Shane Harris – that the NSA has been consistently amassing a cyber arsenal of known vulnerabilities and exploit tools. Last summer, a group called Shadow Brokers released a collection of exploits allegedly stolen from that arsenal. This particular ransomware exploit is called EternalBlue and targets Windows systems earlier than the latest Windows 10 release.
Microsoft had patched this vulnerability in March, but machines remained at risk for two reasons – either patches were not applied, or machines running Windows XP couldn’t be patched because of the end of Microsoft support for them. After the exploit was unleashed, Microsoft took the highly unusual step of issuing an update for Windows XP, Windows 8, and Server 2003, along with a signature update for Windows Defender.
It has been reported that 90 percent of the English National Health Service trusts run Windows XP. Only because an English cyber researcher discovered a kill switch in the exploit did the damage not become more widespread.
READ MORE: Check out more on the Ransomware attack and how security integrators can help protect against this threat in SD&I's June cover story.
To make life even more interesting, for those wannabe ransomers without the needed skills, there is “Ransomware as a Service” (RaaS) – where you can get supplied with customized code in exchange for the code writer getting a cut of the action. One concierge-type offering, called Fatboy, even provides location-based pricing, whereby victims in higher cost of living areas, as determined by the Economist’s Big Mac index, pay more to get their data decrypted.
So, it is worth exploring how malware can get into a digital device and what can be done about it.
Attack Vectors and Prevention Techniques
Technology: Systems themselves may get compromised through brute-force attacks and the exploitation of vulnerabilities. The most common brute-force attack is against passwords where millions or billions of character combinations may be tested in seconds, starting with the most likely combinations – a dictionary attack. Common vulnerability exploits occur through default passwords remaining unchanged, unpatched systems with known vulnerabilities and needlessly opened ports.
People: As powerful as technology-based attacks may be, attacks become simpler when people are factored in. The primary vehicle is email – I would like to think that many are wising up to the blanket phishing schemes that tell you an account or password has been compromised and you must click a link or view a document to resolve the issue; however, if you do, they have got you. Either can be a vehicle for malware entering your machine and the network it is connected to. Spear phishing – the act of crafting a personally targeted email – is more enticing. By leveraging social media, public records, purchased or stolen email lists, or other means, a very personal email can be created to appear to be from someone you know or recognize. The end result is potentially the same: You are infected.
Additionally, social engineering – the act of gaining useful or unauthorized information or access – is a valuable tool for reconnaissance or attacks. Encounters can be in-person, via telephone, email or social media. Sometimes, they involve leveraging one piece of received information to get more until something really useful is assembled.
Giveaways: How many USB sticks have you found or been given lately? Many do not realize that the Stuxnet virus – which caused Iranian centrifuges to spin out of control – was likely inserted by an infected USB stick. Most information from vendors can be provided via website or other secure means, so you are better off not accepting or using USB sticks for which you have no basis of trust.
While certain actions such as vulnerability assessments and penetration testing can and should be taken by organizations, dealer/integrators can help both themselves (internal policies) and their customers by helping to secure the following low-hanging fruit:
- Passwords – If you are working with devices that require passwords, immediately move away from the default. Remember that the longer and more randomized a password, the more difficult it is to crack. Use all character types available to you. If passwords must be changed, do not make the new password a variant of the old, as that is easier to guess. Use a password generation and management service such as LastPass or Dashlane to make this doable and more effective.
- Email – Whether it is from your mother, special other, or long-lost uncle from Nigeria looking to give you a million bucks, do not open the attachment or click on a link until you know you can trust it. This also applies to texts and tweets. Contact that person you know – directly, and not as a “reply” – and get validation.
- USB sticks – Get your own from a trusted supplier.
- Social interaction – Know who you are talking to and ask for credentials and verification.
- Security updates and patches – Do not ignore them.
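The password advice in the list above, as an added example that is not from the column: a small Python policy checker that estimates the brute-force search space from length and character classes, rejects default or dictionary words that a dictionary attack would try first, and flags a new password that is only a rotated variant of the old one. The guess rate, the denylist and the 60-bit threshold are constructed assumptions for illustration.

```python
import math
import string

# Constructed assumptions (not figures from the column): a fast offline cracking rig and a tiny denylist.
GUESSES_PER_SECOND = 1e10
COMMON = {"password", "123456", "admin", "qwerty", "letmein", "welcome", "summer"}
SECONDS_PER_YEAR = 365 * 24 * 3600

def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker must cover, from the character classes present."""
    classes = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
               (lambda c: c in string.punctuation, 32)]
    return sum(n for test, n in classes if any(test(c) for c in pw))

def search_space_bits(pw: str) -> float:
    """log2 of the brute-force search space: length * log2(alphabet)."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0

def years_to_exhaust(pw: str) -> float:
    """Years to try every candidate at GUESSES_PER_SECOND; an upper bound, dictionary attacks are faster."""
    return 2 ** search_space_bits(pw) / GUESSES_PER_SECOND / SECONDS_PER_YEAR

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with a single-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def _core(pw: str) -> str:
    """Lowercase and drop the trailing digits/symbols people bump on rotation (Summer2017! -> summer)."""
    return pw.lower().rstrip(string.digits + string.punctuation)

def is_variant_of(old: str, new: str) -> bool:
    """True if the new password is a small edit of the old one, before or after normalisation."""
    return edit_distance(_core(old), _core(new)) <= 2 or edit_distance(old.lower(), new.lower()) <= 2

def check_password(new: str, old: str = "") -> list:
    """Return the policy problems found; an empty list means the password passes."""
    problems = []
    if _core(new) in COMMON:
        problems.append("default or dictionary word")
    if search_space_bits(new) < 60:
        problems.append("search space too small: %.0f bits" % search_space_bits(new))
    if old and is_variant_of(old, new):
        problems.append("variant of the previous password")
    return problems
```

The bit estimate is deliberately optimistic for the attacker, which is why the denylist and variant check exist alongside it: a long password built from a dictionary word still falls to the "most likely combinations first" strategy the column describes.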
For those who have employees, constant training and testing of your people is a must. Even when employees are told that a test fake email is coming their way, many will open it anyway.
At the recent PSA TEC event, two integrators – Low Voltage Contractors (Minneapolis) and Integrated Security Technologies (Hawaii) – told me they use such cyber awareness tests. Kudos to them!
For more information, check out the type of services offered by KnowBe4 (www.knowbe4.com) where customized email programs, USB security, password tests and more are available.
Ray Coulombe is Founder and Managing Director of SecuritySpecifiers and RepsForSecurity.com. Reach him at [email protected], through LinkedIn at www.linkedin.com/in/raycoulombe or follow him on Twitter, @RayCoulombe.