I realize it is a bit cheeky for me to make security resolutions for your security program, but I believe you will find these recommendations to be straightforward and highly actionable. In no particular order:
- If you can’t do it, outsource it. Don’t skip a security control just because you lack the expertise or the capital budget to buy or manage it. Now more than ever, many security controls can be consumed as services rather than purchased as software or hardware appliances. Increasingly, security professionals, just like their cousins in the IT department, can leverage the cloud to get the services they need and save money and time to boot. Security professionals should use 2017 to accelerate their transformation from owning every aspect of implementing and maintaining each control to being the strategists and architects of their security controls.
- Plan for incident response now, well before you need it. In this era of near-certain, business-impacting security incidents, it’s key to plan now for the variety of incidents that will likely hit your business. You know what they are likely to be: ransomware, DDoS attacks, email-borne impersonation attacks, botnet infections, insider threats (malicious, accidental, policy-violating), and a handful of others. Work with the relevant functions around your organization, write your incident response plan down, and run a table-top exercise or two in 2017. It is much better to do it in theory once or twice before you have to do it for real.
- Make employee security awareness training an everyday affair and not a once-a-year, video-watching boredom fest. While no security program should rely wholly on employees to save it from security incidents, having well-informed and engaged employees greatly helps reduce the risk and mitigate the damage of the inevitable breach. Pushing out a 30-minute video once a year does not. Attacks are dynamic and unpredictable, and so should user training be. Build informative user messages and tests into the daily operation of your security program. When employees do the right thing, let them know. When they don’t, help them understand why what they did was risky. For example, make it easy for them to report likely spam and other suspicious emails. If you must block something they did, like visiting a sketchy Web site, make sure you tell them why they were blocked and what their options are.
- Evaluate your critical business processes and make sure they are not completely vulnerable to hacked IT systems or to the impersonation of executives or critical partners. Given how easy it is to spoof or hack an organization’s email, it is amazing how many business processes are 100% dependent on trusting the content of emails. One needs only to consider the number of fraudulent wire transfers generated from simple email requests apparently from executives or business partners to understand the absurdity of fully trusting an email. Make sure every important business process of yours has automated fraud inspection and out-of-band checks-and-balances built into the process. Don’t expect your users to be the first and last line of defense.
- I realize this resolution is like requesting three more wishes as your third wish from the Genie (Genies don’t go for that, by the way), but I strongly recommend leveraging the SANS 20 Critical Security Controls as a key security framework to benchmark your organization for 2017 and beyond. While there is a lot of depth behind these 20 controls, overall I find the SANS list to be both simple and comprehensive. It is a great framework for framing your security resolutions for 2017 and beyond.
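One way to implement the automated fraud inspection the impersonation resolution above calls for, as an added example that is not part of the original post or of any Mimecast product: a message is held for out-of-band confirmation when the display name matches a known executive on a different mailbox, the sender domain is a lookalike of the organization's own, the Reply-To diverges from the From address, or a payment request arrives from outside the trusted path. The internal domain, executive roster, payment phrases and the sample message are assumed, constructed values.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed values: our own domain, the executives worth protecting, and payment phrases.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com", "john roe": "john.roe@example.com"}
PAYMENT_TERMS = ("wire transfer", "urgent payment", "bank details", "pay this invoice")

def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def inspect_message(raw):
    """Return the reasons to hold a message for out-of-band verification ([] = none)."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", "").lower())
    domain = addr.rpartition("@")[2]
    name = " ".join(display.split())
    reasons = []
    # An executive's name shown on a mailbox that is not that executive's.
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        reasons.append(f"display name '{display}' is an executive but sender is {addr}")
    # A domain within two edits of ours (examp1e.com, exarnple.com); tune the threshold.
    if domain != INTERNAL_DOMAIN and edit_distance(domain, INTERNAL_DOMAIN) <= 2:
        reasons.append(f"sender domain {domain} is a lookalike of {INTERNAL_DOMAIN}")
    # Replies silently redirected to a mailbox other than the apparent sender's.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr:
        reasons.append(f"Reply-To {reply_to} differs from From {addr}")
    # Any payment request from outside the trusted path needs a phone or in-person check.
    body = (msg.get_payload(decode=True) or b"").decode(errors="replace")
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(term in text for term in PAYMENT_TERMS) and (reasons or domain != INTERNAL_DOMAIN):
        reasons.append("payment request; hold until confirmed out of band")
    return reasons

# Constructed sample message (not real mail); inspect_message(SUSPICIOUS) returns 4 reasons.
SUSPICIOUS = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@webmail.invalid
To: accounts@example.com
Subject: Urgent payment

Please process a wire transfer today; I am in a meeting and cannot talk.
"""
```

A non-empty result is the trigger for the out-of-band step: the request is not acted on until someone confirms it with the apparent sender by phone or in person.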
For a quick resource, here’s an eBook from Mimecast outlining five tips to combat email-based attacks.
Every now and again I hear otherwise sensible security people question why they should improve their security controls, when increasing their cyber-insurance coverage seems much easier and less costly, as if they were alternatives to one another. To me this is akin to debating whether it is better to eat right and stay fit or buy more health insurance coverage. To be clear, cyber-insurance is not a substitute for having strong and sensible security controls, just as health insurance is not a substitute for healthy living. Why is this?
Firstly, cyber-insurance can’t reasonably cover the non-quantifiable but quite real losses associated with breaches, such as brand impact, hits to customer goodwill, and staff time spent responding to incidents. Secondly, as a recent US federal court decision regarding a rather easy-to-defend-against, email-enabled attack highlighted, whether a successful attack is even covered is debatable and often has to be fought out in court to find out for sure. Thirdly, and very logically, insurance companies that write cyber-insurance increasingly measure organizations’ security posture and maturity to determine pricing and level of coverage. If your “cyber-health” is poor, expect to pay more, just as health coverage costs more for smokers than for non-smokers.
Clearly the takeaway of this blog is that security controls and cyber-insurance are complements, not substitutes. And given the relative immaturity of the cyber-insurance industry, the difficulty of determining what is covered, and the constantly evolving creativity of the attackers, good IT risk management practice calls for effective security controls backed up with cyber-insurance coverage that can help take the edge off a successful attack. Think complements, not substitutes.
Have you ever wondered about the key issues with ransomware? How it might affect you or even what to look for? Maybe you're simply curious as to how to react when you get hit? Look no further than this whiteboard session with our in-house security expert Matthew Gardiner. He touches on 8 key facts to be aware of with ransomware moving forward.
Hello, I’m Matthew Gardiner, a security specialist here at Mimecast. I’m here to talk to you about the 8 key facts about ransomware. But before I do that, I would like to explain to you exactly what ransomware is. Ransomware is a very popular form of attack with the goal of monetizing your assets. The way in which the hackers do this is by loading in a form of encryption software that encrypts your clients, your servers, and anything they can get their hands on, and then ransoming you the key to unlocking it to get the data back. For 2016, the FBI reported that approximately 1 billion dollars in ransoms are expected to be paid, so it’s a substantial and growing business. There are ways to defend yourself, but you do need to know the key facts before you can do that.
#1 Email is and will remain for the foreseeable future, the primary delivery mechanism
Why is that? Email is ubiquitous, email is cheap from the attacker’s point of view, and email is easy. And it’s a trusted source for many people. So people will click on links and open files with just a little bit of encouragement, enhanced with social engineering. So watch your email; even though it’s not the only source of ransomware infection, it is the primary source.
#2 The business of ransomware has shifted from one focused on consumers to corporations
The second thing is that the business of ransomware has shifted. Years ago it was a phenomenon that hit consumers, basically randomly hitting people on the Internet, which was a reasonable source of money from the attacker's point of view. But corporations and organizations really are a much better source, because the assets and the data that can be encrypted and thus ransomed are much more valuable. So you’ve seen a shift in the attacker’s focus from consumers to corporations, which makes complete sense when you think about it.
#3 Ransomware is not only a client-side problem – recent attacks have increasingly targeted server-side applications, such as databases, shared file systems, and customer management systems
Number three, and kind of related to number two: ransomware has shifted from being a purely client-side problem, meaning users’ desktops being encrypted, to one where the server side is the focus of the attack. Why is that? Well, when you think about the value of a single client vs. a server, the server is much more valuable, in that it’s a database or a shared file system or a customer transaction system that has a lot of value to the business, vs. a desktop that may or may not have a lot of value. So the shift is from the client to the server, although clients certainly do still get hit.
#4 Relying on Anti-Virus alone, or really any preventive-only security system, will not work as cybercriminals can work around all of them.
If you think about prevention, probably you’re thinking about your anti-virus. Traditional anti-virus isn’t going to be enough; in fact, any preventive system can be bypassed. What cybercriminals do is take preventive systems and put them into their development environments, and when they are developing an instance of ransomware they test it to make sure those systems don’t detect it and thus can’t defend against it. So a preventive-only solution depending primarily on anti-virus is not going to cut it for advanced forms of ransomware.
#5 The rise of crimeware kits, TOR, Bitcoin and sketchy, multi-lingual call centers, as well as other complementary services, has enabled non-technical cybercriminals to execute ransomware campaigns by assembling an ecosystem.
Why is ransomware hitting now more than in years past?
- 1st - It is largely because the ancillary services that an attacker needs are now readily available. What do I mean by that? For example, crimeware kits: an attacker can go to the market and get a kit for building a ransomware attack; he doesn’t have to build the technology himself, he can essentially go and buy it in the market.
- 2nd - Bitcoin. If you can’t be paid anonymously, it’s hard to be a ransomware criminal, because you can’t use the credit card network or PayPal; those are not anonymous, and if and when you get reported it will come back to the attacker. Whereas Bitcoin doesn’t know who owns it and doesn’t really keep track of how you got it.
- 3rd - Things like TOR, the onion router, the network used to essentially hide the client and server communications, so attackers can hide on the TOR network. And with this it’s very hard to track where the attack is actually coming from.
- 4th - Call centers. In some cases you need to communicate with the attackers, and so there are actually call centers for hire that will help support these criminal enterprises in multiple languages. So if you’re English you can actually choose the English-speaker version; if you’re German you can hit the German speaker in these call centers.
There are many other examples of the ecosystem of products and services that attackers leverage as part of their ransomware and other types of criminal campaigns.
#6 Ransomware Can be Distributed into Existing Botnets – Splitting the $
There are other ways ransomware can be distributed, not just via email. We have examples of botnets, zombie computers that are run by a botnet master and can be used for many purposes. One purpose that is becoming more common is the delivery of ransomware. So if your machine is part of a botnet, it could be part of a ransomware campaign in the future. There are other ways to get infected with ransomware beyond botnets; you could have poisoned USBs and other ways. So it’s important to remember that while email is the primary attack method, there are other methods that can, in fact, get you into a ransomware bind.
#7 It can only be combated using a two-layer method: technology and herd alertness.
You can defend yourself with technology and what we call “herd” alertness. So there is technology that exists, services that exist, that go beyond traditional preventive controls. Things like sandboxing and secure email gateways in the cloud can be applied to help prevent infection, and others can actually address a ransomware infection even after it has occurred.
The “herd” alertness relates to user awareness. The more users are aware of both what not to do and what to do so as not to get infected with ransomware, and, if they do those things anyway, understand what has happened, the better; that is really, really valuable. Your organization can detect a ransomware campaign, process it, and better defend and react to it if your herd, your users, better understand the importance of taking part in your defense plan.
#8 A three-tier approach is needed to protect yourself: Prevention, Continuity and Recovery
Really the best way to think about a defensive program is in three-tiers.
- So try to maximize your prevention with some of the methods I mentioned. But don’t think these will be fool-proof. Make sure you have a continuity plan so you can keep operating in the midst of an attack.
- For example, if a user’s machine is hit, how is the user going to do business, how are they going to send and receive email while their systems are being fixed? Same on the server side: if servers go down, you need to have a plan, including a ransomware plan. Just as in the case of a hurricane hitting, the business needs to be able to keep on going.
- You need to have a recovery plan, like a disaster recovery plan, where you’re consistently archiving, backing up, and setting yourself up for quick recovery, because you never want to get into a situation where you have to pay a ransom, because it only feeds the criminal cycle. And if you pay the ransom once, they will come after you again to try to get more money.
Again, these are the 8 key facts about how to better prepare yourself and defend against ransomware. I hope these help. Thank you.
August 17, 2016
I am in the middle of my second week here at Mimecast and am excited to focus on all things security. The timing of my arrival is good as we just released important new data around malicious insiders. Here’s my take on the topic …
There’s nothing worse than being hit with a surprise attack from behind – especially by a previously trusted person. In the military, surprise rearguard actions can be very effective for the attacker and very debilitating for the defender. In a sense, cyberattacks from malicious insiders are a form of a digital rearguard action.
Today, most IT security defenses are set up to defend against external attackers, be they cybercriminals in search of money, nation states pursuing strategic advantage, or hacktivists with a politically driven agenda. And, this allocation of resources does make some sense, as most attacks do come from outside the organization – but not all. Attacks also do come from the inside. And, these attacks, when originated by trusted insiders, have proven to be extremely damaging.
In one recent example, this past July a Citibank IT engineer was sentenced to 21 months in prison for using his administrative access to wipe out nine of the company’s network routers, bringing down 90% of Citibank’s network. In Mimecast’s new survey 45% of respondents picked “Malicious Insider Attack” as their number-one perceived security vulnerability. Clearly, this is an area deserving greater focus.
Your security program needs to be based in reality. You need to honestly assess the trustworthiness of your insiders, the amount of damage they could reasonably do if they had both the motivation and the opportunity, and how far security controls can be applied given the culture and practices of the organization. Reasonable controls for malicious insiders need to be put in place to reduce the business risk to an acceptable level.
Most security programs don’t sufficiently factor in controls for the malicious insider. This is unfortunate, as there are some basic ones that are cost-effective and help protect against malicious insiders, non-malicious insiders, and external attackers alike.
Here are four tips to help reduce the risk of a malicious insider attack:
- Use role-based access management, in particular on critical systems and for highly privileged users, such as IT administrators. This approach limits the ability of malicious actors to do damage.
- Don’t make it easy for the malicious insider to steal your data. Monitor and block the movement of sensitive data outside the organization via email, ftp, and via the web.
- Train employees – regularly. The more eyes you have on this area of risk the better. Help your team understand that “if they see something, say something.”
- Update your incident response plan to include how to guard against and respond to malicious activities by insiders. This will definitely need to involve more than just your IT and Security departments – include HR, legal and PR.