Tag Archives: incident response

Security News for the Week Ending December 17, 2021

The Gift That Keeps on Giving – Log4j – List of Affected Vendors

First, get used to hearing about this. It will be haunting us for months, at least. Jen Easterly, current head of DHS’s CISA and formerly at NSA and a professor at the US Military Academy at West Point says this may be THE WORST vulnerability she has seen in her career. As of Monday, here is a list of affected vendors. If you use any of these vendors, and it looks like a who’s who of computer software, watch for patches. Second, it looks like the first patch for Log4j, 2.15, didn’t close the hole and now there is a new release, 2.16. This will keep evolving, so if you are a company that uses software, this applies to you.

From Friday through Tuesday researchers tracked more than 840,000 attempted attacks looking for the Log4J vulnerability. They are only getting started. Credit: Ars Technica

Hackers Hit Third Cryptocurrency Company This Month-Total Haul is Over $400 Mil

Vulcan Forge is the next cryptocurrency company to get hit by hackers. They stole about $135 million from them. If you get the sense that cryptocurrency software is buggy and processes are weak, you have it about right. In VulcanForge’s case, since it is decentralized, there is no central authority to block the movement of stolen currency. This is not going to end anytime soon. Credit: Vice

Apple Airtags Make a Wonderful Stalking Tool

Stalkers are using Apple Airtags to stalk people. A woman in Arkansas, for example, got into her car and her iPhone told her that an airtag was following her. She found the tag on her trunk. If a stalker tried to hide it, say under her car somewhere, it would be more difficult to find. Apple says that Android users can detect a rogue Airtag because it will beep if it is separated from its owner for more than three days (assuming that is the case).

Credit: Apple Insider and Daily Kos. Apple has released an Android app to detect rogue trackers, but how many Android users are going to even think of downloading an Apple app. Credit: PC Mag

Feds Don’t Quite Handle Incident Response

A backdoor in the network of the United States Commission on International Religious Freedom has allowed attackers to intercept, and likely exfiltrate, all local network traffic on the agency’s systems. Security firm Avast discovered the intrusion in May, spoke the agency’s executive director and even talked to CISA. After getting no follow-up for months, Avast published their findings. Avast says that due to lack of communications from the Agency, they don’t know if they fixed the problem. They have since reached out to other agencies and NGOs focused on international rights to warn them. Maybe they fixed the problem right away? Who knows? Credit: Data Breach Today

Confusion Over Cyber Attack Response

The Washington Post had an eye opening story on just how bad things are when it comes to responding to cyber attacks. Based on a congressional review by the House Oversight Office of three very major cyber attacks (CNA, Colonial and JBS), we have some insight into why incident response preparation is so important.

#1 – Who should victims call in the government?

If you don’t already have the name and cell phone number of the person you are going to call if you need help, get that now. Establish a relationship and keep it active.

“Colonial was in contact with at least seven federal agencies or offices,” the committee found. “CNA was initially referred to one FBI field office before a different field office was designated as the primary point of contact.”

In the case of JBS, the company emailed the FBI. But it took several hours for a substantive reply, as the email was forwarded between case agents at the same field office who were trying to determine the right point of contact, investigators found. 

#2 – How are you going to handle the hacker’s timeline. The hackers say if you don’t pay in 24 hours, the ransom doubles, for example and in 72 hours we are going to publish your data. Are you ready to handle that? Assume that you don’t have access to email or any company files that are online or maybe even in the cloud.

Hackers with the REvil gang, for example, told JBS their $22.5 million ransom demand would double if it wasn’t paid quickly. They also threatened to post the company’s data publicly if they weren’t paid within three days. Eventually JBS negotiated paying an $11 million ransom. 

Colonial faced a similar threat of a doubled ransom after a set period of time. Hackers with the DarkSide gang amped up the pressure with a clock ticking down in the corner of the company’s computer screens. 

The feds really have to get their act together, but you can’t count on that happening so you need to take action yourself.

For some critical infrastructure, the feds are starting to collaborate with industry, but that is not going to help most companies.

This comes a day after an FBI law enforcement web site was hacked.

There is some good news. In the new $1 trillion infrastructure bill about $2 billion of that money, assuming it actually gets funded, which is less than one percent of that money, is allocated to cybersecurity.

In the case of these high profile attacks, the companies were not prepared. See more information at The Hill

ARE YOU PREPARED?

New Security Metrics to Consider – 24/72 and 1/10/60

Once a new bug is publicly announced, it takes, on average, seven days for bad guys to figure out how to weaponize it.

Experts say that this means that you need to harden your systems against that new attack within 72 hours.  That is not very long, even for the best of operations.

How long does it take the average organization to close holes?

On average – 102 days or 15 times the amount of time it takes to weaponize it.

Once a vulnerability is disclosed, it is a race between the good guys and the bad guys to either  fix it or abuse it.

Some examples:

Microsoft patched Bluekeep, a bug that was very well publicized in May 2019.   It was also explained why it was critical to patch.  In December 2019, there were at least 700,000 machines publicly exposed and still vulnerable.

Remember Wannacry?  Sophos says that there are still a large number of machines not patched against it – two years later.

Zero day attacks are even worse – best practice says that they should be patched in 24 hours.

To add to the complexity of the problem for IT, these fixes need to be tested.

So if the benchmark for MEAN TIME TO HARDENING is 24 HOURS FOR ZERO DAYS AND 72 HOURS FOR OTHER FIXES, IT has got a lot of work to do.

The cousin of this is incident response.  Crowdstrike sets the benchmark at 1/10/60.

For those of you not familiar with this benchmark, it means:

  • ONE MINUTE TO DETECT
  • TEN MINUTES TO UNDERSTAND
  • SIXTY MINUTES TO CONTAIN

These two goals really important and also really hard.  Almost no organizations can currently do this.

These two goals interact with each other.  If we can close off enough holes then we make it harder for the bad guys.  This allows IT to focus on the remaining attacks.

For IT, the battle is basically the need for speed.

So here are the recommendations:

24/72 (hours) for patching

1/10/60 (minutes) for incident response

For almost all organizations, this is a big project.  Everybody ready?

Source: Threatpost

77% of Orgs Lack a Cybersecurity Incident Response Plan

The fourth annual benchmark on cyber resilience authored by  Larry Ponemon and paid for by IBM shows that 77% of the organizations surveyed do not have a cybersecurity incident response program applied consistently across the organization.

Does your organization have an effective, trained and tested cybersecurity incident response program (CSISP) that works across all parts of your organization?

For organizations that said that they do have an CSIRP,  54% said that they do not test it regularly.   Not testing it regularly is the equivalent of not having one.  That is more than half.

Other results from the study include:

  • Less than 25% of the organizations say that they use significant automation in responding to breaches.
  • Only 30% said that they had sufficient cybersecurity staffing.
  • 62% said that aligning cybersecurity and privacy is critical to achieving cyber resilience.

There are some pretty clear recommendations that can be drawn from these results:

1. The three-quarters of organizations that do not have incident response plans need to create one (having one reduces the cost of a breach significantly according to another study).

2. Organizations need to test their plans regularly. 

3. Automation improves the speed and consistency of response.  Not having automation makes response more problematic.

4.  Staffing is still an issue and staffing with the right skills is a problem.

5. With all of the new privacy regulations (such as CCPA, GDPR and others), privacy incident management and security incident management need to be tightly aligned.

How well does your organization do?

Contact us if you need assistance in improving your program.

For more information on the study, go to Help Net Security‘s web site.

Norsk Hydro Ransomware Attack Impacts Price of Aluminum

Update:  The Washington Post pointed out that malware probably did not spread from Norsk’s IT network to it’s plant floor or OT network since they were able to run some plants manually.  This is where network segmentation is really important, even within the IT network.  They also pointed out that Norsk was very public about what was going on, even though it had a (likely) short term impact on their stock price.  They definitely should get gold stars for that.  Source: The Washington Post.

Aluminum Giant Norsk Hydro was hit with a ransomware attack this week.

The attack has forced the company to shut down several plants and take other other plants offline to stop the spread of the attack.

Other plants were operating in “manual” mode.

The Norwegian company employs 35,000 employees in 40 countries.  They report that their entire worldwide network is down affecting production and office  operations.

While some smelting operations can run manually, the company has had to shut down some of its extrusion plants.

The company says that it doesn’t plan to pay the ransom and plans to restore its systems from backups.

One expert suggested that the attacker(s) might have gained domain admin access and then installed a malicious executable on the domain controllers.  From there it gets downloaded to any machine that logs on to the network – workstation or server.  That is why they had to completely shut down the network.

The interesting thing is that they said that this attack is so big that it is affecting the spot price of aluminum on the world market.

So what does this have to do with you?

Let’s assume that you got hit with a ransomware attack.  Not a great thought but not impossible either.

Now assume that you had to shut down the entire company network.   Maybe computers can be powered up, but maybe not.  Since the network is down, the cloud based phone system doesn’t work.  No email and your cell is only useful as a phone.  As long as it doesn’t need WiFi access to work.

How will your company operate?

Are you prepared for an event like this?

Do you have a plan?  Have you tested it?  When?

This is not an isolated event.  We hear about it all the time.  Most of the time it doesn’t affect the spot price of materials on the world market.  That doesn’t mean that it won’t hurt you.

Your cyber incident response plan, program and training is critical.  Are the external third party resources that you may need identified?  Have you reviewed the contracts that will need to be signed?  

Do you have backup plans for how your business will operate when you no longer have a network or an Internet connection?

What happens when your web site goes down?  Will visitors just get a message that your site can’t be found?  What will they think if that happens?

In the case of Norsk it was a ransomware attack, but it could be a failure of your Internet provider, a fire in your building, a burst water pipe in your data center or any number of other possible situations.

In their case, they can afford the millions of dollars they are spending to deal with the situation.  Can you afford that?

Will your cyber risk insurance cover all of this?  Many times companies come to us after discovering that their insurance won’t cover the loss and we look at the policy.  The insurance company is right.  It doesn’t cover it.  That is because cyber insurance is like the wild west and if your agent does not write a lot of coverage, you may or may not get what you need.  This is very different than almost EVERY other form of insurance.  In Colorado and many (most) other states, cyber risk insurance is not regulated by the Department of Insurance.

If you are not prepared then now is the time to get prepared, because it is not a matter of if, but rather how, how bad and when.  

Plan now or deal with it later and dealing with it later will not be pretty.  Take it from someone who knows.

Information for this post came from Threatpost.

 

Dolce and Gabbana Needs a Better Incident Response Program

Stefano Gabbana is known for very edgy ads and posts on social media.  Some people say over the edge – way over the edge.

The brand ran a series of commercials of Chinese people eating pizza and other Italian foods with chopsticks on the eve of a star-studded fashion show in Hong Kong.  I suspect someone thought that it was something the Chinese would find funny (?).

Then Gabbana’s Instagram account sent out racist taunts to people who were complaining about the ad campaign.

The company’s response was to claim that both Stefano’s and the Company’s Instagram accounts were hijacked.  Few people believed that.  Stefano posted this note on his instagram account after.

If there is one thing the Chinese are, it is loyal to their country.  Models pulled out of the show. Next celebrity guests pulled out.  The show was cancelled less than 24 hours before it was scheduled to go on.

Now D&G merchandise is being pulled from store shelves and removed from web sites.  A full scale disaster for the company.

So what lessons are there to learn from this?

The obvious one is that if your strategy for getting attention is edgy commercials and racist social media posts, you might want to rethink that, especially in certain countries.

In reality, most companies don’t do that, at least on purpose.

The bigger issue is how to respond to cyber incidents.

Lets assume their accounts were hijacked.  It is certainly possible.  Obviously, you want to beef up your social media security if you are doing things that might attract attackers, but more importantly, nothing is bulletproof in cyberspace, so you need an incident response program to deal with it. 

That incident response program needs to deal with the reputational fallout of events that may or may not be in the company’s control.  Crisis communications is a key part of incident response.

The Incident response team needs to be identified and then the team members need to be trained.  That can be done with “table-top” exercises.

Bottom line -prepare for the next cyber event. Information for this post came from SC  Magazine and the New York Times.