The post Why is Ransomware Still a Problem? appeared first on CISO MAG | Cyber Security Magazine.
By Saryu Nayyar, CEO, Gurucul
From the attacker’s perspective, ransomware is popular because it’s comparatively easy to go from initial infection to cash payout. With stolen credit card information, for example, the attacker needs some way to get the payout from the card. Whether that’s by selling the cards to someone else on the dark web or using the card themselves to make purchases or get cash advances, there are extra steps involved that make the attack less attractive and less lucrative. Likewise, while stolen personal information can enable a range of attacks and is a valuable commodity on underground markets, there are additional steps between compromise and payout.
By using the initial attack to plant their malware and hold the victim’s encrypted files for ransom, the attacker eliminates a layer of complexity and the profit taken by middlemen – unless the attacker is using some kind of Crime as a Service, the ransom payout goes directly to them. No extra steps, and no paper trail as could happen with stolen credit cards. But the model wasn’t perfect.
While ransomware originally just entailed encrypting the victim’s files and demanding payment for the decryption key, attackers still found there were weaknesses in that business model. In some cases the weakness was a flaw in the malware itself: weak encryption, or a sloppy implementation of the algorithm, made it reasonably easy to generate keys and break the encryption. Publicly available tools could recover files encrypted by several different malware strains, which limited their effectiveness – to the great relief of their victims.
Disaster Recovery and Business Continuity plans also evolved to compensate for malware attacks, including, specifically, ransomware. There is an entire industry built upon providing rapid backup and restoration capabilities in the case of file loss. The current generation of cloud backups is dramatically faster and more efficient than the tape backups of old, and has made recovery from ransomware a fairly simple and relatively painless process.
Backups let an organization respond to a ransomware attack with “sorry, but no,” while they simply restored the damaged files from a secure backup. This backup and restore capability was already baked into many disaster recovery plans, and this alone should have been enough to turn ransomware attacks from a massive and expensive outage to barely an inconvenience.
As more and more organizations embraced operational plans that account for those attacks, we would have expected to see ransomware attacks fade. And that’s not even taking into account cybersecurity technologies that could prevent, or at least slow, these attacks before they damaged more than a handful of files. But that’s not what’s happened.
Faced with improved defenses, cybercriminals evolved their attacks. Now, before their malware starts to encrypt files and throw up the disconcerting “your files have been encrypted!” banner, they copy large volumes of their victim’s data outside the organization and threaten to expose it if the victim doesn’t pay the ransom.
Now, even if the target can rely on a robust backup plan to rapidly recover from a ransomware attack, they are still subject to blackmail lest their company secrets are revealed.
It’s this evolution to hybrid attacks, which hold data for ransom both through encryption and through the threat of revelation, that has kept ransomware a near top-of-mind threat in the cybersecurity space. Our existing ability to rapidly recover destroyed files doesn’t prevent the damage that comes from having those files released to the public. This change in attacker strategy forces us to shift our defense plan from one of recovering rapidly after the attack to one that must resist the attack in the first place.
In truth, resisting attacks in the first place is where cybersecurity should start. It is always better to keep the bad guys out so they’re not in the environment doing damage in the first place. Unfortunately, the reality is we know the bad guys will find their way in. Yes, improved perimeter defenses can go a long way to keeping them out, as can risk-based user authentication systems and multi-factor authentication solutions. But we must operate from an “Assume Breached” perspective. After all, the best perimeter defenses in the world are of little use when an attacker bribes an insider to plant malware[2] or otherwise compromise the business.
The “assume breach” posture means we need to have internal defenses that can identify an attack before it does serious damage. Whether that’s through micro-segmentation that helps thwart lateral movement, endpoint defenses that contain malware infections, deception systems that lead attackers into revealing themselves, or security analytics that can identify an attack by the attacker’s behaviors and tie them together through context, organizations need a comprehensive security stack that can thwart even a sophisticated attacker.
To answer the ultimate question of why ransomware is still a problem, it’s because cybercriminals have evolved their business model to go beyond simple ransomware. We evolved our defenses to thwart their attacks and they have evolved their attacks to get around our defenses in an unending cycle.
However, with a combination of solid disaster recovery and business continuity plans, and a comprehensive security stack that’s built around defense in depth and the assumption that attackers can find a way in, organizations can blunt the impact of ransomware attacks – if not eliminate the threat entirely.
About the Author
Saryu Nayyar is an internationally recognized cybersecurity expert, author, speaker, and member of the Forbes Technology Council. She has more than 15 years of experience in the information security, identity & access management, IT risk & compliance, and security risk management sectors. She has held leadership roles in security products and services strategy at Ernst & Young, Oracle, Simeio, Sun Microsystems, Vaau (acquired by Sun), and Disney. She is passionate about building disruptive technologies and has several patents pending for behavior analytics, anomaly detection, and dynamic risk scoring inventions.
DISCLAIMER
Views expressed in this article are personal. The facts, opinions, and language in the article do not necessarily reflect the views of CISO MAG.
References
[1] The “AIDS Trojan” of 1989 – https://en.wikipedia.org/wiki/AIDS_(Trojan_horse)
[2] https://www.zdnet.com/article/at-t-employees-took-bribes-to-plant-malware-on-the-companys-network/
The post Why is Ransomware Still a Problem? appeared first on CISO MAG | Cyber Security Magazine.
The post Managing IoT Data Security Risks: The Need to Secure Data in Modern Computing appeared first on CISO MAG | Cyber Security Magazine.
By Andy Brown, CEO and Co-Founder, Sand Hill East; and Matthew Rosenquist, CISO, Eclipz
A policy framework is required that is specifically crafted for edge environments and implemented through technical controls and configuration. A structure of robust architectures and practices must protect the data from exposure, exploitation, and manipulation. They must be designed for sustainability over the extended lifecycle of these types of products, and adapt to the new tactics of emerging threats.
Since their inception, internet-connected devices have become vastly more complex, capable, and specialized. To improve performance and responsiveness, much of the computing is now pushed closer to end-users, thus becoming edge devices. These act as sensors capable of providing valuable data to localized feedback loops. Continuous streams of information enable real-time insights into operations, potential issues, and emerging opportunities. Such designs empower organizations around the world to automate processes and make favorable decisions promptly. In short, feedback loops powered by edge devices are fueling the global digital transformation to deliver efficiency and modern automation.
A significant reduction in costs and an increase in functionality have propelled the explosive adoption rates of IoT/IIoT devices. However, the benefits of greater visibility and empowerment come with risks that are unfamiliar and, in many cases, hidden. The exposure and corruption of this feedback data can have catastrophic downstream impacts on the continuity of operations, personal privacy, and people’s safety. The breaching of sensors and the data they create can be wielded for unethical or undesired purposes, to the detriment of organizations, partners, customers, and society.
Data security has emerged as a crucial requirement for complex automated systems. However, providing trust in digital systems is proving difficult because legacy technologies are not well-suited for a more autonomous world. All major industries are embracing digital technologies for enhanced capabilities, faster results, and better decisions. In doing so, they are also inheriting the risks of undermined systems.
Data provides a competitive advantage. Manufacturing, retail, transportation, defense, and every sector of Critical Infrastructure (CI) are leveraging digital sensors and becoming reliant upon the insights they provide. A continuous stream of the right data is the key to assessing situations and acting decisively. In complex environments, interconnected feedback and decision loops are the backbones of most operational practices. These systems need a constant stream of incoming information to adjust and achieve the desired goals. However, erroneous or tampered data may pose a risk by providing incorrect information that undermines good decisions. Without proper security controls, honest mistakes or malicious attackers can undermine the very foundations of automation and business decisions.
Much of our growing digital ecosystem is or will be reliant on the principles of the simple feedback loop through sensors that provide data for instantaneous decision-making. There is a race to embrace new technology and adopt automation solutions that deliver a business advantage. The possibilities are as limitless as our imagination, but so are the associated risks. Sensor data makes possible the automated online processes we have come to take for granted, such as online storefront order processing, shipment logistics, and healthcare monitoring. Manufacturers can increase production speed and improve consistency. Dangerous environments can be monitored and managed for safety. Manipulation of digital sensors and data can make all of these automated processes go wrong. Industry professionals have long expressed concern that most of the billions of IoT and IIoT devices in the world are vulnerable. This reality places global services, national economies, personal privacy, and the safety of people’s lives at an ever-growing risk.
The defense of sensors and edge devices can’t be achieved with the same techniques that evolved with traditional desktops, servers, and laptops. Modern personal computers and servers are built with tremendous computational power, memory, and storage resources to be flexible across a wide range of tasks. IoT sensors and devices are designed with the opposite in mind, generally with a specific purpose to be as economical and streamlined as possible. They are in a different class entirely and do not benefit from an abundance of computing resources.
Most cybersecurity tools have evolved to leverage the extensive system resources of personal computers and servers to provide comprehensive protection. These solutions are not compatible with the resource limitations of IoT devices. Very few solutions are available to meet the specialized needs of something as small as a sensor.
The scale and diversity of the IoT landscape compound the problem. An additional 4 billion IoT devices are predicted to come online in 2020. These systems will add to the vast amount of data already existing for an estimated total of 100 trillion gigabytes by the end of 2020. IoT/IIoT are often deployed in clusters, aren’t very well-protected, and may represent the weakest link that hackers and malicious agents can use to gain a foothold to attack other systems.
The IoT industry has begun to address the first order of issues that resulted from poor designs and the omission of basic security features. As a first step, the focus is on protecting the devices themselves from exploitation. Changing default passwords, removing manufacturer administration and testing backdoors, and requiring user authentication are now standard practices. What has not been addressed is the more difficult problem of fortifying the data and network connections to and from these devices. Vast exposures are still present.
Digital sensors and systems contribute to the safety of employees and customers and are vital components to critical systems. Due to this importance, they are targeted by cyber threats. The more the world relies upon computer-based services, the more the attackers’ leverage when they disrupt or control these systems. As automation increases, the complexity grows, and systems become more sensitive to significant impacts. An increasingly online yet unguarded world creates many possible safety concerns.
After years of warnings from cybersecurity professionals, the predictions came true: attackers turned their attention to IoT devices. Everything from industrial controls, healthcare tools, entertainment systems, vehicles, telecommunications, and home surveillance cameras have been successfully hacked. An IoT-powered botnet brought down significant portions of the Internet on the American eastern seaboard for an uncomfortable amount of time in one attack. Implanted medical defibrillators and pacemakers were shown to be exploitable and had to be replaced in patients. Power plants and regional distribution grids have been targeted. Hackers can also tap into cameras and watch victims in public settings, offices, and in the privacy of their homes. There have been instances of hackers taking control of automobiles and aircraft. Private information has been scraped from retail devices and personal health monitoring devices. Implanted medical devices and emergency room equipment are vulnerable to compromise. The range is incredible, from small sensors and home appliances to the biggest planes, ships, chemical plants, and power distribution networks.
Even a trivial device makes a difference. Sensor data for chemical spills, fires, and unsafe breathing conditions may automatically trigger fire suppression, evacuations, and emergency response. Data that falsely report an unacceptable temperature drop in stored foods might require the assets to be discarded. Worse, if the controls were tampered with and the temperature did drop to unsafe levels without any alarms, then lethal consumables might be released for distribution to the public.
The list of confirmed vulnerable devices grows every week, demonstrating that these systems and the data they generate are at significant risk. The abundance of these dangers, whether actual or potential, requires greater oversight to support a higher degree of confidence in the technology upon which we all depend. Malicious online attackers breed new threats that can undermine the confidentiality, integrity, and availability of data. Criminals target systems that they can easily manipulate to seize control, commit fraudulent activities, and steal sensitive information. Data, both at rest and in transit, must be protected from such attacks, and edge devices are easy targets on the front lines.
The traditional model for digital security begins to unravel when enormous numbers of less sophisticated IoT/IIoT devices generate a vast amount of data that is not adequately protected. Current solutions simply don’t operate well within the limitations of IoT deployments. As cybersecurity professionals, we need innovative new technologies and processes to mitigate the risks posed by current and emerging threats to this fastest-growing sector of computing devices. Solutions must overcome the challenges that traditional protections are unable to address. Securing devices, network connections, and the data that travels across them is paramount. The future of the Digital Transformation (DT) movement resides in preserving the trust that people place in technology: that it will act for their benefit and not maliciously against them. The solutions of the past become more obsolete with every day that passes. Innovation that is specifically tailored to IoT is necessary to safeguard the benefits across the new digital landscape.
About the Authors
Andy Brown currently serves as CEO of Sand Hill East, LLC, which provides strategic management, investment, and marketing services to emerging companies. Brown is also a member of the boards of directors of Guidewire Inc., a publicly traded company in the PNC insurance business; Zscaler, Inc., a publicly traded company providing cloud security services; LMRKTS LLC, a company providing FX and Swaps compression utilities; Moogsoft, a next-generation AI-Operations company; SiteHands, a company providing “field engineering as a service,” and Pure Storage, Inc., a publicly traded software-defined data storage solutions company. He is also CEO and co-owner of Biz Tectonics LLC, a privately held consulting company. From September 2010 to October 2013, Brown served as Group Chief Technology Officer of UBS, an investment bank. Prior to that, he served in a variety of executive management and leadership roles at a variety of leading banking companies including Bank of America, Merrill Lynch, and Credit Suisse. Brown holds a BSc Honors Degree in Chemical Physics from University College London.
Matthew Rosenquist is the Chief Information Security Officer (CISO) for Eclipz, the former Cybersecurity Strategist for Intel Corp, and benefits from 30 diverse years in the fields of cyber, physical, and information security. Mr. Rosenquist specializes in security strategy, measuring value, developing best-practices for cost-effective capabilities, and establishing organizations that deliver optimal levels of cybersecurity, privacy, ethics, and safety. As a cybersecurity strategist, he identifies emerging risks and opportunities to help organizations balance threats, costs, and usability factors to achieve an optimal level of security. Mr. Rosenquist is very active in the industry. He is an experienced keynote speaker, collaborates with industry partners to tackle pressing problems, and has published acclaimed articles, white papers, blogs, and videos on a wide range of cybersecurity topics. Mr. Rosenquist is a member of multiple advisory boards and consults on best-practices and emerging risks to academic, business, and government audiences across the globe.
Disclaimer
All views are personal and attributed to the author(s). The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.
The post Managing IoT Data Security Risks: The Need to Secure Data in Modern Computing appeared first on CISO MAG | Cyber Security Magazine.
The post How Hardware Security is Getting Weaker as the Industry Changes its Cybersecurity Models appeared first on CISO MAG | Cyber Security Magazine.
By Rob Pike, Founder and CEO, Cyemptive Technologies
Although artificial intelligence (AI) and machine learning (ML) technologies are being touted as a solution, on the premise that they solve the problem faster, the scale and frequency of cyber compromise has still gotten worse at an alarming rate during the last five years. The time for hackers to break into an environment and extract data from a network is measured in seconds and minutes, while detection is still measured in days, weeks, and even months after the compromise has occurred. At the same time, detection technologies produce such high rates of false positives and false negatives that progress on detecting and stopping the elite hackers of the world is declining, making it almost impossible to stop them. Even less experienced hackers have gained traction in infiltrating networks and systems with the use of AI tools.
On top of all that, we have new industry standards and directions for hardware design that we believe are significantly eroding the level of network security. The changing design, combined with the failure of cybersecurity solutions to protect against cyberattacks, is resulting in weaker security at the hardware level – so much so that hackers can potentially access your computer, even when it is turned off.
The thinking goes that AI (along with machine learning) can operate faster and more efficiently than humans and other technologies to identify and defend against hackers and their various forms of cyberattack.
The one big comment that most people who talk about AI for cybersecurity do not explain is that AI stands for “Already Infiltrated” to the top cyber insiders of the world. AI is too little too late.
The problem with artificial intelligence is that although it can be faster and more efficient than other technologies, it simply cannot keep up with the frequency and speed of today’s cyberattacks, which can take place in seconds to minutes. Even with AI and ML, today’s cybersecurity solutions take days to weeks or even months to detect attacks. By that time, the hackers have gotten in and the damage has been done.
At the same time, hardware providers are changing their security standards at the hardware level. Many are moving in a direction away from supporting legacy BIOS, to only supporting UEFI. With UEFI, security layers are added to the UEFI stack. Settings are controlled by custom applications added to the UEFI web application stack.
The idea behind UEFI is to provide more manageability to infrastructure. However, as is the case with any new standards, there are also new issues that arise. Such is the case with the UEFI security approach.
With the UEFI approach to security, hackers have the potential to gain control over the hardware before the operating system is booted – in some cases a full network stack is enabled before an operating system is booted. This design gives hackers access to the hardware at any time, even when it is powered off.
For example, at Cyemptive, we see numerous worms and exploits from hackers on the UEFI web application stack. In addition, the issues we are encountering in the operating system’s web application stacks are now showing up in the UEFI layer, because they are enabling similar application stacks to be loaded. This in turn causes more exploits that weaken, not strengthen, the security model. What should be simple is now turning into a complete mess.
As part of this, the UEFI security approach involves thousands of lines of code, all of which are potentially available to hackers at the physical hardware layer of our systems. At Cyemptive, we regularly detect multiple attacks against our customers’ UEFI. While Cyemptive is able to detect and prevent these attacks from entering their systems, UEFI is a long way from being able to secure systems properly and from being called a secured platform.
What is needed now is for hardware providers to step back and take a look at the UEFI security approach. At present, adding thousands of lines of code to firmware – which is the case with UEFI – is now allowing hackers remote access to our laptops, workstations, and servers, even when they are turned off. Instead, hardware providers should consider moving back to a more simplified model.
For years, legacy BIOS has been the standard for hardware providers, and it is a standard worth considering going back to. Legacy BIOS has seen far fewer security problems than what is now showing up in current UEFI implementations. It also doesn’t enable hackers to remotely hijack the system stack before an OS is running, the way UEFI does.
What the industry should do now is to remove the thousands of lines of code that presently allow hackers remote access to our physical hardware layer of systems today. Relying on the application stacks in the firmware is not the proper way to secure hardware. Rather, a different approach is needed, and sometimes simplest is best. Legacy BIOS offers stronger security than UEFI.
Although UEFI can offer companies more manageability in their infrastructure, enabling hackers to remotely hijack the system’s UEFI stack before an operating system is running is the wrong approach to cybersecurity. After all, manageability is useless if the hackers of the world can use the same tools to take control of the hardware and the OSs running on it. Let’s prevent hackers from having remote control of our laptops, workstations, and servers, even when they are turned off.
About the Author
As Founder and CEO of Cyemptive Technologies, a provider of pre-emptive cybersecurity products, Rob Pike brings a wealth of experience in creating new technologies and bringing them to market for companies both large and small. Pike founded Cyemptive in 2014, with his vision of ushering in a new era of cybersecurity. Working in stealth mode, the company focused on developing a revolutionary approach to solving cyberthreats, using a preemptive strategy to remove hackers and threats in real-time. He also has served as Chief Strategy Officer at Hitachi Data Systems in Japan, where he invented Hitachi’s cloud platform UCP, as well as at Microsoft, where he served in a variety of capacities culminating with Virtualization Architect and invented an internal cloud solution. He has founded several startups, in addition to Cyemptive Technologies. Pike holds numerous patents in servers, storage, networking, monitoring, security, and management.
Disclaimer
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.
The post How Hardware Security is Getting Weaker as the Industry Changes its Cybersecurity Models appeared first on CISO MAG | Cyber Security Magazine.
The post Are You Cyber-aware? EC-Council’s Aware App Gamifies Learning appeared first on CISO MAG | Cyber Security Magazine.
By Pooja Tikekar, Feature Writer, CISO MAG
Recently, EC-Council launched its cybersecurity training solution, Aware. Aware is a user-friendly and easy-to-access training app that helps end-users understand security risks on a cyber battlefield. Aware is for all in the organization — C-levels, managers, executives, employees, contractors, temporary workers — who are looking for information to defend their organizations from cyberattacks.
EC-Council Aware is available on Android and iOS platforms. The setup does not require technological acumen, and users can Sign Up to create a new profile or use their existing social media profiles (Google, Facebook, and LinkedIn).
Science has proved that learning is fun. And the idea of having fun while learning makes information processing an enjoyable experience. Do you remember the last time you sat down to hone your skills at work?
EC-Council Aware makes learning fun and effective. It is power-packed with challenging games and quizzes to offer its users a memorable screen time. Users can choose from millions of live games and host quizzes on the go, in the classroom, or at parties. Teachers can now save time and assign homework using creative challenges and track learning progress.
The app also offers premium plans — Aware! Plus and Aware! Pro — for corporate trainers to engage in exciting remote training.
Creativity, trivia, and training, EC-Council Aware is a cyber assembly for everyone. It nurtures a cyber-aware culture to better understand cyberthreats and their potential to incapacitate a business and its information assets. In tough times like the pandemic, raising appropriate awareness about ransomware or phishing is a must. It’s more important than ever to encourage collective effort to minimize the risk of cybercrimes.
And with the Aware app, organizations can not only train employees but also pave the way to a compliant digital future. #BeCyberSmart
Put on your quizmaster hat and download EC-Council Aware from the Google Play Store or Apple Store. For more information, visit https://aware.eccouncil.org.
About the Author
Pooja Tikekar is a Feature Writer and part of the editorial team at CISO MAG. She writes news reports and feature articles on cybersecurity technologies and trends.
The post Are You Cyber-aware? EC-Council’s Aware App Gamifies Learning appeared first on CISO MAG | Cyber Security Magazine.