What Security Measures are Most Effective at Fighting Ransomware

 

In response to the announcements today from both the US and UK governments about significant persistent cyber threats from state actors, I thought it would be important to bring in an expert.

Here is a guest post from Stu Sjouwerman from KnowBe4, our preferred vendor for cyber awareness training. We just had our staff go through some of the training modules, and we were amazed. Amazed may be the wrong word; scared s#*&less may be more accurate. The threats out there are so deadly for businesses and organizations of all sizes and industries.

The Spiceworks staff wrote: “Years after CryptoLocker raised its ugly head — setting off an unfortunate security trend — ransomware continues to be a rather painful thorn in the side of IT professionals and organizations around the world.

In 2017, we saw entire companies and government agencies shut down for days thanks to WannaCry and NotPetya, sometimes costing a single organization hundreds of millions of dollars. And things haven’t gotten that much better recently.

For example, in March 2018, the city of Atlanta fell victim to ransomware that brought city services down (airport Wi-Fi, online bill pay systems, police warrant systems, job application forms, and more) and forced many employees to shut down their systems for five days. Similar attacks have been launched against cities in the U.S. and around the world.

A ransomware security poll

There isn’t one magic bullet that can solve all IT security problems. Instead, companies must employ a layered strategy to reduce the risk of a ransomware infection. But are all security measures created equal?

Ideally, organizations would be able to follow all security best practices; in reality, however, organizations have to prioritize. Here’s our question: If you landed in a brand new environment and had to choose, where would you start or focus your security efforts? That is, which security measures do you think are most important / are most effective when it comes to fighting ransomware?

Pick your favorites in our anonymous poll below (you can choose up to three options) and join the conversation in the comments!”

The poll asked: “What security measures are most effective in fighting ransomware?” and 2209 IT pros answered, including me; the options I picked are the ones in bold:

[Image: Spiceworks poll results]

 


I strongly suggest you get a quote for new-school security awareness training for your organization and find out how affordable this is. You simply have got to start training and phishing your users ASAP. If you don’t, the bad guys will, because your filters never catch all of it. Get a quote now and you will be pleasantly surprised.

Don’t like to click on redirected buttons? Cut & Paste this link in your browser: https://info.knowbe4.com/kmsat_quote-request_partner?partnerid=0010c00001wis6gAAA

If you would like to test out some free cyber awareness training tools, please visit our landing page: http://downloads.primetelecommunications.com/CyberAwareness-Free-Tools

If you want to be really proactive, we can run a free Dark Web search for your company domain and tell you how many of your domain emails are on over 600,000 sites on the Dark Web, and tell you the email address, the password and the date it was discovered. http://downloads.primetelecommunications.com/Dark-WeB

 


The Latest Round Up of Data Breaches for March 2018 and up to April 4 2018

Here is the latest round up of data breaches that can compromise your network’s credentials. As you know, after the data is stolen, it appears on the Dark Web for sale. Whereas individuals should use products like LifeLock or Experian, IT managers, CISOs and CFOs for small and midsize businesses can use our Dark Web search for free to see if they are compromised: http://downloads.primetelecommunications.com/Dark-WeB

If you find that you have credentials exposed, we can help you by monitoring and educating your end users.

Warning:

We do not recommend that you access the Dark Web on your own. Exploring this hidden network of sites without the necessary expertise is extremely dangerous and can expose you, your network, company and data to a large number of threats. Let experienced professionals specializing in cyber security help you access the necessary intelligence to safely bolster your defenses.


 

1. MyFitnessPal

Date Occurred: February 2018

Date Disclosed: March 2018

Data Compromised: May include usernames, email addresses, and hashed passwords. Payment information NOT affected.

How it was Compromised: Unauthorized party access

Customers Impacted: 150 million users

Attribution: None at this time

Business Risk: Moderate (Data Exploit, Compromised Credentials, Weak Encryption)

Since the motivation is unknown at this time, it’s hard to determine how the data may be used and its direct impact on the individuals compromised. The data set holds 3 key data elements: email, username and password. “Most” passwords were hashed using bcrypt; however, it appears a large percentage were simple SHA-1. Financial data was collected and housed separately, a solid best practice.

https://www.cnbc.com/2018/03/29/under-armour-stock-falls-after-company-admits-data-breach.html
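The MyFitnessPal entry above notes that a large share of the stored passwords were simple SHA-1 rather than bcrypt. The script below is an added illustration, not code from the page, Under Armour or any vendor named here, of why that matters from the defender’s side: it inventories which hashing scheme each record in a constructed sample credential store uses, shows that unsalted SHA-1 makes every account sharing a password share the same stored hash, and demonstrates the usual fix of re-hashing legacy records with a salted, slow hash on the user’s next successful login. The standard-library PBKDF2-HMAC-SHA256 stands in for bcrypt so the script runs without third-party packages; the sample users and passwords are invented.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Dict, List, Optional

# Assumption: PBKDF2-HMAC-SHA256 is used here as a stand-in for bcrypt so the
# example runs on a bare Python install. Iteration count is a constructed value.
PBKDF2_ITERATIONS = 100_000


def legacy_sha1(password: str) -> str:
    """The weak scheme: unsalted, fast and deterministic (same password -> same hash)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def kdf_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash stored as 'pbkdf2-sha256$<iters>$<salt hex>$<digest hex>'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2-sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def kdf_verify(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    scheme, iters, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2-sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def classify(stored: str) -> str:
    """Inventory helper: name the scheme a stored record uses."""
    if stored.startswith("pbkdf2-sha256$"):
        return "pbkdf2-sha256"
    if len(stored) == 40 and all(c in "0123456789abcdef" for c in stored):
        return "sha1-unsalted"
    return "unknown"


def scheme_breakdown(records: Dict[str, str]) -> Counter:
    """How many records use each scheme; the 'large percentage SHA-1' figure for a store."""
    return Counter(classify(h) for h in records.values())


def duplicate_hash_groups(records: Dict[str, str]) -> Dict[str, List[str]]:
    """Users whose stored hash is byte-identical. With unsalted SHA-1 that means they
    share a password, so recovering one hash exposes every account in the group."""
    groups: Dict[str, List[str]] = {}
    for user, h in records.items():
        groups.setdefault(h, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


def upgrade_on_login(records: Dict[str, str], user: str, password: str) -> bool:
    """Migration path: a successful login against a legacy SHA-1 record re-hashes it
    with the salted KDF in place. Returns whether the login succeeded."""
    stored = records[user]
    if classify(stored) == "sha1-unsalted":
        if hmac.compare_digest(legacy_sha1(password), stored):
            records[user] = kdf_hash(password)
            return True
        return False
    return kdf_verify(password, stored)


# Constructed sample store (not real breach data): three legacy SHA-1 records,
# two already on the salted KDF. alice, bob and dave share the same password.
SAMPLE_STORE: Dict[str, str] = {
    "alice": legacy_sha1("summer2017"),
    "bob": legacy_sha1("summer2017"),
    "carol": legacy_sha1("hunter2"),
    "dave": kdf_hash("summer2017"),
    "erin": kdf_hash("hunter2"),
}


if __name__ == "__main__":
    store = dict(SAMPLE_STORE)
    print("scheme breakdown:", dict(scheme_breakdown(store)))
    print("accounts sharing a stored hash:", list(duplicate_hash_groups(store).values()))
    upgrade_on_login(store, "alice", "summer2017")
    print("after alice logs in:", dict(scheme_breakdown(store)))
```

Note that `dave` has the same password as `alice` and `bob` but does not appear in the duplicate group: the per-record salt makes the stored value unique, so a leaked table of KDF records gives no free grouping of accounts, and the iteration count makes each guess far more expensive than a single SHA-1 computation.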

2. Ohio Applebee’s

Date Occurred: December 6, 2017 – January 2, 2018

Date Disclosed: March 2, 2018

Data Compromised: Certain guests’ names, credit or debit card numbers, expiration dates and card verification codes processed during limited time periods could have been affected.

How it was Compromised: Unauthorized software placed on the point-of-sale system at certain RMH-owned and -operated Applebee’s restaurants was designed to capture payment card information and may have affected a limited number of purchases made at those locations.

Customers Impacted: Only impacted stores within the RMH network of restaurants and not the broader Applebee’s network.

Attribution: None at this time

Business Risk: Low (POS exploit, Regional)

This POS compromise was regional in scope and would have more of a direct impact on individuals rather than businesses. We will continue to monitor for chatter or an uptick in online financial fraud leveraging this data set.

https://www.rmhfranchise.com/dataincident/

3. Boeing

Date Occurred: Early 2018

Date Disclosed: March 2018

Data Compromised: Not disclosed at this time

How it was Compromised: “Limited intrusion of Malware” WannaCry, Supply Chain

Customers Impacted: “A small number of systems”; older systems

Attribution: Nation State leanings. WannaCry, Crypto-malware

Business Risk: High (External / Persistent Targeting, Crypto, Vulnerability Exploit)

Although Boeing is publicly downplaying its impact, the company sent a company-wide alert calling for “all hands on deck.” It’s apparent that the infections caused major disruptions to airplane production and that significant internal resources were spent on determining downstream impacts.

There has been significant chatter regarding alternate payload distribution and kill switch circumvention. Boeing most certainly would have beefed up its resiliency to WannaCry after its initial outbreak in 2017. This suggests that supply chain access to Boeing core systems was exploited to deliver the payload.

https://www.seattletimes.com/business/boeing-aerospace/boeing-hit-by-wannacry-virus-fears-it-could-cripple-some-jet-production/

4. Active.com

Date Occurred: December 2016 – September 2017

Date Disclosed: March 2018

Data Compromised: PII used in registration/checkout process for races

How it was Compromised: Unauthorized access by 3rd parties

Customers Impacted: Potentially hundreds of runners in Great Britain affected; full effects not known.

Attribution: None at this time

Business Risk: Low (POS exploit, Regional)

Small-scale POS exposure impacted several hundred individuals in the UK. Third-party intel firms suggest the data has been sold on dark web markets on Tor. However, we have not validated the sale or exploitation of this data as of 4/2/18.

https://www.runnersworld.co.uk/events/credit-card-details-from-runners-potentially-at-risk-in-a-security-breach

5. Loganville, Gwinnett County, GA

Date Occurred: March 15, 2018

Date Disclosed: March 2018

Data Compromised: May include PII such as social security numbers and/or banking information

How it was Compromised: City server breached by outside person or entity

Customers Impacted: Specifics unknown

Attribution: None at this time

Business Risk: Moderate (External / Persistent Targeting, Vulnerability Exploit)

The city’s announcement on Facebook suggests that its systems were left open to public access. It has yet to be determined or disclosed whether access was the result of an individual leveraging default password access or of systems being left unpatched and open to automated exploitation. It does not appear to be related to the City of Atlanta’s SamSam ransomware compromise from March 22.

https://www.wsbtv.com/news/local/gwinnett-county/metro-atlanta-city-reports-its-own-data-breach-warns-customers/722204765

6. Baltimore 911 Dispatch System

Date Occurred: March 24-25, 2018

Date Disclosed: March 2018

Data Compromised: Hack affected messaging functions within the Computer Aided Dispatch (CAD) system which supports 911 and 311 functions in the city.

How it was Compromised: A crypto-malware hack prompted a temporary shutdown of automated 911 dispatching services and forced a reversion to manual operations.

Customers Impacted: Specifics unknown

Attribution: Unknown actors – assumed Eastern European, Crypto-malware

Business Risk: Severe (External / Persistent Targeting, Human Error, Vulnerability Exploit)

The attack shows constant scanning and targeting of public sector systems. Attackers performed an automated scan of the city’s firewall and ports within a few hours of a technician manually changing firewall settings on its computer-aided dispatch system.

https://technical.ly/baltimore/2018/03/28/cyber-breach-baltimores-911-dispatch-system-investigation/

7. Orbitz

Date Occurred: October 1, 2017 – December 22, 2017

Date Disclosed: March 1, 2018

Data Compromised: Potentially wide range of PII including full names of customers, credit card numbers, birth dates, phone numbers, mailing addresses, billing addresses and email addresses.

How it was Compromised: Hackers were able to breach one of the company’s legacy booking platforms to access records that cover dates between January 2016 and December 2017.

Customers Impacted: Orbitz customers and potentially customers who used Amextravel.com to book.

Attribution: Unknown actors

Business Risk: High (Vulnerability Exploit, potential for widespread online fraud)

It took Orbitz almost 3 months to discover that attackers exploited a legacy version of their travel booking platform between October 1, 2017 and December 22, 2017.

The data impacts more than 880,000 individuals. The string of PII compromised, combined with business itinerary information, provides the ability to effectively social engineer impacted individuals. Individuals should proactively monitor their personal data for misuse.

https://thehackernews.com/2018/03/expedia-data-breach.html

8. Hudson’s Bay Co. (Saks / Lord & Taylor)

Date Occurred: “Preliminary analysis” found credit card data was obtained for sales dating back to May 2017

Date Disclosed: April 1, 2018

Data Compromised: Hackers stole information for more than 5 million credit and debit cards used at Saks Fifth Avenue, Saks Off 5th and Lord & Taylor stores. Cards used for in-store purchases. “No indication” online purchases were affected.

How it was Compromised: Not known at this time.

Customers Impacted: The breach likely impacted more than 130 Saks and Lord & Taylor locations across the country, but the “majority of stolen credit cards were obtained from New York and New Jersey locations.”

Attribution: Hacking syndicate JokerStash or Fin7 began boasting on dark websites last week that it was putting up for sale up to 5 million stolen credit and debit cards. The hackers named their stash BIGBADABOOM-2.

Business Risk: High (POS compromise, potential for widespread online fraud)

Chatter about the data sets began to surface 2 weeks back but was largely discounted. The Joker’s Stash site has touted several comprehensive sets of validated credit card data going back to 2016, including Hilton and BeBe Stores.

The data set contains more than 5 million credit and debit cards (all card types with complete data strings). This data set will produce significant online credit and debit card fraud. Any organization running ecommerce platforms is urged to add additional card validation requirements until card issuers are able to invalidate all cards identified in the harvest.

https://www.nytimes.com/2018/04/01/technology/saks-lord-taylor-credit-cards.html 

9. ATI Physical Therapy

Date Occurred: Unknown – discovered in January 2018.

Date Disclosed: Early March 2018

Data Compromised: ATI Holdings discovered in January that some employees’ direct deposit information had been changed in its payroll system. At least one of the hacked email accounts included patient names, birth dates, driver’s license numbers, Social Security numbers, credit card numbers, diagnoses, and medication and billing information, among other data.

How it was Compromised: May have been compromised after hackers got ahold of email accounts belonging to the Bolingbrook, Illinois-based chain’s employees.

Customers Impacted: As many as 35,000 patients of ATI Physical Therapy and its subsidiaries. ATI Physical Therapy has more than 100 clinics in Illinois and hundreds of others across 24 other states.

Attribution: Not known at this time.

Business Risk: High (Compromised Email Accounts, Lateral movement, Downstream Exploit)

With the hallmarks of organized crime, this compromise was able to extract and manipulate both employee and customer data. The downstream impacts are widespread and will have adverse effects on the individuals involved. Privileged access was leveraged to re-route banking information and extract comprehensive medical records and data sets on thousands of patients.

This is a devastating compromise that allowed attackers to move laterally within their victim’s network for an undetermined length of time.

https://www.hipaajournal.com/ati-physical-therapy-data-breach-impacts-35000-patients/

10. CareFirst

Date Occurred: Unknown

Date Disclosed: Discovered March 12, 2018; disclosed late March 2018

Data Compromised: The breached email account gave the attackers access to the employee’s emails; the attack could have compromised personal information on about 6,800 CareFirst members, including names, member identification numbers and dates of birth. The company said the information did not include medical or financial data. CareFirst also disclosed that, in the case of eight members, social security numbers may have been compromised.

How it was Compromised: A CareFirst employee was the victim of a phishing attack, which compromised their email account. In this case, the compromised CareFirst email account was used to send spam messages to an email list of individuals who, the insurer said, were not associated with CareFirst.

Customers Impacted: Potentially 6,800 CareFirst members

Attribution: Not known at this time.

Business Risk: High (Phishing, Compromised Credentials)

A well-crafted phishing attack harvested the compromised credentials. Expect more information on this compromise to surface in the coming week. The public response to this compromise falls in line with how most large organizations are messaging their exposures. It’s becoming commonplace for organizations to generalize the numbers impacted to minimize negative public reaction.

https://www.databreachtoday.com/carefirst-bluecross-blueshield-hacked-a-8248

11. DELTA Airlines

Date Occurred: Unknown

Date Disclosed: Discovered March 12, 2018; disclosed late March 2018

How it was Compromised: [24]7.ai, a company that provides online chat services for a variety of companies including Delta, was involved in a “cyber incident.” This cyber incident allowed Delta customer payment information to be accessed during the period from September 26, 2017 to October 12, 2017.

https://www.inc.com/peter-economy/delta-air-lines-just-revealed-stunning-data-breach-and-your-payment-information-may-have-been-exposed.html

Prime Telecommunications Partners with ID Agent to Heighten Cybersecurity

 

Prime Telecommunications, a leader in managed technology services, announced today that the company has partnered with ID Agent to enhance the security of SMBs (small to mid-sized businesses) across the nation. ID Agent and this partnership will enable business owners to prevent identity theft and thwart cybercriminals from gaining access to sensitive data.

“We’re thrilled to announce this partnership. It’s going to have a huge effect on the business owners we serve,” stated Vic Levinson, President of Prime Telecommunications. “This partnership allows business owners to get a very clear and immediate picture of how their cybersecurity is currently performing. When owners are made aware of the threats and risks that are facing their business, they’re capable of bringing in the right infrastructure to protect themselves from cyber-attacks. This partnership is so important because it gives a very clear picture of the company’s risks.”

The partnership between Prime Telecommunications and ID Agent will combine human and sophisticated Dark Web intelligence with search capabilities to identify, analyze and proactively monitor an organization’s compromised or stolen employee and customer data. Business owners will receive real-time alerts, so they can focus on running their organizations. This partnership will not only allow businesses to monitor the dark side of the web, but it also provides the option to monitor an organization’s supply chain, third party partners and vendors that may have access to sensitive data, as well.

“At the end of the day it’s all about protecting employees who don’t realize the threats they face when executing their day-to-day responsibilities,” added Levinson. “Employees who spend time browsing the Internet, who share their email passwords freely, or use unsecured, cloud-based tools to do their work may not necessarily realize all of the potential vulnerabilities facing their network. We consider it to be our duty to educate the marketplace on these types of solutions to prevent as many cyberattacks from happening as possible.”

 

About ID Agent

ID Agent provides Dark Web monitoring and identity theft protection solutions, available exclusively through the reseller channel, to private and public organizations and millions of individuals at risk of cyber incidents. Its flagship product, Dark Web ID, delivers Dark Web intelligence to identify, analyze and monitor for compromised or stolen employee and customer data, mitigating exposure to enterprise clients’ most valuable asset – their digital identity. The company’s SpotLight ID provides personal identity protection and restoration for employees and customers while enhancing their overall cybersecurity awareness as well as further safeguarding corporate systems.