Protection of Information Assets
October 13, 2021 by David Lanter 33 Comments
Kelly Sharadin says
October 17, 2021 at 4:44 pm
Ransomware targeting industrial and infrastructure networks has become a serious national security issue. What these types of incidents reveal is how little these sectors are prepared to respond to such catastrophic events. This article by Bleeping Computers, reports that over the past two years United States Water and Wastewater System (WWS) facilities have been repeatedly targeted and breached by ransomware attacks. The frequency and successfulness of these attacks are due to inproper access control, outdated software and phishing susceptibility. Typically responding to ransomware is part of the incident response playbook. However, with WWS belonging to the U.S. 16 critical infrastructure sectors, I would also hope the incident response plan points to a disaster recovery plan in the event of an attack leading to full compromise.
Andrew Nguyen says
October 17, 2021 at 8:51 pm
I came across this article that details how on average, organizations around the world take more than two business days to respond to a cyber-attack.
Some of the obstacles that the organizations face when it comes to responding to these attacks included:
• Time needed to investigate threats
• Shortage of qualified SecOps staff
I think that these three obstacles are pretty common amongst many organizations, and that these play a major factor in the response time of organizations towards cyber threats.
I think it also shows how important cybersecurity is, as the time needed to respond to a cyber attack could be the difference between an organization surviving the attack, or being shut down.
Matthew Bryan says
October 17, 2021 at 8:59 pm
The article begins by reviewing Hurricane Ida’s recent destruction and how it affected the National Archives and Records Administration (NARA). The storm caused the agency’s electronic records archive to be offline for nearly two weeks. Fortunately the integrity of the records were not affected during the disruption. Power was eventually restored to the data center that housed the records, but network connectivity remained an issue and extended restoration timelines. NARA could have been back online sooner had they accounted for disruption to network connectivity in their disaster recovery plan.
Disaster recovery can often be a “check the box” activity at the bottom of the priority list for most companies, especially government organizations. While most have disaster recovery plans, they are not tested frequently enough, nor do they have the depth to respond to actual disasters. They also don’t often account for accessing the data that’s required to run critical business functions, as was the case with NARA.
A solid disaster response plan should cover both natural disasters as well as cyber attacks such as ransomware. There needs to be a shift in focus from treating disaster recovery as an annual compliance drill, to an evolving process that responds to current threats. It’s predicted that natural disasters and cyber attacks will continue to increase in frequency which means more organizations will be put to the test by actual events.
Article: With extreme weather events on the rise, consider data when making disaster relief plans
Author: Michaela Althouse
Published: Oct. 6, 2021
Madalyn Stiverson says
October 18, 2021 at 8:43 am
Having an untested IRP is nearly just as bad as having no IRP. Therefore, it is vital to plan tabletop exercises and get all key players involved. An increasingly common cause of interruptions in today’s current world is ransomware.
I found this article interesting since, as an insurance underwriter, a key question I ask applicants is whether they have conducted a ransomware tabletop exercise. It’s very rare to find an applicant that has (less than 10%).
Even if you have tested your IRP, a ransomware incident has unique conditions that other network interruptions don’t experience. For example, in a worst-case scenario, a third party will likely be demanding crypto currency in return for a decryption key. An important step in the analysis post-incident would be whether to pay the demand or restore from backups. In other words, is it more costly to restore from backups or to pay for a decryption key? There are also other considerations, such as OFAC and if you trust the threat actor to provide a working decryption key.
The ransomware response plan should include how to respond to all levels of incidents – from someone attempting to break in and lock down the system to someone that has successfully encrypted your network. Carefully consider all potential outcomes and how to most appropriately respond.
Wilmer Monsalve says
October 19, 2021 at 5:45 pm
I really liked this. Making sure your IRP works before actually implementing it is very important. If the company goes through a simulation test then there is no doubt that they will be more prepared than ever given they have tested this plan out and can tweak some changes if needed.
October 18, 2021 at 6:58 pm
This article goes over 5 tips for a business to help develop a better disaster recovery and business continuity plan. Within it explains why backups, disaster recovery as a service, AI and automation, cybersecurity and protection, and lastly updating old plans. I believe the best option out of the 5 would have to be backups. The backup copy using the 3-2-1-1 model looks to be useful for both BCP and DRP as it stores 3 copies on two separate devices and one completely offsite and one in an air gapped security location where ransomware attackers can’t reach or access. while other options are viable they are not as effective. DRasS includes a cloud third party that may not be reliable, AI and automation is not reliable as it can come down with the system, cybersecurity and protection can have a human error, and lastly updating old plans are not nearly as effective as taking action into securing and saving data effectively as it is the most valuable asset to a company.
Dhaval Patel says
October 18, 2021 at 7:55 pm
Sinclair broadcast group announced they had become victims of a ransomware attack. The attack compromised servers and workstations and the attackers were able to steal their data. There is currently limited information as the investigation is currently ongoing, but they will be able to continue most of their operations. With the limited information, we can’t say anything with certainty, but the fact that Sinclair can keep running the critical parts of their business suggests that they did have a disaster recovery plan along with a business continuity plan in place.
Richard Hertz says
October 19, 2021 at 9:02 am
An article that calls out many of the facets we are studying in this class – building cyber awareness in your organization etc. There were 2 things that caught my eye in this article: 1) It talks about doing DR exercises with cyber attacks as a trigger event (vs natural disasters) 2) It talks about cyber insurance and even ceding control of your network to 3rd parties as a cyber response.
I think #1 is a very easily committed over-sight because the Security team is not always the DR response team. #2 is a very interesting concept. I wonder whether it will take off in the business world – not only is my insurance company financially making me whole, they are actually remediating my technical problems related to a cyber incident…..
Jason Burwell says
October 19, 2021 at 10:55 am
Cryptocurrency funds removed from 6,000 Coinbase accounts due to flaw in SMS authentication
Cryptocurrency exchange Coinbase has admitted that a fault in its implementation of SMS-based authentication led to the compromise of at least 6,000 users accounts.
In a letter (PDF) to victims, the US-based exchange said that a third-party actor had gained access to Coinbase accounts and removed funds.
The incident, which happened between March and May 20, 2021, was due to a vulnerability in its two-factor authentication protocol.
October 19, 2021 at 7:30 pm
This reminds me of using SIM swapping attacks to defeat SMS 2FA. Using SMS 2FA is better than not using anything, but it’s not as secure as an authenticator app like Google Authenticator, Authy, etc.
Ryan Trapp says
October 19, 2021 at 12:00 pm
There appears to be a mass volume email attack that is being carried out by a prolific cybercriminal gang. It is mostly targeting Germany and Austria. These emails have a malicious attachment which hinges on the users enabling macros after opening. If the users end up falling for this, it installs a remote access trojan on their computer.
Vraj Patel says
October 19, 2021 at 4:57 pm
The researcher has identified 3 vulnerability within the Wodify gym management application. If vulnerability could be taken advantage of to get access to sensitive personal information and to modify the production data. There are more than 5000 gyms that uses Wodify gym management application. It is mostly used within US to track the performance of the app and payment method for the membership. Accordingly, to the researcher this vulnerability is a rated as high. It could also allow the attacker to modify the payment settings. The patch for this vulnerability has not yet been created. This vulnerability also could allow the attackers to run a payload to exploit cross-site scripting attack and steal the data as well.
October 19, 2021 at 7:45 pm
Perhaps we can offer Wodify some pro bono security consulting as ITACS students. They are a Philadelphia company.
It’s concerning that their site hasn’t been patched yet given the visibility of the issue. The reputational damage of a breach will likely be more expensive than the cost to fix the vulnerabilities. Hopefully they issue a patch soon.
Christopher Clayton says
October 19, 2021 at 5:22 pm
“Feds Warn BlackMatter Ransomware Gang is Poised to Strike”
CISA, the FBI, and NSA are warning businesses to be on alert for the return of ransomware hackers known as BlackMatter, a Ransomware-as-a-Service group, and possibly another version of DarkSide, a ransomware group believed to be connected to the Colonial Pipeline attack in May of this year. BlackMatter has attacked many organizations in the US and sought between $80,000 and $15 million in cryptocurrency, including bitcoin and Monero, to unlock its victims’ systems, and now their main target is food and agricultural organizations. Removing unnecessary access to administrative shares, using a host-based firewall, incorporating Multi-Factor Authentication (MFA), and strong passwords for user credentials was highly recommended for organizations to dodge any compromise with stolen credentials.
Joshua Moses says
October 19, 2021 at 5:37 pm
The article I chose for this week is about human behavior, more so burnout of employees. This inevitably leads to stress and risky behaviors. The article acknowledges the fact that human beings are not machines, and even when they are working their best they still have their limitations. “In a recent survey of over 3,000 people, 55% said they felt at risk of burnout.” (Dr. Margaret Cunningham) When an employee is burned out, cyber hygiene ultimately suffers. These employees try to use workarounds to achieve their objectives for the day or even the entire work week.
Cyber security professionals need to invest the time to understand (NOT CONTROL) these human behaviors to reduce risks. The author believes that this is a key factor to building strong and resilient security systems. By assessing and understanding the risky behaviors from burned out employees, an organizations security posture can be increased dramatically by just a few little accommodations. Moreover, this will help in the effort to avoid small losses and breaches… or even circumvent some serious adverse incidents from happening. Worker burnout is a serious threat to organizations, and it is imperative that the risks they impose are mitigated promptly.
October 19, 2021 at 8:03 pm
I really enjoyed this article. The author raises an interesting point about increased shadow IT from burned out employees. I hadn’t considered this in the context of burnout before and it makes a lot of sense. It’s an important reminder for security teams to view users holistically.
Dan Xu says
October 19, 2021 at 8:15 pm
I agree with your shared that to reduce risk, cybersecurity professionals need to invest time in understanding these human behaviors, not controlling the behavior. Find the root cause by assessing and understanding the reasoning behind the risky behaviors of exhausted employees. Improvements through effective methods can reasonably improve high employee productivity.
Lauren Deinhardt says
October 19, 2021 at 6:26 pm
FBI warns about scams during Cybersecurity Awareness Month
Being that October is Cybersecurity Awareness Month, it is alarming that there is an anticipated uptick in phishing schemes/online scams. FBI Special Agent Gabriel Gundersen provided a public warning that threat actors will be active in operating online-based ransomware attacks (using cryptocurrency). This anticipated uptick can also be a result of the increase in online shopping resulting from holiday preparations also. Gundersen also foresees extortion schemes increasing, where an individual threats a victim using compromising photos/videos for monetary gain. Gundersen recommends that users regularly change their passwords on trusted accounts like Amazon/Google, and even enable multi factor authentication if it has not been enabled already.
This article really stood out to me since it is alarming that threat actors seek to increase cybercrime attempts in light of Cybersecurity Awareness Month. However, in terms of IT Auditing, this gives organizations a chance to see if their security awareness training programs are properly informing users/employees of social engineering schemes during this uptick.
zijian ou says
October 19, 2021 at 7:16 pm
“Squirrel Engine Bug Could Let Attackers Hack Games and Cloud Services”
Researchers have disclosed an out-of-bounds read vulnerability in the Squirrel programming language that an attacker could exploit to break out of a sandbox and execute arbitrary code in SquirrelVM, giving a malicious actor full access to the underlying machine.
October 19, 2021 at 8:09 pm
“Report: Public-sector cyber forecast looks mostly sunny”
The “Government 2021 Cybersecurity Trends Report” released by BeyondTrust on October 13 gives four potential reasons for government IT managers to be optimistic: they are identifying and implementing the right security technologies, targeted initiatives, funding, and seeing a decline in pandemic stressors. The report looks at how respondents view security measures from three perspectives: basic, fundamental and organizational.
Data protection (62 percent), data resiliency (62 percent) and privileged access management (61 percent) were nearly tied for the top three in terms of basic cybersecurity measures, according to the report. For organizational security measures, implementing security awareness training topped the list, with 77 percent of respondents citing it as the most important measure, although only 24 percent said it would stay that way. Malicious insiders were ranked as the #1 issue (67% of respondents), and insider errors leading to security incidents (55%) were the #3 issue. Concerns about external threat actors (57%) came in second, just slightly ahead of insider errors. Eighty-two percent of respondents believe the U.S. Rescue Plan will improve cybersecurity, and 34 percent say the improvements will be significant. The report’s findings support an optimistic outlook that cybersecurity processes and technologies must adapt to what attackers are doing in the future.
Corey Arana says
October 19, 2021 at 8:21 pm
Sky Lakes Medical center was one of a dozen healthcare providers who were targeted in a ransomware attack. The group known as “Ryuk” claimed the attack, “this group is notorious for effectively and continuously evolving their attack methods to ensure greatest impact.” This group used worming capabilities to exploit vulnerable desktop protocols. The incident lasted more than 3 weeks and Sky Lakes upgraded their systems and 2,000 computers.
Skylake Medical Center was one of dozens of healthcare providers who were victims of a ransomware attack. “The attack came from a group known as “Ryuk” and this group is notorious for effectively and continuously evolving their attack methods to ensure greatest impact.” In October 2020 Ryuk sent an employee from Sky Medical Healthcare opened an email and downloaded a file related to a company bonus. By doing this, the computer “blipped” and the computer restarted. The employee didn’t think anything of it and did not report the incident to the security department. IT was able to figure out about this incident after employee complaints of computers running slowly. At this time, leadership shutdown 2,500 devices and 600 servers to limit the spread of the ransomware. Leadership then reached out to Sky Lakes medical insurance company and Cisco Talos for a recovery effort.
The recovery process included: a disaster recovery plan, Sky lake established downtime procedures and due to this, Sky Lake was able to maintain patient care through the process. Adjustments were made to communication lines. Backups and pen testing were performed regularly. 3rd party cyber protection was utilized by Sky Lake to help with the response. Staff stepped up to perform duties outside of their job description. Luckily, the backups were not impacted by the ransomware. These efforts helped with the initial analysis and discovery.
The impact of the breach lasted 3 weeks and those backups and recovery process were a lifesaver for Sky Lake. If they did not have the proper recovery process, the incident would of lasted much longer.
Bryan Garrahan says
October 19, 2021 at 9:34 pm
This article discusses how the world has become more complex and diverse while also simultaneously interconnected as a result of COVID-19. Similarly, the business world and their IT shops have experienced these new changes as well, which has greatly increased the risk landscape for organizations. As a result the author, Steve Culp, encourages organizations to update their business continuity plans to ensure they are accounting for risks introduced as a result of the pandemic. Culp writes, “While our research found that 83% of risk managers have updated their business continuity plans in the last 12 months (and that 82% believe their current plan is fit for purpose) future disruptions are likely to take different forms and have a different impact. Planning for the last crisis won’t necessarily deliver the needed results”.
Furthermore, Culp provides a few key steps risk managers can take in order to realize these emerging risks. They are:
1. As organizations move to a cloud-first strategy, risk is working to establish redundancy and backups among cloud providers and to realize the resiliency benefits derived from an acceleration to the public cloud. And, of course, risk itself is taking advantage of the cloud to capture and analyze internal and external data.
2. Risk is helping companies understand the benefits of resiliency. While the ability to recover quickly from adversity remains a critical attribute; successful companies will also seek to better prepare and sense emerging threats to mitigate these risks before they become crises.
3. Companies are realizing the benefits of an integrated approach to resiliency and are naming chief resiliency officers to increase focus and heighten awareness. These are individuals who, in collaboration with business leaders, can get the different parts of the organization working together, incorporating continuity and resiliency into everyday strategy and operations.
Antonio Cozza says
October 19, 2021 at 9:47 pm
This article by the Wall Street Journal summarizes an interview with Google CEO, Sundar Pichai, who is making a serious call for improved cybersecurity in the United States, which he expressed by addressing the issue and presenting it to the U.S. Government. Specifically, he is calling for more government investments in cybersecurity for the nation in light of a presumably competitive disadvantage to China’s excelling security progress led with strong support by the Communist Party in developing AI. Most importantly, the discussion is also steered around the high impact of recent cyberattacks; it is interesting to hear Mr. Pichai mention that in contrast with how the Silicon Valley-emerged tech giants previously wanted the government to stay out of these companies, now they would actually prefer more government involvement in the technology industry in order to address issues many are now facing more commonly with such cyberattacks.
Ornella Rhyne says
October 19, 2021 at 10:31 pm
The article is about a misconfiguration of a VPN exposing people PII (Personally Identifiable Information). At least one million users of a Chinese-run VPN service have had their personally identifiable information (PII) exposed due to a misconfigured Elasticsearch server, Infosecurity can reveal.
The privacy concern affects Quickfox, a free VPN used mainly by the Chinese diaspora to visit sites otherwise inaccessible from outside mainland China, according to reviews site WizCase.
Michael Galdo says
October 19, 2021 at 10:40 pm
67% of Orgs Have Been Hit by Ransomware at Least Once
Well-known cybersecurity company, Fortinet, surveyed companies about ransomware and whether or not the company has ever been attacked by ransomware. The research study found that 67% of companies surveyed have been attacked by ransomware at least once. On top of that, 50% of the companies have been attacked twice, and 16% of these companies have been hit three or more times. Most of these companies mentioned in their survey that ransomeware was their most concerning threat as far as cyber threats go. Companies explained that even though they have good employee security training, cyber insurance, offline backups, and risk assessment plans, they still feel threatened by ransomware. Ransomware is a type of malware used to block access to a system until a sum of money is paid.
October 19, 2021 at 11:23 pm
While I see in the press that we are living in an unprecedented time of cyber attacks and penetration events, the number 67% still seems very high to me. It means that 2 out of ever 3 companies have been hacked: a very high number!!
The 2nd statistic of repeat hacks is disappointing – you would think that once you have been cyber penetrated you would take steps to prevent recurrence…..
Michael Duffy says
October 19, 2021 at 11:11 pm
My mentor sent this to me in a discussion about insider threats being a much higher risk than people realize. Since the recent chapters focused more on accidental leaks via phishing followed by hacker intrusion. I thought this made a much more interesting as this was an insider threat who intentionally sold atomic secrets for money.
I also find it funny because honest people worry so much about filling out background history information when giving it to different organizations or agencies. What people fail to realize is that most of the time these agencies are checking your credit score to ensure that you do not have outstanding debt. Because people with gambling addictions or over their head in loans typically are liabilities with sensitive information. They also check to see if you have felonies for obvious reasons, since that is an indicator of criminal behavior and likely means you cannot be trusted with sensitive information. But, a lot of background checks fail to catch adversaries that are politically motivated.
The article does not mention this, only how this operation unfolded. But when coming across articles like this it does amaze me that this individual most likely has Top Secret clearance and will still risk his career and quite the amount of jail time for his motives.
Michael Jordan says
October 19, 2021 at 11:58 pm
The article that I am summarizing for this week is titled “How to Survive a Ransomware Attack”, written by Bob Violino on CFO.com.
It describes how a recovery from a ransomware attack, one of the most prominent form of disaster that organizations face today, is best done (from the perspective of a CFO). It still makes some pretty good points that apply from an IT perspective.
The article says the first step is to act out a pre-defined “IRP”, or Incident Response Plan, which I took as an exact substitute for the term DRP. It then proceeds to go through the other steps of identifying and fixing the immediate problem, contacting law enforcement, deciding to pay / not pay the ransom (on which i disagree from the article), and recovering and changing systems and policies.
A quote from the article that I found very relatable to DRP, a topic from this week, was “The IRP provides a defined set of step-by-step instructions to help staff detect, respond to, and recover from network security incidents’, says Jeffrey Wells, co-chair of the cybersecurity, data protection, and privacy team at law firm Clark Hill PLC.
Olayinka Lucas says
October 19, 2021 at 11:59 pm
COVID-19 Impact: Global Disaster Recovery as a Service Market to Hit $57,133.1 Million at a CAGR of 42.9% from 2019 to 2026 – Exclusive Business Current and Forecast Opportunity Report by Research Dive
We learned from the COVID pandemic that most organizations have now realized that what they had in place as a disaster recovery plan was either not practical or did not exist at all. I came across this article and was astonished to discover that one of the positive outcomes of the COVID pandemic is that the demand for DRAAS (Disaster Recovery As A Service) would now be on the rise, albeit DR is a necessity.
What is DRAAS (Disaster Recovery As A Service)? This is when 3rd parties and professionals with DR program implementation capabilities and skillsets are contracted/hired by organizations to set up and manage their DR universe for business sustenance.
The COVID pandemic has made us realize that contingency planning is no longer a business want but a need essential for business growth and survival. The need to manage risks, i.e., the consequences of remote work (phishing, internet, endpoint, ransomware, and network security threats), were at an all-time high like never before, creating global awareness. This is the time for IT Professionals and Vendors with Disaster recovery program capabilities to cash in.
kofi bonsu says
October 20, 2021 at 9:13 am
The article talks about developing a plan for business recovery is extremely important for a company to survive in the midst of disaster.
In that regard, it becomes absolutely essential for ,many businesses to have contingency plans in place to help them recover from floods and hurricanes, but who actually plans for computer viruses or month-long power outages? The purpose of this article is to discuss the elements of a Disaster Recovery Plan – why you need a plan, how to get started, what to consider, and where to find help
Victoria Zak says
October 20, 2021 at 5:25 pm
As we know, Facebook, Instagram, & WhatsApp were down for hours earlier this month. Everyone was searching for hours, but none was provided until later. My family members thought it was their wireless connection- however, Facebook points the finger at global outage. The article mentions, “Our engineering teams have learned that configuration changes on the backbone routers that coordinate network traffic between our datacenter caused issues that interrupted this communication. This disruption to the network traffic had a cascading effect on the way our datacenter communicate bringing our services to a halt.”
Facebook understands many people and businesses have been affected. They are working on to understand more of what happened to create more resilient on their infrastructure.
Alexander William Knoll says
The article I read is about a company called Sinclair Broadcast Group and this article really relates to our topic this week in the matter of DR. Sinclair is a Baltimore-based sports/media group that had a cybersecurity incident earlier this week. On October 16th, they identified/investigated a potential security incident. On October 17th, they discovered that servers and workstations were encrypted with ransomware, disrupting operational networks. Data was taken from the network as well. Currently, they are attempting to determine the importance of the data and have plans to take further action as required. Upon detection of the breach, the company promptly implemented their incident response plan which includes taking measures to contain the incident and begin an investigation. Legal counsel, senior management, a cybersecurity forensic team, among others were involved, as well as law enforcement and other governmental agencies. As they continue to manage the breach, it is currently causing disruptions to local broadcast stations, but the company is working to restore operations quickly and securely. Because the organization is still in early investigative/assessment phases, they are unable to determine yet if the event will have material impact on business operations and/or financial results. They also will look for opportunities to enhance their existing security measures.
You must be logged in to post a comment.