Get counted! Take the Global Knowledge IT salary survey today.

December 8, 2017 at 10:30 am | Posted in Careers, Knowledge

Global Knowledge’s annual IT Skills and Salary Survey is one of the industry’s largest and most valuable tallies of IT salaries across industries. Now in its 11th year, the survey gathers insight on industry salaries and in-demand certifications, and attempts to identify skill gaps in the career landscape that can help you plan future career paths.

Your contribution is confidential, and participants can opt in to receive the report by email when it is released in Spring 2018.

Interested? Click here to take the survey before it closes on December 11, 2017.

The IT Detective – Tale of a data breach

November 21, 2017 at 5:03 pm | Posted in cybersecurity, Knowledge

Of all the IT detective agencies in all the towns in all the world, she walked into mine. She was blonde, beautiful, and had eyes so blue they would scorch your soul. And I knew just how much that would hurt. See, I was in love with her once. Hey, maybe I’m still in love with her. How could I not be? She knew her way around a secure IT password policy and she worked for a major credit reporting agency. Even though she was the life of the party, I knew she was all business where it counted.

One look at her and my heart started banging like a bad platter on a Seagate hard drive, but I knew I had to play it cool. “Hello, pretty lady,” I said. “What brings you to my office?”

“Hi there, handsome fella’,” she replied. “I hear you’re investigating that big data hack from September. I figured I’d come looking for you before you came looking for me.”

“A lot of people’s Personally Identifiable Information (PII) was stolen,” I said. “People were outraged. They were mad, and they want answers. They want to know why it happened, and what to do next. And I want to give them those answers.”

“Well, I don’t work for Transfaxian anymore. And I had nothing to do with that data breach,” she insisted. “I just want to help you help the people who got hurt.”

She said she had nothing to do with it, but the timing of her departure was a little too coincidental. Still, if she was willing to sing, I was willing to play backup, so I invited her to Sam’s Pub to tell her story.


When she walked into the bar, she lit that dark room up like the activity lights on an overworked Cisco router. Sam poured us some drinks, I tossed him a quarter for the jukebox, and he played our favorite song. It was time to grill this pretty lady. Did I have an axe to grind? Maybe I did. We were a nice couple for a while, but work got in the way.  I spent so much time investigating data breaches that it affected me day and night. How could it not? Who can sleep when their PII is being sold on the dark web?

I was stuck in a dark cloud and depressed.  She got tired of being ignored, and kicked me to the curb. But before the first question came out of my mouth, she flashed me a smile. You know, the smile that melts the most frozen of hearts and makes you feel at ease. The last time I smiled like that, I’d just pulled off a flawless two-day security audit.

“So,” I said. “Why were the hackers able to get the Social Security numbers, birth dates, addresses and some driver’s license numbers?”

“I just know what I read in the papers,” she said. “They knew there was an unpatched flaw with Apache Struts CVE-2017-5638, but their own security team couldn’t find the flaw to fix it.”

“So they knew!” I nearly yelled. I knew she hated black olives, zero-day attacks, and unpatched servers, and when I raised my voice, I could see tears in her eyes.

“Yes, they knew,” she whispered. “But I was just another hard-working sales person trying to make a quota.”

She was one of the best sales people ever; she once sent me a postcard from Cancun after she won a sales contest. I knew this lady could pull the wool over my eyes if I wasn’t careful.

“Did you always use two-factor authentication?” I asked carefully. “When you logged into your computer or a company website, did you have to enter a username and password plus a random 4-8 character one-time code?”

She frowned. “No, I just put in my username and password when I booted up my computer or logged on to the website. I didn’t need anything else.”

“What was your password?” I asked.

“What was yours?” she responded coldly.

“Your name plus the date we met, hashtag smiley face.”

“So, at least 10 characters with numbers and special characters?” she said. “Yes, we followed that standard.”

“Ah, but how often did you change it?”

“It was supposed to be 60 days, but I changed mine every 45 days,” she said.

Clearly, it was time for harder questions. “Did your department use email to send documents like PDFs, Word files, or Excel files as attachments to other employees? Not to customers or people on the outside?” I asked. She looked away. I could see she was stalling. “Or did you use some kind of cloud storage, like SharePoint or Google drive, and just email links to the document locations?”

“Okay, okay. We emailed attachments to other department members all the time. It’s not a crime, even if it can leave cached copies on servers outside our firewall,” she snapped. Like she was a dancer in another life, and she was dancing fast now. “We didn’t use shared storage. I guess we could have emailed the links instead of emailing the documents to other team members, but we didn’t.”

“Did anyone in your department ever get phished by a hacker?”

She looked offended. “We were smart. We had great email filters. Email from customers came to the inbox, and email from spammers went to the spam folder.”

When she talked security, it drove me crazy, and it crushed me that we were not together anymore. I reminded her, “It’s a lot easier than you think to get phished, pretty lady.”

“Well, not me. I followed the company’s rules. I always used the VPN when I was on the road or in the coffee shop. And we were pretty restricted on our laptops. We couldn’t open our personal email accounts on Gmail or Outlook or Hotmail. Oh, and we weren’t supposed to use social media on the laptops.”

“You expect me to believe that?” I pressed.

“Okay, fine. So I would sometimes check Facebook or hit an Ann Taylor sale online,” she said. If she was wearing Ann Taylor now, nobody wore it better than her.

“I just worked a big case involving some Nigerian hackers,” I explained. “They used a company’s email account to send fake invoices to customers that used routing numbers for a bank in Nigeria. The customers paid the invoice, but the Nigerians got the money. Did anybody get hit with ransomware at your company, as far as you know? Or did you hear talk about any other kinds of security issues?”

“No way. The security was tight,” she said.

“Okay, so what if someone at Transfaxian lost their corporate cell phone?”

“They did a remote wipe. You lost the phone, but the data was gone. I didn’t lose sleep over it,” she said coolly.

“Did you ever have to back up your laptop?” I said.

“No, why would I? Most of my work was saved in the corporate app. I never had a device fail on me. I like to play the odds,” she said with a devilish grin.

“Well, how often did your corporate IT department apply Windows updates to your laptop?” I asked. “Large companies typically push updates to their employees on their own schedule. The credit bureau hack was possible because your company did NOT update an Apache server. Do you remember being asked to reboot your computer during the work day on a regular basis?”

“I know I occasionally had to reboot for updates. Sure. I thought we were on top of the security fixes, but I’m really not an expert,” she said sadly. “You believe me, don’t you? It wasn’t my fault. I heard some big-shot officers traded their stock and walked away with a fortune. All I walked away with was a coffee mug and a red Swingline stapler.”

“I believe you, pretty lady. However, there are folks out there who are just trying to make it in this world, trying to see if a little sun will shine on their dreams. So what do you want me to tell those hardworking stiffs who are running scared because their PII is exposed?”

She took a deep breath. “Tell ‘em, you should keep your credit frozen for the rest of your life. Or until they come up with a new kind of credit fix. Freezing your credit will keep you as safe as possible. Right now my former company says they’ll waive any fee to place, lift, or remove a security freeze through January 31, 2018.

“Other than that, make sure to join a service that lets you monitor your credit on a regular basis. I personally use Credit Karma. You also need to know that in the next few months, cyber attackers will take advantage of this incident and launch millions of phishing emails, phone calls, or text messages trying to fool people. Oh, and tell people to read the Ouch! Security Awareness newsletter so they can learn to protect themselves,” she finished.

“That’s a nice speech, but it doesn’t address how the hackers got in,” I said. Her face turned red and that firecracker personality that I’d fallen for came to life. “So what would YOU have done, big shot?” she challenged.

“That’s a hard fix, but an easy answer,” I replied. “After all, that’s why they call me the IT Detective.”

  • Hide the version and OS identity from error pages, whether you are running Apache or another server. When an attacker requests a nonexistent URL on your server, the server version can be displayed in the error message. On an Apache server, you can turn ServerSignature off to stop the server version from being shown on error pages.
  • If your web page will accept comments from customers, validate those comments to prevent cross-site scripting (XSS) attacks.
  • Explicitly parameterize queries to prevent SQL injection attacks, so that an attacker cannot use a web form field or URL parameter to gain access to or manipulate your database.
  • And for heaven’s sake, keep your software updated on your server, including third-party software.
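The second and third bullets above, worked through in Python as an added example that is not part of the original post: a comment validator plus HTML output encoding for the XSS point, and a string-built query shown beside its parameterized form for the SQL injection point. The `customers` table, its columns, the sample rows and the comment length limit are all constructed for this example; the database is an in-memory SQLite file so it runs offline.

```python
import html
import re
import sqlite3

# Constructed sample schema and rows (an assumption for this example; the post
# names no database or table).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, ssn_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, ssn_last4) VALUES (?, ?)",
        [("alice@example.com", "1234"), ("bob@example.com", "5678")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, email: str) -> list:
    """The 'before' form: the form field is pasted into the SQL text, so an
    input such as  ' OR '1'='1  rewrites the WHERE clause into a tautology
    and the query returns every row."""
    sql = f"SELECT email, ssn_last4 FROM customers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, email: str) -> list:
    """The 'after' form: the value is bound as a parameter and never parsed
    as SQL, so the same input simply matches no row."""
    sql = "SELECT email, ssn_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


MAX_COMMENT_LEN = 1000  # constructed policy limit for this example
_CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def validate_comment(comment: str) -> bool:
    """Input validation: reject empty, over-long, or control-character-laden
    comments outright. Validation cuts down junk; it does not replace the
    output encoding below."""
    if not comment or len(comment) > MAX_COMMENT_LEN:
        return False
    return _CONTROL_CHARS.search(comment) is None


def render_comment(comment: str) -> str:
    """Output encoding: html.escape turns <, >, &, ' and " into entities, so
    a comment containing a <script> tag is displayed as text, not executed."""
    return '<p class="comment">' + html.escape(comment, quote=True) + "</p>"


if __name__ == "__main__":
    conn = make_db()
    probe = "' OR '1'='1"
    print("string-built query: ", lookup_unsafe(conn, probe))       # both rows
    print("parameterized query:", lookup_parameterized(conn, probe))  # []
    payload = '<script>alert("x")</script>'
    print(validate_comment(payload), render_comment(payload))
```

The two lookups run the same logical query; the only difference is whether the customer-supplied value travels as SQL text or as a bound parameter, which is the whole of the "explicitly parameterize" advice. For the comment field, validation and encoding are separate layers: validation rejects input that has no business being a comment, and encoding guarantees that whatever is stored is rendered as text.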

When the hail of bullets stopped, she waved away the smoke and said, “I was your bleeding heart. I was your crying fool, but you loved your IT detective job more than me.”

“I was in love with you once, you know,” I told her. “And I’ll always take the blame for why we split. I’m no good at being noble, but it doesn’t take much to see that the problems of two people don’t amount to a hill of beans in a crazy world where people’s PII is being stolen every day. Someday, maybe you’ll understand that.”

She tossed a $50 bill on the bar and stood up. “It’s time to move on, time to get going. What lies ahead, I have no way of knowing. But I told you what you wanted. So this is goodbye, handsome fella.”

“Goodbye, pretty lady,” I said. We hugged. I did not want to let go, but I did.

As I watched her walk away, I knew two things:

She would always have a piece of my heart, and the data breaches would continue. My job would never get any easier. When the most vulnerable piece of any network is the user, it just makes my job harder. It comes with the territory.

I ordered another drink, tossed out another quarter for the jukebox, and said, “Play that song again, Sam.”


Stay safe,

George Monsalvatge

 

All Things Being Equifax: A Cybersecurity Awareness PSA

October 4, 2017 at 10:29 am | Posted in cybersecurity

Over 9 billion data records have been lost or stolen since 2013. In fact, experts believe nearly 5.5 million records are exposed every day. It’s no longer a question of whether a company has been compromised, but when it will happen, and how consumers can take steps to protect their data.

Not every data breach is the same. Sometimes the stolen data is already public, like your name and street address, or is encrypted to prevent its use by thieves. The most dangerous breaches expose plaintext data (data that is not encrypted or otherwise obscured) and PII (personally identifiable information), such as a government ID with an associated date of birth and legal name.

The recent Equifax breach is a serious security concern because of its breathtaking scope and sensitivity. The stolen data included social security numbers, driver’s license numbers, and other PII as well as credit card numbers. Unlike a username and password, PII is meant to uniquely identify you for your entire life and (usually) can’t be changed. If it’s exposed, you face an ongoing threat of identity fraud.

So what can you do in the wake of such a massive breach? What follows are the best security practices we can recommend, including advice from an actual (anonymous) employee of a big-three credit bureau.

(ETA: as sharp-eyed reader Carol points out, there are actually four credit agencies, though Innovis is typically omitted from these types of list. We have updated the post to add Innovis’ contact information as well.)


The Great Password Debate – Where we disagree about password resets and failures (Part 3)

September 20, 2017 at 3:30 pm | Posted in cybersecurity, Knowledge, Technical Tips

This post is part three of our reaction to new recommendations in the National Institute of Standards’ Digital Identity Guidelines (NIST Special Publication 800-63), Appendix A – Strength of Memorized Secrets. You can check out Part 2 here.

In the Great Password debate that has been generated by the latest NIST guidelines, we (the trainers and experts on the Transcender team) find we agree with some recommendations and disagree with others. In our previous post, Josh discussed the way password complexity has been found less secure than longer passwords made up of simple words. In this post, we (Robin Abernathy, Ann Lang, and Troy McMillan) want to discuss NIST’s new guidelines for password resets (password age) and responding to password failure/account lockout (failed authentication).

Among the otherwise sound advice in the Digital Identity Guidelines (NIST SP 800-63B), we did pick out three points that cause us some consternation:

  • Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator. (Section 5.1.1.2)
  • Unless otherwise specified in the description of a given authenticator, the verifier SHALL limit consecutive failed authentication attempts on a single account to no more than 100. (Section 5.2.2)
  • When the subscriber successfully authenticates, the verifier SHOULD disregard any previous failed attempts for that user from the same IP address. (Section 5.2.2)
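The second and third bullets (the ceiling of 100 consecutive failures, and disregarding earlier failures from the same IP once the user logs in successfully) turned into a small verifier in Python. This is an added example, not code from the post or from NIST; the PBKDF2 hashing, the low iteration count and the in-memory account store are assumptions made so the demonstration runs on its own.

```python
import hashlib
import hmac
import os

# Ceiling quoted above from NIST SP 800-63B section 5.2.2.
MAX_CONSECUTIVE_FAILURES = 100
# Kept low so the demo runs quickly; a production verifier uses far more rounds.
PBKDF2_ROUNDS = 10_000


def hash_secret(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)


class Verifier:
    """In-memory verifier that applies the two quoted rules:
    - refuse further attempts once MAX_CONSECUTIVE_FAILURES failures are on record;
    - on a successful login, drop the recorded failures from that source IP only,
      so failures from other addresses still count toward the ceiling."""

    def __init__(self) -> None:
        self._accounts = {}   # name -> (salt, pbkdf2 hash)
        self._failures = {}   # name -> list of source IPs, one entry per failure

    def enroll(self, name: str, secret: str) -> None:
        salt = os.urandom(16)
        self._accounts[name] = (salt, hash_secret(secret, salt))
        self._failures[name] = []

    def failure_count(self, name: str) -> int:
        return len(self._failures.get(name, []))

    def attempt(self, name: str, source_ip: str, secret: str) -> str:
        """Return 'ok', 'fail' or 'locked'."""
        if name not in self._accounts:
            # Unknown account: spend the same hashing cost so response time
            # does not reveal which account names exist.
            hash_secret(secret, b"\x00" * 16)
            return "fail"
        if len(self._failures[name]) >= MAX_CONSECUTIVE_FAILURES:
            return "locked"   # the limit applies even when this guess is right
        salt, stored = self._accounts[name]
        if hmac.compare_digest(hash_secret(secret, salt), stored):
            self._failures[name] = [ip for ip in self._failures[name] if ip != source_ip]
            return "ok"
        self._failures[name].append(source_ip)
        return "fail"


if __name__ == "__main__":
    v = Verifier()
    v.enroll("robin", "correct horse battery staple")
    for _ in range(MAX_CONSECUTIVE_FAILURES):
        v.attempt("robin", "203.0.113.7", "wrong guess")
    print(v.attempt("robin", "203.0.113.7", "correct horse battery staple"))  # locked
```

The per-IP bookkeeping is what makes the third bullet work: a legitimate user who mistypes a few times and then logs in clears their own slate, while a guessing campaign from another address keeps counting toward the lockout. How a locked account is released again (help desk, time-based reset, a second factor) is outside the quoted text and is left out here.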

Love it a long time, or leave it every 30-60 days?

How many of you out there work for a company that requires you to change your password at a regular interval, usually every 60 or 90 days? Bullet point 1 states that this is no longer necessary.

Troy says: I disagree with this recommendation. I contend that changing the password at regular intervals DOES increase security because it shortens the amount of time it is available for disclosure. The logic behind this new NIST rule is based on a failure of how people implement it, not a failure of the concept of password age. In other words, the concept fails because the users do not use unique or secure passwords. They usually choose a new password that’s similar to the previous passwords with a few character changes. This issue would be resolved with proper security awareness training and policy enforcement. Also, there are solutions out there that can prevent users from creating a password that is too close to a previous password. So while we understand what NIST is trying to do with this change, I personally don’t agree with it.

Ann says: I disagree somewhat. The theory is that if you’re ALSO making people choose much longer, easier-to-remember character strings for passwords, like IlikebigpasswordsandIcannotlie! Twoyears beforeI changeit lala hooray!, then you still have the advantage of the password being much, much harder to crack or guess from a mathematical standpoint. After reading through their breakdown of Authenticator Assurance Levels (AAL), I’d be okay following their password age recommendations for any site that’s operating at AAL2 or above.

(For what it’s worth, Microsoft’s 2016 Password Guidance for IT Administrators both counsels you to lose the mandatory periodic password reset, AND to educate users on choosing appropriate passwords and banning commonly used passwords.)

The Great Password Debate (Part 2): Longer, Simpler Passwords Are the New Black

September 8, 2017 at 4:03 pm | Posted in cybersecurity, Knowledge, Technical Tips

This post is part two of our reaction to new recommendations in the National Institute of Standards’ Digital Identity Guidelines (NIST Special Publication 800-63), Appendix A – Strength of Memorized Secrets. You can check out Part 1 here.

Which of the following two passwords is more secure?

p@$w0RdCh34Tr#
ILikeSimplePasswordsICanRememberAndUseNotComplex

The first password is 14 characters long, well over the recommended minimum of 8 characters. It also meets many, if not all, of the common password complexity requirements: it contains multiple special characters like @ and $, numbers like 3 and 4, and mixes uppercase and lowercase letters in for good measure. It does not contain a username or any repeated characters. At the Password Meter, I get the following rating:

[Image: Password Meter rating for the first password]

The second password is a lot longer (over 3x), clocking in at 48 characters. If you think that is crazy long, section 5.1.1.2 of the new NIST 800-63B Special Publication suggests passwords of at least 64 characters! But this password is pretty awful when it comes to complexity: it has no special characters or numbers, and it contains easy-to-read dictionary words. So you’d expect a really low score from the Password Meter.

But you’d be wrong:

[Image: Password Meter rating for the second password]

What is going on? In a nutshell, according to the latest research, password size matters more than character complexity, even if the password strings together easy-to-read words. This is a harsh truth, to be sure, and the reason why requires a quick trip back to mathematical set theory and the world of bike lock combinations.
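The set-theory argument behind those two ratings, worked through in Python as an added example that is not the post’s own calculation. Each character position is a bike-lock dial: the alphabet size is how many symbols the dial can show, and the search space is alphabet raised to the number of dials, so the number of positions multiplies the bit count while a bigger alphabet only adds a few bits per position. The word-list model and the 20,000-word dictionary size are assumptions chosen for the example, to show that even an attacker who guesses whole words rather than characters is worse off against the longer password.

```python
import math
import re
import string

# The two passwords from the post.
PW1 = "p@$w0RdCh34Tr#"
PW2 = "ILikeSimplePasswordsICanRememberAndUseNotComplex"

# Character classes a complexity rule usually counts; printable ASCII has
# 95 symbols in total (26 + 26 + 10 + 33, the last class being punctuation plus space).
_CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation + " "), 33),
)


def alphabet_size(password: str) -> int:
    """Symbols per dial: the alphabet an attacker must assume once they know
    which character classes appear in the password."""
    return sum(count for members, count in _CLASSES if any(ch in members for ch in password))


def charset_bits(password: str) -> float:
    """log2 of the search space when every position is an independent dial:
    bits = length * log2(alphabet_size)."""
    return len(password) * math.log2(alphabet_size(password))


def camel_words(password: str) -> list:
    """Split a CamelCase passphrase into its words (constructed helper for PW2)."""
    return re.findall(r"[A-Z][a-z]*", password)


def wordlist_bits(word_count: int, dictionary_size: int) -> float:
    """Pessimistic passphrase model: the attacker guesses whole dictionary words,
    so each word is one dial with dictionary_size symbols."""
    return word_count * math.log2(dictionary_size)


def compare(pw1: str, pw2: str, dictionary_size: int = 20_000) -> dict:
    return {
        "pw1_alphabet": alphabet_size(pw1),
        "pw1_bits": charset_bits(pw1),
        "pw2_alphabet": alphabet_size(pw2),
        "pw2_bits": charset_bits(pw2),
        "pw2_words": len(camel_words(pw2)),
        "pw2_wordlist_bits": wordlist_bits(len(camel_words(pw2)), dictionary_size),
    }


if __name__ == "__main__":
    for key, value in compare(PW1, PW2).items():
        print(f"{key:>18}: {value:.1f}" if isinstance(value, float) else f"{key:>18}: {value}")
```

With the 95-symbol alphabet, 14 characters give about 92 bits; 48 characters from a 52-letter alphabet give about 274 bits, and even the 11-word dictionary model leaves the second password well above 150 bits. Bigger dials help a little; more dials help a lot.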


The Great Password Debate (Part 1)

August 22, 2017 at 4:49 pm | Posted in cybersecurity, Knowledge

Are you overwhelmed by having to remember too many passwords? Why do some experts recommend using special characters like %, $, or @? Do you really have to change your password every 90 days? Which password method will keep your accounts and data safe from hackers?

Do you ever just feel like you’ve fallen into the password abyss?

Welcome to our new blog series, “The Great Password Debate!”

If you’re sick and tired of being sick and tired of keeping up with password complexity advice — which says to maintain dozens of unique special-character passwords that change every 90 days — you’re not alone. Bill Burr, who helped first come up with these password standards for National Institute of Standards and Technology (NIST), is right there in the password abyss with you:

I have maybe 200 passwords. I can’t remember all those obviously […] It’s probably better to do fairly long passwords that are phrases or something like that that you can remember than to try to get people to do lots of funny characters.

Currently, most authenticators make users create a combination of numbers, letters and symbols for a “safe” password. However, Mr. Burr has stated recently that he believes making passwords more complicated is NOT the best way to protect your information. He now recommends longer, simpler, and more unique phrases—and, apparently, so do the recently updated NIST standards.

So, what are you to do? Go with the tried and true methods of the past ten years, or step out with the new password approach? In our upcoming blog posts, we’ll delve into this issue, presenting various password rules and seeing how they compare with the latest suggestions from security experts. It promises to be a very L1v3LY D38473.

Stay tuned…

Shahara Ruth

Logical Operations’ CyberSec First Responder (CFR-210) Certification Is Now U.S. DoD-8570 Compliant

July 7, 2017 at 1:15 pm | Posted in cybersecurity, Knowledge, Logical Operations, Vendor news

Logical Operations has announced that the CyberSec First Responder (CFR) certification is now approved by the United States Department of Defense (DoD) as DoD Directive 8570 compliant. CFR is now an approved Baseline Certification for the CSSP Analyst and CSSP Incident Responder categories, and verifies the skills necessary to perform these job functions.

The CyberSec First Responder certification exam (CFR-210) tests the cybersecurity practitioner’s ability to prevent, detect, analyze, and respond to security breaches in the organization.  Transcender is the authorized practice test provider for the CFR-210 and provides the CFR-210 practice exam, which includes 260 practice questions and over 300 flash cards covering the exam’s four main objectives:

  • Analyze Threats
  • Design Secure Computing and Network Environments
  • Proactively Defend Networks
  • Respond/Investigate Cybersecurity Incidents

According to Joe Mignano, VP of Channels for Logical Operations, the DoD approval “allows individuals fulfilling crucial information assurance functions for the United States government or their contractors to validate their Analyst and Incident Responder job skills with our certification program.”

The CFR certification already met the ANSI/ISO/IEC 17024 standard and was accredited by ANSI (American National Standards Institute) in 2016.

Logical Operations also provides a CFR training course, developed to prepare IT professionals with the knowledge, ability, and skills necessary to provide for the defense of those information systems in a cybersecurity context – including protection, detection, analysis, investigation, and response processes.

U.S. Department of Defense Directive 8570 provides guidance and procedures for the training, certification, and management of all DoD employees involved with Information Assurance functions in their line of duty.  Other providers of certifications that meet DoD Directive 8570 are Cisco, Computing Technology Industry Association (CompTIA), EC-Council, International Information Systems Security Certifications Consortium (ISC)2, Information Systems Audit and Control Association (ISACA), and Global Information Assurance Certification (GIAC).

 

Ransomware! What is it, and what can I do about it? (Part 2 of 2)

April 10, 2017 at 4:55 pm | Posted in cybersecurity, Knowledge

In my first post (Part 1), I went over the basics of how ransomware exploits your computer, and the #1 weird trick that computer experts use to avoid the pain of ransomware: namely, always have a current, offline backup of your files where the thieves can’t encrypt it in the first place.  Backups can save you from the pain, the agony, and the grief of ransomware. You may have to reimage your computer and copy a known set of good files from a backup set, so the more often you back up, the better off you’ll be.

However, if everyone always had a current backup, there’d be a lot less ransomware out there. The criminals who spread ransomware know that most people don’t back up their data. According to the FBI, attacks by ransomware accrued over $18 million by June 2015, and ransomware attacks are expected to boom in 2017. Crime pays, and pays well.


Also, cybercriminals attack new and surprising venues every day (like Android screen lockers that demand payment in Amazon gift cards), so you may be the next victim. And while backups are good, you don’t want ransomware (or malware of any kind) on your computers in the first place.  And finally, if you’re in IT, you’re always going to field the eventual call from your mom, your brother, or your college roommate, saying “Help! There’s a message on my computer screen that says ransomware has infected my router and I have to pay $200!”

In this post, I’ll go over some general suggested practices to harden the various areas of your computer or network where malware might enter in the first place. I’ll also list the better resources to turn to for ransomware news and solutions that may help you extricate someone from a ransomware attack.

(Note: the first part is mostly Windows-based, but the second part applies to all computer users.)

Reveal it all

If you run a Windows machine, you should always show hidden file extensions using Windows Explorer. The average user – your college roommate, Joe Lunchbucket – has been warned a zillion times by the IT department never to open an executable file from email or a URL, and believe it or not, he won’t. But if he unzips an attachment, say an automated email from the local printer, and sees a file named BillJones_Resume.PDF, he’s going to think it’s really a PDF file. If file extensions are hidden (the default behavior) he won’t realize the file is actually BillJones_Resume.PDF.exe.

File extension viewing can be enabled by opening Windows Explorer, choosing the View menu, choosing Options, and then choosing Change folder and search options. On the View tab of the Folder Options window, uncheck Hide extensions for known file types. (The exact path may depend on which version of Windows you run.)

[Image: the Folder Options window, View tab]

Keep executables and known bad links out of email, and keep updates current

Ensure that your email service filters out EXE and script files. This may not protect you from someone hiding an EXE in a ZIP file, though. At work, your corporate infrastructure should have in-mail protection such as antivirus engines that check mail and attachments before the email is delivered to the inbox, and check web links to see if they are dangerous or spoofed.
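The two points above (the hidden-extension disguise from the previous section, and the fact that an executable can ride inside a ZIP past a filter that only looks at bare attachments) demonstrated in Python as an added example that is not part of the original post. The list of executable extensions is a constructed policy for this example, and the ZIP is built in memory from dummy bytes so nothing touches the disk.

```python
import io
import zipfile

# Extensions Windows runs directly. Constructed policy list for this example;
# tune it to your own environment.
EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "msi", "hta",
    "js", "jse", "vbs", "vbe", "wsf", "wsh", "ps1",
}


def displayed_name(filename: str) -> str:
    """What Explorer shows with 'Hide extensions for known file types' on:
    the final extension disappears, so BillJones_Resume.PDF.exe is listed as
    BillJones_Resume.PDF."""
    base, dot, _ext = filename.rpartition(".")
    return base if dot else filename


def is_executable_name(filename: str) -> bool:
    """Only the last extension decides what Windows runs; everything before it
    is just part of the name."""
    return filename.rpartition(".")[2].lower() in EXECUTABLE_EXTENSIONS


def has_double_extension(filename: str) -> bool:
    """Flag names like report.pdf.exe: a document-looking extension in front
    of an executable one is the classic disguise."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTENSIONS


def scan_zip(data: bytes) -> list:
    """Open an attachment in memory and return the member names that a
    gateway would have stopped had they arrived as bare attachments."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [name for name in zf.namelist() if is_executable_name(name)]


def build_sample_zip() -> bytes:
    """Constructed attachment: a genuine-looking PDF beside a disguised
    executable. Member contents are dummy bytes, not real files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("BillJones_Resume.PDF.exe", b"dummy bytes, not a program")
        zf.writestr("BillJones_Resume.pdf", b"%PDF-1.4 dummy")
    return buf.getvalue()


if __name__ == "__main__":
    for name in ("BillJones_Resume.PDF.exe", "BillJones_Resume.pdf"):
        print(f"{name:28} shown as {displayed_name(name):24} "
              f"executable={is_executable_name(name)} double={has_double_extension(name)}")
    print("flagged inside zip:", scan_zip(build_sample_zip()))
```

Run the block and the first line shows why Joe Lunchbucket gets fooled: with extensions hidden, both members display as a resume PDF, and only the scanner that looks at the full name inside the archive tells them apart.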

If you’re operating in a Windows enterprise environment, you or your IT administrator can use Group Policy Objects (GPO) to prevent ransomware like Cryptolocker from executing its payload in the \USERS folder, AppData, Local App Data folders, or Temp directories.

Check if you have any Remote Desktop Protocol (RDP) ports open and disable these ports to prevent access to your desktop remotely. (TrendMicro reported a sharp uptick in the number of brute-force RDP attacks in 2016.)

Patch or update your software and browsers regularly. Windows Update ensures that you have security patches and fixes for your operating system. Remember, if you have Windows 10, your free malware/anti-virus protection app is Windows Defender. To get updated malware and virus signatures, and to update Windows Firewall, you have to run Windows Update.

On a related note, make sure your device firmware (even on routers, streaming devices, smart TVs, and refrigerators) is updated regularly.

Axe the non-essentials and known vulnerabilities

Remove Adobe Flash from your computer. Do you need Adobe Flash? Lots of malware attacks come from fake pop-ups that tell the user to update their Adobe Flash or from malvertising that uses Flash. If you do keep Adobe Flash, make sure that your antivirus/antimalware system actively checks for malware files. Other common browser hijacks will pop up a message saying you need to download an emergency update to Firefox or click to install free anti-virus software. Ensure that these kinds of applications update silently in the background so you won’t be fooled.

What to do if you think a ransomware attack is underway

If you suspect you’ve just landed on a site that’s infected with ransomware, disconnect your machine from the outside world. Unplug your Ethernet connection. Turn off your WiFi. If you move fast enough, you may protect network-attached drives from being affected. Get off the network and fire your anti-virus and anti-malware engines up immediately.

First – as I already stated – it’s a mistake to pay. (If you do decide to pay, it should always be a last resort.) Your first step should be to verify that it’s REALLY ransomware or malware, and not a browser hijack or a scareware popup that goes away when you close your browser and restart your computer.

It’s really ransomware: where to go for help (or to help others)

Ransomware can be divided roughly into two groups: sophisticated proware, and amateur hour. Even if it’s not just a scareware popup, some ransomware can be circumvented with built-in system tools. I know someone who was recently hit with Spora, a nasty and sophisticated cryptoware for which there’s no current fix. However, she managed to retrieve some of her files using Windows Previous Versions and volume shadow copies (VSS).

DON’T start with a random Google search. A huge number of search results from “how to fix ransomware XYZ” will be spurious or links infected with malware. (Criminals work the SEO to try to direct you back into their web.) Using another computer if you have to, go directly to the blog or forum maintained by your anti-virus or anti-malware solution provider and search for information there. In fact, major antivirus providers offer free ransomware discovery or decryption tools on their websites, and non-profit sites exist that will help you identify what’s infecting your system, so any of these links are also a good place to start:

Subscribing to security newsfeeds is a good way to keep your background knowledge high. If you want to read up on ransomware before you’re hit with an attack, Digital Guardian released its list of The Top 50 InfoSec Blogs You Should Be Reading (including authorities like Krebs On Security).

If you or someone you know is a victim of ransomware, the ransom note will tell you there’s a deadline of 48 to 96 hours to pay the ransom to get a private key. After the time has expired, the private key is gone and your data is forever encrypted. It’s possible to set the BIOS clock back in an attempt to delay the process and explore options. However, once the data is encrypted, you may not be able to access the files. If you can, make a new backup image of your files, even if they’re encrypted – you can always try decryption now, or at a later date once new solutions are released. (This is exactly what I told my friend who was a Spora victim to do with the rest of her hard drive that’s still encrypted.)

While this can’t be a comprehensive guide to fixing ransomware, I hope it was able to point you in the right direction. Before I leave, I want to share this amazing timeline of the varieties of ransomware released between May 2016 and today.

Until next time,

George Monsalvatge

 

Ransomware! What is it, and what can I do about it? (Part 1 of 2)

April 4, 2017 at 3:08 pm | Posted in cybersecurity, Knowledge, Technical Tips

Ransomware! What can I do about it?

We live in dangerous times. Your cranky grandfather was right: they are out to get you – but who are “they,” and what the heck are we talking about? Ransomware, of course. It’s out there, and it’s coming for you.

Mobsters extort money from people. You may be a fan of mobster movies or the Sopranos on HBO, but it’s only fun to watch mobsters at work when you’re not the one getting the shakedown. I don’t know Tony Soprano, and besides, I like Joe Pesci’s character in Lethal Weapon III better than his characters in Casino or Goodfellas. Extortion could be coming to a PC, Mac, or even Linux box near you in the form of ransomware.

[Image: mobsters]

It’s fun to watch these guys on TV. It’s not so fun to be a victim in your own home.

First I’ll go over the basics of how ransomware works.  I’ll explain the most common mistake you may be making – even if you’re an IT professional – that might leave you a victim of a drive-by drive-locking. And, of course, I’ll tell you the best ways to prepare to fight ransomware.

In my follow-up post I’ll go over some specific strategies to harden your e-mail and firewall against malware attacks and share a recommended reading list for infosec news.

How the shake-down starts

You can be extorted on the Internet without being infected with ransomware. Hijacking someone’s social media account (like Instagram), changing their login, and then demanding payment for the user credentials is extortion, but it isn’t ransomware.

Ransomware is a type of malware that infects your computer and encrypts your files or otherwise blocks access to your own data. It then displays a message stating that the attacker will unlock your files for a price, payable through a method that is hard to trace or reverse, such as Bitcoin or a prepaid voucher like MoneyPak. It usually sets a time limit and threatens to destroy your data permanently if you don’t pay before the deadline.

For home users, that price is usually set between 150 and 300 dollars or euros. For business victims, the demand might start at $500 – or it could be $10,000 and escalate from there.

How did the ransomware get there?

The malware that carries the encrypting payload gets onto your computer in a number of ways: a downloaded file, a browser hijack, or a payload hidden inside another program. Any web site that hosts third-party ads, from recipe blogs to your favorite vintage car forum, can be a huge vector for malware no matter how innocent the site itself is. A malicious ad can bounce you to an exploit kit that silently installs the malware through an unpatched browser or plugin, so just visiting the site or clicking an ad by accident is enough. That is also why keeping the browser, its plugins and the OS patched matters as much as your antivirus does.

No operating system is immune, and that includes phones and Internet-connected home appliances. Ransomware can hit PCs running any operating system, and it can hit Macs. Yes, I said Macs. In March 2016 a ransomware called KeRanger was found inside a trojanized installer of the Transmission BitTorrent client for Apple’s OS X; the installer was signed with a valid Apple developer certificate, so Gatekeeper let it run. KeRanger encrypts files on your computer and also tries to encrypt Time Machine backup files so that you can’t recover the data from a backup. Its authors wanted about $400 (one bitcoin at the time) for the private key.

[Note: If you frequent BitTorrent sites, you know they serve pirated files from shady servers. Don’t be surprised when you lie down with dogs and get up with fleas. That said, KeRanger was served from the Transmission project’s own download page after it was compromised, so a legitimate source is no guarantee either; check that an installer’s signature and published hash match before you run it.]

What happens when the ransomware activates?

Most of the ransomware in circulation follows the model that CryptoLocker established. Once the malware is running on your computer, it first contacts a command-and-control server on the Internet. That server generates a unique key pair for your infection: the public key is sent down to your computer, and the private key needed for decryption never leaves the attacker’s server. The malware then starts encrypting files on your local drives and on any mapped network drives. In practice the public key doesn’t encrypt the files directly; each file is encrypted with its own fresh symmetric key, and that key is then wrapped with the public key, so nobody without the matching private key can unwrap it (CryptoLocker itself used AES-256 per file under a 2048-bit RSA key). Because the private key never touches your machine, there is nothing on disk for a recovery tool to find. The only copies live on the attacker’s infrastructure, which is also why free decryptors occasionally appear after a server seizure or a leak, as happened with CryptoLocker’s key database in 2014.

The attacker holds the private key and will sell it to you so you can decrypt your files. If ransomware is running on your computer, you will get a pop-up instructing you to pay via Bitcoin, MoneyPak, or something similar.
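To make the key handling concrete, here is an added example that is not part of the original post and is not code from any real ransomware: a Python model of the exchange above, with the server-side key generation, the victim-side encryption that has only the public key to work with, and the unlock step that only succeeds with the private key. Textbook RSA with 64-bit primes and a SHA-256 keystream are stand-ins for the 2048-bit RSA and AES-256 that real families use; the function names and the sample bytes are assumptions, and nothing touches the file system.

```python
import hashlib
import math
import secrets

# Added, stand-alone model of the key handling described in the post (not the post's
# code and not any real ransomware). Everything stays in memory.

PUBLIC_EXPONENT = 65537


def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin primality test; adequate for a toy key generator."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # full length, odd
        if _is_probable_prime(candidate):
            return candidate


def server_generate_keypair(bits: int = 64):
    """Runs on the attacker's server. Returns (public_key, private_key); only the
    public key is ever sent to the victim. 64-bit primes are a toy size."""
    while True:
        p, q = _random_prime(bits), _random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(PUBLIC_EXPONENT, phi) == 1:
            break
    n = p * q
    d = pow(PUBLIC_EXPONENT, -1, phi)  # modular inverse (Python 3.8+)
    return (n, PUBLIC_EXPONENT), (n, d)


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher standing in for AES: XOR with SHA-256(key || counter)
    blocks. The same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + (offset // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def victim_lock(public_key, plaintext: bytes):
    """Runs on the infected machine with nothing but the public key. Each file gets
    its own random symmetric key, which is then wrapped with the public key."""
    n, e = public_key
    file_key = secrets.randbits(120)  # 120 bits keeps it below n, which is at least 2**126
    ciphertext = _keystream_xor(file_key.to_bytes(16, "big"), plaintext)
    wrapped_key = pow(file_key, e, n)  # only the private exponent undoes this
    return wrapped_key, ciphertext


def unlock(key, wrapped_key: int, ciphertext: bytes) -> bytes:
    """Unwrap the file key with whichever exponent you hold, then decrypt. Only the
    private key yields the plaintext; the public key yields junk."""
    n, exponent = key
    file_key = pow(wrapped_key, exponent, n)  # always < n < 2**128, so 16 bytes fit
    return _keystream_xor(file_key.to_bytes(16, "big"), ciphertext)


if __name__ == "__main__":
    public, private = server_generate_keypair()
    wrapped, blob = victim_lock(public, b"constructed sample: quarterly-figures.xlsx")
    print("with public key only:", unlock(public, wrapped, blob)[:12])
    print("with private key:    ", unlock(private, wrapped, blob))
```

Running it shows the same blob decrypting to junk with the public key and to the original with the private one. That asymmetry is the whole business model: the machine that did the encrypting never had what it needs to undo it, which is why setting the clock back or reinstalling the OS recovers nothing.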


When ransomware is an offer you can’t refuse

Ransomware is common because it’s cheap to implement (for the attackers) and hugely effective. Steve Perry of Journey once sang the wheel in the sky keeps on rolling. Well, when it stops rolling, everybody raises hell. If your business has an outage, the data has to be restored. Money never sleeps; your network has to hum along 24 hours a day. The Internet is like Waffle House: it never closes. (I can go on and on in this vein. Don’t try me.) In short, your customers expect that you will never be closed and that your (and their) data will always be there. Ransomware that locks your data up has kneecapped you right in the business income.

Many business victims would rather just pay the ransom and get access restored. The logic goes that it’s better to pay rather than to lose an unknown amount of revenue from the downtime they’ll incur while trying to root out the infection and restore systems.

Unfortunately, this is EXACTLY why ransomware continues to flourish, and exactly the wrong response to an attack.

Whatever you do, if at all possible: DON’T. PAY. THE. RANSOM. There are two very important reasons why this is a bad idea:

  1. You are dealing with criminals. There is no guarantee you’ll even get the private key to unlock your files.
  2. If you pay, you only encourage this crime to continue.

However, it’s easy for me to lecture you on this. I didn’t have my laptop full of all my kids’ photos, my graduate thesis, the last video of my late wife, or some other valuable data extorted from me. I can honestly say that if I was in that situation, I don’t know whether I would pay to get that data back.

The #1 mistake that leaves you vulnerable to ransomware

Pirating movies. Frequenting shady websites. Buying a “smart” refrigerator and letting it connect to your home wireless router without changing the default settings. Failing to keep your anti-virus programs updated. All of these are bad ideas, but they’re not the #1 mistake that makes you most likely to shell out the (bit)coin and retrieve your data.

Sure, our goal should be never to get infected with ransomware. But given how fast these attacks evolve, it’s not realistic to assume that firewalls and antivirus software will be 100% effective. The best offense is always a good defense; with ransomware, the best defense is a recent backup stored where the malware can’t reach it.

Threats only work if you’re afraid of the consequences. With a secure external backup, you can wipe your system and walk away from the demands.

After all, if you have a full image of your system and a secure external copy of your data, you can risk losing a few days’ worth of files while you wipe and reimage your system to remove the malware.  You could use a snapshot to restore your system, or clean your machine and restore your data.

Unfortunately, home users (and many small businesses) rely on synced cloud folders like OneDrive and Dropbox as the backup of the files on their hard drive. Or we never keep a local copy at all, assuming that our cloud providers have better intrusion security than we could provide for ourselves.

Rest assured: a sync folder is not a backup. Malware like CryptoLocker encrypts files on mapped drives and external drives, and a Dropbox, OneDrive or Google Drive folder on your machine is just another local folder: the sync client faithfully uploads each encrypted file, overwriting the clean copy in the cloud just as it overwrote the one on disk. Some of these services keep previous versions for a limited time, which may let you roll files back, but that is a recovery option to check after the fact, not a backup strategy to rely on.

You should treat the personal data on your laptop or desktop, and the company data on your company’s devices, just like the data on corporate servers, and schedule regular backups. Furthermore, those backups need to live somewhere the malware cannot write to.

Back up to an external drive on a regular basis and disconnect it afterwards (a drive that stays plugged in is just another drive letter to be encrypted), or use a backup service that does not appear as an assigned drive. Why can’t you rely on the copies Windows keeps on the same disk? Variations of CryptoLocker look for the Volume Shadow Copies behind the “previous versions” feature and disable or delete them, typically by running vssadmin, before they start encrypting, so a local snapshot is gone by the time you need it.

How often you perform backups will determine how much you lose.
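Because that shadow-copy deletion happens right before the encryption starts, it is one of the best early warnings a defender gets. The following is an added example, not from the original post: a Python scan over constructed process-creation records (in real life the command line comes from Sysmon event 1 or Windows event 4688 with command-line auditing turned on) that flags the common backup-destroying commands and highlights a host where several of them fire within a short window. The hostnames, process names and log layout are made up for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Added example (not the post's code). Constructed sample records in a simplified
# "timestamp|host|parent process|command line" layout, not real telemetry.
SAMPLE_EVENTS = r"""
2017-04-04T14:02:11|WS-017|explorer.exe|C:\Windows\System32\vssadmin.exe list shadows
2017-04-04T14:05:40|WS-017|invoice.pdf.exe|vssadmin.exe Delete Shadows /All /Quiet
2017-04-04T14:05:41|WS-017|invoice.pdf.exe|wmic shadowcopy delete
2017-04-04T14:05:42|WS-017|invoice.pdf.exe|bcdedit /set {default} recoveryenabled No
2017-04-04T14:05:43|WS-017|invoice.pdf.exe|bcdedit /set {default} bootstatuspolicy ignoreallfailures
2017-04-04T14:05:44|WS-017|invoice.pdf.exe|wbadmin delete catalog -quiet
2017-04-04T15:10:02|FS-01|backupagent.exe|vssadmin.exe create shadow /for=D:
"""

# Command lines that destroy local recovery options; listing or creating shadows is
# normal admin/backup activity and deliberately does not match.
RULES = [
    ("vssadmin-delete-shadows", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("vssadmin-resize-shadowstorage", re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I)),
    ("wmic-shadowcopy-delete", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
    ("bcdedit-disable-recovery", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("bcdedit-ignore-boot-failures", re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("wbadmin-delete-catalog", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I)),
]


@dataclass
class Finding:
    timestamp: datetime
    host: str
    parent: str
    rule: str
    command_line: str


def parse_event(line: str):
    """Split one constructed record into its four fields."""
    ts, host, parent, cmd = line.split("|", 3)
    return datetime.fromisoformat(ts), host, parent, cmd


def scan(log_text: str) -> list:
    """Return one Finding per record whose command line matches a rule."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, host, parent, cmd = parse_event(raw)
        for name, pattern in RULES:
            if pattern.search(cmd):
                findings.append(Finding(ts, host, parent, name, cmd))
    return findings


def hosts_with_cluster(findings: list, window_minutes: int = 10, min_rules: int = 2) -> list:
    """Hosts where at least `min_rules` distinct rules fired inside one time window:
    a lone deletion may be an admin, a burst of different ones is pre-encryption cleanup."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, []).append(f)
    window = timedelta(minutes=window_minutes)
    flagged = []
    for host, items in by_host.items():
        items.sort(key=lambda f: f.timestamp)
        for i, first in enumerate(items):
            rules = {f.rule for f in items[i:] if f.timestamp - first.timestamp <= window}
            if len(rules) >= min_rules:
                flagged.append(host)
                break
    return sorted(flagged)


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.timestamp} {f.host} {f.parent}: {f.rule}")
    print("hosts to isolate now:", hosts_with_cluster(hits))
```

A single vssadmin delete from an administrator’s console is worth a look; five different recovery-killing commands from a process named invoice.pdf.exe in four seconds is the moment to pull the network cable, which is what the clustering step is for.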

In our next post…

In my next post I’ll share a few ways to harden your OS, firewall, email, and end users – even your grandma – against some common ransomware entry points. I’ll also suggest ways to handle the dreaded “friends and family support call.”

Until next time,

George Monsalvatge


Kaplan IT Training Announces New Blog Column Focusing on Women In Technology

March 30, 2017 at 10:58 am | Posted in Certification Paths, cybersecurity, Knowledge, Uncategorized | Leave a comment

Welcome!

Women At Work In Engineering and Technology is our new blog column created especially for women working in these specializations and those who are interested in taking on the challenge. As we bring Women’s History Month 2017 to a close, this is the perfect time to introduce our new column. Let’s make Women’s History Month every month for women in technology.

Worker Shortage

Although many women currently work in the field, educators and corporations are investigating ways to encourage more women and girls to choose tech as a career option. Women have played a large part in engineering, technology, science and math, but until recently were often overlooked. The recognition is growing, and so are the opportunities. There are definite shortages of technology workers, and women are missing from the workforce at far higher rates than men. How can we address this?

There are companies and institutions that have chosen to provide virtual classes for beginners as well as advanced learners that teach coding. Coding literacy is in demand and companies are finding innovative ways to fill the void. This is an example of how important technology has become in our world. Currently, there is a lack of employees that can take on the roles of software engineers and system administrators. Fortunately for those who acquire these skills, the need is increasing.  Other areas that contain critical shortages include cyber security and data management.

Educational Efforts In Public School Education

There are efforts in K-12 education in many schools across the nation to bring coding and advanced technology classes to students. These efforts are boosted by the United States’ push towards S.T.E.A.M. and S.T.E.M.

S.T.E.A.M. is education’s way to encourage students to embrace careers in Science, Technology, Engineering, the Arts, and Math. This usually takes place in the lower grade levels through middle school. S.T.E.M. is the acronym given to Science, Technology, Engineering and Math studies in high schools. Students are surrounded by technology, but oftentimes they are not aware of its power or relevance. Many educational institutions believe that if it is introduced early enough, students will take advantage of the knowledge over the course of their education and be more apt to be successful in an increasingly technical world. Girls, in particular, are targeted because of the scarcity of females who continue to enroll and stay on track in these courses.

Women Where Are You?

As young women and girls enter the technology field it becomes quite apparent that they are surrounded by fewer female faces. Support is often lacking, and roadblocks appear because of a lack of access to pathways that would help them keep making progress. Mentorship and encouragement are extremely important.

We Want To Help

Our goal with our new column is to provide information that can uplift women and girls in the field of technology. We will be discussing technical trends, careers, certifications, and training. We will keep you up to date on what it takes to find yourself and be successful in a technology focused career.

We will also reach out to our readers to find out your challenges, issues, personal stories as you navigate the world of technology. Technology surrounds us. We are mastering it and thriving. It’s time for us to let the world know while encouraging others. Look for us. We are here to share your stories and give you information that you can use.
