Ransomware Spreading Like Crazy Worms

Read on NextGov.com or Levick.com

It All Just Makes You Wanna Cry

Curiosity, turned blind luck, saved us from something far worse than what we saw on Friday.  Had it not been for a British malware researcher registering some gobbledygook of a domain name (www [dot] iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea [dot] com, to be exact), who knows what we would be writing about today. At the rate we are going, if we were cats, we would be burning through our nine lives faster than Tony Stark builds Iron Man suits.

In our last post, we said to stop sensationalizing.  We mean that. So by no means should you think that we are a tad bit overly hysterical, because WannaCry did spook us all out. Friday’s episode is proof positive of three things:

  • Things can get wildly out of control real fast.
  • Cyber weapons have made it out into the wild and will be used against us.
  • We were horribly unprepared for this attack; we are still horribly unprepared for the next attack. 

Luck – while a critical aspect of life – is not an effective resilience strategy.  WannaCry has already been modified and there are variants with no “kill switch” in the code. More hurt is in order for the unprepared.

What should concern us all is the brazenness of this attack.  Everything was fair game, from telecom to banks to healthcare to universities, and the latest count is that people “wanna cry” in 150 countries.  That’s some aggressive foreign policy when you negatively impact roughly 75% of the world’s nations in 72 hours.

The attack on healthcare is particularly disturbing – losing money is never fun, but losing lives is worse – but not unexpected and perhaps even a bit overdue.  Healthcare is a peculiar industry because of competing interests.  Specifically:

  • Patients and users require speed, but information security often takes time to process, putting the needs of front-line staff in opposition to the wants of security staff.
  • Management must be committed to quality care and their fiduciary duties, no easy task in an environment of competing needs.
  • Effective sharing of confidential patient information among primary care physicians, hospitals, and medical specialists has myriad benefits, but sharing introduces numerous potential points of failure.
  • Budgetary constraints are felt more acutely than in most industries, as healthcare funding is becoming more difficult to secure while cybersecurity costs keep rising.

There is this issue, of course, that applies to all leading-edge firms, not just those in healthcare: if you want to be recognized as the “leader of your field,” you also have the biggest, juiciest target tattooed on your back.

And of course, there is this thing called emotion.  It is quite possible you will dial your “freak out factor” to 11 if you are already in a life-and-death situation and suddenly find out your computer is useless to you.  Should you find yourself in this situation, scrambling to find $300 worth of these funny things called Bitcoins may be a cheap way out.

We need to underscore how lucky we were and it is quite possible that by the time you read this, we are feeling second and third waves of WannaCry.  So here are some quick solutions and things to think about:

  • Back up your crown jewels like it’s going out of style. If you did not back up your data this past weekend, whether offline or in the cloud (or both), you deserve a failing grade.  Keep at least one copy somewhere an infected machine cannot reach: a backup that is mounted and writable from your workstation gets encrypted right along with the originals.  Malicious actors have proof that ransomware pays off.  So long as there are people who are willing to pay, malicious actors will keep putting out ransomware.  The only way to stop this tactic is to eliminate the incentive.  Losing one day’s worth of data is a whole lot less painful than losing your entire digital library.  Over the long term, the cost of doing nothing is far higher than the cost of doing something, so find an option that keeps your data out of harm’s way.  Backing up your data should become as regular and mundane as brushing your teeth (and you know what happens when you do not brush your teeth).
  • Have a recovery plan that can be activated in minimal time. Have clean images of operating systems and critical applications ready to be installed at a moment’s notice.  Of course, this is under the assumption that you have your data backed up and ready to follow.  And by the way, if you have not tested your plan, you do not have a plan.  If you decide not to test your plan, make it out of wood and knock on it for good luck.  You may increase your chances of success.
  • Prepare for the Stone Age. We are actually very serious here.  For anybody born before 1989, there is a pretty good chance you used a pencil and paper somewhat regularly while growing up.  This may come as a shock to some, but for a good 5,000 years or so we got through life without electricity and digital technologies.  It was not pretty at times, but in a pinch, it works.  Remember, your success depends on your ability to bend while others are breaking.  If you are able to operate with “Stone Age technology” for 72 hours, you are ahead of the game.  If we are all down for more than 72 hours, chances are we have a much bigger problem on our hands (like, war).
  • Look before you cross the road (think before you click!). Would you cross a busy freeway of speeding cars going in both directions without looking?  Alright, so why would you just click something out of curiosity or because you are too lazy to look where it could take you?  Hover over a link and make sure the real destination (the address your mail client or browser shows, not the link text) goes to where it says it will go.  Read the email closely, including the sender’s domain (one of us received an email from “concast.com” this week).  And if it feels wrong, just press delete.  Do not become the next “phish” that gets hooked!
  • Do not wait for the dam to come apart before you start patching. Enterprises are notoriously slow at patching their systems.  This is particularly true of small-to-medium businesses.  If you cannot do this, team up with a managed service provider (MSP) or managed security service provider (MSSP).  If you are not “patching and praying” on a regular basis, you are committing “sin” and will likely be punished for your misdeeds.
  • If you can afford it, seriously consider Artificial Intelligence, Machine Learning, and Cognitive Computing. We are still early into the wide-spread commercialization of these offerings, but they are the way of the future.  If you identify and stop (or even slow down) an attack before it ruins your day by using any one of these technologies, it is a win for your organization.
  • Putting all your eggs in one basket means they can all break at once. Sometimes keeping things apart is a good idea.  In our mad rush to connect EVERYTHING perhaps we overlooked some basics.  We really need to ask questions such as: do I really want the sales department to have the ability to connect to our super advanced R&D department?  Logical and physical segmentation of network and data assets needs to be looked at in more depth as a viable strategy (and remember you can use the cloud in this strategy).
  • Sharing is caring. Enhanced public/private cooperation will be critical to maintaining a knowledge base that tracks and counters future ransomware threats. The NIST Cybersecurity Framework, in conjunction with the Department of Homeland Security’s (DHS) cyber-threat information-sharing program implemented under the Cybersecurity Information Sharing Act of 2015 (CISA), is a good basis for encouraging more sharing of threat information.  And the cybersecurity Executive Order of May 11th is a good step in the right direction.
  • Time to have a serious policy discussion on Zero Day vulnerabilities and other exploits. Zero Day vulnerabilities and other exploits should be treated like neutron bombs able to run amok.  Note: we are all patriots first and understand that our nation’s military and intelligence agencies require – need – the ability to take advantage of these exploits, but if we are to keep a cache of these weapons in a stockpile, they need to be protected like the launch codes.  And if we do catch wind of vulnerabilities that get out into the wild, patch them up at warp speed.
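The “hover over the link” and “read the sender closely” checks above can be automated for triage. The following is an added example written for this post, not code from the #CyberAvengers; the trusted-domain list is a hypothetical stand-in for whatever your organization actually corresponds with, and the sample message is constructed to mirror the “concast.com” story. It flags sender domains within one edit of a trusted domain (after folding common substitutions such as “rn” for “m” and “0” for “o”) and flags links whose visible text names one domain while the href points at another.

```python
"""Phishing triage helpers (added example; standard library only)."""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical: domains this organization legitimately receives mail from.
TRUSTED_DOMAINS = {"comcast.com", "example.org", "nextgov.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a distance of 1 from a trusted domain is the classic
    typo-squat ("concast" vs "comcast")."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(domain: str) -> str:
    """Fold look-alike substitutions so the distance check sees through them."""
    d = domain.lower().strip().rstrip(".")
    for src, dst in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        d = d.replace(src, dst)
    return d


def registrable(host: str) -> str:
    """Last two labels only: fine for .com/.org, a real tool would consult
    the public suffix list for multi-label TLDs such as .co.uk."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def sender_verdict(from_header: str) -> str:
    """'trusted', 'lookalike of <domain>', or 'unknown'."""
    domain = parseaddr(from_header)[1].rsplit("@", 1)[-1].lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    norm = normalise(domain)
    for trusted in sorted(TRUSTED_DOMAINS):
        if norm == normalise(trusted) or levenshtein(norm, normalise(trusted)) <= 1:
            return f"lookalike of {trusted}"
    return "unknown"


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs: the hover check, automated."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def deceptive_links(html: str) -> list:
    """(text, href) pairs whose visible text names a domain that differs from
    the registrable domain of the real destination."""
    collector = _LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        real = registrable(urlparse(href).hostname or "")
        shown_host = urlparse(text if "://" in text else "http://" + text).hostname
        if shown_host and "." in shown_host and registrable(shown_host) != real:
            flagged.append((text, href))
    return flagged


# Constructed sample message, modelled on the "concast.com" email above.
SAMPLE_EML = """From: "Comcast Billing" <billing@concast.com>
To: victim@example.org
Subject: Your bill is ready
Content-Type: text/html

<html><body><p>Please review at
<a href="http://comcast.com.account-verify.biz/login">www.comcast.com/billing</a>
or <a href="https://www.comcast.com/help">contact support</a>.</p></body></html>
"""


def triage(raw: str) -> dict:
    """Run both checks over a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    return {"sender": sender_verdict(str(msg["From"])),
            "deceptive_links": deceptive_links(html)}


if __name__ == "__main__":
    print(triage(SAMPLE_EML))
```

The sender check is deliberately narrow: one edit from a trusted domain, after folding, is a strong signal, while a larger radius produces noise on short names. The link check only compares registrable domains, so a legitimate link whose text is a marketing slogan is never flagged; what it catches is a URL-looking label sitting on an href to somewhere else.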

We offer these practical solutions to you in order to protect and secure what matters most to all of us.  We dodged a serious bullet on Friday and by no means are we in the clear.  Let this be a lesson to us, because by the time you read this, we may be feeling the #MondayBlues thanks to WannaCry Vol. 2.

In Defense of the United States of America,

The #CyberAvengers

Fixing the Federal IT Mess Before it is Too Late

Read on Levick.com

Let us take a headcount of recent events: the attack on Ukraine’s electric grid, a LinkedIn data dump resulting from a 2012 breach, the information warfare campaign surrounding the US elections, a peculiar “Google Docs” app involved in a massive spear-phishing campaign, and most recently, another information warfare campaign aimed at the French elections. Do not forget that our “good ole friends” – North Korea, Iran, and Syria, just to mention a few – are well into the cyber game and ready to pounce on the next database left unguarded, unencrypted, and unprepared to thwart an attack.

As the disc jockey says, “and the hits keep on playing!”

Despite increased “cybersecurity talk” since the Office of Personnel Management (OPM) breach, great strides in Federal IT security improvement are not apparent.

Despite loads of Congressional attention, there is only one piece of credible legislation to show for it, the Cybersecurity Information Sharing Act (CISA).

And despite the billions spent on cyber defense measures, we seem to wake up every morning to news of some type of new breach, making it feel like Groundhog Day.

With each new breach, some nation state, cybercriminal, or terrorist group has gotten their hands on our personal information (and that of our spouses, kids, and parents) all in an effort to exploit us further, whether it is a wire transfer scam or an attempted run at the crown jewels of whoever employs us. Coupled with publicly available information that we – and our family, friends, and co-workers, and businesses, services, and not-for-profits – post online, and that which is available through workplace and government listings, seemingly tiny and unrelated pieces of information, once collated, become a powerful weapon for the adversary.

The adversary will not hesitate for one moment to use this information against us should it meet their interests.

We cannot overemphasize this issue enough: spear-phishing and pretexting tactics work and they work extremely well. And government employees are by no means exempt or necessarily protected from these social engineering attacks. Once that email makes it past the firewalls, the spam filters, the anti-virus and the artificial intelligence onto your device (which it can and does), you – and you alone – are the last line of defense.

So why have we been so completely unsuccessful in defending our data?  There are enough reasons to numb you:

  • Silo mentalities of various agencies, groups, and companies;
  • Unsubstantiated hype of vendor strategies designed to work together, but in practice disjointed;
  • Never-ending shortage of skilled cyber professionals;
  • Perpetual lack of money, time, and attention the issue truly needs;
  • Basic naivety of the user; and
  • A fundamental misunderstanding of issues and terms.

Do people really understand the intricacies and complexities the cybersecurity challenge presents?  How much do the US House and Senate really care to understand these intricacies and complexities?

We do not need to spend another year, or election cycle, or decade debating across party lines or through political filters when there are actionable steps that support a unified American interest, regardless of party or ideology.

The country’s most important secrets are at stake.  The country’s ability to function relies on these backbone networks. And the country’s inability to find common ground or develop a basic understanding of the challenges – for decades – has gotten us into this mess.

For these reasons, we offer practical and actionable steps to help defend the nation. We offer a five-point plan, much of it easy to implement, but will require effort. We are not asking anyone to move mountains. Rather, we ask those responsible to take the necessary and sufficient steps to move some of the valuables to higher ground.

  • Get all non-essential, non-sensitive, non-confidential, non-classified data to a public or hybrid cloud.  This has been done in other government agencies, particularly within the Intelligence Community.  Some of the largest companies put tremendous amounts of data in the cloud because it is efficient, cost effective, and safe. Abundant capacity and infrastructure exist to support this transfer, most of it already blessed by FedRAMP, the Federal Risk and Authorization Management Program, a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. This approach is the only feasible way to manage the large amounts of “big data” we continue to produce. Throwing billions of dollars at 30-year-old network security systems that should be in “cyber assisted living” or six feet below is just throwing more good money after bad.  And we simply do not have money to throw around.  This shift to the cloud can be done quickly and efficiently. Will it be worth it? Yes. Will it make data safer? Yes, but only with one caveat honored: the cloud provider secures the platform, while who may reach the data remains your problem, so we need to adopt full-scale Identity and Access Management (IAM) protocols.
  • Institute cloud-based IAM solutions for hybrid clouds and then train the heck out of each employee on the threats of social engineering attacks. Spear-phishing, pretexting, and social media policies all need attention, and mandatory IAM provides a great deal of defensive support.  Make multi-factor authentication mandatory (it is time to seriously consider incorporating biometric solutions in order to achieve triple-factor authentication). After IAM, mandatory spear-phishing training, done quarterly, with reporting packages to the agency executives charged with keeping their agency’s data secure. Access control, password management, and spear-phishing are the banes of cyber existence. Time to jump all over these issues and put them to bed.
  • Get confidential, non-public, and classified data to a private top secret cloud. The Intelligence Community (IC) and Amazon Web Services (AWS) have been working together since 2013 to build a secure workspace that moves information off legacy networks. The IC is not the only government entity that has valuable data which must be protected.
  • Train leaders and influential persons on the terminology. Improper use does much more harm than good. Like, a lot of harm. What is the difference between something hacked and something leaked? What is the difference between something stolen and something copied? What is the difference between unauthorized access and authorized access by an unauthorized user? These nuances matter, and when decision makers and influential persons misuse terminology, intentionally or not, the result is a conflated problem.
  • Demystify “cybersecurity” and stop the sensationalizing. Some things have been around longer than you think. The word “cyber” has intimidated far too many people and emboldened select others. The word has made some – who really need to be a part of the conversation and solution – shy away from the issue for fear that “cyber” is some “hyper-technical” problem that cannot be solved by a layperson. Conversely, “cyber” has made others feel as though “they” are the only ones capable of solving this issue – a completely irrational posture – and that all those who lack their technical prowess are somehow unworthy. This is a team game. Get over it. We all need each other.  And stop the hysteria. Yes, there is a serious problem that must be addressed, but loud accusations, waving arms, and misguided statements of effects and capabilities do little. In fact, they play right into the hands of the adversaries. “Information” was not weaponized in 2016. Information has always been weaponized, since ancient times; only the tools have changed. The US was the global leader in information dominance throughout the 20th century, but has weakened over the last three decades. This posture must change in order to succeed. The US must reclaim its dominant position in order to remain the leader of the Free World and to protect its interests.

Are these hard tasks? Some more so than others, particularly the last two, but generally speaking, no, they are not hard to implement and they are achievable. We know, because we have done them before. Segmentation works. Indeed, the more we move data to the cloud, through virtualization and micro-virtualization of cloud-based networks we can “ring fence” our most important data. Education, regardless of pre-existing knowledge level, does wonders when presented in a non-threatening, non-technical, easy-to-understand manner. No easy task, but again, we know it is doable and works. You would be amazed how lightbulbs go off over peoples’ heads when we say “think of cybersecurity like this: network security + information security = data security.” Cybersecurity suddenly seems less threatening.

When should we take action? “Today” is the right answer.  Do we have any reason not to take action today? No, apart from our own lackadaisical notion that we are actually good enough to keep our most important data on premises and keep it safe. History (OPM, for example) shows we cannot.  And recent hacks show that even if we could, we still need to step up our game and move on to next-level solutions in addition to the cloud, such as Artificial Intelligence and Machine Learning.

In a recent Walt Disney movie, the protagonist – played by Dwayne Johnson, aka The Rock – told another character, “buck up, buttercup!”  The #CyberAvengers have a similar message for our government: time to buck up!

We do not need committees upon committees.

We do not need to build anything to support this effort.

We need to just get it done!

In Defense of the United States of America,

The #CyberAvengers