Ransomware & More

Quick Note About Me
• Michael Zimmer, Director of Information Security Services at Northern Arizona University
• Working in IT at NAU 23 years, from Help Desk to Deskside Support to Sys Admin to InfoSec
• WHEN, not if. Right now it’s ransomware, tomorrow it will be something else…
• Not every combination of vulnerabilities can be solved for - they are infinite…
• There are some tried and true steps you can take – I hope to illustrate these.
• I am very interested in your thoughts, concerns, questions and learning what can help.
Ransomware & More
• Ransomware attacks continue to increase in 2019 and from quarter to quarter.
• Ransomware payments have increased by 184% during Q2 of 2019, to $36,295 average.
• Bigger costs can come to reputation and customer trust… regulatory fines… downtime. Average duration of downtime has increased, too, from 7.3 days to 9.6 days.
• Most common method of attack? Most assume it’s phishing, but phishing is second to RDP.
• Ransomware developers run campaigns like a military operation… how can you defend that??
• Hospitals, cities, colleges, K-12, government agencies…
• Not just ransomware – high school student hacks into school district’s network and copies students’ Social Security numbers; 13-year-old deletes student records; two students steal a password from a teacher’s computer to change grades; storm-related damage to single backup (or no backups at all)…
• Estimated 2,000+ programs or scripts running on the Internet, night and day, poking and probing for openings, vulnerabilities, and security holes… once found, it becomes something of interest to an attacker to look closer at…
Kill chain – “phases” of an attack
Phases: ID, Recon Poss. → Payload is Delivered → After Installation → Encrypt Files, Ransom (If you are here, too late!) → More
Attacker activities listed across the phases: Random or Targeted; Infected Link/Attach; Outbound Comm’s; More Lateral Moving; Phishing Emails; More Infections; Destroy Files if no pay; Open Firewall Rules; Escalate Credentials; External IP, Domain; Spread for Coverage; Data Loss, Theft; Account Brute Force; Remotely Install; Inbound Commands; More…?; Worm, Lateral Move; Data, Instructions; Not all Ransomware; Harmful Websites

Kill chain disruption – steps that may dissuade attacker
• Be Less Interesting!
• Revoke Admin Levels (listed under several phases)
• User Awareness / Educate Users
• Firewall / Port Rules; Block Common Ports
• Anti-Virus, Updated (listed under several phases)
• Network Monitoring; Intrusion Detection; Alerting
• Don’t Store Data Locally
• Updates & Patching
• Have Multiple Backups; Have a Recovery Plan
• Email Filters; Web Content Filters
• App Control, Macros
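The slide names RDP as the most common way in and “Account Brute Force” as an early kill-chain step, with Network Monitoring and Alerting as the disruption. The following is an added example (not part of the presentation) of what that alerting logic looks like over Windows Security log events. It assumes the events have already been parsed into dicts with the fields shown, as a SIEM or a Get-WinEvent export would provide; Event IDs 4625 (failed logon) and 4624 (successful logon) and LogonType 10 (RemoteInteractive, i.e. RDP) are real Windows values, while the sample events, addresses and account names are constructed for the example.

```python
"""Flag RDP password guessing from Windows Security log events and note when a
guessing source later logs on successfully (probable account compromise).

Added example, not from the slides. Event IDs 4625/4624 and LogonType 10 are
real Windows values; the sample events below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5              # failures from one source inside WINDOW -> alert
WINDOW = timedelta(minutes=5)   # sliding window for counting failures
RDP_LOGON_TYPE = 10             # RemoteInteractive (RDP)

# Constructed sample: six failed RDP logons from one Internet address in under
# two minutes, then a successful logon for the last account tried, plus one
# unrelated typo from a workstation on the office LAN.
SAMPLE_EVENTS = [
    {"time": "2019-09-01T02:00:00", "event_id": 4625, "logon_type": 10, "account": "administrator", "src_ip": "198.51.100.23"},
    {"time": "2019-09-01T02:00:20", "event_id": 4625, "logon_type": 10, "account": "administrator", "src_ip": "198.51.100.23"},
    {"time": "2019-09-01T02:00:40", "event_id": 4625, "logon_type": 10, "account": "administrator", "src_ip": "198.51.100.23"},
    {"time": "2019-09-01T02:01:00", "event_id": 4625, "logon_type": 10, "account": "admin", "src_ip": "198.51.100.23"},
    {"time": "2019-09-01T02:01:20", "event_id": 4625, "logon_type": 10, "account": "admin", "src_ip": "198.51.100.23"},
    {"time": "2019-09-01T02:01:40", "event_id": 4625, "logon_type": 10, "account": "jsmith", "src_ip": "198.51.100.23"},
    {"time": "2019-09-01T02:01:50", "event_id": 4624, "logon_type": 10, "account": "jsmith", "src_ip": "198.51.100.23"},
    {"time": "2019-09-01T08:15:00", "event_id": 4625, "logon_type": 10, "account": "mzimmer", "src_ip": "10.0.5.17"},
]


def detect_rdp_brute_force(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one alert per source IP that produced >= threshold failed RDP
    logons within a sliding window. Once a source is flagged, a later
    successful RDP logon from it is recorded as 'success_after', which turns
    a noisy-but-blocked guess into a probable account compromise."""
    recent = defaultdict(list)   # src_ip -> failure timestamps still inside window
    tried = defaultdict(set)     # src_ip -> every account name it has failed against
    alerts = {}                  # src_ip -> alert dict
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue             # only RDP logons are of interest here
        ts = datetime.fromisoformat(ev["time"])
        ip = ev["src_ip"]
        if ev["event_id"] == 4625:
            # drop failures that fell out of the window, then add this one
            recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
            tried[ip].add(ev["account"])
            if ip in alerts:
                alerts[ip]["failures"] += 1          # keep counting after the alert
            elif len(recent[ip]) >= threshold:
                alerts[ip] = {
                    "src_ip": ip,
                    "first_seen": recent[ip][0].isoformat(),
                    "failures": len(recent[ip]),
                    "accounts": tried[ip],           # same set, keeps growing
                    "success_after": None,
                }
        elif ev["event_id"] == 4624 and ip in alerts and alerts[ip]["success_after"] is None:
            alerts[ip]["success_after"] = {"account": ev["account"], "time": ev["time"]}
    # freeze the account sets into sorted lists for stable output
    return [dict(a, accounts=sorted(a["accounts"])) for a in alerts.values()]


def format_alert(alert):
    """One-line summary suitable for an alerting or ticketing feed."""
    msg = (f"RDP brute force from {alert['src_ip']}: {alert['failures']} failed logons "
           f"since {alert['first_seen']} against {', '.join(alert['accounts'])}")
    if alert["success_after"]:
        s = alert["success_after"]
        msg += f"; SUCCESSFUL logon as {s['account']} at {s['time']} - treat as compromised"
    return msg


if __name__ == "__main__":
    for alert in detect_rdp_brute_force(SAMPLE_EVENTS):
        print(format_alert(alert))
```

The single LAN typo never reaches the threshold and produces nothing, while the Internet source is flagged at its fifth failure and upgraded when the success follows. In a real feed the same output would drive the slide’s other disruption steps: blocking the port or source at the firewall and locking the account named in the alert.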
Recap & Steps to Consider
• Not every combination of vulnerabilities can be solved for - they are infinite
• Best Approach = assume compromise, assume breach, will occur
• Be Ready = know your inventory, know your risks, prioritize them, leadership and IT in collaboration
• Be Ready = have a disaster plan, have multiple backups, be able to recover

What you can do
• Assess your risks
• Backup, and test backups of, your data regularly
  • This protects you from much more than ransomware! If you assume it is when rather than if, best bang for buck is ability to recover… therefore backups!
• Patching and updating – operating systems, applications, web browsers
• Firewall rules and port blocking
• Training and awareness
• Remove unnecessary administrator permissions (for most it IS unnecessary)
• Anti-Virus/Firewall – installed and up to date
• Have a recovery plan and test it or review it annually
• Bonus Items – if you can: Application Whitelisting, Disable Macros, Intrusion Detection, Network Monitoring, Alerting, Vuln Scans

What if you are attacked?
• Isolate / remove from network; shut system down
• Check for, confirm, your backups for affected systems and plan your recovery
• Change passwords, lock accounts, contact insurer and authorities/peers, follow your recovery plan
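“Backup, and test backups of, your data regularly” and “check for, confirm, your backups for affected systems” both need a way to prove a backup still matches what was backed up. The following is an added example, not a tool from the presentation: it records a SHA-256 manifest when the backup is taken and verifies a restored copy against it, so a tampered or encrypted tree is caught rather than trusted. The directory names, sample files and the simulated ransomware overwrite are all constructed for the demonstration.

```python
"""Build a hash manifest at backup time and verify a restore against it.

Added example, not from the slides. Directory names and sample files are
constructed; the 'ransomware' step only overwrites a file in a temp dir.
"""
import hashlib
import json
import os
import shutil
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path relative to root -> {'size', 'sha256'}."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = {"size": os.path.getsize(full), "sha256": sha256_file(full)}
    return manifest


def save_manifest(manifest, path):
    """Store the manifest beside (ideally offline with) the backup copy."""
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def verify_restore(manifest, restored_root):
    """Compare a restored (or live) tree with the manifest.
    'missing' and 'changed' mean the data is not recoverable from this copy;
    'extra' files are reported for review but do not fail the check."""
    current = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(current))
    extra = sorted(set(current) - set(manifest))
    changed = sorted(p for p in manifest
                     if p in current and current[p]["sha256"] != manifest[p]["sha256"])
    return {"missing": missing, "changed": changed, "extra": extra,
            "ok": not (missing or changed)}


def demo():
    """Constructed scenario: take a backup, simulate ransomware on the live
    copy, then show the live tree fails verification while a restore from
    the backup passes. Returns (live_check, restore_check)."""
    work = tempfile.mkdtemp()
    try:
        live = os.path.join(work, "live")
        os.makedirs(os.path.join(live, "grades"))
        with open(os.path.join(live, "grades", "fall.csv"), "w") as f:
            f.write("student,grade\n1001,A\n")
        with open(os.path.join(live, "readme.txt"), "w") as f:
            f.write("district records\n")

        # Backup time: copy the tree and record the manifest separately.
        backup = os.path.join(work, "backup")
        shutil.copytree(live, backup)
        save_manifest(build_manifest(live), os.path.join(work, "manifest.json"))
        manifest = load_manifest(os.path.join(work, "manifest.json"))

        # Simulated ransomware on the live copy: one file overwritten with
        # random bytes and a ransom note dropped alongside it.
        with open(os.path.join(live, "grades", "fall.csv"), "wb") as f:
            f.write(os.urandom(32))
        with open(os.path.join(live, "README_DECRYPT.txt"), "w") as f:
            f.write("pay to decrypt\n")
        live_check = verify_restore(manifest, live)

        # Recovery: restore from the backup and verify before trusting it.
        restored = os.path.join(work, "restored")
        shutil.copytree(backup, restored)
        restore_check = verify_restore(manifest, restored)
        return live_check, restore_check
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    live_check, restore_check = demo()
    print("live copy after attack:", live_check)
    print("restore from backup:  ", restore_check)
```

Keeping the manifest with an offline copy matters: if the manifest sits on the same share that gets encrypted, the check has nothing trustworthy to compare against. Running `verify_restore` on a scheduled test restore is the “test it annually” step from the slide made routine.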
Filtered List for Quick Reference
• Know your inventory, know and prioritize your risks
• Maintain a disaster recovery plan
• Backups!!!!! – multiple, including offline
• Patching and updating
• Firewall rules and port blocking
• Anti-Virus
• Training and awareness
• Remove unnecessary administrator permissions
References & Additional Resources
• AASA, School Superintendents Association article
  https://aasa.org/SchoolAdministratorArticle.aspx?id=8606
• AZ Auditor General Ransomware Alert
  https://www.azauditor.gov/sites/default/files/DFI_19-405.pdf
• AZ Cybersecurity Team, ACT
  https://bc.azgovernor.gov/bc/arizona-cybersecurity-team
• CoSN, Consortium for School Networking – Home, Self Assessment document, Free webinars
  https://www.cosn.org/
  https://cosn.org/download-cybersecurity-self-assessment
  https://cosn.org/advancement/webinars
• Department of Homeland Security – Stop.Think.Connect
  https://www.dhs.gov/stopthinkconnect-toolkit
• Department of Homeland Security – Student Resources
  https://www.dhs.gov/publication/stopthinkconnect-student-resources
• Department of Homeland Security, CISA – What is Ransomware and Steps to Take
  https://www.us-cert.gov/ncas/tips/ST19-001
• Department of Homeland Security, CISA – Ransomware Brief
  https://www.us-cert.gov/sites/default/files/2019-08/CISA_Insights-Ransomware_Outbreak_S508C.pdf
• Stay Safe Online (user awareness, tips)
  https://staysafeonline.org/
References, Additional Resources
• Awareness Help… See if your password has been in a breach (reminder: do not reuse passwords)
  https://haveibeenpwned.com/
• Awareness Help… How Passwords Can Be Stolen
  https://www.sentinelone.com/blog/7-ways-hackers-steal-your-passwords/
• Awareness Help… October is National Cybersecurity Awareness Month
  https://niccs.us-cert.gov/national-cybersecurity-awareness-month-2019
• CBS 60-Minutes Ransomware Segment – Replayed Sunday August 25 2019
Questions & Discussions
Any questions … that aren’t hard?
If needed, some questions I have to help us get started:
• How many have a risk assessment, prioritized risks?
• Who would you call / did you call in an event like this? Do you have someone on retainer for response? Is it tied to membership in The Trust, alongside insurance?
• Do they recommend paying or not paying ransom?
• Is there a $ amount threshold that helps decide?
• Funding and budgets
  • Higher Ed isn’t much better off, but I can’t imagine…
  • Grants, Awards?
  • Microsoft, Boards or Departments of Ed
  • State of AZ, ASET AZDOA
• Governor’s AZ Cybersecurity Team, ACT
  • September meeting (September 19 2019, 9am – 11am)
  • Anyone have contacts? I have approached mine.
• Anyone familiar with or participating in CoSN, Consortium for School Networking? (I do not see AZ as a chapter)
• What role(s) do you see, think, wish, want… NAU ETC filling or trying to fill?
  • What would this look like? Individual relationships or consortium level?
Recommend
More recommend