One of the most nasty and sinister malware threats to come out of the minds of cybercriminals has been the creation of ‘ransomware’.

Ransomware is a type of malware that encrypts data, and then extorts money from the victim. Infection is carried in either an email, as an attachment, or using an exploit kit on a website where the malware will be downloaded and executed. Once infected with ransomware, the files, on your computer, across the network and even on remote file storage like Dropbox, are encrypted. When the malware has done its job, it then is programmed to pop up an onscreen message letting you know that if you pay X amount, within X days, your files will be decrypted. The x amount is usually $500-$1000, but can be much more, and payment is expected in the form of bitcoin; they ask for bitcoin because it is less easily traceable than a traditional money transfer.

Cryptowall is probably the most infamous of all ransomware. Cryptowall is up to version 4 and according the Cyber Threat Alliance the malware had, by version 3, made at least $325 million worldwide from infections. Each version of Cryptowall becomes even more sophisticated than the last. Cryptowall 3 was built to hide from detection and Cryptowall 4 changes filenames so users can’t even find out which files have been encrypted.

Ransomware: The Impact

People are paying the hackers. If you suddenly find all of your data: customer records, intellectual property, documents, flow charts, presentations, accounts, etc. are encrypted and essentially gone, you’ll pay up. The fear that the ransomware hackers instill in people is real. The FBI reported losses in the U.S. alone of around $18 million between 2014 and 2015. And that’s just in payments out. This doesn’t include material losses through lost time and network issues that ensue. And of course there is no guarantee that just because you pay the cybercriminal that they will decrypt your data – we are dealing with a criminal mind here, after all.

The FBI research was from a year ago, but MacAfee in their 2016: Threat Predictions report state that: “Ransomware will remain a major and rapidly growing threat in 2016…. we predict that the rise of ransomware that started in the third quarter of 2014 will continue in 2016. “.

It is hard to read the mind of a cybercriminal into the 2020’s, but the likelihood is that with a successful money-raising venture, like Ransomware, it will only proliferate. The Internet of Things being an area that will likely be utilized by cybercriminals as a means of infection. IoT devices have a very wide security surface to attack and thus far security of the IoT is still far from perfect.

Who Is Being Affected by Ransomware?

Ransomware hackers are targeting rich nations. They need to find companies that can afford to take the risk of paying $000’s to get their data back. The target sector the hackers are after is widespread and getting wider. They are coming after businesses of all sizes, rather than just being a consumer problem.

One of the most insidious ways ransomware is getting onto a network is via ‘malvertising’. Hackers are using the ad placement network and actually paying for infected ads to be served up on legitimate websites. Major websites like the New York Times have run infected ads. The most worrying thing about much of ad-based malware is that it is based on ‘exploit kits’ like ‘Angler’. If you access a site running a malicious ad and you happen to also have a vulnerability in your browser or Flash, then you have a very high likelihood of becoming infected with ransomware without even clicking a mouse. Scary stuff.

U.S. SMB’s are as much a target as their larger cousins because the hackers know that they are a ‘soft target’. Smaller companies are less likely to have a dedicated security team and systems in place to handle such an attack.

And no one is safe, in the past few months several U.S. hospitals have been infected with ransomware and one, the Hollywood Presbyterian Medical Center had to pay out $17,000 in bitcoin to the cybercriminals.

Is There Hope?

You can help prevent a ransomware infection by making sure that:

1.     Your staff is well trained in the way that malware infections work – make them aware of the danger of attachments in emails for unknown sources.

2.     Keep your OS and other software up to date and patched

3.     Keep backups of your data (but be careful not to use certain backup software that synchronizes with your directories as this can also become infected with ransomware)

4.     Have a security strategy in place to deal with the complexities of ransomware prevention and infection

Of course, if you do get infected, one thing is apparent. Even if you pay to have your files decrypted, the chances are that the cybercriminals behind the scam have already exfiltrated any data using remote access and will be selling that data, especially personal information, on the dark web. So simply put, the best way to deal with ransomware is to avoid infection in the first place.

A while back a colleague of mine was spear phished. It was really clever how they did it. She was contacted, not through a direct email, but via a message system of a professional group she was a member of. The message purported to be from a ‘worried colleague’. They had seen her profile on the professional group website and had also noticed that a Facebook account had been created using her photo. The Facebook page was real, her professional photo was being used and a variety of less than complimentary Facebook posts were in the timeline.

The person, who sent the phishing email, came across as being ‘a friend’ trying to help out and pointing to the abuses made in my colleagues name. They offered help saying that they’d also been a victim of this sort of identity theft and knew how to counter it. They asked my colleague to email them and they’d show her what to do.

It was a very convincing email. It used some of the oldest tricks in the book; tricks that conmen have used for centuries. It attempted to build a connection with my colleague, to find a common ground. The email was from a trusted source – her professional network. The writer created a scenario shrouded in fear, uncertainty and doubt, to cause my colleague to feel anxious and that her reputation was at risk. The phisher then held out a helping hand to make it all go away. It was a perfect example of highly targeted social engineering, in other words, using normal human behavior to manipulate a person into revealing far too much.

The case above had a happy ending. My colleague is a cyber security professional and recognized the signs of a sophisticated spear phishing attempt. But not everyone is so lucky and human behavior manipulation has become the pivot upon which cyber security attacks are based.

To Err is to Be Human

Social engineering is a technique used to manipulate a behavior. It isn’t new. As mentioned above, conmen and tricksters have been using this in one form or another for centuries. One of the most famous cases of social engineers was Frank Abagnale; the film “Catch Me If You Can” was a portrait of his life as a confidence trickster. Frank used people’s natural need to trust to commit fraud.

Social engineering in the context of cyber crime has been used extensively. One of the most infamous examples was the ‘I Love You’ virus. This was an email born malware infection, which swept the world in 2000. The email contained the subject ILOVEYOU and contained a ‘love letter’ which when opened ran the malicious code and infected the computer. This trick played on our own vanity – how exciting to get a love letter, almost impossible to resist opening it, just in case it was a secret admirer. And that is exactly what happened with the virus infecting about 45 million computers within 2 days of its release into the wild.

Since then, cybercriminals have embraced social engineering and human behavior manipulation turning it into almost an art form. The whole area of phishing is based on this very concept.

The Big Phish: Business Email Compromise

Phishing and its rich cousin, spear phishing, is arguably the most successful cyber security vector ever with 123,972 unique phishing attacks in 2015 (and since then, it has only been increasing). Phishing emails are very cleverly pulled together by the cybercriminal. In the mass mail out, less targeted ‘phishing’ variant, the hacker makes the email look just like a legitimate site, one that you’d enter login credentials; these credentials then being stolen by the hacker behind the spoof site. According to research by APWG Internet Policy Committee into Phishing, PayPal, Apple and TaoBao are the most popular spoofed sites for phishers, with 54% of all spoof sites representing one of the big three.

But the true art of phishing is seen in spear phishing.  Spear phishers have to spend quality time getting to know their target. The emails are crafted to reel in their prey, using full personalization and creating trust and connection between the phisher and the victim. One of the latest scams to be based on the principles of manipulation of human behavior is the Business Email Compromise or BEC. BEC scams have been hitting business, of all sizes, big-time.

A BEC is a form of spear phishing. It has a complicated profile. Firstly, deep reconnaissance is made to identify a business owner, or key employee, that will become the proxy for the phish. This individual then has their email account either spoofed or compromised.  The phisher will then learn as much as they can about their victim and the company they are targeting. They use this information to create highly convincing emails and instructions – using the ‘personality’ of the victim to come across as real. An example of the type of information that is really useful to phishers would be the calendar of the victim- are they away on business on certain days and so on. This allows the phisher to build up a personal profile and so mimic the person more precisely.

Once they have control of the email account, they can then apply email rules to make sure they don’t get detected when they utilize the account. Or, if they spoof the account, they make the email look like it is from that individual. With account control they can then enact their plan, which goes something like this:

1.     Create an email from this key staff member, to ask for a wire transfer of monies to a new creditor.

2.     This email will go to one of the compromised users subordinates. So for example if the CFO’s account is compromised the email might go to the finance controller.

3.     A variation on the above is where the phisher asks Human Resources for ‘employee details’ and thereby stealing identities which they can use for fraudulent tax returns and so on.

There are a number of different tactics being used, based on a compromised business account. Each one of them uses our natural trust system to trick us into performing actions we’d normally be reticent to do. BEC attacks are working.

Controlling Our Behavior

Phishing is so popular and successful that phishing is moving into other spheres. ‘SmiShing’ is the new phishing; with mobile devices being targeted with SMS based phishing messages – like this one. When checked the ‘Apple’ link goes to a spoof site in Romania where you are requested to enter your Apple login credentials. If you did so, they would be stolen and used to login to the real Apple site. Variants on this attack type also include a SMS message from a bank asking you to call a number to talk about a possible fraud attack on your account. When you do, you are asked for various details including your online banking password – the result being your bank account is cleared out.

There are ways that we can use to counter this abuse of our humanness, but it means being more aware of ourselves, how we react and how cybercriminals operate. Some basic checks include:

• Caution is the watchword for anyone receiving an email requesting a funds transfer (for example).

• Do not click directly on a link in an email, but instead, if it refers to an account, go to that account through the browser first.

• Check email addresses – if you expand the address you may see it has unusual characters or is simply not the name it pretends to be.

• Build a robust security strategy across the whole organization, taking both technologies and human behavior into account.
  

Business as well as life is a balance. It was the Chinese New Year on the 8th of February, so it seems pertinent to use the philosophy of yin and yang to discuss the interactions of critical controls in the enterprise procurement process. The idea of yin and yang is that opposite/contrary ideas can in fact be complementary and build a stronger whole. This approach may well be useful in providing the right balance between the various control systems that come into play as any procurement process develops.

The Elements of Critical Control During Procurement: The Yin

There are a number of ‘critical controls’ within any given procurement program. Security is often seen as the main critical control and one, which can have the greatest impact on assets and infrastructure. However, security is not the only element that can have a potential impact on the procurement process and on vendor risk management. Of course, the criticality of each part is dependent on the industry. But in general, the type of things that you need to know about a vendor before procurement choices can be made include:

Security:   If you read this blog regularly, you’ll know that data and privacy breaches often have their origin with a third party supplier. A number of studies corroborate this, including the 2013 Trustwave study, which found that 63% of the investigated breaches began with 3rd party administration exposure. There is also a general and historical problem in the communication between procurement and security, security being seen to ‘slow down’ procurement.  However, this is starting to change as more breaches, like those mentioned above, occur. In a previous post we have talked about how KPMG have found that 70% of procurement managers now realize how important it is to know how a third party will handle their client data. This is a move in the right direction. An end-to-end security strategy, across the vendor/client eco-system is increasingly important and often needed for compliance with industry regulations.

Legal:   The legal aspects of vendor onboarding can be arduous. It seems that once you involve the lawyers, everything comes to a standstill. There are, of course, good reasons for this; legal needs to make sure that all eventualities are covered. This is never truer than when you have regulations to comply with, which often extend outwards to your suppliers systems. Other factors, such as competition law and the legalities around origins of goods, personnel and services, need due consideration.

Social and environmental:   As green laws take effect, a number of environmental constraints can come into play in the procurement process. You may need to develop a sustainable procurement policy to comply with regulations around these areas and to make sure the vendor choices you make, fit in with this overall strategy.

Having effective know your vendor (KYV) policies in place before making final decisions is part of your supply chain risk assessment. This is a key part of the procurement process as it offers a way to minimize the future risks and protect the business against uncertainty. Gartner in their recent evaluation of the role of the CIO and risk, have stated that “Procurement teams develop contracts that improve security agreements with cloud vendors and security managers” to be able to meet the challenges facing business today, especially when dealing with Cloud based data.

What Prevents Efficient and Accurate Procurement Choices?

Procurement choices that are educated and based on checks and balances will ultimately benefit the company, because they reduce the risks associated with unknowns. Getting this process right is a challenge. For example, procurement and security need to work together for the greater good. The SANS Institute in their paper on “Combatting Cyber Risks in the Supply Chain”, recommend a combination of ‘people, processes and technology’ to deal with the problem of good vendor evaluation for procurement. Communication and transparency is the key to risk reduction. It may seem like a slower process to add in the assessment stage, to audit vendors’ data security procedures, but in the long term, this will benefit your company, through informed choice – the old adage, “more haste, less speed” is highly applicable to the procurement process.

Procurement is the natural place where communication can start. It is often the main channel between the enterprise and the vendor and as such, can create effective dialogue to manage critical controls, like security, and ensure they don’t slow the process down any more than necessary. Seamless, clear communication in this area can also help to identify any hurdles. For example, if the vendor needs to go through a certification or validation process this needs to be identified early on. It is only be having open discussions and actively building frameworks to work to, that we can ensure we have those critical controls incorporated into the procurement process.   

Get it Right, Now, Not Later: The Yang

Getting your procurement controls in place before you sign that purchase order is vital. If you do it after knowing your vendor and any critical exposure points they may have, then you may well end up with security or compliance issues down the line. Once the ink is dry on the contract, it is much more difficult to put controls in place. This can result in overall increased costs, as well as a risky project that potentially could end in a catastrophic data breach. Putting controls into the mix, at the right time and to the right level, is part of a good, holistic approach to procurement. Getting the yin-yang balance right will create the type of vendor eco-system that gives you true value for money, whilst minimizing your risk of privacy and data breaches.

One of the topics this blog likes to explore is how to make the whole supply chain process more efficient, less risky and ultimately more profitable for everyone involved. We look at this from a real-world perspective, using our deep knowledge of this area, especially around automation and security. So it is really good when external sources back up your own knowledge and experience and this has been the case looking at the report by PWC on “Next Supply Chains: Efficient, Fast and Tailored”. In today’s post I’ll take a look at some of the findings of this survey by PWC and discuss their implications on supply automation, chain management and risk.

Supply Chain Trends

The PWC report had a particular pertinent and insightful finding. This was that the supply chain is regarded as an actual strategic asset by 45% of organizations. Strategic assets are vital for competitive edge and keeping them well managed is therefore an important business consideration.

In their report, PWC has identified a number of supply chain trends, all of which show an expectation of increasing in importance and which have a material impact on the effective management of the supply chain. The following graphic, taken from the report, shows the 12 most important trends; noticeably all are expected to increase in importance.

In this post I’ll concentrate on two of these top trends, which we come across time and again, “Implementing techniques to automate and increase transparency” and “Managing supply chains security and risk”.

Automation to Increase Transparency

In the PWC report, they noticed that the most successful companies had a program in place to reduce supply chain complexity and to use automation methods to make supply chain processes more efficient. This has been instrumental in the leaders identified in the survey, having delivery performance figures of over 96%.  Part of this comes down to transparency across the supply chain. Transparency greatly helps to improve the smooth running of a supply chain. A report by electronics manufacturers, Jabil, found that 96% of the surveyed respondents said that an opaque supply chain put efficient operation at risk.

Gartner analysts concur with PWC and identify automation of supply chain processes as a supply chain trend. In a recent supply chain conference, Gartner linked automation and the Internet of Things (IoT) arguing that this has the potential to impact transparency across the chain. Gartner stated that, “functions such as procurement, logistics and inventory management often operated in silos with not enough coordination or focus on the end result”. Gartner reiterate this sentiment in their latest supply chain predictions of 2016, saying that automation will double in the next 5 years due to increased digitization of companies. 

The PWC report shows clearly that automation leads to better performance, and Gartner is backing these findings up. This comes at a time when the digital landscape is moving underneath us all, as digitization of services and the IoT grow in importance – this makes the move to automation of supply chain processes inevitable as the complexity needs to be countered by transparency. In fact, the idea of having greater control over the processes and bringing all of the steps together in a seamlessly connected manner should be the goal of any eco-system. The PWC report stresses that digitization and automation of supply chains will create greater transparency, if managed correctly, which will ultimately result in reduced costs and efficiency.  They also point out that automation is seen by two thirds of respondents as a “vital” part of the supply chain process. In fact, PWC show that automation is seen as one of the best ways to differentiate a business across a number of industry sectors including automotive and retail, giving them a method to “optimize their logistics and distribution operations”.

Managing Risk

The supply chain has not been immune to the global challenges we are currently facing. These challenges extend to financial market turbulence and the increasing cyber security pressures felt by all enterprises.

Growing risk from the supply chain is something that the vast majority of organizations seem to suffer from. Zurich Insurance found that in 2014, 81% of companies suffered a supply chain disruption, an increase of around 4% since 2010 and almost a quarter of survey respondents saw losses of around $1million due to such disruptions – cyber security being one of the most concerning.

The PWC survey identifies the management of chain security and risk as a top trend. They point out that to have a successful supply chain operation, an organization has to take personal responsibility for tracking the risks across the chain. The complexity of risk management rears its head most noticeably when the supply chain is a global one. Risk come in many shapes and sizes and a global chain can involve environmental, financial and certainly cyber-security risks. Ensuring stability of the extended supply eco-system is a management challenge and one, which requires a holistic approach.

PWC found that risk mitigation, through close management of supply chain partners was one of the top differentiating practices of effective and high performing supply chains.

A Transparent Approach to Risk Management

The two top trends we have looked at here are not mutually exclusive. Both of these trends impact each other. By using automation to improve transparency, you can in turn enhance the management of risk across the chain. A move towards automation is a leap forward to take your supply chain to the next level, but it will afford greater rewards in the guise of more optimized, efficient and risk minimized processes.

When you deploy IBM Security Secret Server and IBM Security Privilege Manager across your organization, you unlock the full potential of PAM with solutions that are:

Partner with IBM for incredible service and benefits

• 24/7 access to IBM support
• Unlimited feature set within IBM Secret Server
• Simple pricing and packaging options
• Quick time-to-value—install in minutes and see value immediately
• Supports large-scale distributed environments from on-premise to cloud environments
• Integration with the IBM Security portfolio including IBM Cloud Identity, QRadar®, Guardium® Data Protection, and IBM Security Identity Governance & Intelligence.
• Access to IBM Security PAM Professional Services
• Access to IBM Security Expert Labs for deployment and configuration

Protect privileged accounts to reduce your attack surface. Sign up for a free trial of IBM Security Secret Server now.

Least Privilege Policy

Security regulations call for a least privilege policy, which means limiting access to reduce your attack surface. Least privilege requires that every user, application and system account have the minimum access to resources needed to do their job. Many customers, users or applications have admin or root privileges with access to sensitive data/operating systems. Under a least privilege model, administrative accounts with elevated privileges are given only to people who really need them. All others operate as standard users with an appropriate set of privileges.

Regulations like PCI DSS, HIPAA, SOX, and NIST and CIS security controls recommend or require implementing a least privilege model as part of a compliance solution. During an audit, you may have to demonstrate how the principle of least privilege is applied and enforced in your organization to control administrative accounts.

To successfully comply with a least privilege policy, you must know which privileges you need to manage. That means finding out which endpoints and local users have admin or root credentials, identify which apps are in use and if they require admin rights to run and understand your risk level for service accounts and apps with an elevated set of privileges.

Imagine how much damage and risk you will take away if you remove your business users from local admin groups, yet provide them with a way to install approved applications. IBM Privilege Manager helps with just that.

Get started with IBM’s free endpoint application and least privilege discovery tools.

To successfully comply with at least privilege policy, you must know which privileges you need to manage. Find out which endpoints and local users have admin or root credentials, identify which apps are in use and if they require admin rights to run and understand your risk level for service accounts and apps with an elevated set of privileges.

Can you imagine how much damage and risk you will take away if you can remove your business users from local admin groups – yet provide them with a way to install approved applications? IBM Privilege Manager helps with just that.

Secure your largest attack surface with a single agent

IBM Privilege Manager can communicate with hundreds of thousands of machines at once. You can check policies and execute 24/7 control across every device and application under your purview through a single, streamlined dashboard.

You can discover which users and endpoints have local administrative rights, including hidden or hardcoded privileges across domain and non-domain machines, and automatically remove these rights as needed. This helps you control the exact membership of all local groups and users to reduce the risk of backdoor accounts.

Define flexible policies that ensure a frictionless user experience

IBM Privilege Manager automatically elevates the applications and data that users across your organization need—without requiring credentials or forcing users to request IT support. It provides granular policy-based controls that determine and maintain access to trusted applications and processes.

Through advanced real-time threat intelligence, the solution whitelists, blacklists or graylists your applications according to flexible policies you define.

• Whitelisting – Trusted applications are whitelisted and elevated, so users can easily access them without IT support.
• Blacklisting – Blacklisted applications are blacklisted based on real-time threat intelligence and are blocked from running.
• Graylisting – Potential threats are graylisted, meaning they’ve moved to an isolated sandbox environment for further testing.

Additionally, any application can be quarantine and “sandboxed” at any time, as you deem necessary, regardless of its list designation. A quarantined application can be safely executed and tested without the risk of exposing system folders or underlying OS configurations.

Easily manage and remove local administrative rights

Determine which accounts are members of any local group, including system administrators. If necessary, you can quickly reset all endpoints to a “clean slate” by removing all local administrative privileges at once.

Boost productivity for users and support staff

Since policy-based controls are enacted on the application level, users can access the trusted applications, systems and data they need without local administrative rights or the hassle of submitting tickets to IT support.

Achieve audit compliance through transparency

Share an easy-to-understand auditable trail of all application policies, administration credentials and privilege elevation activities with auditors. You’ll provide a clear picture of your compliance levels and what actions, if any, should be taken.

Read the last part tomorrow!