Why ‘WannaCry’ must be a lesson for all

Oct 24, 2017 by infocon in  cyber security Security

May 12, 2017 is one of the most dreadful days of the year for cyber experts and its stakeholders. About 150 countries across the globe suffered a cyber-attack, affecting 200,000 computers.

It was the infamous “WannaCry” ransomware in which hackers locked people out of their computers, demanding a ransom of $300 in bitcoins. Medical care became inaccessible and factories were shut down for more than 2 days to minimize loss of confidential and further damage.

Here goes a brief on one of the most dangerous ransomware attacks in the Cyber-verse:

What is “WannaCry”?

“WannaCry” appears to have utilized a flaw in Microsoft’s software, discovered by the National Security Agency, which was quickly leaked by hackers. The malicious code that relied on the victims opening a zip file emailed to them, spread rapidly across networks locking away files one by one. From then on, the programme used Microsoft’s flaw to thrive.

Microsoft had released a security update which addressed the vulnerability in the sixteen year old Windows XP operating system, in March 2017. This update was exploited by the hackers to trigger the massive ransomware attack.

 

 

Who got affected?

Several computer networks worldwide were affected, including Telefonica as well as other major organizations in Spain. The British National Health Service (NHS), too, was forced to cancel scheduled patients.

FedEx, Deutsche Bahn, the Russian Interior  Ministry and Russian telecom MegaFon were barred from normal operating services. According to Quartz the three bitcoin wallets used in the attack received just under 300 payments totalling a sum of 48.8635565 bitcoins, which is the equivalent of about $101,000.

 

What is a ransomware attack?

The term ‘ransomware’ appeared in 2005 in the US with the first notable biggest threats to security. While cyber experts maintain it to be 2005, the history of ransomware goes back to 1989.

 

PC CYBORG advisory from 1989. Screenshot via Security Focus

 

According to Becker’s Hospital Review, the earliest ransomware attack occurred in 1989, targeting the healthcare industry. Tracing the same, the healthcare industry still remains a top target for such attacks even after twenty eight years.

Ransomware is a cyber-attack wherein hackers gain control over a computer system and block access to it until the demanded ransom is paid. Hackers get control of systems by downloading a type of malicious software onto a device within the network. This is usually done by getting a victim to click on download link by mistake. The link is normally attached with an email, which once opened, encrypts the hard drive. Once the software gets into the victim’s computer, it enables the hackers to launch an attack that locks all files it can find within that network.

The recent ‘WannaCry’, also known as Wanna Decryptor is a ransomware programme that locks all the available data in the system leaving the user with only instructions on what to do next and the Wanna Decryptor programme itself.

When the software is opened, it tells the users that the files on their computer have been encrypted. It then gives them a few days to pay up, warning that their files will otherwise be deleted. It generally gives them instructions to pay in Bitcoin, providing the Bitcoin address for it to be sent to.

 

 

What is the way out?

Larger organizations should ideally follow the guidelines provided by concerned institutions:

  • Apply the latest Microsoft security patches for this particular flaw.
  • Ensure all outgoing and incoming emails are scanned for malicious attachments.
  • Ensure anti-virus programmes are up to date and conducting regular scans.
  • Backup all key data and information.
  • Organize education programmes on malware so employees can identify scams, malicious links or emails that may contain hazardous viruses.
  • Run “penetration tests” against your network’s security at least once a year.

Many experts even suggested restoring all files from a backup. If that isn’t possible, there are tools that can decrypt and recover some information.

Bringing Information Security to book – Infocon initiative

Oct 21, 2016

How much information security is enough security ?

Infocon is an initiative by Prime Infoserv, Kolkata and Wordsmith has been a collaborator in the initiative. Any contemporary CXO who is not concerned with the theme and confusion called Information Security is either non-existent or soon will face bankruptcy judge.

Billions are lost by private and public institutions worldwide through loopholes in securing information. Information is literally money. If you are a financial institution and if your customer database is compromised, then the fall-out can be seriously embarrassing to catastrophic.

The Problem of Mr. K, a CIO of the castle called Kolkata 

Mr. K is a  CIO of a large healthcare company in Kolkata. His 60% life was spent without internet and when his career is at the matured peak, he finds that he needs to reckon with information security. His CEO has instructed him to “do something”. What he should do ?

In case of an enterprise, any “doing” needs management time, money and attention (follow-up). More important, no vendor appears to be able to answer the question : “How much information security is good security ? “How much I should spend, considering the solutions are correct ?” 

Mr. K, found to his great confusion that he is not able to get these “figures”.

In a autumn morning in Kolkata, post-Durga Puja last year,  I and Sushobhan, CEO of Prime met Mr. K in his East Calcutta office, overlooking the wetlands of Calcutta that appear to be merging with the Sunderbans.  Mr. K narrated his predicament, especially the most important one – “How much money and resource he should ask for approval ? ” from his top management to implement the solution selected. The problem with the solution was its very nature : the solution is directly connected to the threat – real, perceived, imagined or enmeshed in the business interest of the information security vendor.

The Mathematical Model

In other words, we need an analytic framework backed up by the cold, austere and objective mathematical perspective other than paranoia, vendor interest, disaster porn, technical jargon, hardware and software vendor with their exotic offerings lined up in the form of priests of some esoteric cult.

There is a mathematical model called Gordon-Leob model that does exactly that. It uses mathematical tools like probability, confidence interval, distribution to produce a mathematically verifiable statement

After the coffee, I and Sushobhan told Mr. K that he should spend no more than 37% of the amount X, where X is calculated by

X = Cost * Maximum probable vulnerability * Impact Constant * Quantified Risk

Mr. K was delighted. He is now at least dealing with arithmetic, not anxiety-metric.

In due course, we did find out X for his organization by using a 4 step method which is basically a combination of police work + detective work. In the first step, we did a vulnerability analysis and logged all known risks, in the 2nd step, we had assigned some metric to those risks in consultation with the company. In the 3rd step, we calculated the probabilities of such events, in the final step, we tabulated the impact and then estimated X.

Since then, we have been working in this area with clients in India, Bangladesh, UK and everywhere we found one common aspect : lack of awareness. Then the idea of Infocon was born.

Infocon 2016 is happening on 18th November – a platform for sharing our confusion, triumph, fear, best practices and combining our torches in a same direction to create a path in the literal jungle of information which not only has exotic fruits, flowers and scenes but ferocious enemies.

A brief on India’s Cyber Security Status

Oct 17, 2017

The biggest story of 2016 is undoubtedly the alarming rise of cyber crime. A look at global IT industries explains that we’re facing a lack of efficient professionals. According to the Cyber Security Ventures ‘Cyber Security Jobs Report’, there were 1 million cyber security job openings in 2016. The number is expected to grow to 1.5 million by 2019.

Against the backdrop, the scenario of India’s cyber security industry is no exception. A quick glance at one of the most notable security breaches in the country shows:

1)   Cyber criminals breached the country’s largest government site – the Indian Railways Catering and Tourism Corporation (IRCTC) website, stealing around 10 million records from the server of the e-ticketing portal.

2)    A cyber criminal by the name ‘Faisal’ allegedly breached the website of Canara Bank, defacing it by inserting a malicious page and blocking some of its payment services.

3)    Fraudsters broke into the email account of Binny Bansal, CEO of Flipkart, sending two emails to the Chief Financial Officer (CFO) demanding a sum of $80,000.

Further look at similar incidents show that majority of these attacks happened in the e-commerce and banking sectors. The reason for this is found to be a high value of personally identifiable information )PII) in these industries.

According to ‘M-Trends 2016, Asia-Pacific Edition’ by Mandiant Consulting, Indian organizations are more susceptible to data breaches. Poor investments in high-end security solutions are to blame, as experts say. This must sound caution to smaller and bigger organizations both.

In the wake of this, the Indian government has started to invest money in recruiting cyber security experts. Partnerships with top international security firms have also been registered. The recent Memorandum of Understanding (MoU) between the national cyber security agencies of India and the U.K. is a step in the direction. The exchange of technical information on cyber attacks, security incidents and solutions will benefit both countries in fighting cyber crime together.

5 Strategies for Cyber Security in Small Business Organizations

Oct 16, 2017

If you’re a small business organization, there is absolutely no reason for you to neglect cyber security. Not spending on security or relying on outdated software to protect your data – both are equally bad ideas.

Here are a few ways you should undertake to prevent damage to the reputation of your business repute:

Backups: Cyber attackers and hackers never leave an opportunity to take your data “hostage” and demand a ransom before releasing that data. Hence, small organizations must practice backing up data in the cloud or a hybrid data centre.

Update IT Systems: As malicious attacks are evermore wreaking havoc in the cyber-verse, it is essential for organizations to protect their business data at all costs. A top to bottom evaluation with an emphasis on vulnerabilities is important. Key assets like information about property, confidential personal data, etc. must be guarded against.

   Cyber security education: In any data-security effort, any individual can intentionally or not become a “weak-link”. More often, an employee nursing grudge against the organization may compromise security. To avoid such incidences, smaller organizations can always undertake a rigorous cyber security education program.

Proper planning: Included in the data-security education program should be procedures teaching employees how to react in the event of unauthorized intrusions, example, phishing or malware attempts. A detailed incident response plan that redirects to helpdesks or IT teams can have a significant impact.

Mobile device security: A lot of times employees in small organizations use their mobile devices for work and work-related communication. The thought of data passage through unsecured channels is nightmarish enough for organizations to establish policies like – (i) Categorizing and restricting the types of information that can be shared or accessed through these devices, (ii) Enforcing network access control wherein employees can access your business’s VPN and email in a reliable manner, (iii) Determining whether mobile devices provided by the business can be taken off-site.

Leave a Comment

Your email address will not be published. Required fields are marked *

Comment *