Adevonix

adevonix

By

Ransomware: Being prepared

Ransomware is still a top concern for many businesses and organizations. The proliferation of Ransomware is less about noble pursuits from a cause or a political issue, but as with most things, it is all about the “money”. One of the best things you can do is plan for and be prepared for the possibility that Ransomware will affect your organization. In this post, I aim to share my perspective on how to prioritize your efforts. In almost every case, the most essential item is the asset of data, so prioritize protecting it in your prevention strategy as you are simultaneously working on your remediation strategy. Utilizing the NIST Incident Response Framework is an effective way to address Ransomware.

Preventative basics

  • Regularly conduct IR exercises to flush out what works and what does not in your incident response planning.
    • There is no substitute for an incident exercise to help you be prepared
    • Do tabletop minimally, but also look to do actual exercises as well
  • Regularly perform Data Backups (offline is a must) and Recovery Planning/Testing
  • Regularly update your systems and software
    • Use vulnerability scanning to ensure that subcomponents of software are not overlooked.
  • Access Controls and Network Segmentation
    • Use a tool if you have it, but any segmentation is better than nothing if budget constraints exist
    • Think about the design here, e.g. don’t put IoT devices on the same network segment, and allow any access to any systems
  • Deploy XDR/EDR/ADR depending on your mission operations needs.
  • Regularly conduct Security Awareness Training for employees
    • Conduct this using gamification if possible
    • Or whatever your employees find engaging, not off-putting
  • Deploy cloud-based email Security Controls to help defend the most used vector
    • Use as many controls as possible that don’t impact your business!

Detection and Analysis

  • Instrument systems, networks, and logs, and analyze for suspicious activity or anomalies.
  • Use Data Loss Prevention systems to identify/stop data that should not travel out of the organization
  • Use intrusion detection/prevention systems (IDS/IPS), security information and event management (SIEM), and threat intelligence to provide current threat insight
  • Identify and analyze indicators of compromise (IOCs) and attack precursors
  • Triage and prioritize alerts based on potential impact
  • Document incident details and evidence collection
  • Notify appropriate stakeholders and escalate as needed

Containment, Eradication, and Recovery

  • Contain events using a short-term isolation strategy to limit incident spread
  • Remove malicious files, unauthorized access, or malware from affected systems
    • Rebuild them if necessary
    • Ensure even if rebuilt nothing persistent remains (See Validate Systems)
  • Apply patches or configuration changes to close vulnerabilities
  • Restore systems and data from clean, verified backups (if needed)
  • Validate systems are clean and fully functional before returning to production
  • Monitor for signs of reinfection or residual threats

Post-Incident Activity

  • Document the entire incident lifecycle for compliance and post-mortem
  • Conduct a post-mortem review
  • Report to management and regulatory bodies
  • Update incident response plans, policies, and controls based on findings
  • Provide additional training based on incident outcomes

Summary

Planning for any IR, even if it isn’t Ransomware, is just as lengthy a process. Continue to Evolve Your Integrated Technologies (Part of Adevonix Motto) to address concerns and risks as you find them. I added some key items in the prevention stage that are essential for data backups. However, what I provided is not all-encompassing, so don’t think you’ve got everything covered by using this blog post as an end-all be-all. My recommendation is for you to look at every step using a Failure Mode Event Analysis (FMEA) with the context of your business’s operations. This way, you are thinking proactively about the possibilities, and you will likely be in a better shape than most. As I mentioned, this post doesn’t cover a comprehensive process, but it aims to get you thinking about how to handle Ransomware and other malware incidents when you encounter them in your career.

By

How good are you at protecting your own privacy?

As I write this post today, social media platforms continue collecting extensive user behavioral data. Here’s a simplistic overview of the personal behavioral data on a select set of prominent mobile communication platforms. The list is simply a sample based on what I see first-hand people use on their mobile phones.

CAVEAT: I am not creating an all-inclusive list but an ad-hoc sample to get you thinking when using these types of applications!

LinkedIn

LinkedIn is known to gather professional and career-related behavioral data, including:

  • Profile views and interactions
  • Job search activities
  • Content engagement (posts, articles, comments)
  • Connection patterns and networking behaviors
  • Skills endorsements and recommendations

TikTok

TikTok collects a vast array of behavioral data:

  • Video viewing habits and duration
  • Content creation patterns
  • Engagement metrics (likes, comments, shares)
  • User-generated sound and hashtag usage
  • Device and in-app activity information
  • TikTok’s data collection is pervasive. The app retrieves information about users’ devices, geographic locations, and network connections.

Instagram

Instagram, owned by Meta (formerly Facebook), gathers substantial behavioral data:

  • Photo and video viewing patterns
  • Story and Reel engagement
  • Direct messaging activities
  • Shopping and product interaction behaviors
  • Location check-ins and geotags
  • Instagram tracks user interactions with content, including likes, comments, and saved posts. It also collects data on the accounts users follow and their engagement with hashtags.

Snapchat

Snapchat focuses on ephemeral content but still collects significant behavioral data:

  • Snap creation and sending patterns
  • Story viewing habits
  • Discover content engagement
  • Bitmoji usage and customization
  • Lens and filter application behaviors
  • Snapchat can access detailed information about users’ interactions, including who receives snaps, how often users are online, and even metadata from images.

All these platforms and others on the Internet use the collected behavioral data to personalize user experiences, refine content algorithms, and deliver targeted advertising. Users should be aware that their activities on these platforms contribute to detailed behavioral profiles, which can be used for various purposes, including marketing and product development.

To protect privacy, users should regularly review and adjust privacy settings on each platform, be mindful of the content they share, and consider using more privacy-focused alternatives for sensitive communications.  This is not only because you should not trust these organizations with your behavioral data, but most especially when, not if, they get breached, your behavioral data will be collected and then used for far worse and nefarious purposes by a malicious actor. 

It is a complex digital world out there. Think before you communicate on a platform about the information’s potential use by the vendor’s “good guys,” a debatable concept, but never forget about the bad guys either!

By

Solaris 10 & 11 PAM Vulnerability October 2020

Pluggable Authentication Module (PAM) Vulnerability

Oracle Solaris 10 & 11 operating systems have a pretty small market share today compared to other operating systems such as Linux and Microsoft Windows. However, over 50% of Solaris deployments are at medium and large organizations in the United States.

In Oracle’s October 2020 patch update, (CVE-2020-14871) is a level 10 (the highest) critical vulnerability in the pluggable authentication module (PAM) of Oracle Solaris. The flaw is locally and remotely exploitable without user credentials, requires no user interaction, and can be implemented as a “low-complexity” attack. Although there are no currently known published exploits, the low-complexity nature of the vulnerability combined with privilege escalation is why CVE-2020-14871 received the CVE level 10 criticality rating.

If you are a business or government agency that relies on Oracle Solaris for your computational workload, be sure you get this patch applied to your systems as soon as possible.

Linked Information

If you use Oracle VM VirtualBox, the same PAM vulnerability applies as well. Download the latest VirtualBox 6.1.32 from Oracle to address the patch.

The entire 2020 list of Oracle vulnerabilities patched in the October patch update. https://www.oracle.com/security-alerts/cpuoct2020.html

The specifics for Solaris 10/11 in regard to CVE-2020-14871 https://www.oracle.com/security-alerts/cpuoct2020.html#AppendixSUNS

By

Microsoft Vulnerability CVE-2020-1472 “Zerologon”

A patch was released by Microsoft in August of 2020 for this level 10 critical security vulnerability reported by Tom Tervoort, Senior Security Researcher at Secura.

When the patch was released in August, there were no reported exploits publicly published. However, on Monday, September 14th, The Cybersecurity and Infrastructure Agency (CISA) reported finding a publicly published exploit of “Zerologon”.

Best practice is to always “patch early and often” but the publishing of the exploit raises the urgency to get systems patched. The service “Netlogon” is the vulnerable service that has the “Zerologon” vulnerability that can be exploited.

If you haven’t patched your Windows servers and especially your domain controllers, we highly suggest you get it scheduled ASAP!

You can read more detail from the Software Engineering Institute’s CERT Coordination Center. Additionally in the CERTCC report, there is content on further mitigation that can be performed that will also be part of a second round of patching from Microsoft in the February 2021 timeframe.

By

Cybersecurity in cloud-based infrastructure – It’s inherent when I choose to use the cloud. Right?

Well, no.

Cybersecurity in cloud infrastructure is a shared responsibility model. What most businesses don’t realize is that the majority of the shared responsibility is on the company, not the cloud services provider.

The cloud services vendor provides a core level of security, high-availability, and physical security of its resources that constitute its cloud infrastructure services offerings. It is up to the business to leverage the solutions they provide and also integrate their tools to provide comparable security capabilities to what is sometimes easier to do with on-premise computing.

Just like the on-premise model, the business is responsible for the deployed cloud computing systems and their updates, patching, and general management to include the associated data that is also in the cloud. Whether your business uses Google, Microsoft, or Amazon or another provider’s cloud services, there are a lot of cloud security and management solutions available.

At Adevonix, we are here to help you make decisions about acquisitions and deployments that are right for your business that takes into account your budget and risk. Contact us!