Thursday 28 August 2014

To click or not to click…………

We recently assisted one of our clients during an information security incident, a server monitoring system had picked up unusual file access activity on one of their network file stores, upon further investigation they discovered that a piece of malware was encrypting files on a user’s network share.

By the time we arrived onsite they had already started to contain the outbreak, taking the infected network drives off line, identifying the user whose network drive was being infected, removing the user’s PC from the network and disabling their network account.
At that time they were in the process of rolling out new anti-malware definitions across the network so they immediately commenced a full network scan using the latest definition files concentrating on the offline network shares.

Investigation of the user’s machine, indicated they have browsed to an external URL minutes before the unusual activity was logged.  The user had received an email, from a reputable postal service reportedly saying the organisation had a parcel that was awaiting payment and delivery, being a member of the accounts payable team, the user clicked on the link that opened a copy of the postal services website.  Unbeknown to the user malicious files were being downloaded initiating the malware infection using the win32 crowti ransomware variant and subsequently starting encrypting of all their files.

The email itself was very well crafted using good English and corporate branding of the postal services company, only upon closer inspection and hovering over a link to unsubscribe did we notice that the link misspelt the word “unsubscribe” as “unsubscrube”.  Checking the email headers revealed the IP Address and checking the registration confirmed the URL was located in Russia.

Whilst the incident was being Triaged the client asked, what they could have done to stop this kind of attack, we recommended they block the IP address in their firewall and block the domain on their SMTP relay but once the cyber criminals move to a different IP address or domain these defences would be useless, enabling smart screen filter as a group policy setting on their browsers could afford them an extra layer of security.

But in hindsight all of these enterprise and perimeter security controls are great but the user decided to click on the link in the email, not maliciously but in the normal duties of their role.  Users are the last line of defence….right?
Correct they are the last line of defence, but far too often organisations treat users just as that last in the line, security/awareness training as just another tick in the box to ensure some form of compliance.  Organisations can have the best of breed technical security controls in place at the perimeter, but these are only as good as the speed and efficiency of the vendor releasing signature or definition files and the IT department’s diligence at deploying updates.  During this incident the infected PC and network drives were disconnected from the network with ten minutes during which time approximately 50K files were encrypted.
The user however is the one constant that is always present and one that the cyber-criminal is relying on to perform an action or act that provides them with the backdoor they need.
Is annual security refresher training enough, when compared to how the security landscape changes in our view no!  Too many organisations use this as a tick box exercise, a cyber-criminal is relying on the end user, this is the mechanism that allows them to not brute force the front door spending 100’s of hours reconnoitring a target company and then trying to push an exploit through the front door.

How many times have you done something you were told not to do, “Don’t walk on the grass!”

“Don’t bite your nails!” humans have individuality and intrigue these are some of the traits that make society the great place it is so why would we curtail it.  You cannot tell someone not to do something, their very inquisitiveness will ask well “what will happen if I….” rather demonstrate through past experience, constantly building security awareness into their daily habits, so that they become accustomed to questioning the norm.
Large organisations have layers of security to protect their important information, with the abundance of social media and on-line interactions “the general public” does not have these controls to protect them, with the internet all around us, we need to make all users of the internet aware of the inherent dangers of its use, many of the day to day natural things we do to protect our homes, cars, handbags/wallets etc, if we applied the same common sense approach to the internet we would make the cyber criminals job that much harder.

End users may well be the last line of defence, providing real life examples of fake, imposter emails will go a long way to help improve security awareness, long gone are the days of the Nigerian 419 badly written scam emails, cyber-criminals content scrap websites to make the html content look real, but end users are the one control you can influence and educate daily providing an important proactive security control, beating any vendor zero day response, ignore them at your peril.

Neil Bray
Senior Security Specialist
www.cqr.com

Wednesday 6 August 2014

What is Privacy? OAIC are showing us the way.

When looking for a new home we like to see photos of what the house looks like but for a tenant/home owner are there any rules that govern what photos the real estate agent takes and is there anything you can do if you are unhappy about the photos they have taken.

The OAIC's fifth video in their Privacy series tell us,'Is my real estate agent aloud to take photos in my house?'


________________________________________________________________________________ If your neighbour has a security camera and you are concerned about your Privacy the OAIC's latest video gives you some advice on what you can do to apease the situation.

The OAIC's fourth video in their Privacy series tell us,'What can i do about my neighbours security camers?'


________________________________________________________________________________
We all have personal information held by organisations, but how do you access that information, are you able to just ask for it or might you have to pay or wait for an extended period of time, and then what if it is incorrect are you able to make changes where you need to?

The OAIC's third video in their Privacy series tell us,'How do I access my personal information?'


________________________________________________________________________________
If you know that personal information about you has been mishandled what should you do, and how do you go about making a complaint?

The OAIC's second video in their Privacy series tell us, 'How do I make a privacy complaint?'


_________________________________________________________________________________
Following on from PRIVACY AWARENESS WEEK in May 2014 when CQR were partners of the OAIC (The Office of Australia Information Commissioner), the OAIC have released the first a series of 5 video's which are designed to help individuals learn more about PRIVACY and the common concerns they may have.

All of the video's are to be release over the next 2 weeks and we will be here to support the OAIC in spreading the word on PRIVACY.

The first in the series is 'What is Privacy?'



Further information on the changes to the PRIVACY ACT can be found on the OAIC website.

Sarah Taylor
www.cqr.com