“There’s not much chance your customers are going to search for you and land on an Albanian copycat site.”
Raxis VP of Engineering, Brian Tant
If you get an email warning you that another (usually overseas) company is vying for your brand’s domain name with various country extensions – cn, .hk, .af, etc. – be assured it’s not someone aiming to help. Instead, they’re most likely scammers trying to convince you to send them money in order to secure your hold on yourbrand.nz before some evil corporation in Uzbekistan snatches it right out from under you.
As you might expect, people do fall for it and spend hundreds and even thousands of dollars only to discover that a) there is an exhaustive list of domain extensions out there and b) the people they’ve paid won’t really secure any of them. Fortunately, that last part is mostly a nonissue.
The truth is, very few US-based companies have a need to own foreign domain extensions unless they have a physical presence in the country. Even then, it may not be necessary unless a competing brand is actively trying to damage your business, in which case most countries have laws in place to prevent such malicious activity.
Search engines are sophisticated enough now to distinguish between legitimate, established domains and pop-up imitators, so there’s not much chance your customers are going to search for you and land on an Albanian copycat site.
Still, the emails can sound very convincing, and, believe it or not, they are really a modern update to a scam that flourished in the late ‘90s and early 2000s. That one involved the Yellow Pages and was made possible because AT&T never trademarked the name or the iconic walking fingers logo.
Here’s how it worked: Just days after a new company incorporated or applied for its licenses, an official-looking invoice would arrive from The Yellow Pages. No business wanted to be left out or forced to wait a year to be included, so many quickly filled out their information and sent a check.
Weeks later, unfortunate business owners would get another Yellow Pages invoice, this time the local version – the one people actually used. When they called the phone company to complain, they would learn that their first checks had gone to a group that published a perfectly useless national version of the yellow pages. It listed only those businesses that had fallen for the scam and was distributed only to them.
Word about the faux yellow pages eventually got around and made it much harder to sell. We can only hope the same will be true of the domain name scam. Of course, the great irony here is that the internet has all but made the yellow pages irrelevant to modern businesses. At the same time, it has made possible a high-tech, international version of its most annoying racket
In these uncertain times, many companies are allowing employees to work from home more than ever before. Essential personnel onsite at the workplace are kept to a minimum and are offered remote support when issues occur. The scope of remote work is unprecedented and brings up a lot of questions for managers aiming to support their employees.
This series will discuss security testing and consulting options that Raxis offers to help companies work as securely as possible while employees work from home using home wireless services and systems or jump on the company VPN in unprecedented numbers.
Phishing
Raxis expects a rise in phishing attempts — emails, texts & phone calls — as attackers realize that employees are at home and not as easily able to verify that requests are legitimate.
Let’s start with your VPN itself. It’s likely at least a few of your team members are going to have problems logging on. Though they may be overwhelmed, your help desk workers are inclined to be helpful. Verification is a step that might easily be skipped in a rush to get an exec or senior manager online.
Finance is another point of vulnerability. Say that you receive an email from your boss saying to approve a new vendor payment. Normally your boss would never send that in an email . . . but these are not normal times, and you’re both working from home. You think of giving her a call, but she just told you she’s busy setting up her children’s new online school meeting. Do you approve the request? How are you sure that it’s legitimate?
What if it was a phone request from a customer who is working from home? He’s on his cell phone. Are you sure it’s really him? Should you verify before telling him customer financial information? Sure you should, but you’re out of your normal environment and he sounds really annoyed. What do you do?
And what about your teammates? Your employee texts you and asks for the password to an old system with a shared password. Do you text them back? Do you check the number first? Send it in email?
These are different questions than you ask when you’re in the office and can lean over the cube wall. It pays to make sure all your employees know the answers (or at least ask the questions) before they face them in the real world from home.
Where to start
Raxis has a number of phishing tests that fit these scenarios, and we are happy to work with you to customize a test that fits your needs. We provide a report and a debriefing call to help you educate your employees with real world examples. Whether they pass or fail, it’s an opportunity to safely assess their readiness and reinforce their training.
Take a look at our social engineering offerings. As always, Raxis is happy to advise you and work with you to customize a test that meets your needs. If you have concerns, we’d be happy to chat with you about options that work for you.
Our Chief Operating Officer, Bonnie Smyre, was interviewed on Fox 5 News in Atlanta in a story regarding a Facebook scam involving Tyler Perry. Essentially, the scammers behind the Facebook sites and accounts are “data mining to get your information”. If you clicked the Facebook scam link, it’s probably too late to reverse it, but try to avoid it next time – if something seems too good to be true, it almost always is.
Many of the external network and web application penetration tests that we perform list ‘clickjacking’ as a vulnerability. We find that many website developers, as well as many users, do not fully understand what clickjacking is. While clickjacking is not exploitable to gain system access on its own, this web configuration vulnerability can be used to gather valid credentials that can lead to system access when paired with a social engineering attack such as phishing. Clickjacking falls under the A6 – Security Misconfiguration item in OWASP’s 2017 Top 10 list.
A LOOK AT HOW IT WORKS
Clickjacking uses a genuine webpage, usually a login page, to trick users into entering private information such as credentials. To show how this works, we created a sample login page for a great little app called Not a Secure Site.
As the page does not implement clickjacking protections, an attacker can quickly and easily clone the page by placing it within an HTML iframe on their own website. By overlaying their own username, password, and sign in button elements on a layer above the iframe, the attacker can capture any credentials the user believes they are entering into the original login form. The example below shows how the attacker’s cloned page might look. Can you tell the difference between the real site and this malicious site?
Without inspecting the source code of the malicious page, the content of the page appears identical to the legitimate one. Now, let’s highlight the overlaid text fields and button fields in blue so we can see where the magic takes place:
Those fields are in a layer of HTML that is physically sitting on top of the iframe containing the Not a Secure Site’s log in page. When an unsuspecting user enters their credentials on this page, they are entering them in the attacker’s text fields and clicking the attacker’s button.Let’s add a border around the iframe on the attacker’s website:
Here we can clearly see where the attacker has embedded Not a Secure Site’s log in page into the malicious site.Using Burp Intercept, we can watch the HTTP Request. For this example, I just set the attacker’s form to POST to the Raxis website. In the intercepted request below, we can see that the user’s credentials entered into the form are being sent to the attacker’s site instead of to Not a Secure Site.
This is all very clever, but it doesn’t mean a thing if a user never enters credentials. This type of attack must be used as part of a larger attack, which is generally a phishing attack that encourages the target to click on a URL in an email.The HTML code on the malicious page can be remarkably simple. The attacker needs only to create and properly position text fields and a button on the page, and the iframe does the rest!
In more advanced clickjacking attacks, an attacker can log your credentials as you type them, capturing your username and password before you even submit the form.
WHAT WEB DEVELOPERS CAN DO TO PROTECT THEIR SITES
So, what makes this webpage vulnerable and what could the website’s developer do differently to fix it? It all comes down to preventing the page from being embedded in the iframe. Modern browsers look for the X-Frame-Options header to determine when an external site is permitted to be presented in an iframe. Looking at the HTTP response for Not a Secure Site’s log in page, we see that the site does not set the X-Frame-Options header, which defaults to allowing any site to be embedded in an iframe.
The X-Frame-Options header can be set dynamically in server-side code or configured on a global level through the web server or proxy configuration. The X-Frame-Options header allows three possible values:
DENY
SAMEORIGIN
ALLOW-FROM uri
If the website never needs to be embedded in an iframe, the developer should use the DENY value to block all iframes. Here’s what the attacker’s website looks like when Not a Secure Site has set the X-Frame-Options response header for the entire website to DENY. The header prevents the login page from rendering within the iframe.
The SAMEORIGIN value can be set if the webpage needs to be within an iframe on its own site. The ALLOW-FROM uri value is not recommended because it’s not supported by all browsers.While the X-Frame-Options header is the best defense against clickjacking attacks, the Content-Security-Policy directive can use the frame-ancestors property to restrict which domains are allowed to place the website in a frame, though frame-ancestors is not yet supported in all major browsers.OWASP has a great Clickjacking Defense Cheat Sheet explaining these options in detail, as well as explaining old methods that will not work well and are not advised. The OWASP Secure Headers Project is another great tool that you might want to check out.Raxis offers several penetration tests that alert customers to websites that are vulnerable to clickjacking. Check out our Web Application Penetration Testing service to get a start. If a full penetration test is not within your company’s needs or budget, take a look at our Baseline Security Assessment option, which also highlights clickjacking vulnerabilities.It’s important to note that some phishing attacks will copy webpage code, instead of embedding the page in an iframe, to achieve the same results. Depending on the webpage, this can be complicated and may require an advanced knowledge of HTML, JavaScript, and CSS. When an attacker is able to produce a convincing clone of a website without using an iframe, any form of clickjacking protection, including X-Frame-Options, cannot prevent this form of attack.
WHAT USERS CAN DO TO PROTECT THEMSELVES
Clickjacking recommendations are often focused on what web developers and website administrators can do to protect users, but what can you as a user?Keep in mind that the attacker has to trick you into using their website. Whether they do this through an email, a flyer, a poster on a wall, or casually mentioning it in a conversation, it’s always a good idea to verify that the link you are using is legitimate. If you’re at work, check with your IT department; if you’re a user of a consumer site, go to the genuine site and use the contact form or the phone number there to verify the link.Remember that links can be masked to look like something else. Hover over links in emails and webpages to see what URL they truly point to. Look at URLs carefully to see if they are legitimate. Attackers will often buy domain names that look a lot like the true website’s domain in the hopes that their targets will not look closely.See our recent phishing blog post to learn more about protecting yourself from phishing attacks.
We’ve all heard of phone scams such as Rachel at card services offering to help us out of a jam we didn’t even know we had. Scams such as this have become common in the workplace as well. These scams, called vishing or phone phishing, are a type of test we often perform for Raxis’ customers.You may be surprised to hear that often we achieve a high success rate with these phone phishing assessments. During one particular assessment, we called a large number of people throughout a company and told them we were contractors performing the annual credential check and asked the employees to please provide their email username and password. Often those credentials are used to login to their computers as well. Providing this information yielded more access than the targeted user was aware of. During this assessment, approximately one fourth of the people we called provided their credentials.
PREPARATION
This type of phishing is different from the email phishing attacks that most people are familiar with. First, a telephony-based phishing campaign requires additional preparation to sound convincing. We rehearse what we plan to say as well as how we will respond to questions, suspicion, and anger. We invent a story and background as part of a convincing pretext. It is said that the devil is in the details. A sense of legitimacy can be borrowed by peppering the conversations with specific information. Are we saying we work for the same company as the target? Then we’d better be able to say what office we work in. We’re calling from IT? Who’s our manager?Unlike email phishing campaigns, it is imperative to hook the target as soon as the call starts. Once the target hangs up, it’s unlikely they will call back or take another call from our number unless they trusted us (though I once had a person call me back to check who answered the phone). For this we prepare a persona.
We need a name, possibly an accent, a department, a purpose for calling, and just enough back story that we never say “umm”.
When we call our target, we’re unlikely to provide most of these details, but we need to be in character. Our target is likely to start off suspicious and will only get more suspicious if we say we work at the IT Help Desk and then act like we’re a high level manager telling them what to do. I’ve also had targets question me on what building I work in as well as my manager’s name. If I have a number of people to call, I often make small talk to gather more information to use in my next calls. Every bit helps in establishing rapport and building trust.Another part of preparation is technical. While it’s illegal to spoof (imitate) a phone number maliciously, in phishing campaigns it’s all part of the test. We use services like SpoofCard to display the phone number of the company that we claim to be calling from to make the call seem even more real.
A SIMPLE, MULTI-TARGET VISHING CAMPAIGN
Many companies hire us to call a large number of people in various departments to see if they reveal private information. The goal is to get something simple like their username and password for the email system or the direct phone number for an employee who doesn’t have that listed publically. We often seek to check the effectiveness of their security awareness training by evaluating employees’ responses to the attack. As an employee, knowing that a company tests employees in this way can be a great incentive to exercise vigilance when handling unknown calls.In campaigns like this, I like to make myself a low level contractor. This job is so lowly that they don’t even make the lowest level employees do it! My goal is to establish rapport and then elicit a sense of empathy. Maybe you feel sorry for me. Maybe you realize that I get paid by results, so I will keep calling until you give me what I ask for. Most importantly, I have an excuse for not knowing answers to all your questions or not having a phone number that looks familiar.So back to my sad, lowly contractor. I make the call. I’m friendly. If they don’t believe me, I sound like I am used to hearing this and hate my job. I don’t tell them I’m a contractor; my goal is to get their credentials, but if they push back or ask me questions like “what building do you work in?, I “admit” that I’m just a contractor. I look for any opportunity to ask the best way to get a job there. I ask if my target likes working there. Are the managers nice?This allows me to keep the target engaged without knowing all the answers and makes people feel important because they possess information that the caller doesn’t have. If they refuse to answer, I’m polite and tell them that is no problem at all… but someone will have to come to their office in person, and it will take longer. Sometimes that threat of someone physically coming to see them is enough to change their mind.These types of campaigns can be conducted under a myriad of personas. Some people mumble a lot so that it’s easier to act like you know answers you may not know. Think of calls you’ve received from spammers that you believe are legitimate at first. Sometimes it’s hard to say no.
SPEAR PHISHING CAMPAIGNS
Spear phishing campaigns, whether using email, phone, or a combination, are much more complex to set up but can be well worth the effort when all the pieces fall into place. In these campaigns, we focus on a small number of specific targets and spend a great deal of time researching them to tailor the campaign specifically for these individuals.We start with research, and it may surprise you what we can find from the comfort of our own home using the Internet. I’m not discussing the dark web here; I’m talking about search engines like Google and Bing, social media, such as LinkedIn, Facebook and Twitter, and even the websites of your own company and your customer companies.A few years ago I was hired by a small firm of about fifteen people who each worked with two or three customer companies. I won’t reveal the specific industry, but they worked mostly with financial information. I was tasked with using only phone calls and calling as few or many people as I wished as long as I extracted any type of critical, private information.My first step was to look at the company’s website where I found a list of key employees along with a small write-up about them. Many companies do this… it’s a great way to show prospective customers that your team has experience and would serve them well. Even Raxis has a page like this: Using Raxis as an example to illustrate the value of seemingly extraneous information, from this web page I gathered names, and I made short bullet lists of personal and professional information that might be useful in my calls.I also looked around the webpages and got an idea of the company itself. Sometimes information is revealed about products or companies that work closely with our target company. The Raxis webpage lists our partners, Rapid7 and GE Digital Cyber Security, giving an attacker an idea of who might be calling us, as well as lending a sense of importance to the calls that are believed to originate from them. Next I looked at LinkedIn and found many of the same people. LinkedIn is used by most people when they are looking for a job, and, because of this, many LinkedIn profiles have a great deal of information about people and what they do at work. School and work history give an idea of the target’s age as well as their interests. We look for any connection that we could exploit to build a bond.
You went to Carolina? I can’t believe it. I did too! What year did you graduate? Go Heels!
LinkedIn also can provide detailed information about our target’s job. Part of my LinkedIn job history is shown below. You’ll see that I once worked at a PBS station and a university. All of this type of information can be helpful as we enhance the target’s attack profile and determine under what pretext the attack will take place. In the case of the company I was researching, two people stood out. Each of them posted names of their customers on either the company website or LinkedIn. Next, I researched these customers. Immediately one customer stood out. Their website showed an org chart showing the structure of all of the top management.Since I’m female, I picked a woman on the list and decided to call my target using her name. I also found two other names that were higher in the org chart. With this information, I made my call.
Hi, this is Stephanie Smith. I hate calling you at the last minute like this. My phone died, and I’m running around trying to get all the financial statements together for our annual planning meeting. Rich and Jim decided at the last minute that they need statements for the full fiscal year, and I can’t find them anywhere. The meeting starts in thirty minutes. Is there any way you can fax them to me ASAP? You can? Great! Our fax machine is actually broken too. Would you use this number instead?
When you have time to sit and read this, it sounds ridiculous. There are red flags throughout. I never even said my company name, but I had enough information that I hooked my target into believing that I was trustworthy because she believed me when I gave my name, which happened to be a name that the target had been conditioned to view as a very important client that she wanted to please. She did not expect the call and made a split second decision to comply, rather than risk alienating a customer.She sent over 50 pages of financial statements to my fax machine.Of course, this was a security test. I deleted all of the data and provided my customer with a customized report that they used to train their staff. If I had been a malicious attacker, that one call could have broken the trust that company had with all of their clients.
GET THEM TO CALL YOU – THE REVERSE PHISH
In Part One I talked about email phishing. Why limit ourselves to emails or calls when attackers will use any means they have at hand?When customers allow us to combine emails and calls, one method that we’ve found value in is asking targets to call us. It may sounds silly, but think about it. Something you use daily on your computer to get your job done stops working. You call the help desk, but they are already swamped. You’re waiting unproductively and your work is piling up. We’ve all been there, and we all hate it.So along comes an email with a link in it. The wording in the email gives you a special number to call. This webpage is so important that there is a priority number for it. This type of hybrid vishing campaign makes it easy to target a large group of people. Once someone calls back, we know they, at least partially, buy our story, and we can hook them in even further. When people call us they are more likely to trust us. They have no proof of who we are, but most people feel more comfortable with the person on the other end of the line when that person is answering them on their own terms at their own time.
WHAT YOU CAN DO TO PROTECT YOURSELF
When someone calls us, it often takes us off guard, and we are deciding if we should trust them at the same time that they are talking and encouraging us to get this over with by giving them what they want. We are conditioned to comply, especially in the work environment. But it’s important to maintain a sense of vigilance when dealing with any electronic communication including phone calls.
Remember that you can hang up on people. Tell them no or just hang up the phone. If you don’t trust them, just hang up.
If you don’t want to be rude or worry that they may really be who they say they are, put them on hold. Think about what they’ve said. Ask a manager or call the IT help desk and ask. IT often can help you decide if a call is legitimate.
Calling from a different number? Even if the calling number looks right, an attacker may be spoofing it. Before giving any private information, tell them you’ll need to call them back at the number you already have on record.
After hanging up, call the number you already have and verify that they just called. If the call was false, they’ll appreciate you checking. Call the department they say they’re from and ask. It’s obvious you have their security in mind. Most people appreciate that.
Are they asking you to send to a different fax or email? Tell them you can send to known ones you already have.
Most importantly, report it. Make note of the number and any details they provide. They may call other people, so the sooner you alert your company the better. If your company does not provide a way to report possible phishing and vishing attacks, report them to your IT department.
Raxis provides social engineering tests, including phishing and vishing tests, that are tailored to your company. See our Social Engineering site at https://raxis.com/redteam/social-engineering for more information.
Social engineering testing such as this is a critical part of compliance testing for companies in the financial sector. Learn more here https://raxis.com/industry/financial.If you have questions or ideas for further blog posts, contact us at https://raxis.com/company/contact.
Gone are the days of Nigerian princes who left you their fortune. Today it’s much more difficult to separate the genuine emails from the malicious ones that are out to steal your information and your money. While many of us deal with the spam that ends up in our personal email inboxes, Raxis helps many companies avoid corporate and customer information leakage from phishing emails targeted at unsuspecting employees.
Identify
Knowing how to identify suspicious emails is the first step in protecting your information as well as that of your employer and customers. I’ve performed many phishing campaigns for our customers, and I’ve heard multiple stories of smart, conscientious employees falling for clever phishing campaigns. The fallout, including public relations pitfalls, can be large enough that IT budgets get redirected to secure the environment and regain customer trust.I always tell our customers that it doesn’t hurt anyone to take a little extra time to react to an email. When I run phishing campaigns for our customers, I like to send the email out at the start of the day or at the end of the lunch hour. At these times most of us don’t want to be bothered by a new email request. We have work to do, and we’re focusing on getting to it and accomplishing our goals for the day.I make sure the tasks in the phishing emails are quick, simple, and easy to finish:
“Just in time for the holidays, we’ve implemented web mail so that you can be home with your family and still answer emails! Your account will only activate if you log in at the following URL by the end of the day!”
Well, maybe your IT department wouldn’t be quite so excited, but you get the idea.Phishers know common systems that most businesses use, and it’s often easy to find sample login pages online. Several free and paid tools exist that help companies perform phishing tests… and that help phishers steal your data as well. For this article, I spent about ten minutes finding email addresses and creating an email and website to steal credentials from my fellow Raxis employees. Just ten minutes, then I sit back and see if anyone responds.Step one was to find email addresses. Sound difficult? You’d be surprised. Search engines such as Google or Bing are a huge help, and social media sites, such as LinkedIn, provide employee names even when they’re not your connections.Manually searching for email addresses was taking too long, so I logged into my Kali Linux box and fired up theHarvester. In less than a minute, I had the full list of Raxis email addresses pulled from various search engines. There are also free tools that allow attackers to discover the format of a company’s emails, such as “[email protected],” so that I can create my own mailing list if I know some employee names.Now that I have a list of email addresses, I need those folks to give me their login information. There are tons of great tools that make it easy for users to set up a phishing campaign in minutes, such as the open source Social-Engineer Toolkit. This time I use Rapid7’s Metasploit Pro phishing tool.I start with a simple email. In some cases, I research the company’s culture and target a campaign at specific employees, but most of the time I can good results by setting up a generic campaign that does not require me to know a lot about the company. In this case, I pick an Outlook Web App (OWA) site and hope that employees find it familiar enough to fall for my story without looking too closely. Using the phishing tool, I add a number of features that make the email look legitimate, such as using a fake raxis.com email address and including the recipient’s name. Think about it: if I found your email address, I likely know your name, but it still looks official to add it to the email.If the recipient clicks the link in the email, they are taken to a page that appears to be a legitimate OWA webpage. If they enter their login information and click submit, they move onto an error page that I built. It tells the recipient that there was an error, and all they need to do to resolve it is click on a handy link that can do the fix for them while they continue with their work. Unfortunately for anyone who clicks on the link, a malicious file meant to open a remote session to the user’s computer will be downloaded, effectively giving me background access to that machine and potentially the network where it is located.
React
This is scary stuff, but the real question is: “What can I do about it?”First, there are some clues in the email itself. When I hover over the link, I see that the URL starts with “http://” instead of “https://.” A real OWA webpage would almost certainly use an encrypted “https” connection. The site also doesn’t have the company name in the domain: it’s just an IP address. That’s a big red flag as well. However, many phishers know that vigilant employees will look for these issues, and configure the malicious website to use an encrypted connection, and register a domain name that might trick employees if they don’t look closely, such as “https://rax1s.com” or “https://raxls.com.” Make sure you look closely at the link!If you find an email strange or unexpected in any way, ask about it. Most companies are concerned with phishing and would much prefer that you ask IT if an email is real rather than clicking on the link. Some companies have phone numbers, email addresses or websites that allow you to report a suspicious email. If not, give your IT helpdesk a call or forward the email to them asking them to check. Have you ever received an email from IT notifying you that you may have received a phishing email and asking you to delete it? Someone likely reported it in time for IT to nip it in the bud, thwarting the attacker.What if you clicked on the link in the email and then became suspicious of the website? This is dangerous, as webpages are far more likely than emails to host malicious files that may not be caught by company controls. Immediately report the email and the fact that you clicked on the link to your IT department. They will likely be grateful that you told them quickly so that they can check for and mitigate any threat. Never enter credentials or other private information on a suspicious website until you get the official go ahead. In past customer phishing campaigns, I have listed my phone number on the website saying that they can call to confirm that the site is legitimate. Never trust the email or the webpage! Contact your IT department in ways that you know internally before trusting the site. If you call the phisher during a phishing campaign, they will definitely confirm that you should enter your credentials on the site!
Next Steps If You Fall for the PHISH
So what happens next if you entered your credentials, or even clicked on the malicious link on the error page?
Step 1: Report the Phish and Your Actions
First of all, I’ll repeat it again, contact your IT department. They may have a process, and they need to get started as soon as possible. The sooner you tell them, they more able they will be to contain the threat.
Step 2: Change Your Password
Next change your password. Change your password on every system, company or personal, that uses that password. Attackers love to try credentials in any place that they have access. They might login to your email account and delete the email that IT sends telling you what to do next, or they might email a customer to scam them from your account. Changing your password as quickly as possible helps contain the threat. Here’s another handy post written by one of my colleagues with tips about creating a strong password: https://raxis.com/the-weakest-link-in-the-password-hash/
Step 3: Reboot Your Computer
Finally, reboot your computer. If you clicked on the malicious link in the error page that I created, a reboot would break my remote session to your computer. This doesn’t always work, but it also doesn’t hurt. Let your IT department know exactly what saw and what you did. In a case like this, they will want to look at your computer and make sure they remove any threat. That may seem like a lot of work, but it also sounds a lot better than someone watching you through your computer’s webcam or using your computer to attack other machines on the network. Once they have access, the attacker likely no longer needs your password even for extended access. It’s always best to report the issue to be sure.
Ransomware is the hot topic today. Malicious actors infect your system with sinister code that hijacks your information. In its most pure form it encrypts your data and yanks it from within your very grasp. Leaving behind only a message – a ransom note. If you ever wish to see your precious data ever again, you will pay. If you don’t pay, your data will be deleted and you will find yourself in the unemployment line.It’s the kind of thing that keeps business owners and managers up at night.The question is – what do you do to guard against it? Once the ransom appears on your screen, you’re done. There are several steps you should be taking to safeguard against ransomware.
1. Prevention
The number one thing you should do to guard against ransomware is to seal up the cracks. Find a good penetration testing company and have your internal and external networks evaluated. The right penetration testing company is going to come in with no credentials and attempt to exploit every weakness your network has. Don’t confuse this with a vulnerability scan – a true penetration test (pen test) approaches your system just like a real hacker. A real person is working your network and looking for exploits.Include social engineering (email phishing, vishing and spear phishing specifically) to your assessment. Ransomware often infiltrates your system by malicious code unintentionally installed by an employee. Using a found USB stick, visiting a malicious website, giving up credentials to an official sounding phone call, clicking a link in an email, etc. etc…. All of these are inadvertent ways an employee may infect their system.The report and remediation recommendations you will get from a pen test are priceless for patching the holes in your security. Evaluate your pen test company carefully. Ask to see sample reports and determine the depth of analysis you will truly get. Do not be guided by price alone.Along with assessing the network for vulnerabilities you should also consider a robust endpoint protection solution with an awareness of ransomware and zero-day vulnerabilities.Patching as a component of a comprehensive vulnerability management program should also be considered as a foundational element in any ransomware mitigation strategy.
2. Anticipation
Remember the saying – “failing to plan is planning to fail”. Ransomware is becoming more and more prevalent. You need to know what data you have, where you have it, and when it was last backed up. A completely audited data system will be much easier to restore. This will also help you get a grip on what has been compromised.
3. Backup, Cloud backup and Services
Once the thief has your data, the jig is up. Your data is encrypted, and there is a ransom to get it back. You’re not going to hack the encryption. If you pay – you’ll usually get your data back (not to mention a target on your back). If you don’t pay – they delete the data and you’re likely out of business.Once the attack happens you have three choices – pay the ransom, go out of business or restore from a backup.You DO backup, right? Surprisingly many companies don’t, and the ones that do often don’t have good practices in place for consistency. It’s critical this backup be separate from your network. You have a few options with backups:1 – Consistent internal backups to off-site drives isolated from the network.2 – Cloud based backupsWhile many experts agree that ransomware has not yet made the leap to the cloud, the issue is getting the data back in time for a reasonable restore. Normal data transfers aren’t reasonable with typical large companies. There are services available that will overnight a hard drive to your door once you’ve been attacked.
4. Restoration Plan
You need a plan in place to restore the data once you get it. Regardless of how you choose to backup and restore – you need this plan. You will have to wipe the entire system and systematically restore it. You also need to keep in mind the data you are restoring has the same vulnerability that got you hacked in the first place. So a smart hacker is likely to get right back in – and the game of cat and mouse continues.You can’t afford to keep playing the game. Restore the system and immediately get it assessed and patched. By now you should see why step 1 is so crucial to avoiding ransomware. You are also likely seeing why step 2 is important.Ransomware is here to stay for a while. It’s the new age stagecoach heist. The hi-tech way of bank robbery. Your best defense is a strong offense, good preparation and a plan for business continuity if and when it happens to you.
