It’s not a matter of ‘if’ your organization will experience a cyber-attack, but ‘when’. That’s BSI’s approach to cyber security and information resilience, through either our advisory services or certification and training. We help thousands of organizations around the world embed excellence with a focus on Organizational Resilience. One of the best ways for organizations to manage and protect their information assets is to implement ISO/IEC 27001, the internationally recognized information security management standard. Cyber-attacks are commonplace at this point; the blog post below discusses one of the most recent; an attack on twenty-two local governments in the state of Texas. Unfortunately, this is just the latest in a string of attacks on government entities, which includes the attack on the City of Baltimore earlier this year. Below, Stephen Haywood and Tim Jensen, discuss what companies should be aware of, what they need to think about, and what they can do to prepare for data breaches.
Much has been written about ransomware over the last few years. In the beginning, ransomware was aimed at individual users who failed to patch their machines. Attackers became emboldened by their success and looked for more lucrative corporate targets. But, as the abilities of the attackers evolved, so too did their corporate targets’ ability to fight back. As a result, the attackers moved to seemingly softer government targets, typically at the local level. Up until now, attackers have targeted a single government entity at a time, but that has changed within the past couple of weeks when “a single threat actor” attacked twenty-two local governments in Texas with ransomware.
Unfortunately, it seems that many local governments do not have the resources to maintain a robust internal IT department and therefore choose to trust and contract with third-party Managed Service Providers (MSPs) to help manage and secure their networks. Although MSPs are an essential partner for any organization, there can still be vulnerabilities. For instance, it appears that for the city of Keene, Texas, one of the local governments effected by the recent mass-attack, one of their MSPs may have been compromised and used to pivot into the city’s systems. Having worked for and with MSPs previously, and having carried out penetration tests against them, I would not be surprised if the attack originated with the MSP as they would have full administrative access to the systems they manage. In addition, in my experience, sometimes weak admin passwords can be used and then shared among all their technicians. In many cases, an attacker who can compromise a single technician could easily gain access to all the MSP’s clients. Soon, large governments may find themselves in a similar situation as the smaller local entities, like those in Texas. With many state governments consolidating their various IT departments into a single entity, if an attacker is able to compromise an employee in the centralized department then the potential exists to access the network for every other state department.
This latest ransomware attack may leave many organizations asking a number of questions. I reached out to my colleague Tim Jensen, who is a Senior Penetration Tester at BSI, to share his thoughts on how organizations can best prepare for these types of situations.
Q: Why do you think ransomware is becoming more prevalent?
Malware has always been prevalent, and the common quote in the industry is “you’re compromised, you just don’t know it.” Unfortunately, a lot of malware is not caught by antivirus software until it becomes so common that its useless to attackers. As such, most organizations have sleeping or dead malware on their networks and don’t know it until a signature gets made for antivirus, which may never happen if the attack was against only a few organizations. Ransomware changes the game by encrypting files and causing a denial of service to the system very rapidly and, in many cases, infecting other systems internally while doing so. This worm-based and destructive method is intended to gain the attention of the organization and to take it to its knees, so they have no option but to pay a large ransom to regain access to their data. This is the exact opposite of the “low and slow” method most attackers use to try to extract data while going unnoticed.
Q: What do you think is different about this recent attack in Texas from previous ransomware attacks?
From what I’ve read, and my knowledge of similar previous attacks, the difference is that up until now, we’ve been seeing attackers using ransomware in more of a ‘convenience store robbery’ style; meaning they were refining their tools and techniques a single entity at a time. Using that method, as their techniques are refined, and when new exploits are identified that can infect an organization quickly without user intervention, then the attackers can be more impactful by targeting centralized IT groups and causing massive downtime. This could of course result in bounties being demanded from both the MSP and each individual managed organization.
In March 2017, a Windows file share vulnerability named MS17-010, or EternalBlue, was released that easily allows an attacker to gain administrator privileges on a Windows machine, which has been used in Cryptolocker campaigns to great effect. In May of 2019, a similar vulnerability was released for Windows Remote Desktop (RDP) named BlueKeep, and while public exploits aren’t refined yet, multiple people have public Proof of Concept code released on the Internet that could be used by attackers to create new ransomware campaigns.
Q: In responding to the recent attack, the Mayor of Keene said, "They got into our software provider, the guys who run our IT systems." What are your thoughts on his comment?
I see the point the mayor is making; however the reality is that the person who is ultimately responsible for a system and the data which resides on it, is the owner of that data. This used to be a more straightforward concept, but with the rise of MSPs, Cloud Providers, and centralized IT across state government entities I tend to see more finger pointing and not enough planning and preparedness. That planning is the key. Whether you are managing your own IT, or outsourcing it, you still need an impartial Security Architect and security operations team on your side to ensure that networks and systems are setup securely and maintained properly, and to ensure decommissioned data is destroyed securely. This is especially true with regards to how third parties connect to your systems, which is often forgotten. In addition, it is also critical to have properly trained staff. This is where ISO/IEC 27001, the information security management standard, can be a valuable roadmap and tool for organizations. This standard helps organizations prepare for attacks by helping to identify risks and develop procedures to quickly address breaches for continual improvement.
As attackers have begun targeting small governments with more frequency, I’m concerned about states which have centralized all of their IT into a single department. Although this can be great in terms of cost savings, tremendous care must be taken to segregate privileges, networks, and data so that an administrator who is compromised doesn’t cause all of the networks within the state to fall. This could potentially be catastrophic from both ransomware and state or terrorist sponsored attacks looking to cripple the entire country.
Q: What will it take to stop ransomware?
The best way to stop ransomware is to stop paying the ransoms. If unethical people see massive paydays for conducting these fairly low-tech attacks, then more and more of them are going to occur. If organizations continue paying ransoms, they could conceivably end up in a situation where they are paying $100,000 a few times a week to unlock their systems. Remember, even smaller sums of money, in the $30,000 range, which may not seem like a lot of money for a government entity to pay out in order to resolve the issue quickly, is like winning a major lottery in some developing parts of the world and can lead to copycats trying to get the same payday. As an example; this past May, the City of Baltimore was crippled by a ransomware attack – the city did not pay the ransom, which was reported to be $80,000 – refusing to “reward criminal behavior.” The costs of the attack are estimated to be around $18 million including remediation, new hardware, and lost or deferred revenue; at that figure $80,000 seems like a bargain, but the precedent would have been much more damaging and costly in the long run.
If you are looking to prevent ransomware as well as ensure recovery from malware, the following recommendations will start you on the right track:
- Ensure you have a robust Business Continuity (such as ISO 22301) and Disaster Recovery Plan. This includes ongoing backups of critical data and systems, and regular testing of backup and recovery processes and procedures. Backups which can be rolled back to specific points in time are the most important recovery measure for ransomware.
- Ensure your systems are being patched and maintained securely. Included in this is ensuring you have a functional and effective vulnerability management program.
- Building a strong organizational resilience model based on a trusted information security management system standard, such as the aforementioned ISO/IEC 27001, and reviewing the measured growth year over year to ensure the standard is functioning to increase security and to ensure continual improvement.
- Hire or contract with a trusted Security Architect to ensure networks are designed securely to protect from insider attacks, external attacks, and other scenarios such as natural disasters. Make sure your architect is up to date on real world attack strategies, as attacker methods change rapidly; do your research and ask for references.
Q: If I am using an MSP, what can I do to ensure they are not the weak link in my information resilience plan?
As a Penetration Tester I’ve seen a number of networks utilizing MSPs, where the provider has a site-to-site VPN bridging both networks. With this kind of set-up, if anyone at the MSP is compromised, the attacker can then attack all of the MSP’s clients in one attack. This could be what we’re seeing with the attacks in Texas, and I know it has happened in malware outbreaks in the past, but other malware attacks aren’t as visible or talked about since systems continue to operate.
A better access control solution would be to require the MSP to VPN into your network and set a max VPN duration of 12 hours. Once connected, the vendor must Remote Desktop to a management virtual machine (VM) which can administer the network. As an added measure of security, the VPN and the Remote Desktop session should both have two-factor authentication enabled, where the two-factor authentication is on a phone or a device not connected to the MSP’s network so it can’t be easily compromised at the same time. This is just one example of a control that a Security Architect would implement in this situation, but certainly not the only thing that would need to be done.
Something else you may want to ensure is that the MSP maintains the same level of security that you both want and need, such as PCI, ISO/IEC 27001, FISMA, etc. Requiring the MSP to send yearly or bi-yearly penetration testing reports is another good way of ensuring security. Note, conducting your own independent penetration testing and including the MSP’s connected systems is common practice for secure organizations, and as such most MSPs will allow and encourage this. However, there is a lot of variance in skill between penetration testing companies; it’s important that you feel comfortable and trust the company your MSP is hiring; again, ask for references and do your research, and most importantly if you are not comfortable, then seek a company you do trust to provide an impartial opinion.
Q: A lot of organizations are moving to centralized IT for cost efficiency. Is there a hidden cost for security which we are now seeing?
Something to consider when going to an MSP is that many don’t have any sort of information security management program. As such, they should apply security updates to the OS and maintain the hardware as part of their service, however there is no guarantee unless it is explicitly required within the contract. In addition, vulnerability scans, penetration tests, and asset management are often not included, or are just logs going to a central server with minor alerts setup. Custom software such as non-OS managed webservers and applications are also often not updated leading to the degradation of the overall security of the organization as time passes. Even riskier is that many MSPs don’t have a dedicated defensive security team looking for potential system compromises and tasked with conducting incident response. Sometimes, systems are only flagged for system cleaning when antivirus triggers, which, as we discussed earlier, is often way too late. Additionally, if you are worried about your system data – antivirus software saying the malware is cleaned, is rarely accurate, since before the antivirus cleans the malware additional packages are often loaded onto the system. Without the defensive teams looking for and repelling compromises, your organization is going to be very vulnerable if you become the target of a motivated attacker.
Q: What do you recommend organizations do to increase their Organizational Resilience?
My short list for increasing your organizational resilience and preventing attacks is twofold:
- One key question to ask is, does the system or user have to be connected to the network at all? And if so, how can you segment users and systems to prevent chained catastrophic attacks? For example, the front desk person likely does not need network access to the entire internal network. Best practice is to divide your networks in to as many segments as makes sense, and only open holes between the segments when absolutely necessary. In today’s age, internal networks are almost as hostile as the Internet. Note that I speak in terms of preventing attacks, but I don’t feel you can fully mitigate attacks; however you can raise your difficulty level in terms of how vulnerable your organization is in order to notice and respond to the attack before major damage can be done.
- Another important question to consider and evaluate is, how are you approaching your regulatory or organizational compliance? Many organizations are required to follow some sort of security compliance program and we often see PCI being used. However, one of our major concerns with regulatory compliance is that many organizations may treat it like a high school homework assignment and aim for the equivalency of a barely passing grade. PCI is a minimum-security standard that was never intended to be an all-encompassing security framework. It was designed to raise the security bar and reduce risks to the payment card industry, not to be an end all hack proofing standard. If you aim for a secure organization, regulatory compliance should be trivial, with only needing minor changes, if any, from what you are already doing.
If you are really worried about your organization, I suggest you choose a compliance program that is flexible and allows your organization to see measurable security growth year over year. As mentioned, ISO/IEC 27001 is excellent for this because it is an overall information security management standard that will help improve the information resilience of an organization. The standard is not technical, but rather gives categories for you to implement in the organization and tailor fit a security program to your unique business. It’s a great way for organizations to raise their security; remember, you are not checking boxes on a chart, but rather you are aiming for overall improvements. If you keep this in mind while implementing and upgrading your security program you will be in a much better place against cyber and non-cyber-attacks.
About the cybersecurity and information resilience business
BSI’s cybersecurity and information resilience business helps organizations manage and secure their corporate information by providing expertise to clients on the identification, protection, compliance and management of their information assets through a combination of consultancy, technology, research and training. With a mission to help clients achieve Information Resilience, - an environment where infrastructure is protected and secure, regulatory and compliance obligations are met, people are safe and reputation and trust is maintained – BSI’s experience and expertise of its highly qualified consultants traverses the entire Information Governance landscape. BSI’s credentials are enhanced by adherence to internationally recognized accreditations and certifications (OSCP, CISSP, Payment Card Industry Data Security Standard Qualified Security Assessor), and as is the originator of the ISO/IEC 27000 series of Information Security Standards and the global leader in providing training and certification to ISO/IEC 27001, the established best practice in Information Security Management Systems (ISMS).
To learn more, please visit: www.bsigroup.com
Authors: Stephen Haywood, Director of Penetration Testing, BSI; and Tim Jensen, Senior Penetration Tester, BSI