April 18, 2016 at 11:16 pm
Comments posted to this topic are about the item Crack that Encrypted Data
April 19, 2016 at 12:51 am
I know from the various contracts that I have signed that if I mentioned anything like "we were hacked" or "we had ransomware" I would get fired for bringing the company into disrepute. I work in the UK, which doesn't have the obligation of disclosure that US Federal law requires.
And without a name I would be very mistrustful of any recommendations on how to remove a threat, because I wouldn't know enough about their skills or bias. Without trying to get these two on their respective soap boxes, who would you trust about securing xp_cmdshell, Jeff or Orlando? I only chose these two because they have good reputations and their bias about xp_cmdshell is known.
April 19, 2016 at 1:07 am
This is a wicked problem and is just like the ransom dilemma with human hostages (just a lot less important, generally speaking). If you pay up it just encourages more ransomware, but who can afford to lose that data?
Gaz
-- Stop your grinnin' and drop your linen...they're everywhere!!!
April 19, 2016 at 2:52 am
These attacks are just theft, and the people doing them should be hunted down. But that does not solve the issue of protection and prevention.
This sounds dire, but assume you will be compromised. A zero-day exploit IS real.
A start at a checklist of actions (in no way exhaustive).
Critical actions that have provided protection:
Disable the default LAN > WAN "Anything" rule in your firewall.
File permissions: ensure users only have access to what they need. Get departments to identify the data and structure, then lock down the folders and files.
Delegate "Gatekeepers": people who will be responsible for the implementation of file permissions.
Utilise tools such as FSRM, built into the OS: create an event that will notify admins and key personnel of activity such as the creation of the "Decrypt.txt" file. If this is created you need to be alerted as to who did it and from what system.
Consider the creation of batch scripts that will disable the incoming connection (or even the file share if required).
Educate users and keep them informed of threats and the behaviour an infected system may exhibit.
Do not presume anti-virus (AV) will catch the compromise.
Update AV on a daily basis. Ensure you understand the product. A product you do not understand but which has a 99.9% success rate in reviews may be less effective than a product you truly understand.
Check AV exclusions.
Check that heuristics and actions on encryption by your AV suite are correctly configured. It may be that a separate configuration area exists for ransomware-type actions.
Update Windows critical patches on a regular basis. Do not accept a system onto the network until it is patched and has AV.
Do not allow 3rd parties to attach systems to your network.
BACKUP
This is the failsafe. It is the ONLY option you have if compromised.
Do not rely on Network Attached Storage.
If using Network Attached Storage, use a folder with restrictive account permissions.
Back up the NAS to tape or removable media.
Tape or RDX-style devices allow removal of the media from the network.
Create point-in-time backups on a monthly and yearly basis.
19 tapes appears to be the minimum for a year: 12 monthly, 4 daily (assuming no weekend) and 3 weekly.
Retention policy ensures that tapes are not overwritten, so media sets and labelling are critical.
Read security updates and try to keep in touch with what is going on.
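The FSRM and "disable the incoming connection" steps in the checklist above, written out as a working example. This is added here and is not code from the original post: it creates a passive FSRM file screen that watches a share for ransom-note file names (the post's "Decrypt.txt"), writes an Application-log event naming who created it, and runs a response script that records the client machine from the SMB session, denies that account on the share and closes its sessions. Everything named is an assumption for illustration: the share 'Finance' at D:\Shares\Finance, the script folder C:\FSRM, the note patterns, and the log path.

```powershell
# Added example, not code from the original post. Requires the FSRM role
# (FileServerResourceManager module) and the SmbShare module on the file server.
# Assumptions (all hypothetical): share 'Finance' at D:\Shares\Finance, scripts in C:\FSRM.

Import-Module FileServerResourceManager

$ShareName = 'Finance'               # hypothetical share name
$SharePath = 'D:\Shares\Finance'     # hypothetical share path
$ScriptDir = 'C:\FSRM'
New-Item -ItemType Directory -Path $ScriptDir -Force | Out-Null

# Response script that FSRM runs as LocalSystem. FSRM passes the writer as
# [Source Io Owner] (DOMAIN\user); "from what system" comes from the SMB session.
# Single-quoted here-string so the $variables are written literally into the file.
@'
param(
    [Parameter(Mandatory)][string]$Owner,
    [Parameter(Mandatory)][string]$ShareName,
    [Parameter(Mandatory)][string]$FilePath
)
$log = 'C:\FSRM\ransomware-response.log'   # hypothetical log path
$sessions = Get-SmbSession | Where-Object { $_.ClientUserName -eq $Owner }
foreach ($s in $sessions) {
    "$(Get-Date -Format o) $Owner wrote $FilePath from $($s.ClientComputerName)" |
        Add-Content -Path $log
}
# Deny the account on the share (adds a Deny ACE to the share ACL) and drop its
# open sessions so encryption in flight over SMB stops.
Block-SmbShareAccess -Name $ShareName -AccountName $Owner -Force
$sessions | Close-SmbSession -Force
"$(Get-Date -Format o) blocked $Owner on share $ShareName" | Add-Content -Path $log
'@ | Set-Content -Path "$ScriptDir\Block-Offender.ps1" -Encoding ASCII

# 1. File group: the ransom-note names to watch for. Extend as new families appear.
New-FsrmFileGroup -Name 'Ransom notes' `
    -IncludePattern @('Decrypt.txt', '*DECRYPT*.txt', '*DECRYPT*.html') | Out-Null

# 2. Actions: an Application-log event for whoever watches the logs, plus the script.
$eventAction = New-FsrmAction -Type Event -EventType Warning `
    -Body 'Ransom note [Source File Path] created by [Source Io Owner] on [Server]'
$scriptAction = New-FsrmAction -Type Command `
    -Command "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" `
    -CommandParameters ('-NonInteractive -ExecutionPolicy Bypass -File "{0}\Block-Offender.ps1" -Owner "[Source Io Owner]" -ShareName "{1}" -FilePath "[Source File Path]"' -f $ScriptDir, $ShareName) `
    -SecurityLevel LocalSystem

# 3. Passive screen (-Active:$false): the write is allowed but the notifications
#    still fire. Use an active screen if you also want the note itself blocked.
New-FsrmFileScreen -Path $SharePath -IncludeGroup 'Ransom notes' -Active:$false `
    -Notification @($eventAction, $scriptAction) | Out-Null
```

Test it by creating Decrypt.txt on the share from an ordinary test account before trusting it. Two caveats a practitioner should keep in mind: the note usually lands after the files in that folder have already been encrypted, so this limits the spread across the share rather than preventing the first loss; and the deny is only on one share, so follow it with disabling the account in AD and isolating the client machine the log line names.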
April 19, 2016 at 3:00 am
I suppose one problem is if the ransomware sits dormant for a couple of weeks and then activates. A restore from a 2-week (or 5-week) old backup would be lethal to a lot of companies.
April 19, 2016 at 3:15 am
No data is potentially worse?
And the users' limitations may have reduced the damage. What you describe is a very real issue though.
How do we "check the validity" of data? Our designs may not be reviewed for ages after completion of a project.
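The 19-tape rotation in the checklist (4 daily Mon to Thu, 3 weekly Fridays, 12 monthly on the last Friday of each month) and the question just raised about how old a usable restore point is after dormant ransomware activates, modelled as an added example. This is my own code, not from either post: it labels the tape used on a given date and lists every restore point that still exists on a given day, i.e. the backups no later run has overwritten. The label names and the rule that December's monthly doubles as the yearly tape are my assumptions; adapt them to your own media-set labelling.

```powershell
# Added example, not code from the original posts. Assumes backups run Mon-Fri,
# Fridays rotate three weekly tapes except the last Friday of the month, which
# writes that month's tape (kept for a year, so December's is the yearly point).

function Get-TapeLabel {
    # Returns the tape label used for the backup taken on $Date, or $null when
    # no backup runs (weekends).
    param([Parameter(Mandatory)][datetime]$Date)
    switch ($Date.DayOfWeek.ToString()) {
        'Saturday' { return $null }
        'Sunday'   { return $null }
        'Friday'   {
            # Last Friday of the month: the following Friday falls in another month.
            if ($Date.AddDays(7).Month -ne $Date.Month) {
                return ('Monthly-{0:MMM}' -f $Date)
            }
            # Other Fridays cycle through the three weekly tapes.
            $n = [int]([math]::Floor(($Date.Day - 1) / 7) % 3) + 1
            return "Weekly-$n"
        }
        default    { return ('Daily-{0:ddd}' -f $Date) }
    }
}

function Get-RestorePoint {
    # Walks back from $AsOf. A tape still holds the backup from date D unless a
    # later run (up to $AsOf) reused the same label and overwrote it, so the
    # first date seen for each label is the surviving restore point.
    param(
        [Parameter(Mandatory)][datetime]$AsOf,
        [int]$DaysBack = 400
    )
    $seen  = @{}
    $start = $AsOf.Date
    for ($d = $start; $d -ge $start.AddDays(-$DaysBack); $d = $d.AddDays(-1)) {
        $label = Get-TapeLabel -Date $d
        if ($label -and -not $seen.ContainsKey($label)) {
            $seen[$label] = $true
            [pscustomobject]@{
                Label   = $label
                Date    = $d.ToString('yyyy-MM-dd ddd')
                AgeDays = ($start - $d).Days
            }
        }
    }
}

# Example: what can be restored on Tuesday 19 April 2016? Daily-Tue/Mon,
# Weekly-3 (15 Apr), Daily-Thu/Wed, Weekly-2 (8 Apr), Weekly-1 (1 Apr), then
# only the monthlies: Monthly-Mar (25 Mar), Monthly-Feb (26 Feb) ... back to
# Monthly-Apr (24 Apr 2015), which the 29 April 2016 run will overwrite.
Get-RestorePoint -AsOf (Get-Date '2016-04-19') | Format-Table -AutoSize
```

The listing has exactly 19 rows, matching the tape count in the checklist, and makes the dormant-malware point concrete: anything older than three weeks exists only at monthly granularity, and once a monthly tape is overwritten with encrypted data that month is gone. Whatever scheme you use, run the same walk-back before deciding a retention policy is enough.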
April 19, 2016 at 3:30 am
Join an organization like https://www.infragard.org/; this is a partnership with the FBI. It has chapters in most cities. Supposedly my Houston chapter is better than most, but it provides you access to secret-clearance data about malware and breaches that are not released to the public, including mitigation and heuristic details about bad actor actions/IP addresses etc.
April 19, 2016 at 3:40 am
bthomson (4/19/2016)
Join an organization like https://www.infragard.org/; this is a partnership with the FBI. It has chapters in most cities. Supposedly my Houston chapter is better than most, but it provides you access to secret-clearance data about malware and breaches that are not released to the public, including mitigation and heuristic details about bad actor actions/IP addresses etc.
Anyone heard of a UK equivalent?
Gaz
-- Stop your grinnin' and drop your linen...they're everywhere!!!
April 19, 2016 at 4:54 am
Gary Varga (4/19/2016)
bthomson (4/19/2016)
Join an organization like https://www.infragard.org/; this is a partnership with the FBI. It has chapters in most cities. Supposedly my Houston chapter is better than most, but it provides you access to secret-clearance data about malware and breaches that are not released to the public, including mitigation and heuristic details about bad actor actions/IP addresses etc.
Anyone heard of a UK equivalent?
Sorry but you aren't cleared to know.... 😀
April 19, 2016 at 5:03 am
Yet Another DBA (4/19/2016)
Gary Varga (4/19/2016)
bthomson (4/19/2016)
Join an organization like https://www.infragard.org/; this is a partnership with the FBI. It has chapters in most cities. Supposedly my Houston chapter is better than most, but it provides you access to secret-clearance data about malware and breaches that are not released to the public, including mitigation and heuristic details about bad actor actions/IP addresses etc.
Anyone heard of a UK equivalent?
Sorry but you aren't cleared to know.... 😀
:w00t:
Gaz
-- Stop your grinnin' and drop your linen...they're everywhere!!!
April 19, 2016 at 5:15 am
I think the point of the article is right on. The more people know how to combat the problem, the less power the attackers will have. Granted, people will still ignore it and go with whatever they want anyway (SQL injection is still successful) but at least sharing techniques will give the individuals who want to do something to combat the problem something to work with.
I think the right way is to prevent it from happening in the first place. If the underlying OS didn't allow such things, it wouldn't be a problem. I know that's a gross over-simplification, but it's another layer. The attackers would then have to find another way and the cycle would start all over again. In the end, there's a cycle of attack and defense with both sides trying to stay one step ahead of the other.
April 19, 2016 at 5:19 am
Yet Another DBA (4/19/2016)
I know from the various contracts that I have signed that if I mentioned anything like "we were hacked" or "we had ransomware" I would get fired for bringing the company into disrepute. I work in the UK, which doesn't have the obligation of disclosure that US Federal law requires.
And without a name I would be very mistrustful of any recommendations on how to remove a threat, because I wouldn't know enough about their skills or bias. Without trying to get these two on their respective soap boxes, who would you trust about securing xp_cmdshell, Jeff or Orlando? I only chose these two because they have good reputations and their bias about xp_cmdshell is known.
Like anything, I would assess both approaches, test everything that each one of them said, consider what hasn't been said and then make my own decision. It would be based in fact, not emotion.
BTW, that's exactly what I did. If you don't know the topic, you can't make an educated decision. Personally, I think that's the best way to deal with anything.
April 19, 2016 at 5:28 am
Ed Wagner (4/19/2016)
Yet Another DBA (4/19/2016)
I know from the various contracts that I have signed that if I mentioned anything like "we were hacked" or "we had ransomware" I would get fired for bringing the company into disrepute. I work in the UK, which doesn't have the obligation of disclosure that US Federal law requires.
And without a name I would be very mistrustful of any recommendations on how to remove a threat, because I wouldn't know enough about their skills or bias. Without trying to get these two on their respective soap boxes, who would you trust about securing xp_cmdshell, Jeff or Orlando? I only chose these two because they have good reputations and their bias about xp_cmdshell is known.
Like anything, I would assess both approaches, test everything that each one of them said, consider what hasn't been said and then make my own decision. It would be based in fact, not emotion.
BTW, that's exactly what I did. If you don't know the topic, you can't make an educated decision. Personally, I think that's the best way to deal with anything.
Agree, but... What may appear on the surface to be correct can hide a costly mistake. Getting rid of ransomware may not be a job for a DBA; it may be more suited to those of a CISSP mindset who may find the vector of infection. Or else it might be "yep, removed the ransomware" followed by "what backdoor trojan/rootkit???"
April 19, 2016 at 6:50 am
This is scary stuff. And it can be just as devastating as taking real human hostages. This was a hospital with real people whose health, maybe lives, were in jeopardy. Yes, sharing can help foil this. I know they build a better lock, but we should pick it. They've been doing that to us forever. Now we should do it to them.
April 19, 2016 at 6:51 am
Degradable (4/19/2016)
These attacks are just theft, and the people doing them should be hunted down. But that does not solve the issue of protection and prevention.
This sounds dire, but assume you will be compromised. A zero-day exploit IS real.
A start at a checklist of actions (in no way exhaustive).
Critical actions that have provided protection:
Disable the default LAN > WAN "Anything" rule in your firewall.
File permissions: ensure users only have access to what they need. Get departments to identify the data and structure, then lock down the folders and files.
Delegate "Gatekeepers": people who will be responsible for the implementation of file permissions.
Utilise tools such as FSRM, built into the OS: create an event that will notify admins and key personnel of activity such as the creation of the "Decrypt.txt" file. If this is created you need to be alerted as to who did it and from what system.
Consider the creation of batch scripts that will disable the incoming connection (or even the file share if required).
Educate users and keep them informed of threats and the behaviour an infected system may exhibit.
Do not presume anti-virus (AV) will catch the compromise.
Update AV on a daily basis. Ensure you understand the product. A product you do not understand but which has a 99.9% success rate in reviews may be less effective than a product you truly understand.
Check AV exclusions.
Check that heuristics and actions on encryption by your AV suite are correctly configured. It may be that a separate configuration area exists for ransomware-type actions.
Update Windows critical patches on a regular basis. Do not accept a system onto the network until it is patched and has AV.
Do not allow 3rd parties to attach systems to your network.
BACKUP
This is the failsafe. It is the ONLY option you have if compromised.
Do not rely on Network Attached Storage.
If using Network Attached Storage, use a folder with restrictive account permissions.
Back up the NAS to tape or removable media.
Tape or RDX-style devices allow removal of the media from the network.
Create point-in-time backups on a monthly and yearly basis.
19 tapes appears to be the minimum for a year: 12 monthly, 4 daily (assuming no weekend) and 3 weekly.
Retention policy ensures that tapes are not overwritten, so media sets and labelling are critical.
Read security updates and try to keep in touch with what is going on.
Great list, thanks.
Viewing 15 posts - 1 through 15 (of 47 total)