Saturday, August 26, 2017

Five steps to prepare for a ransomware attack

Like many information security firms, Rendition Infosec has worked many ransomware attacks over the last several years.  If you’re reading this post, you probably know about the obvious things you can do to prepare for a ransomware event.  We often talk about having good backups (and testing them).  We also know that most ransomware is distributed through phishing, so having good phishing defenses helps too.

When it comes to ransomware, an ounce of prevention is worth a pound of cure…

But let's assume that you've checked those two boxes (as well as anyone can).  Let's face it, sooner or later you are likely to have to deal with a ransomware threat in your environment.  So what else can you do to prepare for the inevitable ransomware compromise?  In this post, we'll detail a few things that can be done to quickly ensure security for your machines in the event of a ransomware attack.

The five preparation steps are:

  1. Enable Volume Shadow Copies and increase allocated space
  2. Remove users from the local administrators group
  3. Limit the number of shares that a user has write access to
  4. Use hidden file shares
  5. Only map file shares while in use
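
As an added example (not code from the Rendition post), here is a read-only PowerShell audit that checks where a Windows host stands on each of the five items. It assumes an elevated session on Windows 10 / Server 2016 or later, where the LocalAccounts and SmbShare modules are built in.

```powershell
# Added example: readiness audit for the five ransomware preparation steps.
# Assumes an elevated PowerShell session with the LocalAccounts and SmbShare modules.

Write-Host "== 1. Volume Shadow Copies: allocated shadow storage =="
# vssadmin reports used/allocated/maximum space per volume. To raise the cap, run e.g.:
#   vssadmin resize shadowstorage /for=C: /on=C: /maxsize=20%
vssadmin list shadowstorage

Write-Host "`n== 2. Local Administrators group members =="
# Every member listed here that is not the built-in account or Domain Admins is a
# candidate for Remove-LocalGroupMember -Group 'Administrators' -Member <name>.
Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.Name -notmatch '\\Administrator$' -and $_.Name -notmatch '\\Domain Admins$' } |
    Select-Object Name, ObjectClass, PrincipalSource

Write-Host "`n== 3./4. Shares with broad write access, and whether each is hidden =="
# Hidden shares end in '$' and are not shown by casual browsing (Get-SmbShare still lists them).
# BroadWrite flags Change/Full rights granted to large groups; those are the shares ransomware
# running as an ordinary user can encrypt.
Get-SmbShare | Where-Object { $_.Name -notin 'ADMIN$', 'C$', 'IPC$' } | ForEach-Object {
    $share = $_
    $broadWrite = Get-SmbShareAccess -Name $share.Name |
        Where-Object { $_.AccountName -match 'Everyone|Authenticated Users|Domain Users' -and
                       $_.AccessRight -in 'Change', 'Full' -and
                       $_.AccessControlType -eq 'Allow' }
    [pscustomobject]@{
        Share      = $share.Name
        Path       = $share.Path
        Hidden     = $share.Name.EndsWith('$')
        BroadWrite = ($broadWrite | ForEach-Object { "$($_.AccountName):$($_.AccessRight)" }) -join ', '
    }
} | Format-Table -AutoSize

Write-Host "`n== 5. Currently mapped drives on this host =="
# A persistent mapping is reachable to ransomware the whole time the user is logged on.
# Prefer connecting on demand ('net use X: \\server\data$') and dropping it afterwards
# ('net use X: /delete') rather than leaving these in place.
Get-SmbMapping | Select-Object LocalPath, RemotePath, Status
```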

In the rest of the post on the Rendition Infosec blog, we’ll discuss the rationale for each of these recommendations.

Wednesday, August 23, 2017

The need for cyber security in law firms

An interesting article came through our feed today mentioning the need for cyber security in law firms. As an information security company that works with law firms, we couldn't agree more. The article makes a number of points, but leaves a couple of critical things out, and we'd like to cover those here. It's worth noting that the advice here applies to practically any organization (not just law firms).

The article suggests the following five items for all law firms to increase their security:

  1. Use password managers
  2. Update computer software
  3. Use encryption software
  4. Use multi-factor authentication (MFA/2FA)

Risk landscape for law firms

At Rendition Infosec, we don't fundamentally argue with any of these. We do however think that this falls well short of information security best practices for most law firms. The reality is that lawyers deal with sensitive data every day and that makes them a target for attackers. Sensitive data might include mergers and acquisitions information from clients. This data, if compromised, can have major economic impacts to both the law firm and the client.

Attackers may also target law firms for more than just the data they have. Many users, even those at the most secure organizations, expect email communication from external counsel. Attackers may target law firms as a way to get into other networks more easily. Law firms should think of this as extending their cyber risk to their clients.

Read the rest of the story at the Rendition Infosec blog.

Sunday, August 13, 2017

The need for dump analysis in Cyber Threat Intelligence (CTI)

Over the last year, there have been numerous dumps of stolen classified data posted on the Internet for all to see.  The damage from these dumps has obviously been huge to the US intelligence community.  In this post, we won’t discuss the actual damage of the dumps to the intelligence community (many others have already pontificated on that).  Instead, this post will focus on the need for CTI analysts to perform analysis of the dumps.

For the first time, CTI analysts have a view of what appears to be a relatively complete nation state toolset in the Shadow Brokers dumps and insight into tool development and computer network exploitation (CNE) tool requirements in the Vault 7 dumps.  These are game changers for CTI analysts. We define threat as the intersection between intent, opportunity, and capability.  These tools and documents highlight the capabilities of an APT adversary. Whether you believe the US intelligence services have the intent to attack your network, it is likely (almost certain) that other nation state attackers have developed similar capabilities.  Analyzing the data you have available (Shadow Brokers and Vault 7) can help shed light on what you don’t have available (every other nation state attacker’s toolset in a single dump).

Note: We understand that this is a sensitive topic. When classified data is released, it is still considered classified until declassified by a classification authority.  There is no evidence that any classification authorities have declassified the data in the Shadow Brokers or Vault 7 dumps.  It is likely that they remain classified to this day.  The advice in this article may put those with security clearances at odds with the advice of their security officers.  Please proceed with care.

Read the full post on the Rendition Infosec blog.

Saturday, August 5, 2017

Software plugins/extensions should be part of your threat model

Over the last few months we’ve seen multiple cases of warnings about plugins and extensions for various software packages threatening the security of users.  We’ve recently seen the Copyfish and Web Developer Chrome plugins compromised and used to push malware to users.

While Chrome is likely safe and should probably not be considered a threat, perhaps your plugins should be.  Plugins are developed by potentially malicious third parties. Even if your plugin developers are not themselves malicious, they have security concerns just like everyone else.  And make no mistake about it: when understanding software supply chain issues, their security is your security.

Read the full story here.

Wednesday, August 2, 2017

An important consideration for “bug bounty” programs

The US DoJ recently released guidance on running vulnerability disclosure programs (aka bug bounties).  The document is nothing earth shattering, but does provide some free advice to organizations considering such programs.

Rendition’s advice to organizations considering a bug bounty program? Think VERY carefully about how it will impact your monitoring and detection strategies. People looking for bugs will create noise in your network – a lot of it.  And the noise will look like attacks, because technically they ARE attacks. How will you separate this non-malicious attack traffic from real attack traffic you should be concerned about?

Read the full post here.