ransomware, malware and viruses; how to protect yourself

Ransomware, Malware and Viruses; How to Protect YourselfPresented by Ben Jones Technical Stream One

Ransomware, Malware and Viruses/seminars

Agenda

Cybercrime – What, Why and How?

Prevention – Avoiding Infection

Recovery – Dealing With Infection


Cybercrime1


Cybercrime

“Criminal activities carried out by means of a computer”

What is Cybercrime?


Cybercrime


Currently at a bigger risk than ever

What is Cybercrime?


Cybercrime


Currently at a bigger risk than ever

Over 140m new malware samples recorded in 2015

What is Cybercrime?


Cybercrime

Estimated as a $400bn industry in 2015, rising to $2tn by 2019

The Numbers Behind Malware


Cybercrime


Typically, only 4% of malware alerts are investigated



Cybercrime


Typically, only 4% of malware alerts are investigated

Malware-laced emails claim victims within 82s on average



Cybercrime

Virus

Forms of Malware


Cybercrime

Virus

Bot

Forms of Malware


Cybercrime The Internet Of Things


Cybercrime

Virus

Bot

Rootkit

Forms of Malware


Cybercrime

Virus

Bot

Rootkit

Trojan Horse

Forms of Malware


Cybercrime

Virus

Bot

Rootkit

Trojan Horse

Worm

Forms of Malware


Cybercrime

Virus

Bot

Rootkit

Trojan Horse

Worm

Ransomware

Forms of Malware


Cybercrime Ransomware

“The ransomware is that good… To be honest, we often just advise people to pay the ransom”

-Joseph Bonavolonta


Cybercrime

Ransomware can – and does – stop businesses functioning

Ransomware


Cybercrime


It’s effective and lucrative for attackers

Ransomware


Cybercrime Ransomware – As A Service


Cybercrime



“Safe” platforms like mobile, macOS, Linux etc. are viable

Ransomware


Cybercrime




Cryptolocker extorted around $30m in it’s first 100 days

Ransomware


Cybercrime





It will use your infrastructure against you!

Ransomware


Cybercrime





It will use your infrastructure against you!

Impact caused by downtime can be significant

Ransomware


Cybercrime

How does ransomware execute itself?

Is it possible to tell when ransomware is encrypting files?

Isn’t it just bluffing?

What Does Ransomware Look Like In Action?


Prevention2


Prevention Prevalent Methods of Attack In Education

These are the most common attack vectors RM have seen:

• Opened a malicious email attachment





• Browsed infected sites/ads with outdated plugin versions






• USB pen drive






• USB pen drive

Brute force attacks on RDP sessions have also been seen


Prevention Where Are You Vulnerable?

Firewalls, Security Appliances and Infrastructure

Wireless networks

Wired network points

Anti-Virus solution

Software

End users

Passwords




Wireless networks


Anti-Virus solution

Software

End users

Passwords

Your security is only as strong as the weakest link in the chain


Prevention What’s The Best Solution?

There’s no single “best solution” to malware prevention


Prevention What’s The Best Solution?

There’s no single “best solution” to malware prevention

A balance of software, hardware and education works best


Prevention Firewalls and Security Appliances

Patches for bugs and security exploits




Default passwords




Default passwords

Ineffectively/incorrectly configured




Default passwords

Ineffectively/incorrectly configured

Unsupported and EoL products




Wireless networks


Prevention Wireless Networks

Signal can reach outside your premises




Use secure methods of authentication and encryption





Segregate guest networks from data network





Segregate guest networks from data network

Use managed wireless rogue detection capabilities




Wireless networks



Prevention Wired Network Points

Disconnect/Disable any unused network points


Prevention Wired Network Points

Disconnect/Disable any unused network points

Employ MAC address based port security




Wireless networks


Anti-Virus solution


Prevention Anti-Virus Solution

Centralise management in large environments




Definition updates




Definition updates

Product updates


Prevention Anti-Virus Product Updates

“These vulnerabilities are as bad as it gets. They don’t require any user interaction…”

-Tavis Ormandy, Project Zero




Wireless networks


Anti-Virus solution

Software


Prevention Software

Software patches often fix security flaws, they are important!


Prevention Software


Flash Player and Java are often exploited for weaknesses


Prevention Software



Make updating software part of regular NMTs


Prevention Software



Make updating software part of regular NMTs

Macros are often exploited – disable them in Group Policy




Wireless networks


Anti-Virus solution

Software

End users


Prevention End Users

External storage (pen drives)


Prevention Pen Drives


Prevention USB Pen Drive Study


Prevention Disabling External Drives

Block external drives by Group Policy Object

TEC4341616




Personal devices




Personal devices

Social Engineering


Prevention Social Engineering

“You could spend a fortune purchasing technology and services… And your network infrastructure could still remain vulnerable to old-fashioned manipulation”-Kevin Mitnick


Prevention Psychology Of Social Engineering

Social engineers prey on basic human instincts:




• Fear




• Fear

• Obedience




• Fear

• Obedience

• Urgency




• Fear

• Obedience

• Urgency

• Sympathy




• Fear

• Obedience

• Urgency

• Sympathy

• Greed




• Fear

• Obedience

• Urgency

• Sympathy

• Greed

Often more than one of these emotions are combined


Prevention Phishing Emails


Prevention Social Engineering – Cloned Web Sites


Prevention Social Engineering – Cookies and Identity Theft

“Cookies are insecure, no matter what you do…‘Authentication cookies’ are often exploitable”

-Kevin Fu


Prevention Social Engineering – Cookies & Identity Theft


Prevention Social Engineering Countermeasures

EDUCATION!!!

https://www.sonicwall.com/phishing/



EDUCATION!!!


Implement digital controls to mitigate/block risks



EDUCATION!!!



Destroy paper and digital records securely



EDUCATION!!!




Employ the Principle of Least Privilege



EDUCATION!!!




Employ the Principle of Least Privilege

CC4 Networks – Check your privileged users!




Wireless networks


Anti-Virus solution

Software

End users

Passwords


Prevention Passwords

Passwords are effectively the keys to your network




Encourage, enforce and follow good password practice





Enforcing too much complexity can make things worse






Consider using passphrases rather than passwords


Prevention How Secure Is My Password?



T1ddles14



T1ddles14

4 Days


Prevention How Secure Is My Passphrase?



my cat is called tiddles



my cat is called tiddles

4 Sextillion Years







Password managers minimise risk from website hacks







Password managers minimise risk from website hacks

Configure account lockouts for privileged accounts



Treat your password like a toothbrush. Don’t let anyone else use it, and get a new one every six months.

-Clifford Stoll


Recovery3


Recovery Despite All Best Efforts…

Prevention is still better than cure


Recovery Despite All Best Efforts…

Prevention is still better than cure

Typical mindset needs to change during an attack


Recovery Identify, Isolate, Remove, Restore

Identify the affected user and/or workstation


Recovery Identifying – File Ownership


Recovery Share And Storage Management




Disable the user account, and disconnect the PC





Find out how the malware got in, and deal with it


Recovery Scanning Files and Websites

http://www.virustotal.com






Rebuild infected PCs to remove all traces






Rebuild infected PCs to remove all traces

Restore any affected network files from backup


Recovery What If A Server Is Infected?

Server infections will require more careful planning




Like PCs, servers should be disconnected from the network





Depending on the severity, DR may be the fastest option






Without a DR process, full recommissions may be required!






Without a DR process, full recommissions may be required!

Check if a decryption tool exists as a last resort


Recovery Backup Considerations

Backups are the only guaranteed method of recovery




Don’t rely on backups which are accessible on your LAN





Follow the 3-2-1 rule






Check regularly with test restores







Backups only protect backed up servers, not workstations







Backups only protect backed up servers, not workstations

Don’t rely on Shadow Copies, Snapshots or Cloud Sync!


Recovery Disk To Disk To Tape Backup Model


Recovery Disk To Disk To Cloud Backup Model


Summary5


Summary Cybercrime

Cybercrime can take many shapes and forms


Summary Cybercrime


The best method of prevention is to reduce the attack surface


Summary Cybercrime


The best method of prevention is to reduce the attack surface

It’s important to educate yourselves and others


Summary How Can RM Help?

Network Vulnerability Testing


Summary Network Vulnerability Testing




Free Online Safety Review


Summary Online Safety Review

http://bit.ly/2eKhWOG





Managed Anti-Virus Solutions






Backup Solutions






Backup Solutions

Secure Broadband


Summary

Think, then click.

Not the other way around.

Ransomware, Malware and Viruses; How to Protect YourselfPresented by Ben Jones Technical Stream One

ransomware, malware and viruses; how to protect yourself

Documents