Question

Risk management in Information Security today

Every day, information security professionals are bombarded with marketing messages around risk and threat management, fostering an environment in which objectives seem clear: manage risk, manage threat, stop attacks, identify attackers. These objectives aren't wrong, but they are fundamentally misleading. In this session we'll examine the state of the information security industry in order to understand how the current climate fails to address the true needs of the business. We'll use those lessons as a foundation for developing a business-focused information security organisation, built around real objectives and metrics.

The state of risk management in information security today.

Organisational objectives of information security management are the projects or objectives at the organisational level, and information security operations folks work on day-to-day operations.

They are joined by people. There are vendors who say that you can bridge the gap between organisational objectives and information security operations with a product, using technology. There are people who can bridge the gap between information security and the day-to-day operations. Then there is a third bubble: business objectives. Between the business objectives and the information security objectives there is a comprehension gap; there is little communication between the two. There are people in both of these groups, business objectives and information security. There is another gap, a measurement gap, between information security objectives and day-to-day information security operations: there is often a challenge in measuring how an organisation is performing against those objectives. Even if we can measure those objectives, it can be done in a way that doesn't satisfy the comprehension gap between organisational objectives and information security operations. So when both the comprehension gap and the measurement gap exist, they have a negative impact on the organisation.

The risk management trap: "information security is a process, not a destination." This statement is a trap; it is interesting, but misleading because it is incomplete. The complete statement is: information security is a process, not a destination, intended to help the organisation achieve its objectives in a world full of risk.

Information security operations

WannaCry Timeline

On Friday, May 12, the UK's National Health Service was knocked offline by a massive ransomware attack known at the time as the Wanna Decryptor (later dubbed WannaCry). Within 24 hours, a 22-year-old UK researcher found a "kill switch" to slow down the global attack, which at that point had affected about 100 countries. By May 15 the number affected rose to 150 countries, and a new threat emerged, with security agencies warning US healthcare there could be more to come.

How WannaCry happened

In March, Microsoft discovered a vulnerability and issued a patch, but not everyone updated their systems. Then in April, information was stolen (or leaked; no one is sure at this point) from the NSA that revealed the specific vulnerability, and a hacking group sold the information. Despite having issued a way to fix the issue, Microsoft blasted the U.S. for "stockpiling vulnerabilities" and allowing them to be stolen.

A day later, a new warning was issued for XP systems even though at that point they were not affected. On May 17, reports said U.S. efforts had paid off, with fewer than 10 US victims when the dust settled after the initial attack.

Fallout from ransomware attack

The UK's NHS was still using paper three days later while it continued recovery efforts to get back online. Warnings were issued again for what many have believed is healthcare's biggest vulnerability: medical devices. The US Senate is now floating a bill requiring the NSA to stop stockpiling cyber weapons to help alleviate the risk of another ransomware attack.

HIMSS just happened to be in the middle of the Privacy & Security Forum in San Francisco when the news broke, and our editor-in-chief, Tom Sullivan, explains what it was like to host a security forum when WannaCry hit the globe.

Official Statements Issued

1. May 12: a 22-year-old UK researcher from MalwareTech "accidentally stops a global cyber attack" and explains in detail how he did it.

2. May 12: Microsoft issues a critical security update and statement for users operating outdated Windows systems, such as Windows XP, Server 2003 and Windows 8.

3. May 14: UK National Cyber Security Centre issues a statement about the "international ransomware cyberattack."

4. May 14: Microsoft issues another statement to explain some lessons that have been learned from the attack.

5. May 15: Homeland Security Adviser Tom Bossert holds a White House press conference to confirm no federal agencies were affected.

Shadow Brokers

Cybersecurity experts are searching for answers after an unidentified group claimed on Monday to have hacked into "Equation Group," an elite cyber-attack group associated with the NSA.

The "Shadow Brokers" claimed in a post on blogging service Tumblr to have hacked Equation Group, and say they are holding an "auction" to sell off the "cyber weapons" they were able to steal. Shadow Brokers have also provided a sample of files, free to access, to "prove" their legitimacy.

(Business Insider isn't linking to the files because they are a potential security risk.)

Equation Group, widely believed to be part of the NSA spy agency, was described by security firm Kaspersky in 2015 as "a threat actor [hacker or hacking group, essentially] that surpasses anything known in terms of complexity and sophistication of techniques, and that has been active for almost two decades."

Two things have slowed WannaCry's spread. First, Microsoft released a rare emergency patch to help protect Windows XP devices from its reach. (The company hasn't officially supported XP since 2014.) That helps the many aging systems with no security resource get ahead of infection, if they can download the patch before WannaCry hits. The other, though, was MalwareTech's happy accident.

Kill Switch

As he worked to reverse-engineer samples of WannaCry on Friday, MalwareTech discovered that the ransomware's programmers had built it to check whether a certain gibberish URL led to a live web page. Curious why the ransomware would look for that domain, MalwareTech registered it himself. As it turns out, that $10.69 investment was enough to shut the whole thing down, for now at least.

It turned out that as long as the domain was unregistered and inactive, the query had no effect on the ransomware's spread. But once the ransomware checked the URL and found it active, it shut down.

MalwareTech theorizes that the hackers could have included the feature to shield the ransomware from analysis by security professionals. That sort of examination often takes place in a controlled environment called a "sandbox." Researchers construct some of these environments to trick malware into thinking it's querying outside servers, even though it's really talking to a bunch of dummy sandbox IP addresses. As a result, any address the malware tries to reach gets a response, even if the actual domain is unregistered. Since the domain MalwareTech acquired was supposed to be dormant but went live, WannaCry may have assumed it was in the middle of forensic analysis, and shut down.

Building anti-analysis defenses into malware is common, but the WannaCry hackers appear to have botched the implementation. By relying on a static, discoverable address, whoever found it, in this case MalwareTech, could just register the domain and trigger WannaCry's shutdown defense.

What we learnt from WannaCry

1. System updates are essential.

WannaCry targeted Windows operating systems and succeeded where those operating systems lacked security updates. Hospitals in Britain's National Health Service suffered considerable damage because so many are still using Windows XP, a 16-year-old operating system. Contrast that with U.S. hospitals, which were minimally impacted. Indeed, a major concern for hospitals around the world is the use of old operating systems in a variety of settings that are no longer upgraded or supported. Microsoft rushed a Windows XP security update out after WannaCry was unleashed, but it's not something the company wants to do or would probably be willing to do with any regularity.

It probably goes without saying, but the use of unlicensed and unlicensable software leaves hospitals completely vulnerable to malware attacks. In the U.S., this is not a significant problem. However, in China and countries similarly resistant to strong policing of intellectual property licensing and use, computers may as well put out a virus welcome mat. Reportedly, WannaCry impacted around 29,000 institutions in China.

2. Devices are vulnerable

Specifically, WannaCry successfully attacked Bayer Medrad radiology devices in at least a couple of examples, the first known hacks of medical devices. The concern about medical devices is acute simply because they often control something directly related to the patient's condition. A hack of the EHR system is problematic and disruptive. A hack of a medical device is potentially life-threatening.

3. Even inept hackers are successful enough to be very disruptive.

Possibly derived from hacking tools originally created by the National Security Agency, WannaCry had certain post-NSA vulnerabilities that researchers and security experts could identify relatively quickly. Using terms like "amateur hour" and "easy fix" to describe WannaCry, security professionals said the virus was not a particularly challenging nemesis. But even imperfect malware spread rapidly to more than 150 countries, infected hundreds of thousands of workstations and cost as much as $4 billion. Imagine what kind of damage a more successful hack could do.

4. The most expensive part of ransomware is not the ransoms

It's not unreasonable to see many hackers as anarchists with active minds, time on their hands and a perverse motivation to kick at the pillars of modern society. Most of the ransoms demanded in the WannaCry case were in the $300 to $600 range, and most organizations chose not to pay them. As of Friday, May 12, one consultancy estimated only $100,000 in total had been sent to the hackers. No one was going to get independently wealthy off this hack. Still, WannaCry bled an estimated $4 billion from the system. Again, imagine a much more successful effort than WannaCry and you can see how motivated hackers might be determined to bring certain essential industries, healthcare for example, to a grinding halt without getting dollars in return.

5. Subscription services are a viable alternative.

A primary reason WannaCry succeeded at all is because there is so much old software out there running various computing devices. Subscription software is one way to get old software out of the market. With the subscription option, to use WannaCry as a specific example, Microsoft can quickly and easily provide security updates to all applications and operating systems. The company did, in fact, provide updates in March to patch the security hole WannaCry exploited, which made the damage in the United States much less extensive. Clearly, however, those updates did not extend to the millions of Windows instances in use globally. While technology companies have been promoting subscription software options for years, buyers have been slow to sign on. Perhaps instances like this will convince many that subscription is both the more affordable and safer option.

Right now, failsafe responses to malware and hackers are multi-pronged, and subscription software can be a significant component in that defense. Each hospital must develop a comprehensive and stringent security program as a necessary foundation for overall protection.

The security battles will continue into the foreseeable future and each will give us an opportunity to make the defenses more responsive and sophisticated. The hospitals that can learn security lessons without having to pay ransoms or endure systems shutdowns will be those that react rapidly and prepare for the various threats.

Preventing WannaCry

WannaCry didn't come out of nowhere: it exploited a known Microsoft vulnerability for which the company issued a patch two months earlier. Subscribers to the IBM X-Force Exchange received that fix on the same day it was released.

It's particularly important to patch endpoints, such as PCs and mobile devices, because that's where 85 percent of ransomware infections originate. The process can be complex, but IT teams can use endpoint tools to deploy patches consistently, reliably and automatically across a broad range of operating systems.


A majority of existing endpoint detection and response (EDR) solutions are unable to fully secure organizations from ransomware for three reasons. First, they lack full visibility of endpoints and their statuses, which limits the effectiveness and contextualization of malicious behavior. They also often require complex, post-detection incident investigations, which is a challenge in a cybersecurity field that is expected to see 1.5 million vacant positions by 2020. Some of these tools also lack any remediation abilities whatsoever, which reduces an organization's ability to effectively act upon investigation.

Make sure your EDR solution has the appropriate visibility to not only detect, but also contextualize malicious behavior. Tool sets such as IBM BigFix can help solve those two problems and also provide effective remediation based on investigative findings.

Training Your People

By various estimates, up to 83 percent of ransomware attacks originate when an employee clicks on a malicious link, opens an infected attachment or visits a compromised website. Employees are the first line of defense, so investing in ongoing training about protecting against phishing and malware should be a priority.

Microsoft is to remove the SMB1 server software, which was used by the NSA and later exploited by the hackers behind the recent WannaCry outbreak.

Microsoft to remove SMB1 protocol, used by WannaCry, from Windows 10

In the latest Windows 10 Build 16226 for Home and Professional editions, the client side of SMB1 remains to enable users to connect to devices still using the decades-old protocol. All Enterprise and Education editions have SMB1 totally uninstalled by default.

The firm said that the change only affects clean installations of Windows, not upgrades.

"We are making this change to reduce the attack surface of the OS," it said in a blog post.

While some Windows 10 editions can still use the protocol in a limited set of cases, the firm did recommend uninstalling the protocol if it is not being used.

"The removal of SMB1 means the removal of the legacy Computer Browser service. The Computer Browser depends exclusively on SMB1 and cannot function without it," it said.

The blog referred to a previous blog posting from last September. Ned Pyle, program manager in the Microsoft Windows Server high availability and storage group, said that the original SMB1 protocol is nearly 30 years old, and like much of the software made in the 80s, it was designed for a world that no longer exists.

"A world without malicious actors, without vast sets of important data, without near-universal computer usage. Frankly, its naiveté is staggering when viewed through modern eyes. I blame the West Coast hippy lifestyle," he said.

He added that there are very few cases left in any modern enterprise where SMB1 is the only option.

Javvad Malik, security advocate at AlienVault, told SC Media UK that SMB1 has been deprecated for years.

"It's over 30 years old, and much like many protocols that were designed at that time, security was not factored into it. Also, compared to newer protocols it is neither efficient, nor has any other upsides," he said. "So, yes, removal of SMB1 will reduce the attack surface, and improve overall security."

"But this isn't just restricted to the SMB1 protocol. Enterprises should look at all the protocols in use, and where possible, ensure they have moved away from the ones that are no longer supported or deprecated," he added.

"Although, this is easier said than done. Because so many of these protocols are inherently part of the fabric of the internet, upgrading all, while removing backward compatibility, will take time."

Artem Shishkin, senior development specialist at Positive Technologies, told SC Media that SMBv1 is vulnerable in its core.

"It's not even about implementation errors, which led to WannaCry. Even if it's implemented without errors, it still has logical flaws that put security out of the question. As far as I know, you can get admin access to files without an admin account via SMBv1. Indeed, Windows security increases when such a vulnerable component is not supported," he said.

Shishkin added that there is another vulnerable component, a graphical subsystem called win32k.sys.

"But how can you remove it? Usually, old components (about 20 years) are vulnerable. Vulnerabilities in graphical subsystems are found about once a month. New flaws in font and printer drivers are also detected every now and then. But you can't just remove these components, because it can be difficult to write a new one and backward compatibility can be lost. The problem also occurs in Windows 10, and attempts to block obsolete components are being made in order to mitigate it," he said.

EternalBlue, sometimes stylized as ETERNALBLUE,[1] is an exploit generally believed to be developed by the U.S. National Security Agency (NSA). It was leaked by the Shadow Brokers hacker group on April 14, 2017, and was used as part of the worldwide WannaCry ransomware attack on May 12, 2017. The exploit was also used to help carry out the 2017 NotPetya cyberattack on June 27, 2017.

EternalBlue exploits a vulnerability in Microsoft's implementation of the Server Message Block (SMB) protocol. This vulnerability is denoted by entry CVE-2017-0144 in the Common Vulnerabilities and Exposures (CVE) catalog. The vulnerability exists because the SMB version 1 (SMBv1) server in various versions of Microsoft Windows mishandles specially crafted packets from remote attackers, allowing them to execute arbitrary code on the target computer.[9]

On Tuesday, March 14, 2017, Microsoft issued security bulletin MS17-010,[10] which detailed the flaw and announced that patches had been released for all Windows versions that were currently supported at that time, these being Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012, and Windows Server 2016, as well as Windows Vista (which had recently ended support).[11] Many Windows users had not installed the patches when, two months later on May 12, 2017, the WannaCry ransomware attack used the EternalBlue vulnerability to spread itself.[12][13] The next day, Microsoft released emergency security patches for Windows 7 and Windows 8, and the unsupported Windows XP and Windows Server 2003.[14]

The hacking group that leaked the US cyber weapon used in last week's global ransomware attack has threatened to publish more stolen computer bugs.

A message claiming to be from the mysterious Shadow Brokers gang said it would "dump" more tools developed by the US spy agency every month from June, releasing them to organisations that choose to pay up.

It comes just days after the "Eternal Blue" computer exploit, which the Shadow Brokers had obtained from the National Security Agency, was used to infect hundreds of thousands of computers with the WannaCry virus that threw the NHS and others into chaos on Friday.

The Shadow Brokers are not believed to have been behind the ransomware attack themselves, but they released the tool online in April. It was then picked up by the perpetrators of last week's attack, whom some security experts have linked to North Korean hackers. Eternal Blue allowed viruses to gain extensive access to Windows computers.

MS.Vista.SMBv2.Signing.Insecurity

Description

In Dec. 2007, Microsoft released a security update which resolves a privately reported vulnerability in Server Message Block Version 2 (SMBv2) for Microsoft Windows Vista. The vulnerability occurs when an administrator sets "Microsoft network client: Digitally sign communications (always)" to "enabled". A remote attacker can cause a denial of service or take complete control of a victim's system by modifying an SMBv2 packet and re-computing the signature to run code with the privileges of the logged-on user.

Disabling SMB1 after WannaCry? Make Sure SMB2 is enabled

After recent events in the online world, everybody is in a frenzy patching their servers, disabling SMB1, and removing the feature from Windows 10 and Windows Server 2012 R2 (though it should have been done way, way before). So was I. This week's priority at the customer I'm working for is entirely dedicated to patching servers (those that weren't patched prior to WannaCry, which was a small percentage nevertheless) and disabling and removing the SMB1 feature on all the machines.

A lot has been written about WannaCry and how to deal with it. The two most helpful articles come from big MS itself: "How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server" and "WannaCrypt attacks: guidance for Azure customers".

After patching and removing the feature (directly, instead of just disabling it first) on a Windows 2012 R2 server, I discovered I couldn't browse to the server any longer. Each time I did a \\sctxps-01\d$ (which is a Citrix Provisioning Services server) I got a message that the server couldn't be reached:

After hitting some key phrases on Google and finding the recommendations of Microsoft, it struck me. The Set command Set-SmbServerConfiguration -EnableSMB1Protocol $false, which configures SMB1 to be turned off, also has a Get counterpart that shows the current state. And look what we found:

It appeared the SMB1 protocol was still turned on; however, due to the removal of the feature entirely from the server, the machine wasn't reachable any longer through UNC, IP, or even localhost. After running the command Set-SmbServerConfiguration -EnableSMB2Protocol $true the server could be reached again.

It appeared someone had configured SMB1 before and turned off SMB2. Due to the removal, the server's SMB shares couldn't be reached any longer over the network.

So please check your SMB status with Get-SmbServerConfiguration before doing something drastic like removing SMB features. Of course, in an ideal world this would all be planned, with risk and impact analysis etc. But in an ideal world there wouldn't be any crypto lockers either.

Wire Data Rationale

In summary: Wire data is L2-L7 data spanning the entire application delivery chain. Through real-time full-stream processing, unstructured data is reassembled into structured wire data and mined for insights to strengthen IT ops, security, and business.

1. Wire data is not the same thing as network data.

Nor is wire data analytics the same as network performance monitoring. When most people think of information off the wire, they think of packet capture tools used by network engineers. Some vendors use the terms "network data" and "wire data" interchangeably, but they're not even remotely the same thing.

2. Wire data has unmatched depth and breadth.

It gives you visibility across not only the entire application stack, but across the entire delivery chain as well.

3. Wire data is the only way to auto-discover and classify everything on the network.

Wire data shows everything that's generating data on your network, in real time. There's no other realistic way to keep tabs on your hyperdynamic environment.

4. Wire data is agentless.

Agents alter the same environment they're trying to monitor, which means certain data sets are skewed in the process. Only the passive observation of wire data is accurate and doesn't affect your environment.

5. Wire data is created via stream processing and full stream reassembly.

Only ExtraHop does stream analytics for wire data, rather than relying on post-hoc analysis after writing packets to disk. This write-to-disk requirement means the analysis is limited by disk speed and space and the ability of a person to sift through gigabytes worth of network data. Our platform reassembles all packets into full transactions, flows, and sessions in real time. The platform extracts over 3,400 metrics (in addition to custom-defined metrics) for on-the-spot analysis useful to everyone from IT to various business units.

Ransomware Bundle v1.2.6

Creator: tomr
Created: Apr 29, 2016
Updated: May 12, 2017
Minimum Version: 6.0
Categories: Security and Compliance, User Monitoring

Description

This bundle provides a trigger that can help detect Ransomware (or cryptographic) attacks in real-time. There are multiple techniques available through this bundle, but all detection mechanisms are based upon analyzing traffic from the SMB/CIFS network protocol (a file sharing protocol, traditionally for Microsoft Windows systems). The trigger is intended to be highly configurable and is annotated to provide additional information for settings you can modify.

For more detailed information about installing, configuring, and identifying potential ransomware attacks with the Ransomware Bundle, see the Ransomware Bundle Walkthrough.

Note: The v1.2.6 update to the bundle includes the following changes:

Updated list of file extensions and file patterns to include the Wanna Decryptor Ransomware variant:

Installation Instructions

If you have a previous version of this bundle installed, disable the existing trigger, do not uninstall it.

Please write conclusion for this article in your own words
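The kill-switch behaviour described in the "Kill Switch" passages, as an added example that is not part of the original text and contains no code from the WannaCry sample: a small simulation of the static-domain check MalwareTech found, beside the run-time-generated probe that a sandbox check of this kind is normally expected to use. The domain name and the three `is_live` callables are constructed placeholders for the real HTTP probe and for three environments (real internet before the name was registered, real internet after it was sinkholed, and a sandbox that answers every name).

```python
"""Simulation of the kill-switch check and of the sandbox probe it was
apparently meant to be. Added example, not malware code: the domain name
below is a placeholder and the `is_live` callables are constructed stand-ins
for the HTTP probe."""
import secrets
import string

# Hypothetical name; the real sample hard-coded one specific, fixed domain.
KILL_SWITCH_DOMAIN = "example-killswitch-domain.invalid"


def static_domain_check(is_live) -> bool:
    """The logic MalwareTech described: continue only if the hard-coded
    name does NOT answer. `is_live(domain)` stands in for the HTTP probe.
    Returns True if execution would continue, False if it would stop."""
    return not is_live(KILL_SWITCH_DOMAIN)


def random_domain_check(is_live, pick=secrets.choice) -> bool:
    """What a working sandbox probe looks like: query a name generated at run
    time under a reserved TLD, which cannot exist on the real internet.
    A sandbox that fakes an answer for every name answers this one too, but
    nobody can pre-register a name chosen at run time, so there is no kill
    switch to find. Returns True if execution would continue."""
    alphabet = string.ascii_lowercase + string.digits
    probe = "".join(pick(alphabet) for _ in range(32)) + ".invalid"
    return not is_live(probe)


# Three constructed environments, each expressed as an `is_live` callable.
def internet_before_registration(domain: str) -> bool:
    """Real DNS/HTTP before anyone registered the kill-switch name."""
    return domain in {"www.microsoft.com"}


def internet_after_registration(domain: str) -> bool:
    """Real DNS/HTTP after MalwareTech registered the name (a sinkhole)."""
    return domain in {"www.microsoft.com", KILL_SWITCH_DOMAIN}


def sandbox_fake_internet(domain: str) -> bool:
    """An analysis sandbox that answers every name with a dummy server."""
    return True


ENVIRONMENTS = {
    "internet, name unregistered": internet_before_registration,
    "internet, name sinkholed": internet_after_registration,
    "sandbox, fake internet": sandbox_fake_internet,
}


def compare() -> dict:
    """Whether each variant would keep running in each environment."""
    return {
        env: {"static": static_domain_check(f), "random": random_domain_check(f)}
        for env, f in ENVIRONMENTS.items()
    }


if __name__ == "__main__":
    for env, outcome in compare().items():
        print(f"{env:30} static runs={outcome['static']!s:5} random runs={outcome['random']}")
```

The table `compare()` produces is the defender's takeaway: the static check stops in both the sandbox and the sinkholed-internet case, which is why registering one domain halted the worm, while the run-time-generated probe stops only in the sandbox. A kill switch of this kind is a one-off gift from a botched implementation, not a control to rely on; detection and patching must not depend on it.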
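Ransomware detection over SMB file-operation records, in the spirit of the Ransomware Bundle description above (a trigger keyed on SMB/CIFS traffic, matching file extensions and file-name patterns, with the Wanna Decryptor variant added). This is an added example, not the bundle's own trigger, which is not reproduced on the page. The record format, the sample records and the rate threshold are constructed; the `.wncry`/`.wncryt`/`.wnry` extensions and the `@Please_Read_Me@.txt` note name are WannaCry artifacts, but the bundle's full list is not on the page, so the watchlist here is a starting point to maintain rather than the bundle's.

```python
"""Ransomware detection over SMB file-operation records: match known
extensions and ransom-note names, and flag bursts of extension-changing
renames so unknown variants are caught too. Added example, not the bundle's
trigger. The record format and all sample records are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass

# Watchlist (starting point, not the bundle's list). The .wncry/.wncryt/.wnry
# extensions and the note name are WannaCry ("Wanna Decryptor") artifacts.
SUSPECT_EXTENSIONS = {".wncry", ".wncryt", ".wnry"}
SUSPECT_NAMES = {"@please_read_me@.txt", "@wanadecryptor@.exe"}

# Behavioural rule (constructed threshold): this many renames that change a
# file's extension, from one client within WINDOW seconds, is flagged even
# when the new extension is unknown.
RATE_THRESHOLD = 20
WINDOW = 10.0
BURST_REASON = f"rename burst: >={RATE_THRESHOLD} extension changes within {WINDOW:.0f}s"


@dataclass(frozen=True)
class SmbOp:
    ts: float           # seconds since capture start
    client: str         # client IP
    op: str             # CREATE, WRITE, RENAME, DELETE
    path: str           # path on the share
    new_path: str = ""  # RENAME target


def parse_line(line: str) -> SmbOp:
    """Parse one constructed record: '<ts> <client> <OP> <path> [<new_path>]'."""
    f = line.split()
    return SmbOp(float(f[0]), f[1], f[2].upper(), f[3], f[4] if len(f) > 4 else "")


def _basename(path: str) -> str:
    return path.rsplit("/", 1)[-1].lower()


def _ext(path: str) -> str:
    name = _basename(path)
    return name[name.rfind("."):] if "." in name else ""


def detect(ops) -> dict:
    """Return {client: sorted reasons} for clients showing ransomware behaviour."""
    alerts = defaultdict(set)
    recent = defaultdict(deque)  # client -> timestamps of extension-changing renames
    for op in sorted(ops, key=lambda o: o.ts):
        target = op.new_path or op.path
        if _ext(target) in SUSPECT_EXTENSIONS:
            alerts[op.client].add(f"known ransomware extension {_ext(target)}")
        if _basename(target) in SUSPECT_NAMES:
            alerts[op.client].add(f"ransom note {_basename(target)}")
        if op.op == "RENAME" and _ext(op.new_path) != _ext(op.path):
            window = recent[op.client]
            window.append(op.ts)
            while op.ts - window[0] > WINDOW:   # drop timestamps outside the window
                window.popleft()
            if len(window) >= RATE_THRESHOLD:
                alerts[op.client].add(BURST_REASON)
    return {client: sorted(reasons) for client, reasons in alerts.items()}


# Constructed sample traffic: one ordinary user, one WannaCry-like host, and
# one host encrypting to an extension that is not on the watchlist.
SAMPLE_LINES = [
    "10.0 10.0.0.5 CREATE /finance/q1.xlsx",
    "11.0 10.0.0.5 WRITE /finance/q1.xlsx",
    "12.0 10.0.0.5 RENAME /finance/~q1.tmp /finance/q1.xlsx",
    "130.0 10.0.0.77 CREATE /share/@Please_Read_Me@.txt",
]
SAMPLE_LINES += [f"{100 + 0.2 * i:.1f} 10.0.0.77 RENAME /share/doc{i}.docx /share/doc{i}.docx.WNCRY"
                 for i in range(25)]
SAMPLE_LINES += [f"{200 + 0.3 * i:.1f} 10.0.0.9 RENAME /hr/file{i}.pdf /hr/file{i}.pdf.enc"
                 for i in range(25)]


def run_sample() -> dict:
    return detect(parse_line(line) for line in SAMPLE_LINES)


if __name__ == "__main__":
    for client, reasons in run_sample().items():
        print(client, "->", "; ".join(reasons))
```

Running it flags 10.0.0.77 on all three rules and 10.0.0.9 only on the rename burst, while the ordinary user is not reported. The two rule families are deliberately independent: the extension and note-name list catches a known variant on its first file, and the rate rule catches a new variant with a new extension at the cost of a few seconds and a handful of files. In production the same logic would be fed from SMB2 CREATE and SET_INFO (rename) operations seen on the wire or from file-server audit logs, and the threshold would be tuned against normal backup and build traffic, which also renames files in bulk.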
