Ransomware: The Impact is Real
www.nicsa.org | #WebinarWednesdays
Presenters:
Ike Barnes, US Secret Service
Brian Fay, Threat Investigation-Hunting, U.S. Bank
Nick Sherwood, VP Cybersecurity, OppenheimerFunds
Moderator:
Ron Plesco, Principal, Cyber Services, KPMG LLP
Panel
Presentation Navigation
• Cyber Threat State of Play
– Ransomware and Cyber Threats
• Risk Governance
– Risks posed to Financial Firms
• Data Integrity
– Balancing security and customer experience
Ransomware Introduction
• Ransomware is malware that infects computers, networks, and services.
• Once a victim's computer is infected, the malware encrypts the victim's data and/or systems, making them unreadable.
• The actor then demands payment to decrypt the files or network.
• Ransomware variants evolve continually.
Who are the targets?
(Chart: ransomware attacks by industry.)
Source: Kaspersky 2016 Security Bulletin, https://securelist.com/kaspersky-security-bulletin-2016-story-of-the-year/
The Cyber Threat Landscape 2017-2018
• Types of Attacks
– DDOS (Distributed Denial of Service), Viruses, Ransomware, Theft
• Attack Vectors
– PoS, Desktops & Laptops, Mobile Devices, Services, Network, Applications, Web Sites, Call Center, Employees, 3rd Party Service Providers
• Attack Targets
– Bankcard Data, PII Data (Personally Identifiable Information), Consumer Data, Business Records, Trade Secrets
• Business Exposures
– Reputational, Customer Sentiment & Trust, Vendors & Employees, Shareholders, Sales, Lawsuits, Regulatory Penalties
• Highest threat areas
– Attack: Ransomware; Vectors: Web Sites, 3rd Party Service Providers; Target: PII Data (Personally Identifiable Information)
New Threat Actors and Who They Target
• Malware Developers
– Feed other organizations with the tools they need
• Hacktivists
– Anonymous, LulzSec, TeaMp0isoN
• Nation State
– Intelligence agencies and cyber warfare operatives
• Organized Crime
– Russia, E-Europe, China, Africa, Middle East, North Korea
• Corporate Espionage
– Industrial espionage, economic espionage
• Targeted sectors
– Chemical, Commercial Facilities, Communications, Critical Manufacturing, Dams, Defense, Emergency Services, Energy, Financial, Food and Agriculture, Government Facilities, Healthcare, Nuclear, Transportation, Water
Phishing
• The delivery mechanism for various types of malware and cybercrime attempts.
What are the risks to financial institutions?
• Critical data loss/destruction
– 15% of companies targeted with ransomware found their data completely unrecoverable.
• Operational impacts
– 85% of ransomware victims were forced offline for over a week; 33% of ransomware-related compromises resulted in inaccessibility for a month or more.
• Regulatory fines
• Reputation loss
What Steps Should We Take?
• How to assess if you are prepared:
1. What is our most valuable data? Do we back that data up? How often? Is this data protected through extra measures?
2. Do we have a solid, documented and tested cyber incident response plan in place?
3. If critical data is encrypted, what workarounds are in place? How would this affect our bottom line? How would this impact our ability to conduct day-to-day operations?
Identify
• Identify critical data/systems.
• Robust security awareness training.
• Identify attack vectors for DM distribution.
• Identify systems with enterprise wide reach.
• Conduct ongoing information security risk assessments.
• Perform security monitoring, prevention, and risk mitigation.
• Participate in industry information-sharing forums.
• Identify alternative communications channels for incident responders.
Protecting Your Systems
• Focus on awareness and training.
• Keep patches updated.
• Set anti-virus and anti-malware software to update automatically.
• Manage privileged (Administrator) accounts.
• Implement principle of least privilege.
• Disable MS Office macros and open e-mail attachments in Office Viewer software.
• Implement software restriction policies.
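Added example (not part of the NICSA deck or any presenter's material): a Python check that a mail gateway could run to enforce the macro point above before an attachment ever reaches a full Office client. OOXML attachments are ZIP packages; a VBA project is stored in a vbaProject.bin part and declared in [Content_Types].xml with the vbaProject content type, so the check reads the package instead of trusting the file extension. The sample documents are constructed in memory, and MACRO_PARTS, Verdict, gateway_action and the quarantine policy are this example's own names and assumptions.

```python
import io
import zipfile
from dataclasses import dataclass

# OOXML (.docx/.docm/.xlsm/...) files are ZIP containers. VBA code lives in
# a vbaProject.bin part, and the package manifest [Content_Types].xml declares
# that part with the content type below. Either signal means the document is
# macro-enabled, whatever its file extension claims.
MACRO_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".potm"}


@dataclass
class Verdict:
    filename: str
    has_macros: bool
    extension_mismatch: bool
    reason: str


def inspect_office_attachment(filename: str, data: bytes) -> Verdict:
    """Classify one attachment by inspecting its ZIP parts, not its name."""
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return Verdict(filename, False, False, "not an OOXML container")
    names = set(zf.namelist())
    has_part = any(part in names for part in MACRO_PARTS)
    has_type = False
    if "[Content_Types].xml" in names:
        manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        has_type = MACRO_CONTENT_TYPE in manifest
    has_macros = has_part or has_type
    # A macro-bearing package with a non-macro extension (.docx) is a
    # mismatch worth flagging: filters that key only on .docm would miss it.
    mismatch = has_macros and ext not in MACRO_EXTENSIONS
    if mismatch:
        reason = f"VBA project found but extension is {ext or '(none)'}"
    elif has_macros:
        reason = "macro-enabled document"
    else:
        reason = "no VBA project"
    return Verdict(filename, has_macros, mismatch, reason)


def gateway_action(v: Verdict) -> str:
    """Assumed gateway policy: macro-enabled attachments are quarantined
    (or handed to a viewer that cannot run macros); everything else is
    delivered normally."""
    return "quarantine" if v.has_macros else "deliver"


def build_sample(with_macros: bool) -> bytes:
    """Constructed minimal Word package for this example (not a real file)."""
    vba_override = (
        '<Override PartName="/word/vbaProject.bin" '
        f'ContentType="{MACRO_CONTENT_TYPE}"/>' if with_macros else ""
    )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        f"{vba_override}</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # Placeholder bytes standing in for a compiled VBA project.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("invoice.docm", build_sample(True)),
                       ("invoice.docx", build_sample(True)),
                       ("invoice.docx", build_sample(False))]:
        v = inspect_office_attachment(name, blob)
        print(f"{name}: {gateway_action(v)} ({v.reason})")
```

The check deliberately reports the extension mismatch separately: a package that carries a VBA project under a .docx name is worth a closer look even where the client would refuse to run it, because it shows someone is trying to evade extension-based filtering.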
Protect
• Types and categories of security controls
– Preventive, Detective, Corrective
• Enhance controls
– Strategic
• Institute a data security program to manage risk
• Segregate and rotate duties
– Technical
• Application-generated data integrity controls
• Automatic updates to anti-virus software
• Monitoring controls
• Backup Solutions
– Offline backups
Detect
• DM detection in the enterprise
– Risk, Signature, and Behavior-based detection
• Principal means of detecting DM
– Drive by Downloads
• Pro-active monitoring
– Phishing
• Technical and policy related techniques coupled with consistent training
– Social Engineering
• Reports to call centers and security staff (physical)
• Regular meetings with security staff to outline behaviors
• Detecting data integrity attacks
– Application-generated data integrity controls
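Added example, not from the deck: behavior-based detection of the kind the Detect slide lists, run over constructed file-server audit lines. It keys on what ransomware does rather than on what it is: a burst of extension-changing renames from one process, and ransom-note-like files dropped into more than one directory. The log format, field names, the thresholds (five extension-changing renames within 60 seconds; notes in two or more directories) and the host, process and path names are all assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-log format for this example (assumed; not the deck's):
# <ISO time> host=<h> pid=<n> image=<exe> op=<WRITE|RENAME|CREATE> path=<p> [new=<p>]
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) image=(?P<image>\S+) "
    r"op=(?P<op>\w+) path=(?P<path>\S+)(?: new=(?P<new>\S+))?$"
)
WINDOW = timedelta(seconds=60)        # assumed tuning values
RENAME_THRESHOLD = 5
NOTE_RE = re.compile(r"(readme|decrypt|how_to|recover|restore).*\.(txt|html|hta)$", re.I)
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp)\\", re.I)

# Constructed sample: WINWORD saving a memo (benign rename of a temp file),
# then an executable in a user's Temp folder encrypting a finance share.
SAMPLE_EVENTS = r"""
2017-06-27T09:15:01Z host=WS041 pid=2210 image=C:\Office\WINWORD.EXE op=WRITE path=\\fs01\finance\Q2\~WRD0001.tmp
2017-06-27T09:15:07Z host=WS041 pid=2210 image=C:\Office\WINWORD.EXE op=RENAME path=\\fs01\finance\Q2\~WRD0001.tmp new=\\fs01\finance\Q2\memo.docx
2017-06-27T09:16:00Z host=WS041 pid=4412 image=C:\Users\jdoe\AppData\Local\Temp\update.exe op=RENAME path=\\fs01\finance\Q2\ledger.xlsx new=\\fs01\finance\Q2\ledger.xlsx.locked
2017-06-27T09:16:01Z host=WS041 pid=4412 image=C:\Users\jdoe\AppData\Local\Temp\update.exe op=RENAME path=\\fs01\finance\Q2\budget.xlsx new=\\fs01\finance\Q2\budget.xlsx.locked
2017-06-27T09:16:01Z host=WS041 pid=4412 image=C:\Users\jdoe\AppData\Local\Temp\update.exe op=RENAME path=\\fs01\finance\Q2\forecast.pptx new=\\fs01\finance\Q2\forecast.pptx.locked
2017-06-27T09:16:02Z host=WS041 pid=4412 image=C:\Users\jdoe\AppData\Local\Temp\update.exe op=CREATE path=\\fs01\finance\Q2\README_DECRYPT.txt
2017-06-27T09:16:03Z host=WS041 pid=4412 image=C:\Users\jdoe\AppData\Local\Temp\update.exe op=RENAME path=\\fs01\finance\Q1\ledger.xlsx new=\\fs01\finance\Q1\ledger.xlsx.locked
2017-06-27T09:16:03Z host=WS041 pid=4412 image=C:\Users\jdoe\AppData\Local\Temp\update.exe op=RENAME path=\\fs01\finance\Q1\audit.docx new=\\fs01\finance\Q1\audit.docx.locked
2017-06-27T09:16:04Z host=WS041 pid=4412 image=C:\Users\jdoe\AppData\Local\Temp\update.exe op=CREATE path=\\fs01\finance\Q1\README_DECRYPT.txt
2017-06-27T09:16:05Z host=WS041 pid=4412 image=C:\Users\jdoe\AppData\Local\Temp\update.exe op=RENAME path=\\fs01\finance\Q1\notes.txt new=\\fs01\finance\Q1\notes.txt.locked
"""


def _ext(path):
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def _dir(path):
    return path.rsplit("\\", 1)[0]


def parse_events(lines):
    events = []
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue  # blank lines or lines in another format
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def detect_ransomware_behavior(lines):
    by_proc = defaultdict(list)
    for e in parse_events(lines):
        by_proc[(e["host"], int(e["pid"]), e["image"])].append(e)
    alerts = []
    for (host, pid, image), evs in by_proc.items():
        evs.sort(key=lambda e: e["ts"])
        # 1. Burst of renames that change the extension, counted over a
        #    sliding window: the fingerprint of bulk encryption.
        stamps = [e["ts"] for e in evs
                  if e["op"] == "RENAME" and e["new"] and _ext(e["new"]) != _ext(e["path"])]
        burst, start = 0, 0
        for i, t in enumerate(stamps):
            while t - stamps[start] > WINDOW:
                start += 1
            burst = max(burst, i - start + 1)
        # 2. Ransom-note-like files created in more than one directory.
        note_dirs = {_dir(e["path"]) for e in evs
                     if e["op"] == "CREATE" and NOTE_RE.search(e["path"].rsplit("\\", 1)[-1])}
        reasons = []
        if burst >= RENAME_THRESHOLD:
            reasons.append(f"{burst} extension-changing renames within {int(WINDOW.total_seconds())}s")
        if len(note_dirs) >= 2:
            reasons.append(f"ransom-note-like file created in {len(note_dirs)} directories")
        # 3. Supporting context only: legitimate updaters also run from
        #    user-writable paths, so this never fires on its own.
        if reasons and USER_WRITABLE_RE.search(image):
            reasons.append("image runs from a user-writable path")
        if reasons:
            alerts.append({"host": host, "pid": pid, "image": image,
                           "first_seen": evs[0]["ts"].isoformat(), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect_ransomware_behavior(SAMPLE_EVENTS.splitlines()):
        print(a)
```

The single benign rename by WINWORD (temp file to .docx) shows why the rename indicator is a rate over a window and not a single event; the threshold is the knob to tune against the real save patterns of office and backup software on the share.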
Respond
• Defining a security incident
• Containment
– Isolate systems
– Search for additional compromise
– Validate data integrity downstream
– Collect evidence
– Communicate with affected parties, law enforcement, and regulators
• Intrusion response
– Focus on people and technologies
• Creating a Computer Security Incident Response Team
– CSIRT or equivalent team's interactive role
Recover
• Operational considerations
– Inventory IT operations
– Well documented plans/guides
• Exercised prior to attack
• Technology considerations
– Wiped data needs to be reinstated from separately maintained backup systems
– Applications and source code reinstalled from trusted sources
– Bare metal recovery for lengthy compromises
– Replace inoperable OS
• Long-term recovery
– Document all procedures, maintain forensics
– Share threat indicators and context where possible with industry partners
– Incorporate lessons learned immediately
Backups
• Backups are critical; if infected, backups may be the best way to recover critical data.
• Robust backup and restore procedures.
• Secure backups offline/air-gapped.
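Added example, not from the deck: a manifest-based integrity check on a backup copy before it is used for a restore, illustrating the offline-backup point here together with the Recover slide's "validate data integrity" and "reinstate from separately maintained backup systems" items. The directory layout, the manifest.json name and the simulated attack are this example's assumptions; the "encryption" is just overwriting and renaming, standing in for the real damage.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"  # assumed name for this example


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def take_backup(source: Path, backup_root: Path) -> Path:
    """Copy the tree into <backup_root>/data and record its manifest."""
    data = backup_root / "data"
    shutil.copytree(source, data)
    (backup_root / MANIFEST).write_text(json.dumps(build_manifest(data), indent=1))
    return backup_root


def verify_backup(backup_root: Path) -> dict:
    """Compare the stored manifest with what is on disk now."""
    expected = json.loads((backup_root / MANIFEST).read_text())
    actual = build_manifest(backup_root / "data")
    return {
        "ok": expected == actual,
        "modified": sorted(k for k in expected if k in actual and expected[k] != actual[k]),
        "missing": sorted(k for k in expected if k not in actual),
        "extra": sorted(k for k in actual if k not in expected),
    }


def restore_backup(backup_root: Path, target: Path) -> dict:
    """Refuse to restore from a copy that no longer matches its manifest."""
    report = verify_backup(backup_root)
    if not report["ok"]:
        raise RuntimeError(f"backup integrity check failed: {report}")
    shutil.copytree(backup_root / "data", target)
    return build_manifest(target)


def simulate_ransomware(root: Path) -> None:
    """Constructed stand-in for the attack: overwrite and rename every file."""
    for p in [q for q in root.rglob("*") if q.is_file()]:
        p.write_bytes(b"\x00" * 32)  # not real encryption; stands in for the damage
        p.rename(p.with_suffix(p.suffix + ".locked"))


def demo() -> dict:
    """Walk the scenario end to end on constructed data; returns what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source, backup, restored, online = (tmp / n for n in ("live", "backup", "restored", "online"))
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "ledger.csv").write_text("acct,amount\n1001,250.00\n")
        (source / "policy.txt").write_text("retention: 7 years\n")
        original = build_manifest(source)
        take_backup(source, backup)            # the copy kept offline
        shutil.copytree(backup, online)        # a second copy the attacker can reach
        simulate_ransomware(source)            # live data is now unreadable
        simulate_ransomware(online / "data")   # ...and so is the online copy
        before = verify_backup(backup)["ok"]
        restored_ok = restore_backup(backup, restored) == original
        try:
            restore_backup(online, tmp / "never")
            tampered_detected = False
        except RuntimeError:
            tampered_detected = True
        return {
            "backup_ok_before_restore": before,
            "restored_matches_original": restored_ok,
            "tampered_backup_detected": tampered_detected,
            "tampered_report": verify_backup(online),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The manifest sits beside the data here for simplicity. For a real offline or air-gapped copy, keep the manifest (or a signature over it) on separate media or in a system the backup host cannot write to; otherwise an attacker who reaches the backup can rewrite both and the check proves nothing.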
What To Do If Infected
• Isolate the infected computer from the network.
• The US Government does not advocate paying.
– Paying ransom emboldens the adversary.
– Ransom payment funds illicit activity.
• Contact law enforcement.