First of all I want to say thank you to everyone for joining us today. My name
is Dave Cropco with Advanced Logic Industries and joining me today from ALI
are Eric Thompson, our Senior Solutions Architect; Don Davis our VP of Network
Integration; Parker Pearson (you just heard from) our VP of Marketing; and
Jeremy Rasor, our Sales Manager. What we would like to discuss with you today
is a topic that has certainly been in the news and has had a pretty far-reaching
impact to both small and large corporations all over the globe. Our conversation
today will focus primarily on ransomware: what ransomware is, how your
organization can be affected by it, steps you can take to help minimize your risk
of a ransomware compromise, and things that you as a business IT professional and
leader need to be thinking about for your organization. But before we get into
the meat of the conversation today, let's take a quick look at some statistics
that demonstrate the scope and impact that ransomware has had in just the last
18 months or so.
In the year 2016, ransomware attacks grossed over 1 billion dollars to cyber
thieves according to the latest statistics that have been released. So in
just one year, the ransomware attacks have netted or grossed close to 1
billion dollars. Over 50 percent of US companies have experienced a ransomware
incident (and you can see other countries listed on the slide), but in the United
States alone, over 50% of companies have reported a ransomware compromise - there
probably are quite a few more that haven't reported anything - these are just
the statistics that are available. And it does not matter if it's a large
corporation or a small corporation; there doesn't seem to be any rhyme or reason
to the attacks specifically. 60% of the ransomware attacks in the United States
demanded over $1,000 ransom per incident. And while revenue generation is still the
primary objective, what they're seeing now is a shift in that attacks are simply
geared to do nothing more than destroy your data. So there's still some sort of
ransom attached to most attacks; however, what the scale seems to be leaning
towards more often now is that they're simply looking to destroy the data and
your access to the data as well.
Ransomware attacks can take as little as 15 minutes to implement;
however, median time to detection is still about three and a half hours. So
you can see the difference there in how quickly a ransomware attack
can be deployed and how relatively slow it is until the detection has been noted
and remediation can then begin to take place, and by that time it is usually way
too late. And the number of attacks on businesses has grown from one every two
minutes to one every 40 seconds in 2016. So you can see a significant increase in
the amount of attacks that organizations are seeing, and you can also see where
the problems lie as the industry continues to try to catch up to how they
can effectively protect organizations from ransomware compromises. When talking
to business leaders that have been affected by ransomware attacks, the
things that they most often say about the impact they have had are, first and
foremost, business disruption; that's the whole point and intent of
ransomware, to disrupt your business on a daily basis. Secondly, they say
they've suffered reputation damage. So in some cases businesses that have been hit
by ransomware, and haven't either announced or been found out to have been
compromised by ransom, their business suffers reputation damage. Obviously
one thing that's extremely concerning to the businesses, they reported, is
their loss of proprietary information, either on a temporary or permanent basis.
That doesn't mean that a ransomware attack is trying to
get access to your data; it's trying to prevent you from getting access to your
data. So the ability that organizations have to use their proprietary
information, either temporarily or permanently, is disabled by these
ransomware attacks, which obviously ties in to business disruption, and finally,
financial loss. For many companies this is beyond just paying a ransom; we'll
talk a little bit later about those companies that have decided to pay the
ransom. That's not the financial loss that they're really talking about; the
financial loss is in the difficulties. And then finally, if you
think it can't happen to you, take a look at the slide that's on the screen
now and you can see some of the companies that have been compromised by
ransomware attacks just in the last year or so and most of these companies should
be somewhat familiar to you. One of the things I wanted to point out on this
slide though is that the Bayer and Siemens organizations - their organizations
weren't hit by ransomware attacks, the devices that they manufacture were, and
in some cases those devices that they manufacture were in hospitals in the
United States. So not only do the ransomware attacks seek to identify
companies, they are also looking to identify devices. You guys may be familiar with
the Internet of Things and the fact that everything is being connected; ransomware
can target those points of attack. And in the case of Bayer and Siemens, that's
exactly what happened. Their organizations didn't get hit; the things
that they manufactured were compromised by ransomware. And based on what they do,
that can be a pretty frightening proposition if you think about what
those devices are and what the impact from the hospital standpoint
would be. So those are just a few quick slides and facts about ransomware's
impacts and scope. I'm going to turn it over now to Eric Thompson, who is
going to go into a little bit more detail about what ransomware is, how it
can affect your organizations, and things that you need to be thinking about to
help prevent it.

Thank you Dave. Hello everyone, my name is Eric Thompson, Solutions
Architect here at ALI, and let's take a look at how ransomware targets your
organization. So ransomware attacks vulnerabilities. What exactly are we
talking about? There are four major weaknesses that are actively targeted
for attack. The most common is e-mail, mostly attachments, especially Word
documents with malevolent macros. Usually these arrive in the form of a
resume or shipping notification. You may also see redirected links, which is a URL
in an email that appears to be genuine but is not. So let's take a look at some
examples of these fake links. We're going to play a little game; it's called
"is this the correct link or not", and you only have about three seconds to
decide. And here we go: so is this the correct link? No. In this example, the
number 1 has been substituted for the letter L in PayPal. It is very easy to miss.
Let's try again. So Amazon this time. Is this the correct URL for Amazon? No. This
time the letter A was omitted. So let's try another one. Microsoft - looks correct.
It's actually missing a period. This has nothing to do with the Microsoft website;
it's a completely different site. Go on. Apple. Everybody knows Apple. Again, not
correct. This time they added an S and made it plural. One last one. Google. Nope.
This time there are three O's instead of just two. You can see how an end user is
pretty easily deceived by these creative changes. The second major category of
attack is what we call "drive by download".
There are two types of these, the non-interactive and interactive type. On the
non-interactive side, you may visit a compromised website. If you have an older
browser, corrupted plugins, or maybe just an unpatched third-party application,
the compromised website can then run an exploit kit. These are non-interactive; it
just happens to be a website that is already infected. On the interactive side,
you are being actively tricked while trying to download a real application,
driver or patch. Such sites are a favorite target for these kinds of attacks.
These websites can be very confusing even to a seasoned IT professional because
of all the fake download ads, specifically on the download page. The third major
category is pirated software: cracked, free but illegal versions of expensive
software that often contain malware and now ransomware. Popular programs include
Microsoft Office, Windows, Photoshop, SolidWorks, AutoCAD. The fourth category is
actually post-infection spread, so becoming infected from an already infected
machine which is on the same network; these self-propagating viruses or ransomware
use privileged accounts. So of these four categories, three have something in
common, and the commonality is that they need human interaction to succeed. So
let's look at
what actually happens during an attack. The CPU and the memory may become
overloaded, fans may speed up to compensate for the additional heat, you may see
the file extensions actively being changed, and each variant may use its own
extension (.crypt, .vvv, .zepto and so on). Users won't be able to actually open
their files because the extension isn't recognized. If a user is working on an
unencrypted file, it will be encrypted as soon as it is saved. Changing the
extension back manually will have no effect. Another thing you may see is USB
devices that have been forcefully disconnected, that is, external hard drives or
USB drives. The goal here is either to infect them or corrupt them with forceful
ejections. So what is encrypted? Ransomware wants to lock away important user data
and allow the system to actually continue running normally. It usually targets
productivity files: Microsoft Office, OpenOffice, Adobe PDF, EFT files, popular
image formats like JPG and PNG, regular text files, and database files such as
SQL, Oracle or MDB files. Other natural targets are compressed files (zip, rar)
and certificate or PEM keys, which are pretty important to an organization. So
what happens in the immediate aftermath
of successful attacks? Usually you get a display of a threatening message with
instructions on how to pay, and it usually includes the deadline. The actual
encrypted file folders may contain a text file with instructions as well.
If your antivirus didn't stop the attack, it will probably be stopped by the attack
or even deleted. You may not be able to use some system utilities such as the
command line, PowerShell, Control Panel, Registry Editor, msconfig or
Ctrl+Alt+Delete. Ransomware actively tries to turn these off to keep you from
stopping it. It will actually try to remove the ability to boot into safe mode on
Windows machines. It may try to remove the Windows rollback point or disable
VSS. Operating system updates may be blocked. The virus then attempts to
spread to other computers, servers or files from an infected user who has
access to these on the network. Then we'll actually see a ransom. The demanded
payment is usually in the form of bitcoins, but sometimes now they'll ask for
Amazon, Apple or other gift cards because they're easier to launder.
So can you stop the attack? Unless you can disconnect the network and pull the power,
probably not. By the time the ransom notice pops up, it's already too late.
You can try to kill the suspicious program, but the damage has probably
already occurred. You can try to change the file extensions to something
uninteresting, like PDF or MVP, that actually hides them from the ransomware.
But then again, the command line, Ctrl+Alt+Delete and Process Explorer may not
work at that point. So what are the real options after a successful attack?
The first option would be to restore from backups. If you have pre-infection
backups, you can use those to restore. 99% of companies actually do some kind of
backup, but only 41% are able to fully recover with those backups. This is
because of backup failures, or the newest data was lost, or the backup itself
became infected. So what happens if you can't recover from a backup? Well, you
can attempt to recover via tools. Older cryptos may have solutions, but those
are probably not the one you're infected by, because the AV signatures would
have already detected it. So without a successful backup, your final options
are: pay the ransom or rebuild. So what can we do to prevent
these attacks? While browsing, avoid drive-by downloads; many ransomwares
utilize IE, Adobe Flash or Java. It's actually recommended not to use IE anymore;
use more secure browsers like Edge, Chrome or Firefox. Remove Adobe Flash if you
can, disable ActiveX, and use HTML5 where possible. Fewer ransomware seem to
target Chrome, as it has fewer vulnerabilities. If you must use Internet
Explorer, try to set the security level to high; most ransomware can only work
at lower security settings. And ransomware propagates through advertisements,
so blocking ads using an ad blocker or layer 7 filtering may help. Email
attachments: because it's about unsolicited attachments, avoid clicking on
untrusted links in an email or opening those attachments. Don't enable macros.
You want to use some kind of spam detection, and AV, IDS, IPS or anti-phishing
software. On the antivirus side, keep it updated and remember that AV is not
perfect. Centrally managed enterprise AV can update signatures faster than
standalone solutions. Next, least-privilege OS best practices. You want to
activate User Account Control on Windows 7 or above; don't stay logged in as an
admin if you don't need to; don't do web surfing, email or document editing in
an admin account; and configure the access controls, including file, directory
and network share permissions, with least privilege in mind. You want to keep
the operating system, especially security patches, up to date. You may want to
implement a software restriction policy to actually block these binaries from
running in temp directories, download directories, or your local AppData
directory, and you can use the Windows Group Policy Editor to push these settings
to all PCs. At the hardware level you want to create an air gap: separate your
critical computers from the internet, and use separate computers for risky
activities, never servers. Web surfing, email, BitTorrent: you should not be doing
these things on a server. At the network level you want to install a
next-generation firewall, and not all firewalls are created equal;
next-generation firewalls include more layers for filtering (such as the Cisco
ASA with FirePOWER services). You want to block proxy services and other
oddities, block access to known malicious IP addresses, and patch the operating
systems and software on the network devices; keep them up to date as well. You
may consider using a centralized patch management system to keep the individual
PCs or the network devices up to date. At the external network level you might
consider using a secure internet gateway; these usually redirect DNS to a secure
filter system such as Cisco's Umbrella. Email security: you need email gateways
or cloud-based email security. You want to enable strong spam filtering using
technologies like SPF, or Sender Policy Framework, which ensures that your domain
is not spoofed. You want to scan all incoming and outgoing emails to detect
threats and then filter executable files from reaching end-users.
Awareness and training for your employees: and this is not just for end-users,
this is for IT as well.
So why does ransomware make it through all these layers? Well let's compare
physical security to network security. We're going to play another game called
Spot the Security Hole. So you can see the security hole in the defense system -
it's pretty easy to spot physical security gaps. Let's try again... Yeah, not
too complicated when you understand how the system works. Do you see what went
wrong here? This one actually took me a second, but once you see it I think you'll
understand. Here's another one - not such a great idea. This one is actually the
Pittsburgh Penguins' internal Wi-Fi password that was displayed on ESPN during an
after-game interview - yeah, not that great. So now tell me if this config is
secure. It's not just as simple as looking at an open gate. The IT people on the
call have probably already noticed that this config is okay, but they probably
want to shut down POP3 access. Sometimes you know you have a problem, but not how
to fix it. If you have a window replaced, you'd be told that this is a correct
solution, sort of, but with poor insulation. This is a visual representation of a
poorly designed security solution. You want to make sure that you have someone
qualified giving you advice. Maybe you have the right product; it just didn't get
implemented correctly. Most organizations have solutions that have been
independently chosen and put together over time, without a coherent plan. So
we'd love to help you figure out a solution to your current issues and provide
support and fill any current gaps you may feel you have. With that, I'll turn it
over to Don Davis, our VP of Network Integration, to discuss ransomware and its
effects from a leadership perspective.

Thanks Eric, appreciate you guys giving us the time
today. I just want to give you a couple of thoughts for the business
leaders at your organizations. The things that Dave touched on that everyone
needs to consider are your reputation, and customers are concerned with the data
that they entrust to your businesses, and the impact of a ransomware attack on
your reputation is again one of the most important factors to consider. The
other thing we talked about is, what's your downtime? And the things to look at
here are: there's the actual cost to fix the problem, there's the revenue loss,
and the productivity loss. So we talked about hard cost and soft cost. It's
really important in your organization to understand and have each line of
business agree to what those things are. That's not something that a consultant
like us can tell you what that's worth. And once you get agreement inside your
business, then an IT organization understands how to make investments. But
without taking an honest look at what that downtime is worth, what the cost is
going to be to make the repairs, it's really hard for you to make good
investments in how to prevent and, some other things we're going to talk about
in a minute, how to recover. One thing you may want to consider, as you
understand what the cost of being down is: a real popular rider to have for your
business today is an information technology rider on your insurance policy. If
you don't have one, get with your insurance agents and take a look at them. One
thing, from a ransomware perspective, that it probably won't do much good on,
because of the deductibles: it won't help you with the ransomware. But all the
other costs it will help with, so if you don't have insurance you should look
into it. The most important thing for any organization, and we've run into
ransomware attacks with customers, and the biggest thing is plan... you know,
what are you going to do when it happens? I can tell you that the Department of
Justice and the FBI recommend "don't pay the ransom". The issue that we're seeing
now from a customer service standpoint, the hackers aren't getting very good at
being able to provide the actual encryption key. So you may pay the ransom, but
only four out of five end-users that are paying the ransom are actually getting
an encryption key that allows you to unlock your data. And that gets back to the
point that Dave was talking about earlier, that in some cases the intent
is not necessarily to get money, but to cause destruction.
So again when you're thinking about planning, when it happens, what are you
going to do? You know the recommendation is to try to recover from back up.
Some large organizations may want to consider buying an incident response service.
Cisco has developed a service that prepares for readiness and response for
businesses that may be something that a large organization may want to consider.
But again, the thing that you want to do most often is plan; make sure your
employees understand what your policies are, and that they're trained. And it's
not a one-time training process, it's a continuous process. And have in your
plan how often employees are trained: certainly an onboarding process that goes
over that policy and training for new employees, and then at least a manual in
place and a retraining process, so your employees understand how to help prevent
and what their responsibilities are for protecting your company's information.
So again, just to wrap it up: a solid policy, a solid plan. Eric went through
several of the areas that you need to work on from a protection standpoint, and
I'm not going to regurgitate all those different vectors and how you can protect
yourself, but certainly we're there to help. Anyone that wants to contact their
Account Manager and have us come out and take a look at either a business policy
or IT policy, and then any actual protection services that you're looking for,
we'd be more than happy to help. And if all else fails, we have introduced a new
backup solution that most of you have probably heard about, and the reason that
we developed this product is to make sure that our customers have a solid
backup. And what FlxStore is, is just that. It's an end-to-end solution; you can
have us completely manage your backup, it has an on-site backup appliance, and
then replication of that backup to our Data Center. So if anyone would be
interested in looking at how their current backup situation protects them, and
maybe whether FlxStore would be a better solution, with that, if you do get
infected, knowing that you have a good on-site and off-site backup. So with
that, I think I'm going to turn it back over to Parker and we'll open it up for
Q&A.
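The lookalike-link game Eric plays in his section (PayPal with a 1 for the l, Amazon with a letter omitted, Microsoft with a period missing, Apple made plural, Google with an extra o) can be turned into a defensive check that a mail gateway or a training tool could run. The Python below is an added example, not code from the webinar or from ALI; it assumes a small constructed brand allowlist, treats the missing-period case as wwwmicrosoft.com, and goes a little beyond the talk by also flagging a brand name buried in a subdomain.

```python
import re

# Constructed sample allowlist: brand label -> its legitimate registrable domain.
KNOWN_BRANDS = {
    "paypal": "paypal.com",
    "amazon": "amazon.com",
    "microsoft": "microsoft.com",
    "apple": "apple.com",
    "google": "google.com",
}

# Characters commonly swapped for look-alike letters (the "1 for l" trick from the talk).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "|": "l", "$": "s"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: one insertion, deletion or substitution costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hostname(url: str) -> str:
    """Extract the host from a URL or bare hostname (no IDN/punycode handling; assumption)."""
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url.strip().lower())
    host = host.split("/", 1)[0].split("@")[-1].split(":", 1)[0]
    return host.rstrip(".")


def classify(url: str):
    """Return (verdict, brand). Assumes brand domains are two labels, e.g. brand.com."""
    host = hostname(url)
    labels = host.split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]   # registrable label
    normalized = label.translate(HOMOGLYPHS)
    for brand, legit in KNOWN_BRANDS.items():
        if host == legit or host.endswith("." + legit):
            return "legitimate", brand
    for brand in KNOWN_BRANDS:
        if normalized == brand and label != brand:
            return "lookalike-homoglyph", brand    # paypa1.com
        if edit_distance(normalized, brand) == 1:
            return "lookalike-edit", brand         # amzon.com, apples.com, gooogle.com
        if brand in normalized:
            return "lookalike-contains", brand     # wwwmicrosoft.com, paypal-login.com
        if brand in labels[:-2]:
            return "lookalike-subdomain", brand    # paypal.com.evil.example
    return "unknown", None


if __name__ == "__main__":
    # Constructed inputs mirroring the five links from the talk plus two extra cases.
    for link in ["https://www.paypal.com/signin", "paypa1.com", "amzon.com",
                 "wwwmicrosoft.com", "apples.com", "gooogle.com",
                 "paypal.com.evil.example"]:
        print(f"{link:32} -> {classify(link)}")
```

The verdict strings are only labels for a human or a filter rule; a real deployment would feed a much larger allowlist and handle multi-label public suffixes such as co.uk.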