Security Series #5 – November 2016
(Original Content Provided By Maura Wiese, Vice President and Underwriting Manager, Cyber & Technology, XL Catlin)
It’s every organization’s nightmare: something is intentionally preventing employees from using the company’s computer systems normally. Whether access to the operating system is blocked, files are encrypted or certain applications are unusable, in every case the organization receives a ransom demand in exchange for stopping the attack.
Unfortunately, this type of cyber-attack, involving a specialized form of malware notoriously known as ransomware, is common. The Federal Bureau of Investigation (FBI) notes that such attacks are not only increasing but also getting more sophisticated. The startling truth is that a ransomware incident can be worse than a data breach. Businesses are more reliant than ever on computers to operate. What happens when a company’s network goes down? Employees become frustrated that they cannot work, and some organizations hit with this type of attack quickly opt to pay the ransom in order to resume normal IT access and avoid any material impact on business operations.
A typical ransomware incident plays out like this: an employee receives an email containing a legitimate-looking file attachment or a link to a URL. Opening that file or clicking that link installs malware on the computer, which then searches for and encrypts files and folders on local drives, attached drives, backup drives and potentially other networked devices. Any backup that is mounted or reachable over the network at the time of infection is encrypted along with everything else, which is why a backup copy kept offline, or otherwise out of reach of the infected machine, is the one that matters. Phishing, which uses spoofed email messages and links that appear to come from a known or trusted individual or business, is the most common channel for ransomware to enter a network. There are other ways malware can infiltrate a network. In some instances the ransomware is downloaded automatically when an employee visits a malicious website or a legitimate website that has been hacked; yes, simply browsing a website can transfer malicious code to the end user’s computer. In other instances the malware is bundled with other software that is downloaded.
Ransomware is big business. McAfee estimates that a single ransomware author and distributor was able to collect $121 million in ransom payments during the first half of this year, netting $94 million after expenses. Ransoms generally are demanded in Bitcoin, a cryptocurrency in which payments are tied to addresses rather than names, so the parties are hard to identify even though the transactions themselves are public. Many ransomware incidents demand small amounts, such as 0.5 or 1.0 Bitcoin (about $355 to $711 at Bitcoin’s value range during the posting of this article). That is a sum most would consider paying to retrieve their data, so why not just pay it?
First, paying even a small ransom encourages cyber criminals to keep up the attacks; if they cannot make money from them, they will move on to other activities. Second, paying a ransom and getting systems or data back does not ensure that the network and computers are actually safe and the risk has been removed: the attacker has already shown it can run code on the network, and a decryption tool, if one is delivered at all, does nothing about that foothold. It is difficult for a company to determine on its own whether the malware has truly been remediated, so to be certain it often hires a forensic investigator. If data was also accessed or stolen, a seemingly minor ransomware incident could trigger breach notification requirements, which are considerably more expensive than a $300 demand and all the more reason to strengthen a company’s ransomware defenses. Fortunately, there are effective means of preventing ransomware from infecting an organization’s systems, including educating employees about the risks and the role they play in preventing a cyber-attack, and implementing basic security controls such as anti-malware software and data backup procedures.
BOOSTING CYBER AWARENESS
While information security teams deploy security tools and tactics to minimize the risk of ransomware, few would dispute that a good defense starts on the front lines, with employees. Every employee needs to be aware of how their individual actions can trigger a cyber incident.
Lessons need not be elaborate; they should center on building awareness of warning signs and of the tactics cyber criminals are currently using. Consider these three messages that every employee can remember and that go a long way toward keeping ransomware and other malware off their computer.
1. Don’t talk to strangers. While we are all inundated with email these days, most of it should come from people we know. If you do not recognize the address an email is coming from, just delete it. Review the sending address closely, not just the display name: attackers have gotten very good at registering lookalike domains that differ from the real one by a single added, dropped or swapped character (e.g., one letter dropped from @business.com).
2. Steer clear of suspicious emails. This applies not only to messages sent by unfamiliar people but also to those from senders who are acquaintances. Today, emails can masquerade as notifications from a delivery service, your bank, your credit card company or any number of other potential senders or “friends.” One way to check the legitimacy of a link in an email is to hover the mouse over it without clicking and read the actual destination address that the mail client or browser shows. If that destination differs from the text of the link or from the domain you would expect, that is a big red flag. Misspellings and grammatical errors are other warning signs. When companies like major banks send emails to their customers, the messages are usually vetted by several departments, including communications and legal, so such errors would be caught in a genuine customer email campaign before it reaches you.
3. Think twice before clicking a link! Dangerous hyperlinks arrive via email, social networks and instant messages, and the senders are often people you trust, including friends or colleagues, because cyber criminals compromise their accounts and spam their contacts with bad links in order to deliver malicious software to as many people as possible. Clicking such a link can let ransomware onto your machine. Some ransomware operators have also adopted another approach, known as malvertising, in which they abuse an advertising network so that ads carrying malware or ransomware are delivered through websites you know and trust.
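The three lessons above can be turned into checks that a mail gateway, a help desk or a curious employee could run against a suspicious message. The following is an added example written for this article; it is not code from the original text or from XL Catlin. It judges the sender by the address rather than the display name, flags domains within two characters of a trusted one, notices when Reply-To points somewhere other than the apparent sender, and performs the “hover” check by comparing the visible text of each link with the host its href actually targets. The trusted-domain list, the two-character lookalike threshold and both sample messages are constructed assumptions.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains this organisation legitimately corresponds with (constructed assumption).
TRUSTED_DOMAINS = {"business.com", "microsoft.com"}


def edit_distance(a: str, b: str) -> int:
    # Levenshtein distance, used to spot one- or two-character lookalike domains.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr_spec: str) -> str:
    return addr_spec.rsplit("@", 1)[-1].lower() if "@" in addr_spec else ""


def host_in_text(text: str) -> str:
    # If the visible link text looks like a URL or hostname, return that host, else "".
    if " " in text or "." not in text:
        return ""
    return (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()


class LinkCollector(HTMLParser):
    # Collects (href, visible text) pairs from an HTML body.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_message(raw: bytes) -> list:
    """Return human-readable phishing indicators found in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # Lesson 1: judge the sender by the address, not the display name.
    sender = msg["from"]
    from_dom = domain_of(sender.addresses[0].addr_spec) if sender and sender.addresses else ""
    if from_dom and from_dom not in TRUSTED_DOMAINS:
        near = sorted(d for d in TRUSTED_DOMAINS if edit_distance(from_dom, d) <= 2)
        findings.append(f"lookalike sender domain {from_dom} (resembles {near[0]})" if near
                        else f"sender domain {from_dom} is not a known correspondent")

    # Lesson 2: replies quietly routed elsewhere are a classic impersonation sign.
    reply_to = msg["reply-to"]
    if reply_to and reply_to.addresses:
        rt_dom = domain_of(reply_to.addresses[0].addr_spec)
        if rt_dom != from_dom:
            findings.append(f"Reply-To domain {rt_dom} differs from From domain {from_dom}")

    # Lesson 3: what a link shows versus where it really goes (the "hover" check).
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            real_host, shown_host = (urlparse(href).hostname or "").lower(), host_in_text(text)
            if shown_host and real_host and shown_host != real_host:
                findings.append(f"link text shows {shown_host} but points to {real_host}")
    return findings


# Constructed sample messages, not real mail. The lure reuses the subject line of the
# phishing test described later in this article.
SAMPLE_PHISH = b"""From: "Vendor Security Updates" <updates@busines.com>
Reply-To: helpdesk@mail-secure-login.net
To: employee@business.com
Subject: [News] 2/9/16 Security Update for Lync and Skype
Content-Type: text/html; charset="utf-8"

<p>Please log in at <a href="http://login-update.example.net/skype">https://www.microsoft.com/skype-update</a>
to install the update.</p>
"""

SAMPLE_LEGIT = b"""From: "Microsoft" <updates@microsoft.com>
To: employee@business.com
Subject: Monthly security bulletin
Content-Type: text/html; charset="utf-8"

<p>See the <a href="https://www.microsoft.com/security">bulletin page</a>.</p>
"""

if __name__ == "__main__":
    print("phish:", check_message(SAMPLE_PHISH))   # three indicators
    print("legit:", check_message(SAMPLE_LEGIT))   # []
```

The phishing sample trips all three checks (a domain one letter short of business.com, a Reply-To on an unrelated domain, and link text naming microsoft.com while the href goes elsewhere), while the legitimate sample produces none. None of these indicators is proof on its own; the value of the hover check in particular is that it works even when the sender address is genuinely a compromised colleague’s, which the first two checks cannot catch.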
With all that employees have to worry about in their day-to-day jobs, it is not always easy to get their undivided attention. That’s why employers have to exercise some creativity in ensuring that cyber security lessons get the attention they require and that employees retain and apply what they learn.
For instance, at one IT company, the information security team distributes regular cyber security lessons to colleagues through various channels. To entice employees to complete this important training, the team uses innovative and creative ways to share it, communicating with humor and fun tactics including posters in the company’s offices, short webinars, blogs that offer a personal perspective from its IT security professionals and even contests that encourage staff to watch educational videos in order to raise money for a charity.
On occasion, newly acquired cyber knowledge can be put to the test with an actual test. More and more organizations conduct exercises such as phishing tests, which involve sending employees fake “phishing” emails to see how they react.
Here’s how such a test might play out: an IT security team sends a select group of employees an email. In one case, 900 employees were sent an email from “Vendor Security Updates” with the subject line “[News] 2/9/16 Security Update for Lync and Skype”. The email asked recipients to log in and update their Lync and Skype software through a link labeled “Skype for Business (Lync) Security Update”, which pointed to a site that was not the vendor’s. Recipients who clicked the link were taken to a forged Microsoft web page that instructed them to log in with their company credentials (ID and password).
Thanks to previous awareness training, many in this test deleted the email. Others called the company help desk or IT security directly to raise a red flag. A much smaller group actually entered their credentials and were routed to a second webpage and informed that they had been phished. If this had been a true phishing attack, simply clicking the URL link embedded in the original email could have loaded malicious software (malware) onto a company computer. If an individual actually went ahead and entered their credentials, they could have put their company infrastructure and data at risk in addition to their own personal accounts.
Many companies require additional mandatory awareness training for individuals that fail such tests. Some firms may also require individuals in departments like finance and human resources — departments that are particularly vulnerable to attacks because of the information they can access — to step up their awareness with additional mandatory training.
According to one company’s head of information security management, education drives behavioral change. Instead of employees being “the weakest link” in a cyber-security incident, the individual and his team encourage employees to utilize the ‘see something, say something’ philosophy to empower them to become one of the strongest lines of defense. If they ever see something strange in their email inboxes, or if they see something unusual going on in the system, they are encouraged to raise a red flag, contact information security and give feedback that will make their online security efforts even stronger.
For any organization that relies on computer-stored data and technology, educating employees on the newest cybercrime tactics and social engineering plots can be the most important strategy in staving off cyber-attacks.
ABOUT THE AUTHOR
Maura Wiese is a vice president and underwriting manager in XL Catlin’s Cyber and Technology Insurance Group. She has extensive experience underwriting cyber liability, technology, miscellaneous professional liability and media insurance.