October 20, 2020
Good morning, everyone!
This week’s critical vulnerabilities:
Patch all the things!!
Ransomware Victims That Pay Up Could Incur Steep Fines from Uncle Sam
I touched on this briefly last week, but now I want to discuss it a bit more. As Brian Krebs reports, in an advisory released October 1, the U.S. Treasury’s Office of Foreign Assets Control said “companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.”
Wow. This is serious, and seriously complicated. Many people in the industry are reporting that more and more companies are paying the ransom, in spite of the FBI’s warning that this only encourages the criminals. Sometimes the insurance company forces the ransom payment, as it may be less expensive than rebuilding a network from scratch. In particular, organizations that don’t have good backups may have no choice but to pay the ransom. The OFAC advisory makes the situation much more complicated.
Let's talk about backups
Remember, if you store your data in the cloud, have local backups. If you store your data locally, have backups in the cloud. Cover all your bases. Honestly, you can never have too many backups! Just be certain they are good backups:
Refer back to my August 4 newsletter for more detail on how to have good backups.
I read a well-written piece on the subject of the OFAC advisory, which states in part:
The major sanctions-related risk in a ransomware attack is that a ransom payment will go to a sanctioned person or sanctioned jurisdiction. The OFAC Advisory emphasizes that OFAC “may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations.”
So you can get in trouble for paying a ransom, even if you have no idea that money is going to a sanctioned entity.
OFAC does not comment on the difficulty of determining who is responsible for a ransomware attack but does identify factors that may mitigate any enforcement action in the event a payment goes to a sanctioned actor.
Well, I guess that’s some consolation? I’ve read a lot of opinion pieces on these new advisories – “blame the victim” is a common refrain. But it is a complex situation; I can see both sides. So what to do?
Prevention is your first defense against ransomware! Ransomware is on the rise at least in part because of security holes created in networks that were hastily opened up to allow working from home (WFH). I have been told (by someone I know who monitors these things) that open/exposed RDP ports have increased by 50% in the Mobile area in the past three months. This is a trend all over, not just here. Windows Remote Desktop Protocol (RDP) is a major target: “The number of daily brute-force attacks against Windows remote desktop service has almost doubled during the pandemic lockdown” according to this report. So let me recap my earlier discussion on this issue.
Many businesses were not prepared for teleworking/WFH when the pandemic first began, and were forced to implement temporary measures. Now that the immediate crisis has passed, it’s time to review your security measures and develop a plan for a secure, long-term, remote workforce when needed. Here are a few things to consider:
(1) Install a VPN.
(2) Set up corporate accounts for LogMeIn, GoToMyPC, etc.
(3) Develop and promulgate an acceptable use policy for WFH.
(4) Secure employee home networks.
(5) Require multi-factor authentication everywhere.
(6) Invest in employee training.
(7) Have good written policies, and train your employees on the policies.
You can read more details about these steps and how to implement them in my July 21 newsletter.
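Since exposed RDP and the brute-force attacks against it are the point above, here is an added example (written for this post, not taken from the cited report) of the kind of check a defender can run over Windows Security log events: it counts failed RDP logons (Event ID 4625, LogonType 10) per source address in a sliding window and flags sources that cross a threshold. The event fields, addresses, timestamps and thresholds are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample Windows Security log events, simplified to a few fields.
# Event ID 4625 = failed logon; LogonType 10 = RemoteInteractive (RDP).
def _ev(time, src, event_id=4625, logon_type=10, user="administrator"):
    return {"time": time, "event_id": event_id, "logon_type": logon_type,
            "user": user, "src_ip": src}

SAMPLE_EVENTS = [
    # six failed RDP logons from one address within 40 seconds: brute force
    *[_ev(f"2020-10-19T02:00:{s:02d}", "203.0.113.45") for s in (1, 9, 17, 26, 34, 41)],
    # two failures from another address, 20 minutes apart: more like a typo
    _ev("2020-10-19T02:05:00", "198.51.100.7", user="jsmith"),
    _ev("2020-10-19T02:25:00", "198.51.100.7", user="jsmith"),
    # a dozen network (LogonType 3, e.g. SMB) failures: not RDP, not counted here
    *[_ev(f"2020-10-19T02:01:{s:02d}", "192.0.2.9", logon_type=3) for s in range(0, 60, 5)],
    # a successful logon (4624) is not a failure
    _ev("2020-10-19T02:30:00", "198.51.100.7", event_id=4624, user="jsmith"),
]

def detect_rdp_bruteforce(events, threshold=5, window_seconds=60):
    """Return {src_ip: peak_failures} for every source whose failed RDP logons
    reach `threshold` inside any sliding window of `window_seconds`."""
    by_source = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 4625 and ev["logon_type"] == 10:
            by_source[ev["src_ip"]].append(datetime.fromisoformat(ev["time"]))
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for src, times in by_source.items():
        recent, peak = deque(), 0
        for t in sorted(times):
            recent.append(t)
            while t - recent[0] > window:   # drop failures that fell out of the window
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            flagged[src] = peak
    return flagged

if __name__ == "__main__":
    for src, count in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{src}: {count} failed RDP logons within 60s - block and investigate")
```

The same logic applies to an exported event log or a SIEM query; the threshold and window are tuning knobs, and a source that trips them is a candidate for a firewall block and a review of which accounts it targeted.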
AAA Protocols Redux: Too Many Privileged Users Don’t Need Elevated Access
Security vendor Forcepoint recently polled over 1900 administratively privileged users, discovering that over one-third of them did not need that access. What does this mean? Users should only have access to resources (file shares, software applications and functions therein, etc.) that they actually need to perform their jobs.
Three reasons in particular were given:
- everyone at a certain level (by job title) has privileged access
- privileged access from a previous role had not been revoked when they changed jobs
- elevated access rights had been granted for no apparent reason
The author says "Operating an access policy of 'least privilege' is widely accepted to be cybersecurity best practice."
Hey, didn’t I say that last week? Mind your AAA Protocols! (Authentication: who are you? Authorization: are you allowed to be here? Accounting: what are you doing here?)
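One way to turn the Forcepoint finding into a routine check, as an added example not taken from the report: compare each user's actual privileged group membership against what their current role needs, and label each excess as either left over from a previous role or never justified at all. The roles, groups and users are constructed for the example; in practice the data would come from your directory and HR records.

```python
# Constructed sample data: the admin groups each role legitimately needs,
# and each user's current role, past roles and the groups they actually hold.
ROLE_ENTITLEMENTS = {
    "sysadmin": {"Domain Admins", "Server Operators", "Remote Desktop Users"},
    "helpdesk": {"Remote Desktop Users"},
    "accountant": set(),
    "director": set(),
}
USERS = {
    "alice": {"role": "sysadmin", "previous_roles": [],
              "groups": {"Domain Admins", "Remote Desktop Users"}},
    # bob moved from helpdesk to accounting; his RDP access was never revoked
    "bob": {"role": "accountant", "previous_roles": ["helpdesk"],
            "groups": {"Remote Desktop Users"}},
    # carol was granted Domain Admins by job title, with no role that needs it
    "carol": {"role": "director", "previous_roles": [],
              "groups": {"Domain Admins"}},
    "dave": {"role": "helpdesk", "previous_roles": [],
             "groups": {"Remote Desktop Users"}},
}

def review_privileges(users, entitlements):
    """Return {user: [(group, reason), ...]} for every group a user holds that
    the user's current role does not justify, classified by likely cause."""
    findings = {}
    for name, info in users.items():
        allowed = entitlements.get(info["role"], set())
        for group in sorted(info["groups"] - allowed):
            # was this group part of a role the user used to hold?
            stale_from = [r for r in info["previous_roles"]
                          if group in entitlements.get(r, set())]
            if stale_from:
                reason = f"not revoked after leaving role '{stale_from[-1]}'"
            else:
                reason = f"not justified by role '{info['role']}'"
            findings.setdefault(name, []).append((group, reason))
    return findings

if __name__ == "__main__":
    for user, items in review_privileges(USERS, ROLE_ENTITLEMENTS).items():
        for group, reason in items:
            print(f"{user}: remove from '{group}' ({reason})")
```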
As always, I could talk a lot more about this stuff! Come back next week for the next installment. :)
October 28: Implementing the NIST Cyber Security Framework
November 10: Ethical Duties: How Technology is Undermining Attorney-Client Confidentiality (1 hr ethics CLE)
December 3: Ethical Duties: Practical Strategies for Safeguarding Client Information (1 hr ethics CLE)
Security Awareness Training Goes Virtual
Thanks to COVID-19, lots of things are going virtual, and that includes my employee Security Awareness Training. I've set up a small studio in our conference room (nobody there but me) so I can provide live training (almost) just like before! You can see me wave my hands and make faces while a wall of fascinating facts and practical tips slideshow across your screens, wherever you and your employees may be.
Contact me to schedule your employee training sessions. They're fun! ☺
Talk to you again soon!