Protecting Your Organization From Ransomware Part 1 – Train Your Users

This is part 1 of a mini-series that I’m going to do on the things that can protect your organization from ransomware. This is not an exhaustive list; however, if done properly, these measures can seriously reduce the risk of ransomware taking your organization down. At the very least, following these suggestions will reduce the amount of impact that a ransomware infection will have on your organization.

Part 1 – Train Your Users

If there’s one thing I’ve learned working here at KnowBe4, it’s what a difference training your users can make. I talk to folks all the time and hear story after story about how trained users made the difference. In my younger years, I probably wouldn’t have believed it; however, having experienced it first-hand, let me tell you, it really does work.

This is not a sales pitch for my company. I want to try to help you understand how to make the time you spend training your users provide the best ROI. If you already have to do annual training for compliance, just putting a little more effort into things and taking it seriously can pay off big for you.

Messaging – Start Right From the Beginning

Messaging plays a huge role in how well your training is accepted, and it is a step that is often neglected completely or barely considered. Start by understanding that people in general don’t like to be told to do something “because we say so”. I don’t know if that’s any more prevalent outside of the interaction between IT/security professionals and users, but it frequently raises its head here. When it comes to training your users, you want to avoid an “Us” versus “Them” mentality. We have to change it into an “Us” helping “Them” feeling. While it is easy to get frustrated when users click on things that you know they shouldn’t, you need to have patience. Try to remember that most users don’t live in the tech world we do. They aren’t aware of the threats the way we are, and it’s our job to help them understand this. Users aren’t usually dumb; they often just have skills in domains that we may not, and vice versa.

Consider how a user feels about the training in the following two messaging scenarios:

“Folks, it’s that time of year again when we do the mandatory security awareness training. This is required to be done annually by some of our regulations and contracts. We will meet in the break room at 10am for 1 hour. Anyone not able to make it will need to schedule a follow-up appointment. We will start testing everyone by sending simulated phishing emails at least once a month after that. Again, this is mandatory. Thanks, IT Staff”

or

“Folks, did you know that 91% of successful data breaches start with a spear-phishing attack? Did you know ransomware and phishing can also hit you at home and potentially cost you all of your important photos and documents? The bad guys don’t care, but we do, so we have some great training that will help protect not only the organization, but you and your family at home as well. This training is online and on-demand and should take about an hour, so you can watch it at your leisure when you have some spare time. Training does need to be completed in the next 30 days; after that we will be sending some simulated phishing emails at least once a month to help you exercise what the training teaches you. Let us know if you have any questions and happy learning! Thanks, IT Staff”

Do you see how the messaging in one scenario is positive and helpful, while the other sounds like it’s just something you have to get through until next year? Also, the phishing sounds like a test in the first scenario (lots of people are scared of tests), whereas the second scenario presents it as an opportunity to exercise these skills (much less intimidating). Consider this when doing your messaging, even when it comes to initially getting approval from management and HR.

Leadership Buy-In – Facts Without FUD

From the beginning, when you are going to run a training program like this, you need to have some people on board. Your executives need to understand the value of what you’re doing, the HR department needs to be on board with it, and any other leaders need to understand the importance.

FUD stands for Fear, Uncertainty and Doubt. While it can force people to make decisions, it can backfire in big ways, tarnishing your reputation and making future proposals more difficult. It is better to present the facts and the risk without wrapping things in emotional phrases or positioning designed to scare. Let your leadership know that they are targets for things like CEO fraud, W-2 fraud, and ransomware. Show real examples of how these things have impacted an organization, but don’t embellish. Sometimes you have to start by simply educating them with articles about recent breaches or other examples that may resonate with them. This may take a little while, but changing this culture from the top will reap huge rewards further down the line.

As I said above, when you communicate with the HR department, your focus needs to always be on how you are teaching people to be safe. This isn’t about “getting” people or being tricky; it’s about preparing them for the attacks that are happening in the real world and protecting the organization. Invite them to screen the phishing emails and make them feel like they are part of the program, not just standing by. Sometimes they will want to stay involved; sometimes they will bow out when they feel comfortable with what is going on. Either way, it will put them at ease.

Training Needs To Be Relevant – Ditch the Tech-ese

When you train people, it needs to be engaging. Users need to come away feeling that they understand the topic, and they need key points to help them retain the information. Sadly, we as technical people tend to get overly technical in our explanations. Remember, the marketing staff doesn’t care about C2 communication channels or the specifics of malware delivery. If you want their eyes to glaze over, that’s a quick way to do it.

My first suggestion is to subscribe to a third-party service to supply the training. Frankly, it is difficult to get the same kind of return on the training investment doing it yourself. Third parties collect feedback about the training and improve it, as well as staying on top of the current threats. In addition, the final product looks professional and saves a lot of your time preparing and tracking the training. After working here at KnowBe4 and seeing the results and the low price, I can’t imagine ever doing it myself again. Seriously.

If you like pain, you can do it yourself. 😀 If you are going to go this route, I strongly urge you to involve HR and Marketing in the design of the course. They can help keep you on track if you are getting too techie. You will want to have a way to track who completed the training as well, and be ready to send follow-up emails as needed. I also can’t stress this enough… if you can do it online and on-demand, you will get much better results. You do need to make sure it is interactive so they can’t just let it run in the background while they go to lunch.

Comments are welcome below

Next up: Part 2 – Have Weapons-Grade Backups

This will cover things you can do to help ensure that you can recover from a ransomware attack and common pitfalls to avoid. Subscribe at the top-right corner of the page to get alerts when new posts are made.

Ethereum Hit With Another Heist, This Time $8.4 Million

Ethereum has really been feeling the sting lately as yet another theft, this time $8.4 million, hits the cryptocurrency. While I love the fact that cryptocurrency is a stand-alone entity not backed by any specific country or nation, its value depends greatly on the security around it and the confidence people have in it. While $8.4 million isn’t a huge number by monetary standards when you compare it to things like CEO fraud at about $5.3 billion lost in the last few years, or ransomware which is running at about $1 billion per year, it is a big one when you consider the reputational damage to cryptocurrency as a whole.

Market info for Ethereum as of July 25, 2017

Think of it this way: investors have done a lot to boost and stabilize the price of Bitcoin and Ethereum, as they are seeing a return on the investment. Investors don’t mind some risk, as that comes with the territory, but when sums like this are lost several times in the course of a few weeks, it shakes the trust.

Consider that the total value of Ethereum is about $19,141,290,491 at the time of this writing, and about $47,000,000 of that has been stolen in the last month. That can shake the confidence a bit. Looking at the price graph, that is being reflected.

Unless these losses are stabilized, cryptocurrency is in danger of taking several steps backward with respect to its reputation and value to investors. This in turn will impact its value even more significantly.

Whoops! Wells Fargo Releases Info On 50k People

So first it was the deal with Sweden, and now this with Wells Fargo. Let today be a lesson in how not to outsource certain business functions. In this case with Wells Fargo, it seems 1.4 GB of data involving about 50,000 individuals was accidentally sent in response to a request from an attorney for some banking documents on an individual. Wells Fargo is blaming a third party for not properly screening the data on the disk.

While I get that, it’s important to understand that when you outsource any of your processes, that does not mean you’re totally off the hook. In this case, obviously Wells Fargo is the one ending up in the headlines as opposed to the contracted company. On the other hand, I personally don’t think that is undeserved. To send 1.4 gigabytes worth of data in response to a rather limited request for a single individual seems a bit excessive to me. Why couldn’t they have limited that considerably prior to sending it to the third party? We may never know.

Just remember this when you’re hiring outside parties to handle sensitive information. “Regulators, meanwhile, have started a probe into the data breach…” is not something you want to hear or read about in the paper.

Sweden Screwed Up Big Time Resulting In Sensitive Data Disclosure

In what’s amounting to a pretty significant slip-up, the Swedish Transportation Authority appears to have provided quite a bit of sensitive information to a group in the Czech Republic. What is really surprising to me is that they are outsourcing so much of their potentially sensitive data offshore.

While I understand the attractiveness of outsourcing some IT functions, when your data is this significant and personal, steps must be taken to better secure it. Coming from a Department of Defense background, there were certain things that we would never allow non-citizens or offshore third-party entities to see. In this case, all of the vehicle information, including that of military and police, was provided to groups in the Czech Republic without a reasonable screening process.

More surprising than that is the fact that their firewalls and much of their communications are being managed from Serbia. Really? There are times when the transfer of risk or the management of Information Technology functions makes sense. We see this all the time on a smaller scale with respect to cloud computing, but again, there are times where saving a few dollars is not worth the risk of exposing the data.

Can you imagine if here in the US, the Transportation Authority, or even state MVDs, outsourced the data processing and storage to an outside country like, say, North Korea? This is pretty much what Sweden is doing when outsourcing firewalls and such to Serbia and having the Czech Republic deal with their Transportation Authority data. Perhaps tensions aren’t quite as high between those countries as between the US and North Korea, but my understanding is they aren’t exactly in lockstep either.

Think about this when you’re looking at cloud providers. Understand where the data is going, who is processing it, and the nature and sensitivity of the data as well. Require background checks for people who are handling sensitive information. Don’t be that guy or gal that makes the news like this.

*WARNING* – Headlines From Yesterday Make Great Phishing Ammo For Today

It’s Friday morning and, after a pretty intense Thursday, I just want to send out a little warning to folks. Yesterday we lost a great musician and “The Juice” is about to be loose. These are two pretty significant headlines. What does that mean? Well, it means the scammers are going to be using this against people.

Be ready for phishing emails related to these two stories. Pretty much any time there’s a major event, inboxes are flooded with stuff like this. This is pretty typical, since social engineering is really about leveraging our emotions against us.

Now I have to admit, music hasn’t played a huge role in my life, but it has for many others, so this hits home for many, especially given the fact that it’s a suicide. With respect to OJ, I think most of us that are old like me remember the low-speed chase in LA and the ensuing legal battle more than what he actually got locked up for. Either way, these things relate to a number of us across different generations, and that makes them great ammo.

I suggest that if you haven’t already, send some simulated phishing emails to your users related to these subjects. The idea is to inoculate them before they get the one with a malicious attachment. My company, KnowBe4, has already been all over this today and already has templates made to deal with this sort of thing. If you’re a customer, use them.

Stay safe out there folks, and let those users know that this may be coming.

Ransomware Attack In Atlanta’s Peachtree Neurological Clinic Sheds Light On Persistent Breach

The Look When You Find Out You Have Been Breached… For Over A Year.

So when is a ransomware attack a good thing? How about when it uncovers a previous breach where someone has been in your system for over a year. That’s exactly what happened to Peachtree Neurological Clinic in Atlanta. While they didn’t pay the ransom, they did find out someone had been in their system since February of 2016.

Now, they haven’t said how many patients’ data may have been disclosed, and the breach hasn’t been added to the HHS breach tool, but it looks like names, Social Security numbers, driver’s licenses, addresses, phone numbers, medical data, prescriptions and/or health insurance data are at risk. That’s a lot of data on a person. This should be an interesting one to watch.

How long would this have gone on if it hadn’t been for the ransomware attack? Who knows. See, there is a silver lining sometimes. 🙂

Getting Ready For Vegas and Austin, Texas

Well folks, hacker summer camp is right around the corner. While I won’t be able to be there for all of it, I will be there for a couple of days at Black Hat. I’m returning this year once again as a booth babe in the KnowBe4 booth. Unfortunately, before Defcon starts, I have to be in Austin to wrap up the 12 Days of Sysmas, which is being put on by Spiceworks in honor of SysAdmin Day on the 28th. It’s going to be a ton of fun, but it’s also going to be a very long week.

So the deal is, I’ll be there Wednesday and Thursday in the booth doing demos and stuff like that. We have Kevin Mitnick signing books on Wednesday evening, and we’re handing out these truly epic KnowBe4 axes. We have an axe to grind with ransomware. Kind of catchy, huh? I’m going to have a bunch of goofy puns for that. Maybe I’ll even axe you a question about it.

I can’t wait for this fun!

I’m going to warn everyone right now, this next week is going to take an awful lot of energy drinks to survive. For the record, the white Monster energy drinks or the white Rockstar energy drinks are my favorites. Just saying, you show up to our booth with one of those for me, and I’m going to take care of you as best I can. If I’m in a really good mood, I might even sign your forehead with a sharpie. Hey, I’m just cool like that.

Since I arrive Tuesday at about midnight, I’m not going to be doing much then. I might be up for something Wednesday night, but it’s going to depend on how the day goes. Apparently I’m expected to work at this thing. Thursday, I have to leave straight from Black Hat and head to Austin, Texas for the “SysAdmin Day edition of On the Air” on Friday morning. That’s going to be a ton of fun, especially since I’ll probably be giddy and such from a lack of sleep. Tune in if you’re feeling it. I love the Spiceworks group, as they tend to live life to its fullest. It’s going to be at 10 a.m. Central, so 9 a.m. Vegas time. That means flip open your laptop and watch it while you nurse your hangover. Hey, we’re giving away a Nintendo Switch, so you might even get lucky there.

On a serious note, if you want to talk shop about ransomware or social engineering, come hit me up in the booth. I would love to have discussions about it. Likewise, if you are looking for anyone to interview during the show, I’m happy to offer my expertise. It’s not every day you get a security guy that’s this charming, good-looking, and humble all in one package. 🙂

The Life Of A Traveling Swine

As an educated and well-travelled swine, I have to say that life on the road is not always easy. In fact, although it looks like glitz and glam, there are some rough times as well, and I can tell you that spending a lot of time in airports is not what it’s cracked up to be. At times I miss my mud pit, and airport food is missing the… ‘je ne sais quoi’… something, of home-prepped slop. Add to that the fact that I rarely see others of my kind, and it can be a lonely life, even with my human along to do my bidding for me.

I bring a human along mostly because a lack of vocal cords makes it tough for me to speak, so I have to drag him around to be my voice to the other human servants. Sometimes you would swear they think THEY own the planet, but I don’t mind letting them have their little delusion as long as they do my bidding in the end. I control them with my mind, so they always do.

A recent trip outlined the dangers and difficulty of life on the road. I took my human to Washington DC to attend a conference and speak at another one (I’m good at multitasking the human). I wore red that day, as it is a power color, and when you are in the nation’s capital, you never know who you will run into and have to boss around. In any case, although I’ve been to DC before, I had never been to the Museum of Natural History and wanted to check it out.

Posing at the train station. Selfies are hard when you have no real arms

To understand how this works, years ago I had my human purchase a first-class traveling home for me called the ‘Oakley Kitchen Sink’. Think of it as a human-powered RV. It’s incredibly spacious inside, comfortable, and has lasted me several years of heavy travel. Since I spend a lot of time in here controlling the humans’ thoughts, making the human spend that much money on a backpack is something I have never regretted.

During this trip to DC, I loaded myself up in the pack and had the human go to the train station. This ended up being an interesting time, but I’m not going to repeat myself, as I had the human talk about it already in this thread. I was finally able to get him to the museum safely, although it was apparently very hot outside of the RV, as he was sweating profusely. The museum itself was wonderful. I was able to interact with many of the exhibits (sometimes with help from my human) and spotted some folks that I am pretty sure are close relatives of mine.

I have a cousin with tusks like that, only these are upside down

I wasn’t scared at all. Honest. I just stared him down

I am reasonably sure we are related. Both of us are pretty hardcore!

From here it was work, work, work, as I took my human to the Gartner event and spoke at the International Legal Technology Association (ILTA) event. I mostly stayed in my RV for the time, but had my human take me to some pretty good sessions, and I spoke with some great people.

Tomorrow I leave for Chicago for BSides Chicago, where I am speaking (through my human again). This time I’m going whole-hog and wearing my derby in hopes of attracting some tickets to DerbyCon. The resident bee doesn’t agree with my blatant attempt to score DerbyCon tickets; however, I told him to buzz off about it. He has shifty eyes anyway. Not someone whose opinion you can trust.

Would you trust those shifty eyes?

Perhaps I will do a “Day in the life of…” post tomorrow so you can see what it’s like to be on the road. Time will tell.

Tennessee City’s Emergency Services Hit By WannaCry

It’s July; how do you still have machines vulnerable to this? It’s not like this hasn’t been publicized. Yeah, I get it, patching can be a pain, but really? They should have had mitigations in place.

FTA: “Norville says most of the affected data is not retrievable, and it is unclear if any significant files have been lost. Two file servers and 19 computers within the police department’s system were breached.”