Ransomware, Malware and Viruses; How to Protect Yourself
Presented by Ben Jones
Technical Stream One
Ransomware, Malware and Viruses/seminars
Agenda
Cybercrime – What, Why and How?
Prevention – Avoiding Infection
Recovery – Dealing With Infection
1. Cybercrime
Cybercrime
What is Cybercrime?
“Criminal activities carried out by means of a computer”
Currently at a bigger risk than ever
Over 140m new malware samples recorded in 2015
Cybercrime
The Numbers Behind Malware
Estimated as a $400bn industry in 2015, rising to $2tn by 2019
Typically, only 4% of malware alerts are investigated
Malware-laced emails claim victims within 82s on average
Cybercrime
Forms of Malware
Virus
Bot
Rootkit
Trojan Horse
Worm
Ransomware
Cybercrime The Internet Of Things
Cybercrime Ransomware
“The ransomware is that good… To be honest, we often just advise people to pay the ransom”
-Joseph Bonavolonta
Cybercrime
Ransomware
Ransomware can – and does – stop businesses functioning
It’s effective and lucrative for attackers
“Safe” platforms like mobile, macOS, Linux etc. are viable
Cryptolocker extorted around $30m in its first 100 days
It will use your infrastructure against you!
Impact caused by downtime can be significant
Cybercrime Ransomware – As A Service
Cybercrime
What Does Ransomware Look Like In Action?
How does ransomware execute itself?
Is it possible to tell when ransomware is encrypting files?
Isn’t it just bluffing?
2. Prevention
Prevention Prevalent Methods of Attack In Education
These are the most common attack vectors RM have seen:
• Opened a malicious email attachment
• Browsed infected sites/ads with outdated plugin versions
• USB pen drive
Brute force attacks on RDP sessions have also been seen
Prevention Where Are You Vulnerable?
Firewalls, Security Appliances and Infrastructure
Wireless networks
Wired network points
Anti-Virus solution
Software
End users
Passwords
Your security is only as strong as the weakest link in the chain
Prevention What’s The Best Solution?
There’s no single “best solution” to malware prevention
A balance of software, hardware and education works best
Prevention Firewalls and Security Appliances
Patches for bugs and security exploits
Default passwords
Ineffectively/incorrectly configured
Unsupported and EoL products
Prevention Wireless Networks
Signal can reach outside your premises
Use secure methods of authentication and encryption
Segregate guest networks from data network
Use managed wireless rogue detection capabilities
Prevention Wired Network Points
Disconnect/Disable any unused network points
Employ MAC address based port security
Prevention Anti-Virus Solution
Centralise management in large environments
Definition updates
Product updates
Prevention Anti-Virus Product Updates
“These vulnerabilities are as bad as it gets. They don’t require any user interaction…”
-Tavis Ormandy, Project Zero
Prevention Software
Software patches often fix security flaws; they are important!
Flash Player and Java are often exploited for weaknesses
Make updating software part of regular NMTs
Macros are often exploited – disable them in Group Policy
Prevention End Users
External storage (pen drives)
Personal devices
Social Engineering
Prevention Pen Drives
Prevention USB Pen Drive Study
Prevention Disabling External Drives
Block external drives by Group Policy Object
TEC4341616
Prevention Social Engineering
“You could spend a fortune purchasing technology and services… And your network infrastructure could still remain vulnerable to old-fashioned manipulation”
-Kevin Mitnick
Prevention Psychology Of Social Engineering
Social engineers prey on basic human instincts:
• Fear
• Obedience
• Urgency
• Sympathy
• Greed
Often more than one of these emotions is exploited at once
Prevention Phishing Emails
Prevention Social Engineering – Cloned Web Sites
Prevention Social Engineering – Cookies and Identity Theft
“Cookies are insecure, no matter what you do…‘Authentication cookies’ are often exploitable”
-Kevin Fu
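The defender's check behind the cookie slide is whether a site's authentication cookie can be read by script, sent in the clear, or replayed for weeks. This added example (not RM's code; the Set-Cookie headers are constructed, not captured from any real site) audits headers for the Secure, HttpOnly, SameSite and Max-Age attributes; an Expires date would need a reference clock, so only Max-Age is checked.

```python
"""Audit Set-Cookie headers for the attributes that limit what a stolen or
replayed authentication cookie is worth.  Added example for the cookie slide,
not from the RM deck; sample headers are constructed.  Lifetime checking covers
Max-Age only (an Expires date needs a reference clock, left out here)."""


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name.strip(), value, attrs


def audit_cookie(header, max_lifetime_seconds=12 * 3600):
    """Return (cookie name, list of weaknesses) for one Set-Cookie header."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("no Secure: also sent over plain HTTP, where it can be sniffed")
    if "httponly" not in attrs:
        findings.append("no HttpOnly: readable by any script injected into the page")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: attached to cross-site requests")
    if "max-age" in attrs and int(attrs["max-age"]) > max_lifetime_seconds:
        findings.append(f"Max-Age {attrs['max-age']}s exceeds {max_lifetime_seconds}s: "
                        "a copied cookie stays valid for a long time")
    return name, findings


def audit_headers(headers):
    """Map cookie name -> findings for every Set-Cookie header given."""
    return dict(audit_cookie(h) for h in headers)


# Constructed headers: a bare session cookie, a hardened one, and a long-lived one.
SAMPLE_HEADERS = [
    "PHPSESSID=1f3b9c; Path=/",
    "auth=e0a7; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=28800",
    "remember=9b2d; Path=/; Secure; HttpOnly; SameSite=Strict; Max-Age=2592000",
]

if __name__ == "__main__":
    for name, findings in audit_headers(SAMPLE_HEADERS).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```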
Prevention Social Engineering Countermeasures
EDUCATION!!!
https://www.sonicwall.com/phishing/
Implement digital controls to mitigate/block risks
Destroy paper and digital records securely
Employ the Principle of Least Privilege
CC4 Networks – Check your privileged users!
Prevention Passwords
Passwords are effectively the keys to your network
Encourage, enforce and follow good password practice
Enforcing too much complexity can make things worse
Consider using passphrases rather than passwords
Password managers minimise risk from website hacks
Configure account lockouts for privileged accounts
Prevention How Secure Is My Password?
T1ddles14
4 Days
Prevention How Secure Is My Passphrase?
my cat is called tiddles
4 Sextillion Years
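The slides' "4 Days" and "4 Sextillion Years" come from an online checker whose guess rate is not stated, so the arithmetic behind the gap is worth seeing. This added example (not from the RM deck) sizes the brute-force search space of the two secrets at an assumed rate of 1e10 guesses per second, and adds the dictionary-attack estimate for a phrase of common words, which is how an attacker would really approach "my cat is called tiddles"; the absolute years differ from the slides, the ratio is the lesson.

```python
"""Size the brute-force search space of a password versus a passphrase.
Added example for the password slides, not from the RM deck.  The guess rate
and the 20,000-word dictionary are assumptions; real checkers use their own."""
import math
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600
GUESSES_PER_SECOND = 1e10  # assumption: offline cracking of a fast hash on GPUs

# Character classes; a brute force must cover every class the secret uses.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits,
           " ", string.punctuation)


def alphabet_size(secret):
    """Total size of the character classes that appear in `secret`."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in secret))


def brute_force_bits(secret):
    """log2 of alphabet**length: every string of that length over that alphabet."""
    return len(secret) * math.log2(alphabet_size(secret))


def dictionary_bits(word_count, dictionary_size=20000):
    """log2 of the space when the attacker knows the secret is `word_count`
    common words, the realistic model for 'my cat is called tiddles'."""
    return word_count * math.log2(dictionary_size)


def years_to_exhaust(bits, rate=GUESSES_PER_SECOND):
    """Worst-case years to try every candidate in a 2**bits space at `rate`."""
    return 2.0 ** bits / rate / SECONDS_PER_YEAR


def compare(password, passphrase):
    """Brute-force estimates for both secrets plus the dictionary estimate
    for the passphrase (word count taken from its spaces)."""
    words = len(passphrase.split())
    return {
        "password_brute_years": years_to_exhaust(brute_force_bits(password)),
        "passphrase_brute_years": years_to_exhaust(brute_force_bits(passphrase)),
        "passphrase_dictionary_years": years_to_exhaust(dictionary_bits(words)),
    }


if __name__ == "__main__":
    for label, years in compare("T1ddles14", "my cat is called tiddles").items():
        print(f"{label:30s} {years:12.3g} years")
```

Even under the dictionary model the passphrase stays thousands of years ahead of the nine-character password, which is the case for passphrases the slide makes.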
Prevention Passwords
“Treat your password like a toothbrush. Don’t let anyone else use it, and get a new one every six months.”
-Clifford Stoll
3. Recovery
Recovery Despite All Best Efforts…
Prevention is still better than cure
Typical mindset needs to change during an attack
Recovery Identify, Isolate, Remove, Restore
Identify the affected user and/or workstation
Disable the user account, and disconnect the PC
Find out how the malware got in, and deal with it
Rebuild infected PCs to remove all traces
Restore any affected network files from backup
Recovery Identifying – File Ownership
Recovery Share And Storage Management
Recovery Scanning Files and Websites
http://www.virustotal.com
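The Cybercrime section asked whether you can tell when ransomware is encrypting files, and the first recovery step is to identify the affected user and workstation from what they did to the share. This added example (not RM's code) does both over constructed file-server audit events in an assumed format: it looks for one account on one machine changing the suffix of many files to the same new extension inside a short window, which normal saving never does, and names the principal to disable and unplug.

```python
"""Spot ransomware-style bulk encryption in file-share audit events and name
the account and workstation to isolate.  Added example for this seminar topic,
not RM's code.  Assumed (constructed) log format, one event per line:
    <ISO time> <user> <workstation> <WRITE|RENAME> <old path> -> <new path>
Paths are assumed to contain no spaces.
"""
from collections import Counter, defaultdict, namedtuple
from datetime import datetime, timedelta

FileEvent = namedtuple("FileEvent", "when user host action old_path new_path")


def parse_log(text):
    """Turn audit lines into FileEvent records; blank and '#' lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        when, user, host, action, rest = line.split(" ", 4)
        old, _, new = rest.partition(" -> ")
        events.append(FileEvent(datetime.fromisoformat(when), user, host, action, old, new or old))
    return events


def extension(path):
    """Lower-cased final suffix of a path, or '' when it has none."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def find_encryption_bursts(events, window=timedelta(seconds=60), min_files=10):
    """Return {(user, host): new_suffix} for principals that, inside any `window`,
    changed the suffix of at least `min_files` files and gave nearly all of them
    the same new one.  Normal saving keeps extensions; an encryptor renames
    everything to its marker, which also tells you whom to disable and unplug."""
    by_principal = defaultdict(list)
    for e in events:
        by_principal[(e.user, e.host)].append(e)
    flagged = {}
    for key, evs in by_principal.items():
        evs.sort(key=lambda e: e.when)
        start = 0
        for end in range(len(evs)):
            while evs[end].when - evs[start].when > window:
                start += 1  # slide the window forward until it spans <= `window`
            burst = evs[start:end + 1]
            changed = [e for e in burst if extension(e.new_path) != extension(e.old_path)]
            if len(burst) < min_files or len(changed) < 0.9 * len(burst):
                continue
            ext, count = Counter(extension(e.new_path) for e in changed).most_common(1)[0]
            if count >= 0.9 * len(changed):
                flagged[key] = ext
                break
    return flagged


def build_sample_log():
    """Constructed events: a staff member saving plans normally, then a lab PC
    rewriting a shared folder to a '.locked' suffix within a few seconds."""
    lines = [f"2016-11-02T09:0{i}:00 ateacher STAFF-PC-02 WRITE "
             f"//fs1/staff/plan{i}.docx -> //fs1/staff/plan{i}.docx" for i in range(4)]
    lines += [f"2016-11-02T09:10:{i:02d} pupil17 LAB-PC-04 RENAME "
              f"//fs1/shared/essay{i}.docx -> //fs1/shared/essay{i}.docx.locked"
              for i in range(12)]
    return "\n".join(lines)


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for (user, host), ext in find_encryption_bursts(parse_log(SAMPLE_LOG)).items():
        print(f"isolate user {user} on {host}: files being renamed to .{ext}")
```

Tune `window` and `min_files` to the share's normal churn; a backup or migration job that rewrites files without changing their suffix is not flagged, because the check keys on the suffix change, not the volume alone.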
Recovery What If A Server Is Infected?
Server infections will require more careful planning
Like PCs, servers should be disconnected from the network
Depending on the severity, DR may be the fastest option
Without a DR process, full recommissions may be required!
Check if a decryption tool exists as a last resort
Recovery Backup Considerations
Backups are the only guaranteed method of recovery
Don’t rely on backups which are accessible on your LAN
Follow the 3-2-1 rule
Check regularly with test restores
Backups only protect backed up servers, not workstations
Don’t rely on Shadow Copies, Snapshots or Cloud Sync!
Recovery Disk To Disk To Tape Backup Model
Recovery Disk To Disk To Cloud Backup Model
5. Summary
Summary Cybercrime
Cybercrime can take many shapes and forms
The best method of prevention is to reduce the attack surface
It’s important to educate yourselves and others
Summary How Can RM Help?
Network Vulnerability Testing
Free Online Safety Review
Managed Anti-Virus Solutions
Backup Solutions
Secure Broadband
Summary Network Vulnerability Testing
Summary Online Safety Review
http://bit.ly/2eKhWOG
Summary
Think, then click.
Not the other way around.