Mitigation - All Articles - CISO Platform2024-03-29T14:31:19Zhttps://www.cisoplatform.com/profiles/blogs/feed/tag/MitigationTop 5 'Mobile Security' talks from Black Hat Conference 2016 (USA)https://www.cisoplatform.com/profiles/blogs/bh2016-top-5-mobile-security-talks-from-black-hat-conference2016-12-05T12:30:00.000Z2016-12-05T12:30:00.000Zprithahttps://www.cisoplatform.com/members/pritha<div><p><span style="font-size:12pt;">Our editorial team has handpicked some great talks from Black Hat Conference, one of the largest IT security conferences in the world.</span></p>
<p><span class="font-size-3">Black Hat - built by and for the global InfoSec community - returns to Las Vegas for its 19th year. This six day event begins with four days of intense Trainings for security practitioners of all levels (July 30 - August 2) followed by the two-day main event including over 100 independently selected Briefings, Business Hall, Arsenal, Pwnie Awards, and more (August 3-4).</span></p>
<p><span class="font-size-3" style="color:#333333;">(Source: Black Hat Conference USA 2016)</span></p>
<p><a href="http://www.cisoplatform.com/profiles/blogs/bh2016-top-5-mobile-security-talks-from-black-hat-conference" target="_blank"><img width="750" src="{{#staticFileLink}}8669809279,original{{/staticFileLink}}" class="align-full" alt="8669809279?profile=original" /></a></p>
<p style="text-align:right;"><span class="font-size-1">image courtesy: <a href="https://www.flickr.com/photos/jasonahowie/7910370882">https://www.flickr.com/photos/jasonahowie/7910370882</a></span></p>
<p><span class="font-size-6"><a href="http://www.cisoplatform.com/profiles/blogs/1000-ways-to-die-in-mobile-oauth-black-hat-conference-2016" target="_blank">1) 1000 ways to die in mobile oauth</a></span></p>
<p><span class="font-size-4">Speaker:</span> <span class="font-size-4">Eric Chen, Yutong, Yuan Tian, Shuo Chen, Robert Kotcher, Patrick Tague</span></p>
<p><span class="font-size-3">In the paper, we pinpoint the key portions in each OAuth protocol flow that are security critical, but are confusing or unspecified for mobile application developers. We then show several representative cases to concretely explain how real implementations fell into these pitfalls. Our findings have been communicated to vendors of the vulnerable applications. Most vendors positively confirmed the issues, and some have applied fixes. We summarize lessons learned from the study, hoping to provoke further thoughts about clear guidelines for OAuth usage in mobile applications.</span></p>
<p><span class="font-size-4"><a href="http://www.cisoplatform.com/profiles/blogs/1000-ways-to-die-in-mobile-oauth-black-hat-conference-2016" target="_blank">>>Go To Presentation</a></span></p>
<p><br /> <a href="http://www.cisoplatform.com/profiles/blogs/bh2016-top-5-mobile-security-talks-from-black-hat-conference" target="_blank"><img width="750" src="{{#staticFileLink}}8669804484,original{{/staticFileLink}}" class="align-full" alt="8669804484?profile=original" /></a></p>
<p></p>
<p><span class="font-size-6"><a href="http://www.cisoplatform.com/profiles/blogs/behind-the-scenes-with-ios-security-black-hat-conference-2016" target="_blank">2) Behind the scenes with iOS security</a><br /></span></p>
<p><span class="font-size-4">Speaker:</span> <span class="font-size-4">Ivan Krstić</span></p>
<p><span class="font-size-3">We will discuss the cryptographic design and implementation of our novel secure synchronization fabric which moves confidential data between devices without exposing it to Apple, while affording the user the ability to recover data in case of device loss. Data Protection is the cryptographic system protecting user data on all iOS devices.</span></p>
<p><span class="font-size-4"><a href="http://www.cisoplatform.com/profiles/blogs/behind-the-scenes-with-ios-security-black-hat-conference-2016" target="_blank">>>Go To Presentation</a></span></p>
<p><a href="http://www.cisoplatform.com/profiles/blogs/bh2016-top-5-mobile-security-talks-from-black-hat-conference" target="_blank"><img width="750" src="{{#staticFileLink}}8669807700,original{{/staticFileLink}}" class="align-full" alt="8669807700?profile=original" /></a></p>
<p><span class="font-size-6"><a href="http://www.cisoplatform.com/profiles/blogs/bad-for-enterprise-attacking-byod-enterprise-mobility-security-so" target="_blank">3) Bad for Enterprise: Attacking BYOD enterprise mobility security solutions</a></span></p>
<p><span class="font-size-4">Speaker:</span> <span class="font-size-4">Vincent Tan ( <a href="https://twitter.com/vincent_tky" target="_blank">@vincent_tky</a> )</span></p>
<p><span class="font-size-3">Using the Good Technology EMS suite as an example, my talk will show that EMS solutions are largely ineffective and in some cases can even expose an organization to unexpected risks. I will show attacks against EMS protected apps on jailbroken and non-jailbroken devices, putting to rest the rebuttal that CxOs and solution vendors often give penetration testers, "We do not support jailbroken devices."</span></p>
<p><span class="font-size-3">Whether you are a CxO, administrator or user, you can't afford not to understand the risks associated with BYOD.</span></p>
<p><span class="font-size-4"><a href="http://www.cisoplatform.com/profiles/blogs/bad-for-enterprise-attacking-byod-enterprise-mobility-security-so" target="_blank">>>Go To Presentation</a></span></p>
<p><br /> <a href="http://www.cisoplatform.com/profiles/blogs/bh2016-top-5-mobile-security-talks-from-black-hat-conference" target="_blank"><img width="750" src="{{#staticFileLink}}8669805458,original{{/staticFileLink}}" class="align-full" alt="8669805458?profile=original" /></a></p>
<p><span class="font-size-6"><a href="http://www.cisoplatform.com/profiles/blogs/samsung-pay-tokenized-numbers-flaws-and-issues-black-hat" target="_blank">4) Samsung pay: tokenized numbers flaws and issues</a><br /></span></p>
<p><span class="font-size-4">Speaker:</span> <span class="font-size-4">Salvador Mendoza ( <a href="https://twitter.com/netxing" target="_blank">@Netxing</a> )</span></p>
<p><span class="font-size-3">Samsung announced many layers of security to its Pay app. Without storing or sharing any type of user's credit card information, Samsung Pay is trying to become one of the most secure approaches offering functionality and simplicity for its customers. This app is a complex mechanism which has some limitations relating to security.</span></p>
<p><span class="font-size-4"><a href="http://www.cisoplatform.com/profiles/blogs/samsung-pay-tokenized-numbers-flaws-and-issues-black-hat" target="_blank">>>Go To Presentation</a></span></p>
<p><a href="http://www.cisoplatform.com/profiles/blogs/bh2016-top-5-mobile-security-talks-from-black-hat-conference" target="_blank"><img width="750" src="{{#staticFileLink}}8669807677,original{{/staticFileLink}}" class="align-full" alt="8669807677?profile=original" /></a></p>
<p><span class="font-size-6"><a href="http://www.cisoplatform.com/profiles/blogs/the-art-of-defence-how-vulnerabilities-help-shape-security-featur" target="_blank">5) The Art of defence: How vulnerabilities help shape security features and mitigations in android</a><br /></span></p>
<p><span class="font-size-4">Speaker:</span> <span class="font-size-4">Nick Kralevich</span></p>
<p><span class="font-size-3">In this talk, we will cover the threats facing Android users, using both specific examples from previous Black Hat conferences and published research, as well as previously unpublished threats. For the threats, we will go into the specific technical controls which contain the vulnerability, as well as newly added Android N security features which defend against future unknown vulnerabilities. Finally, we'll discuss where we could go from here to make Android, and the entire computer industry, safer.</span></p>
<p><span class="font-size-4"><a href="http://www.cisoplatform.com/profiles/blogs/the-art-of-defence-how-vulnerabilities-help-shape-security-featur" target="_blank">>>Go To Presentation</a></span></p>
<p><span class="font-size-4"><a href="https://goo.gl/hfszfM" target="_blank"><img src="http://i67.tinypic.com/zw0wgz.png?width=750" width="750" class="align-center" alt="zw0wgz.png?width=750" /></a></span></p>
<p><span class="font-size-6"><a href="https://goo.gl/ZyzyKF" target="_blank">Your Complete Guide To Top Talks @Black Hat Conference 2016 (USA)</a></span></p>
<p><span class="font-size-3">Get your FREE Guide on Top Talks @ Black Hat Conference 2016 (USA). Our editorial team has gone through all the talks and handpicked the best of the best talks at the Conference into a single guide. Get your Free copy today.<br /> <br /></span></p>
<p><span class="font-size-4"><strong><a href="https://goo.gl/ZyzyKF" target="_blank">>>Click Here To Get Your FREE Guide</a></strong></span></p>
<p></p>
<p></p></div>Ransomware - Practical View, Mitigation & Prevention Tipshttps://www.cisoplatform.com/profiles/blogs/ransomware-practical-view-mitigation-prevention-tips2017-02-16T08:00:00.000Z2017-02-16T08:00:00.000Zprithahttps://www.cisoplatform.com/members/pritha<div><p>Ransomware is malware that encrypts the files on a system (or locks the system) and holds them hostage, demanding payment for the key that restores access. There are two broad types. Crypto-ransomware encrypts the user's data with a cryptographic algorithm and makes it practically impossible to recover without the key. Locker ransomware does not encrypt the data at all; it locks the screen or the device and demands payment to unlock it, so the data is usually recoverable once the locker itself is removed.</p>
<p></p>
<p><a href="http://www.cisoplatform.com/profiles/blogs/ransomware-practical-view-mitigation-prevention-tips" target="_blank"><img width="744" src="{{#staticFileLink}}8669813496,original{{/staticFileLink}}" class="align-full" alt="8669813496?profile=original" /></a></p>
<p></p>
<p>One of the best-known ransomware families is CryptoLocker. It uses the RSA cryptosystem to protect the keys that encrypt the data, and the private key needed for decryption is held only on the malware's command and control server. It is typically delivered as a Trojan and relies mainly on social engineering to spread.</p>
<p>The operation of ransomware (unlike its purpose) is quite interesting. It can be broken into the following steps: </p>
<p>1. It enters the victim's system and installs itself silently, adding a registry entry so that it is started again after every reboot.</p>
<p>2. After installation it contacts its command and control (C2) server, which tells it what to do. It registers with the server and receives the key material it will encrypt with; for CryptoLocker that is an RSA public key whose private half never leaves the server.</p>
<p>3. It then starts encrypting the data on the machine, selecting files by a built-in list of common extensions.</p>
<p>4. This is where it gets scary. Once the files are encrypted, a message appears on the screen informing you that your data is locked and threatening that if you do not pay within a set period you may never see it again.</p>
<p></p>
<p>( Read More: <a href="http://www.cisoplatform.com/profiles/blogs/2016-the-year-of-ransomware-let-s-change-2017" target="_blank">2016-The year of Ransomware - Let's change 2017...</a>)</p>
<p><span class="font-size-5"><strong>How it propagates:</strong></span></p>
<p>Ransomware mostly uses social engineering to propagate: email attachments carrying malicious files, forged documents with embedded scripts or macros, and malicious URLs pointing to compromised or attacker-controlled sites. Downloading software from unknown publishers is another common cause of infection, and ransomware also spreads through removable media such as USB sticks and portable hard drives.</p>
<p><span class="font-size-5"><strong>Ransomware installation:</strong></span></p>
<p>Installation is a covert operation. The malware relies on Windows hiding known file extensions by default, so a file named invoice.pdf.exe is shown to the user as invoice.pdf. Once the file is delivered by one of the propagation methods above and the user opens it, the malware runs in memory, copies itself to a folder the user can write to without elevation (AppData, Local AppData or the user's Temp folder) and adds a Windows registry Run key so that it is launched every time Windows starts. For the differences between these folders, click <a href="http://stackoverflow.com/questions/16276139/difference-between-program-data-and-appdata" target="_blank">here</a>.</p>
<p><span class="font-size-5"><strong>Primary Method of Operation</strong></span></p>
<p>The main method is encryption of the data on the target computer. The malware generates a fresh random symmetric key for each file and encrypts the file with it using AES. It targets files with common extensions such as .jpg, .jpeg, .png, .doc, .docx, .xls, .ppt and .pptx, plus any others listed in the malware code. It then encrypts (wraps) that per-file AES key with the attacker's RSA <strong>public</strong> key and stores the wrapped key alongside the encrypted file. Only the holder of the matching RSA private key, which never leaves the attacker's server, can unwrap the per-file key and decrypt the data; the public key present on the victim's machine is useless for recovery.</p>
<p>The malware obtains the public key from its command and control (C2) server. To find that server it uses a domain generation algorithm (DGA): a pseudo-random number generator (CryptoLocker's was based on the Mersenne Twister) seeded with the current date produces a daily list of candidate domain names, and the malware tries them until one resolves and answers. Because the seed is predictable, defenders can pre-compute the same list and block or sinkhole it. After encrypting the data, it displays a message giving the user a time limit to pay the ransom for the key and warning that the key will be deleted otherwise.</p>
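<p>The hybrid scheme described above, as an added example that is not part of the original article: an RSA key pair standing in for the operator's keys, a random AES-256 key per file, and the file key wrapped with the public half. It uses only .NET classes available to Windows PowerShell 5.1 and PowerShell 7 on Windows; the sample document content is constructed inline.</p>

```powershell
# Added example: per-file AES key wrapped with an RSA public key (the CryptoLocker model).
# In a real infection only the public half is ever present on the victim.

function New-OperatorKeyPair {
    # Attacker side: generated once on the C2 server.
    $rsa = [System.Security.Cryptography.RSACryptoServiceProvider]::new(2048)
    [pscustomobject]@{
        Public  = $rsa.ExportParameters($false)   # shipped to the malware
        Private = $rsa.ExportParameters($true)    # never leaves the server
    }
}

function Protect-FileBytes {
    # Victim side, once per file: random AES-256 key, encrypt, wrap the key.
    param([byte[]]$Plaintext, [System.Security.Cryptography.RSAParameters]$PublicKey)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256
    $aes.GenerateKey()
    $aes.GenerateIV()
    $ct = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    $rsa = [System.Security.Cryptography.RSACryptoServiceProvider]::new()
    $rsa.ImportParameters($PublicKey)              # public key only: can wrap, cannot unwrap
    [pscustomobject]@{
        WrappedKey = $rsa.Encrypt($aes.Key, $true)  # RSA-OAEP
        IV         = $aes.IV
        Ciphertext = $ct
    }
}

function Unprotect-FileBytes {
    # Attacker side (what the victim is asked to pay for): unwrap the file key, then decrypt.
    param($Blob, [System.Security.Cryptography.RSAParameters]$PrivateKey)
    $rsa = [System.Security.Cryptography.RSACryptoServiceProvider]::new()
    $rsa.ImportParameters($PrivateKey)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $rsa.Decrypt($Blob.WrappedKey, $true)
    $aes.IV  = $Blob.IV
    $aes.CreateDecryptor().TransformFinalBlock($Blob.Ciphertext, 0, $Blob.Ciphertext.Length)
}

# Constructed sample input standing in for a document on disk.
$keys  = New-OperatorKeyPair
$bytes = [System.Text.Encoding]::UTF8.GetBytes('Q3 forecast - constructed sample content')
$blob  = Protect-FileBytes -Plaintext $bytes -PublicKey $keys.Public

# Everything the victim holds: public key, wrapped key, IV, ciphertext. Try to unwrap with it.
try {
    $victimRsa = [System.Security.Cryptography.RSACryptoServiceProvider]::new()
    $victimRsa.ImportParameters($keys.Public)
    $null = $victimRsa.Decrypt($blob.WrappedKey, $true)
} catch {
    "Unwrap with the public key fails: $($_.Exception.Message)"
}

# Only the private key, which stayed on the C2, recovers the file.
[System.Text.Encoding]::UTF8.GetString((Unprotect-FileBytes -Blob $blob -PrivateKey $keys.Private))
```

<p>The point for incident responders: a memory dump or disk image of the victim contains the public key, the wrapped keys and the ciphertext, none of which lets you decrypt. Recovery without the operator's private key is only possible when the malware's implementation is flawed (for example, leaving the per-file key in memory or on disk), which is why backups rather than forensics are the realistic way back.</p>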
<p><a href="http://www.cisoplatform.com/profiles/blogs/ransomware-practical-view-mitigation-prevention-tips" target="_blank"><img src="https://media.licdn.com/mpr/mpr/shrinknp_800_800/AAEAAQAAAAAAAAl-AAAAJGZkYzg1ZmEyLTlhY2EtNGI2Ni1iMzVlLWI1ZGFiMWQxYzViOQ.png?width=658" width="658" class="align-center" alt="AAEAAQAAAAAAAAl-AAAAJGZkYzg1ZmEyLTlhY2EtNGI2Ni1iMzVlLWI1ZGFiMWQxYzViOQ.png?width=658" /></a></p>
<p></p>
<p><span>Symptoms of a compromised system include unusual outbound connections (to the command and control server, or peer-to-peer traffic in the families that use it), a sudden burst of disk activity as files are rewritten, high CPU usage, and files whose extensions change or that no longer open.</span></p>
<p><br /> ( Read More : <a href="http://www.cisoplatform.com/profiles/blogs/ransomware-attacks-how-prepared-are-you" target="_blank">Ransomware Attacks: How Prepared Are You?</a> )</p>
<p><span class="font-size-5"><strong>Mitigation and Prevention:</strong></span></p>
<p>There is no practical way to break properly implemented ransomware encryption such as CryptoLocker's and recover the key; unless you have a backup, buying the key from the attacker appears to be the only way to get the data back. However, past incidents show that paying does not guarantee recovery: some victims paid and never received a key, and in other cases the key did not work. The best way to keep your data safe is therefore to be proactive. The following steps help prevent these attacks from succeeding against you.</p>
<p></p>
<p>1. The first and foremost element of security is user awareness. Training employees, users and stakeholders is the most important thing: we are in a war against malware, and users cannot win it unless they understand the threats. SOC and security management teams can run seminars and awareness campaigns, and periodic briefings matter. Explaining real cases with examples, to both technical and non-technical staff, makes the scenarios easier to recognise in everyday work. A few ways to keep staff educated about these attacks:</p>
<ul>
<li>Avoid untrusted sites (pornography, gambling, freeware download portals and the like). Keep the browser current; older versions of Internet Explorer in particular are a frequent target. If the company cannot afford a dedicated web filtering solution, a site reputation extension such as Web of Trust gives users a cheap warning signal, though it is no substitute for a filter.</li>
<li>Do not open an email or attachment from an unknown source (an EXE inside a zip archive is the obvious example). Recent events taught us that a Word document with macros can be just as dangerous (Locky).</li>
<li>Scan removable media such as USB flash drives (disk-on-key) before transferring files from them, and consider <a href="https://support.microsoft.com/en-us/kb/967715" target="_blank">disabling AutoRun</a>. Doing so improves endpoint security.</li>
</ul>
<p></p>
<p></p>
<p>2. Alongside user awareness, enforce security policy inside the domain: Group Policy to stop executables launching silently from user-writable folders, and email transport rules to flag or block the kinds of email that carry them. One major recommendation: use Group Policy to safeguard against malware. Let us walk through the process of implementing this.</p>
<p>Software Restriction Policies (SRP) are delivered through Group Policy and control which programs may run. The idea is to block executables in the user-space folders from which ransomware launches itself. In a large organisation, do this with a domain GPO; in a small business, at home, or anywhere without a domain, apply the same rules in the Local Security Policy.</p>
<p></p>
<ul>
<li>Open a Group Policy management console on your primary DC to implement a Software restriction policy.</li>
</ul>
<p><a href="http://www.cisoplatform.com/profiles/blogs/ransomware-practical-view-mitigation-prevention-tips" target="_blank"><img src="https://media.licdn.com/mpr/mpr/shrinknp_800_800/AAEAAQAAAAAAAAiIAAAAJGJmNzQxMmQzLTRkNzMtNDYyNS1iYWJmLTVlYWFmZDk0MzIxNQ.png?width=540" width="540" class="align-center" alt="AAEAAQAAAAAAAAiIAAAAJGJmNzQxMmQzLTRkNzMtNDYyNS1iYWJmLTVlYWFmZDk0MzIxNQ.png?width=540" /></a></p>
<ul>
<li>Create a New GPO. Name it “Software Restriction Policy”.</li>
</ul>
<p><a href="https://media.licdn.com/mpr/mpr/shrinknp_800_800/AAEAAQAAAAAAAAP4AAAAJGU2Zjg1YTVlLTViMDctNDU5Ni1iZjA0LWVkZjdkNjI1M2Q3OA.png" target="_blank"><img src="https://media.licdn.com/mpr/mpr/shrinknp_800_800/AAEAAQAAAAAAAAP4AAAAJGU2Zjg1YTVlLTViMDctNDU5Ni1iZjA0LWVkZjdkNjI1M2Q3OA.png?width=687" width="687" class="align-center" alt="AAEAAQAAAAAAAAP4AAAAJGU2Zjg1YTVlLTViMDctNDU5Ni1iZjA0LWVkZjdkNjI1M2Q3OA.png?width=687" /></a></p>
<ul>
<li>Next, edit the new GPO and add the user-space folders from which software must not run. Go to Computer Configuration > Policies > Windows Settings > Security Settings > Software Restriction Policies. If no policy exists yet, right-click ‘Software Restriction Policies’ and choose ‘New Software Restriction Policies’; the ‘Additional Rules’ node then appears. Right-click ‘Additional Rules’ and click ‘New Path Rule’. Here you create a rule and enforce the restriction.</li>
</ul>
<p></p>
<p><a href="http://www.cisoplatform.com/profiles/blogs/ransomware-practical-view-mitigation-prevention-tips" target="_blank"><img src="https://media.licdn.com/mpr/mpr/shrinknp_800_800/AAEAAQAAAAAAAAfZAAAAJDQzYWY4YjcxLWQ4MDItNGUzYy1hYTI3LTc2Nzc2MTIzZDBkNQ.png?width=682" width="682" class="align-full" alt="AAEAAQAAAAAAAAfZAAAAJDQzYWY4YjcxLWQ4MDItNGUzYy1hYTI3LTc2Nzc2MTIzZDBkNQ.png?width=682" /></a></p>
<ul>
<li>You will be adding file paths here. Add a path, select security level ‘Disallowed’ and add a description.</li>
</ul>
<p>The paths to be included in the policy are for Windows 7 and above.</p>
<ul>
<li>%AppData%\*.exe</li>
<li>%AppData%\*\*.exe</li>
<li>%LocalAppData%\Temp\*.zip\*.exe</li>
<li>%LocalAppData%\Temp\7z*\*.exe</li>
<li>%LocalAppData%\Temp\wz*\*.exe</li>
<li>%LocalAppData%\Temp\Rar*\*.exe</li>
</ul>
<p></p>
<p><a href="http://www.cisoplatform.com/profiles/blogs/ransomware-practical-view-mitigation-prevention-tips" target="_blank"><img src="https://media.licdn.com/mpr/mpr/shrinknp_800_800/AAEAAQAAAAAAAAQ2AAAAJDZiNTUzYjM3LTdiMTEtNDJiMS04ZGE1LTRlMGM5MjQ3ZDEwNQ.png?width=681" width="681" class="align-center" alt="AAEAAQAAAAAAAAQ2AAAAJDZiNTUzYjM3LTdiMTEtNDJiMS04ZGE1LTRlMGM5MjQ3ZDEwNQ.png?width=681" /></a></p>
<p></p>
<p></p>
<p><a href="http://www.cisoplatform.com/profiles/blogs/ransomware-practical-view-mitigation-prevention-tips" target="_blank"><img src="https://media.licdn.com/mpr/mpr/shrinknp_800_800/AAEAAQAAAAAAAAg2AAAAJDZmOTAxOTM4LTU2NTMtNDQ4NS1iYjhhLTA5Yjg1ZWE0MWQ4ZQ.png" class="align-center" alt="AAEAAQAAAAAAAAg2AAAAJDZmOTAxOTM4LTU2NTMtNDQ4NS1iYjhhLTA5Yjg1ZWE0MWQ4ZQ.png" /></a></p>
<ul>
<li>Allow time for Group Policy to refresh on all systems, or open an elevated command prompt on each one and run ‘gpupdate /force’. If the new rules do not take effect for a logged-on user straight away, log off and on again (or reboot) before testing.</li>
</ul>
<p>The disadvantage of the path rules is that legitimate executables in those folders stop running too (several well-known applications install or update from %AppData%). The answer is to whitelist those programs with exception rules in the same Software Restriction Policy.</p>
<p>To whitelist an application, add a path rule for its executable exactly as above but with security level Unrestricted instead of Disallowed. SRP gives the more specific path rule precedence, so an Unrestricted rule for a particular %AppData%\Vendor\app.exe overrides the Disallowed rule for %AppData%\*\*.exe; that application runs in user space while everything else stays blocked.</p>
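<p>The whole procedure (policy creation, the six Disallowed path rules, one Unrestricted exception and a read-back) as an added example that is not part of the original article, for the no-domain case mentioned above. It writes directly to the local Software Restriction Policy store that Windows' Safer engine reads instead of clicking through gpedit. Assumptions: run elevated on a standalone or test machine (a domain GPO that carries SRP settings overwrites these keys at the next refresh, so in a domain use the GPMC steps above); the whitelisted application path is hypothetical.</p>

```powershell
# Added example: local SRP path rules via the registry keys Safer reads.
$Safer        = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed   = 0         # SRP security level values
$Unrestricted = 262144    # 0x40000

function Initialize-SrpPolicy {
    # Default level Unrestricted (only listed paths are blocked), enforce on all
    # executable files except libraries, apply to all users including administrators.
    $null = New-Item -Path $Safer -Force
    New-ItemProperty -Path $Safer -Name DefaultLevel       -Value $Unrestricted -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $Safer -Name TransparentEnabled -Value 1             -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $Safer -Name PolicyScope        -Value 0             -PropertyType DWord -Force | Out-Null
    # Designated file types: SRP's default list plus the script types droppers use.
    $types = 'ADE','ADP','BAS','BAT','CHM','CMD','COM','CPL','CRT','EXE','HLP','HTA','INF','INS',
             'ISP','LNK','MDB','MDE','MSC','MSI','MSP','MST','OCX','PCD','PIF','REG','SCR','SHS',
             'URL','VB','WSC','JS','JSE','VBS','VBE','WSF','WSH'
    New-ItemProperty -Path $Safer -Name ExecutableTypes -Value $types -PropertyType MultiString -Force | Out-Null
}

function Add-SrpPathRule {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][int]$Level,
        [string]$Description = 'Ransomware mitigation'
    )
    # Each rule is a {GUID} key under <level>\Paths; ItemData holds the pattern.
    $ruleKey = Join-Path $Safer "$Level\Paths\{$([guid]::NewGuid())}"
    $null = New-Item -Path $ruleKey -Force
    New-ItemProperty -Path $ruleKey -Name ItemData     -Value $Path        -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name SaferFlags   -Value 0            -PropertyType DWord        -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name Description  -Value $Description -PropertyType String       -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name LastModified -Value ([datetime]::UtcNow.ToFileTimeUtc()) -PropertyType QWord -Force | Out-Null
}

function Get-SrpPathRule {
    # Audit: every path rule with its level, read back without expanding %AppData% etc.
    foreach ($level in $Disallowed, $Unrestricted) {
        $paths = Join-Path $Safer "$level\Paths"
        if (-not (Test-Path $paths)) { continue }
        foreach ($key in Get-ChildItem -Path $paths) {
            [pscustomobject]@{
                Level       = if ($level -eq $Disallowed) { 'Disallowed' } else { 'Unrestricted' }
                Path        = $key.GetValue('ItemData', $null, 'DoNotExpandEnvironmentNames')
                Description = $key.GetValue('Description')
            }
        }
    }
}

Initialize-SrpPolicy
$blocked = '%AppData%\*.exe', '%AppData%\*\*.exe',
           '%LocalAppData%\Temp\*.zip\*.exe', '%LocalAppData%\Temp\7z*\*.exe',
           '%LocalAppData%\Temp\wz*\*.exe',   '%LocalAppData%\Temp\Rar*\*.exe'
foreach ($p in $blocked) { Add-SrpPathRule -Path $p -Level $Disallowed }
# Hypothetical business application that runs from %AppData%: the more specific
# path wins, so this overrides '%AppData%\*\*.exe' for that one file only.
Add-SrpPathRule -Path '%AppData%\ContosoSync\ContosoSync.exe' -Level $Unrestricted -Description 'Approved self-updating app'
Get-SrpPathRule | Format-Table -AutoSize
```

<p>To prove the rules bite, copy a harmless executable into %AppData% and run it from a fresh logon; Windows should refuse with "This program is blocked by group policy". Keep in mind that path rules are a speed bump rather than a wall: malware that lands anywhere outside the listed folders, or that is launched through a script interpreter already on the machine, is not covered. Where the Windows edition allows it, AppLocker (item 8 below) with publisher rules is the more robust form of the same control.</p>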
<p>If you run an on-premises Exchange server, transport rules become very useful. Use a transport rule to block attachments with executable content, or at least tag them as Possible Spam so the user is warned before opening the message.</p>
<ul>
<li>Open Exchange Management Console on your exchange server.</li>
<li>Go to Organization Configuration > Hub Transport.</li>
<li>Open Transport Rules.</li>
</ul>
<p><a href="http://www.cisoplatform.com/profiles/blogs/ransomware-practical-view-mitigation-prevention-tips" target="_blank"><img src="https://media.licdn.com/mpr/mpr/shrinknp_800_800/AAEAAQAAAAAAAAXLAAAAJDM3ODk5NGEyLThhMzAtNGUzYy1iMmE1LTU0ZDM4ZTc1ZTRmMw.png" class="align-full" alt="AAEAAQAAAAAAAAXLAAAAJDM3ODk5NGEyLThhMzAtNGUzYy1iMmE1LTU0ZDM4ZTc1ZTRmMw.png" /></a></p>
<ul>
<li>Add a new rule by right clicking the main screen. Enter the name of the rule along with its description.</li>
</ul>
<p></p>
<p><a href="http://www.cisoplatform.com/profiles/blogs/ransomware-practical-view-mitigation-prevention-tips" target="_blank"><img src="https://media.licdn.com/mpr/mpr/shrinknp_800_800/AAEAAQAAAAAAAAffAAAAJGZhMzVkNDI4LTNiMTMtNDBjNC1hMzFkLTY4N2VhYmI0ODUxYw.png" class="align-center" alt="AAEAAQAAAAAAAAffAAAAJGZhMzVkNDI4LTNiMTMtNDBjNC1hMzFkLTY4N2VhYmI0ODUxYw.png" /></a></p>
<ul>
<li>Select the condition for the rule from the next window. Select the “When any attachment file name matches text patterns” option.</li>
</ul>
<p><a href="http://www.cisoplatform.com/profiles/blogs/ransomware-practical-view-mitigation-prevention-tips" target="_blank"><img src="https://media.licdn.com/mpr/mpr/shrinknp_800_800/AAEAAQAAAAAAAAaEAAAAJDdhMjFiMzlhLTQ2MTAtNDAwYi1hYjg3LTI5NGM2ODBkYzgwNA.png" class="align-center" alt="AAEAAQAAAAAAAAaEAAAAJDdhMjFiMzlhLTQ2MTAtNDAwYi1hYjg3LTI5NGM2ODBkYzgwNA.png" /></a></p>
<ul>
<li>Add the extensions you want to flag. Here we add .exe, .html, .doc, .docx, .jpg, .jpeg, .zip and .rar. Be selective: concentrate on types that can execute (.exe, .scr, .js, .bat, .cpl, .jar) and on archives that can hide them (.zip, .rar). Flagging every .doc, .docx or .jpg attachment tags most legitimate business mail as Possible Spam and quickly trains users to ignore the warning.</li>
<li>Select the Action that the rule will perform after meeting the conditions. Select the option “prepend message subject with string”. Then add “Possible Spam” as the text to be added in the subject line.</li>
</ul>
<p><a href="http://www.cisoplatform.com/profiles/blogs/ransomware-practical-view-mitigation-prevention-tips" target="_blank"><img src="https://media.licdn.com/mpr/mpr/shrinknp_800_800/AAEAAQAAAAAAAAW5AAAAJGY4NDI1NjFkLTIzNzUtNDU5Ny1hY2UyLTdmNmMwNDA4YWE2Mg.png" class="align-center" alt="AAEAAQAAAAAAAAW5AAAAJGY4NDI1NjFkLTIzNzUtNDU5Ny1hY2UyLTdmNmMwNDA4YWE2Mg.png" /></a></p>
<ul>
<li>If there are any exceptions, add them on the next screen; otherwise, leave it as is. Complete the process by clicking Next and then Finish. The transport rule is now added and enabled, with priority set to 0.</li>
</ul>
<p><a href="http://www.cisoplatform.com/profiles/blogs/ransomware-practical-view-mitigation-prevention-tips" target="_blank"><img src="https://media.licdn.com/mpr/mpr/shrinknp_800_800/AAEAAQAAAAAAAAUqAAAAJGVjYzk2MmZlLWYzYTktNDZjMC1iNmY3LWZkMGMyMDUyMDMyNQ.png" class="align-center" alt="AAEAAQAAAAAAAAUqAAAAJGVjYzk2MmZlLWYzYTktNDZjMC1iNmY3LWZkMGMyMDUyMDMyNQ.png" /></a></p>
<p></p>
<p>Now, when the user receives emails with those specific extensions that we added in the rule, they will see Possible Spam as the subject of those emails.</p>
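<p>The same transport rule created from the Exchange Management Shell rather than the wizard, as an added example that is not part of the original article, so the configuration can be scripted, reviewed and re-applied. Assumptions: run on an Exchange server (or in a remote PowerShell session to one) with the Transport Rules management role; the extension list is the executable, script and archive set rather than the document and image types shown in the screenshots.</p>

```powershell
# Added example: attachment-tagging transport rules from the shell.
$riskyExtensions = 'exe','scr','cpl','bat','cmd','js','jse','vbs','vbe','wsf','hta','jar','zip','rar','7z'
# Same condition as "attachment file name matches text patterns": one anchored regex per extension.
$patterns = $riskyExtensions | ForEach-Object { "\.$_$" }

New-TransportRule -Name 'Flag risky attachments' `
    -Comments 'Ransomware mitigation: tag mail carrying executable, script or archive attachments' `
    -AttachmentNameMatchesPatterns $patterns `
    -PrependSubject 'Possible Spam: ' `
    -Priority 0 `
    -Enabled $true

# Exchange 2013 and later can inspect the attachment itself, so a renamed
# invoice.pdf.exe or an executable inside an archive is tagged even when its
# name does not match. Omit this rule on Exchange 2010, where the parameter does not exist.
New-TransportRule -Name 'Flag executable content' `
    -AttachmentHasExecutableContent $true `
    -PrependSubject 'Possible Spam: ' `
    -Priority 1 `
    -Enabled $true

# Verify what is in force.
Get-TransportRule | Where-Object { $_.Name -like 'Flag *' } |
    Format-List Name, State, Priority, AttachmentNameMatchesPatterns, AttachmentHasExecutableContent
```

<p>After creating the rules, send yourself a renamed .txt-to-.exe attachment from an external mailbox and confirm that the subject prefix arrives; then decide whether tagging is enough or whether the action should be changed to reject or quarantine, as item 20 below recommends for a mail relay.</p>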
<p></p>
<p>3. User permissions: review NTFS and share permissions carefully every time you deal with them, for instance on folders shared from a server. If a shared folder grants ‘Everyone’ write access and one user's system gets infected, every file in that share is encrypted along with the local ones. Apply the principle of least privilege, granting as few permissions as possible to limit the damage, and consider removing users from the local Administrators group on their endpoints.</p>
<p></p>
<p>4. Minimize the amount of mapped shared folders on endpoints (ransomware can encrypt every accessible file, even if it is located in a shared folder).</p>
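<p>A check for items 3 and 4, added here as an example that is not part of the original article: list the shares on a file server that a broad group can write to, which is exactly what an infected endpoint's mapped drive hands to the ransomware. It compares the share-level ACL with the NTFS ACL, since effective access is the intersection of the two. Assumptions: Windows Server 2012 / Windows 8 or later (the SmbShare module), run as a local administrator on the file server.</p>

```powershell
# Added example: shares where Everyone, Authenticated Users, Users or Domain Users can write.

function Test-BroadPrincipal {
    # Grants to these groups are effectively grants to any compromised account.
    param([string]$Account, [string[]]$Broad)
    foreach ($b in $Broad) { if ($Account -like "*$b") { return $true } }
    return $false
}

function Get-WritableShare {
    param([string[]]$BroadPrincipals = @('Everyone', 'Authenticated Users', 'BUILTIN\Users', 'Domain Users'))
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]::WriteData
    # Skip administrative shares (C$, ADMIN$, IPC$); they are not what users map.
    foreach ($share in (Get-SmbShare | Where-Object { $_.Name -notmatch '\$$' })) {
        # Share-level ACL: Change or Full for a broad group is the first red flag.
        $shareAces = Get-SmbShareAccess -Name $share.Name | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.AccessRight.ToString() -in @('Change', 'Full') -and
            (Test-BroadPrincipal -Account $_.AccountName -Broad $BroadPrincipals)
        }
        if (-not $shareAces) { continue }
        # Only report when NTFS also lets a broad group create or modify files.
        $ntfsAces = (Get-Acl -Path $share.Path).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.FileSystemRights) -band $writeMask) -ne 0 -and
            (Test-BroadPrincipal -Account $_.IdentityReference.Value -Broad $BroadPrincipals)
        }
        if ($ntfsAces) {
            [pscustomobject]@{
                Share       = $share.Name
                Path        = $share.Path
                ShareGrants = ($shareAces | ForEach-Object { "$($_.AccountName): $($_.AccessRight)" }) -join '; '
                NtfsGrants  = ($ntfsAces  | ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }) -join '; '
            }
        }
    }
}

Get-WritableShare | Format-Table -AutoSize
```

<p>Every row is a share that one infected workstation can encrypt in full. Replace the broad grant with a purpose-specific group, and for archive or reference material grant Read only; a share that nobody needs to write to from a workstation cannot be encrypted from one.</p>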
<p></p>
<p>5. Most antivirus products can now detect and remove the malware, but none of them can decrypt the data without the key. Keep your antivirus updated so it can catch the malware before it runs.</p>
<p></p>
<p>( Read More: <a href="http://www.cisoplatform.com/profiles/blogs/top-11-ransomware-resources" target="_blank">Top 11 Ransomware Prevention Resources</a> )</p>
<p></p>
<p></p>
<p>6. Keep your systems up-to-date and patched up with the latest security patches that the manufacturer releases.</p>
<p></p>
<p>7. Enable “System Restore” so the system can be rolled back to a state <strong>before</strong> the infection. Note that many ransomware families delete restore points and shadow copies before they encrypt, so treat this as a convenience, not as your backup.</p>
<p></p>
<p>8. Consider applying a software whitelisting solution (e.g. Windows AppLocker / commercial solution). Applying a good software whitelisting solution can help prevent executing malicious software components like ransomware.</p>
<p></p>
<p>9. Consider applying a 3rd party anomaly based detection solutions in order to locate malicious activity and files.</p>
<p></p>
<p>10. Update your operating system and 3rd party software on a regular basis (for example, Internet Explorer 8 which is vulnerable to browser attacks, and also Adobe and Java software components, which are known for multiple new vulnerabilities every year).</p>
<p></p>
<p>11. Do not allow peer-to-peer (P2P) communication in your network. Some ransomware families, and many other malware and bots, reach their command and control infrastructure over P2P; blocking it removes that channel.</p>
<p></p>
<p>12. Use Security devices like firewalls and IDS/IPS in your network and configure them appropriately and intelligently.</p>
<p></p>
<p>13. Consider preventing executing files with macros (e.g. Microsoft Word / Excel). This can be done via Group policy.</p>
<p></p>
<p>14. Consider restricting insertion of mobile devices, USB devices, CDs and even floppy disks to the endpoint (can be done by 3rd party solutions and also by applying group policy restrictions).</p>
<p>USB ports can be blocked on the system from any unauthorized access. Malware, once exposed to a system via USB, can spread through a LAN and affect all other systems.</p>
<p>USB storage access can be disabled on a system with a registry change:</p>
<ol>
<li>Go to Run and write ‘Regedit’</li>
<li>Navigate to the key: ‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR’</li>
<li>Select ‘Start’ in the right pane and change its ‘Value data’ to 4 (SERVICE_DISABLED). The default, 3, means the driver loads on demand and does not disable anything. Devices already attached stay available until the next reboot.</li>
</ol>
<p><a href="http://www.cisoplatform.com/profiles/blogs/ransomware-practical-view-mitigation-prevention-tips" target="_blank"><img src="https://media.licdn.com/mpr/mpr/shrinknp_800_800/AAEAAQAAAAAAAAeFAAAAJGRlYjFlYWFlLTJkYWEtNDA2NC1hODMyLWE1MTk4ZGM2ZTY1NQ.png" class="align-center" alt="AAEAAQAAAAAAAAeFAAAAJGRlYjFlYWFlLTJkYWEtNDA2NC1hODMyLWE1MTk4ZGM2ZTY1NQ.png" /></a></p>
<p>15. Avoid unknown anti-virus programs, even if they claim to remove the malware from your network or system. Ransomware encryption cannot be broken easily and data cannot be decrypted without the key, so any unknown program that claims to break the encryption quickly is very likely another piece of malware.</p>
<p></p>
<p>16. BACK UP all your data regularly. I have seen clients affected by ransomware and the only thing that saved them was a successful backup. Back up critical data to an external drive, NAS or SAN that is isolated from the endpoints; a backup target that stays mapped as a drive letter is just another share for the ransomware to encrypt. Large organisations should maintain a BCP (Business Continuity Plan) and a BDR (Backup and Disaster Recovery) plan that cover ransomware scenarios, the mitigation techniques and the details of the backups the organisation takes. Many backup products can copy data to external storage or to a remote location such as cloud storage.</p>
<p>Besides third-party products, Windows and Windows Server include backup utilities. Important files can be backed up continuously to external drives or a NAS, and System Restore points saved frequently. Windows also keeps Volume Shadow Copies, which preserve previous versions of files. To revert, right-click the file and open Properties; if System Restore or Shadow Copies is enabled, a Previous Versions tab lists the saved versions. Choose the one you want and restore it in place or to another location. Shadow copies live on the same machine and are a frequent target of ransomware, so they do not replace an offline backup.</p>
<p><a href="http://www.cisoplatform.com/profiles/blogs/ransomware-practical-view-mitigation-prevention-tips" target="_blank"><img src="https://media.licdn.com/mpr/mpr/shrinknp_800_800/AAEAAQAAAAAAAAdOAAAAJGYzNDA0NjFiLTEwYmYtNGI0NS1iMGY3LWUwZDU3NzkyZTdkMA.png" class="align-center" alt="AAEAAQAAAAAAAAdOAAAAJGYzNDA0NjFiLTEwYmYtNGI0NS1iMGY3LWUwZDU3NzkyZTdkMA.png" /></a></p>
<p>17. Apply adequate network segmentation via firewalls, in the event of a malware's lateral movement (spreading to other endpoints and servers in the corporate network with credentials of a compromised user).</p>
<p></p>
<p>18. Implementation of IPS (intrusion prevention system) between the corporate network segments, if you have not yet done so. Consider applying IPS for outgoing communication. Update the IPS signatures database on a regular basis.</p>
<p></p>
<p>19. Web filtering – consider a web filtering solution that blocks access to untrusted websites and downloads of risky file types (.exe, .zip, .rar, .jar, .scr, etc.). If possible, use “surfing virtualization” such as VDI, Citrix Smart Browsing or Jetro Secure Browsing, which confines the browser to a disposable environment so that internet browsing never really happens on the internal endpoint.</p>
<p></p>
<p>20. Mail Relay solution will help filter the incoming emails. Apply rules that will prevent incoming emails with attachments like .zip, .rar, .exe, .scr, .jar, .js, .bat, .cpl, etc. Allow what's required for the ongoing work and consider restricting incoming attachments with PDF’s and MS Office macros if possible.</p>
<p></p>
<p>21. Consider applying a “Sandbox” solution that will check every incoming file that originates from the email infrastructure or is downloaded from the internet.</p>
<p></p>
<p>22. Disabling Autoplay through Group Policy or the registry. For more details click <a href="https://support.microsoft.com/en-us/kb/2328787" target="_blank">here</a>. </p>
<p></p>
<p>23. Disabling Windows Script Host - Consider enabling per necessary user groups. For more details click <a href="https://technet.microsoft.com/en-us/library/ee198684.aspx" target="_blank">here</a>. </p>
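<p>As an added example (not part of the original post), the following PowerShell script audits the registry settings behind tips 22 and 23, Autoplay and Windows Script Host, on the local machine and, with a -Remediate switch defined by the script itself, applies the machine-wide values. It assumes an elevated PowerShell session and the registry paths documented in the Microsoft articles linked above.</p>

```powershell
# Added example, not part of the original post: audit (and optionally apply)
# the registry settings behind tips 22 and 23. Assumes an elevated PowerShell
# session on Windows; the -Remediate switch is defined by this script.
[CmdletBinding()]
param([switch]$Remediate)

# NoDriveTypeAutoRun = 0xFF disables AutoRun for all drive types (KB2328787);
# the "Turn off AutoPlay" Group Policy setting writes this same value.
# WSH Enabled = 0 blocks wscript/cscript. HKLM applies machine-wide, HKCU only
# to the current user.
$Checks = @(
    @{ Name = 'Autoplay disabled (machine)'; Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Value = 'NoDriveTypeAutoRun'; Expected = 0xFF }
    @{ Name = 'Autoplay disabled (user)';    Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Value = 'NoDriveTypeAutoRun'; Expected = 0xFF }
    @{ Name = 'WSH disabled (machine)';      Path = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'; Value = 'Enabled'; Expected = 0 }
    @{ Name = 'WSH disabled (user)';         Path = 'HKCU:\SOFTWARE\Microsoft\Windows Script Host\Settings'; Value = 'Enabled'; Expected = 0 }
)

function Get-HardeningState {
    foreach ($c in $Checks) {
        # A missing key or value means the Windows default (feature enabled) applies.
        $current = $null
        if (Test-Path $c.Path) {
            $current = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        }
        $display = '(not set)'
        if ($null -ne $current) { $display = $current }
        [PSCustomObject]@{
            Check     = $c.Name
            Path      = $c.Path
            Current   = $display
            Compliant = ($current -eq $c.Expected)
        }
    }
}

function Set-HardeningState {
    # Only the machine-wide (HKLM) values are enforced here; per-user values are left to policy.
    foreach ($c in ($Checks | Where-Object { $_.Path -like 'HKLM:*' })) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        New-ItemProperty -Path $c.Path -Name $c.Value -Value $c.Expected -PropertyType DWord -Force | Out-Null
    }
}

Get-HardeningState | Format-Table Check, Current, Compliant -AutoSize

if ($Remediate) {
    Set-HardeningState
    Write-Host 'Machine-wide values applied; state after remediation:'
    Get-HardeningState | Where-Object { $_.Path -like 'HKLM:*' } | Format-Table Check, Current, Compliant -AutoSize
}
```

Run it without the switch first to see which of the four values deviate from the expected state before changing anything.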
<p>( Read More: <a href="http://www.cisoplatform.com/profiles/blogs/checklist-to-assess-the-effectiveness-of-your-vulnerability-manag">Checklist To Assess The Effectiveness Of Your Vulnerability Management Program</a> )</p>
<p><span class="font-size-5"><strong>Actions to be taken in case of a ransomware infection:</strong></span></p>
<p>1. Isolate the station from the corporate network to stop the ransomware encryption process from spreading (e.g. unplug the network cable or isolate the station via the corporate NAC; you can also consider a separate VLAN dedicated to such scenarios, which can help your IR team).</p>
<p>2. After isolating the station from the network:</p>
<ul>
<li>Do a damage assessment to understand what was encrypted and check whether there is a valid backup from which you can restore your data.</li>
<li>Paying the ransom is not always a good idea, as the money is the “fuel” that keeps these criminals running and you have no guarantee that your files will actually be decrypted even after paying (so you may have paid for nothing).</li>
<li>Not recommended – if you are not in a “nothing to lose” situation and losing your files is much more expensive than paying the $400, you can do it and cross your fingers that it works.</li>
<li>It is recommended to fully format the infected station in order to eliminate any residue of the malware.</li>
</ul>
<p>3. Investigate – the investigation phase is the aftermath analysis that helps you apply countermeasures to minimize the likelihood of your organization getting infected again (all the suggestions written above).</p>
<p><strong>Post Author :</strong> Tal Eliyahu, Lead Risk Manager, BugSec</p>
<p>This post was initially posted <a href="https://www.linkedin.com/pulse/ransomware-practical-view-mitigation-prevention-tips-tal-eliyahu" target="_blank">here</a> & has been reproduced with permission.</p>
<p></p>
<p><a href="https://goo.gl/tqykN4" target="_blank"><img src="{{#staticFileLink}}8669808686,original{{/staticFileLink}}" class="align-full" alt="8669808686?profile=original" /></a></p>
<p></p></div>Best ploy against Ransomware : A Perfect Backup Planhttps://www.cisoplatform.com/profiles/blogs/best-ploy-against-ransomware-a-perfect-backup-plan2017-02-17T08:00:00.000Z2017-02-17T08:00:00.000ZAmit Jaokarhttps://www.cisoplatform.com/members/AmitJaokar797<div><p>Last year, cybercriminals attacked the California-based Hollywood Presbyterian Medical Center, encrypting files crucial to running the hospital’s operating systems and demanding a ransom to restore them to working order. The scam worked – after 10 days of futility, the hospital surrendered and paid $17,000 to regain control of its systems.</p><p><a href="http://www.cisoplatform.com/profiles/blogs/best-ploy-against-ransomware-a-perfect-backup-plan" target="_blank"><img width="750" src="{{#staticFileLink}}8669806685,original{{/staticFileLink}}" class="align-full" height="369" alt="8669806685?profile=original" /></a></p><p>Other hospitals, government agencies and businesses in the U.S. and abroad were targeted similarly last year, leading CNET to dub such ransomware scenarios the hot hacking trend of 2016. And the numbers are truly staggering. Osterman Research estimates that nearly half of surveyed organizations have been hit with ransomware within the last year, and concludes that ransomware will amount to a $1 billion source of income for cyber criminals in 2016.
In a recent report, Kaspersky Security states that in Q3 2016 a business was attacked by ransomware every 40 seconds, and that even after paying the ransom, one in five of them never got their data back.</p><p>( Read More: <a href="http://www.cisoplatform.com/profiles/blogs/security-metrics-and-dashboard-for-the-ceo-board">Information Security Metrics And Dashboard For The CEO / Board</a> )</p><p><span class="font-size-5"><b>Apple Users Now a Target</b></span></p><p>While many ransomware instances go unreported, out of embarrassment or the desire not to be targeted again, the attacks were thought to be largely focused on the Microsoft Windows realm, leaving Apple users relatively unscathed. That changed in 2016, when the first public ransomware targeting Apple systems was discovered by Palo Alto Networks, which found a popular BitTorrent client for Apple’s OS X software for Macs infected with ransomware. Known as “KeRanger,” the ransomware is delivered with a ransom note demanding 1 Bitcoin, which has a current market value of over $700. Fixing the problem can also be complicated and time consuming.</p><p>Antivirus software also isn’t having much impact: by the time a computer is infected with ransomware, it is likely that the antivirus software won’t detect it until it’s too late and the damage has been done.
The encryption used by modern ransomware is often too strong to crack, leading most security experts to conclude that the best approach to fighting ransomware is to avoid it in the first place.</p><p>( Read More: <a href="http://www.cisoplatform.com/profiles/blogs/checklist-to-evaluate-siem-vendors">Checklist To Evaluate SIEM Vendors</a> )</p><p><span class="font-size-5"><b>Different Backup Approaches</b></span></p><p>The most effective way for Apple users to safeguard their files from these attacks is through regular backups. In the event you are hit with ransomware, the solution lies in simply restoring your system to the state it was in before the malware hit your computer. There are several backup and restore approaches to consider for the Apple environment:</p><ul><li><strong>Time Machine</strong> is the backup application distributed with the Apple operating system, introduced in Mac OS X Leopard. It was designed to work with various storage drives such as Time Capsule. But for Time Machine to be effective, files must be unlocked or closed, which may not be practical for those currently in use. In addition, restoring may be a two-step process within OS X that requires users to reinstall the operating system before retrieving the applications and files from the backup image.</li><li><strong>File System Snapshots</strong> simplify backup and recovery by taking a point-in-time virtual photo of the file system. While this method can be employed to protect active operating systems, depending on file sizes it can take significantly more time.</li><li><strong>Disk Management Solutions</strong> can create image-based copies of a disk or partition (or multiple disks and partitions), whether active or inactive, at a specific point in time far more quickly.
Such robust offerings have the advantage of being able to make consistent sector-level backups (also often referred to as snapshots) even while data is being modified.</li></ul><p>Thus, while there are different backup approaches to consider, the bottom line is that a regular, proactive backup strategy – potentially even a multi-pronged approach – is your best defense against crippling ransomware attacks. And while Apple users were once immune from such attacks, they too now need to join the rest of the computer world in being vigilant about protecting themselves. After all, like many things in life, when it comes to avoiding being held hostage by cybercriminals, an ounce of prevention is worth a pound of cure.</p><p><a href="http://www.cisoplatform.com/profiles/blogs/nominations-open-top-100-ciso-awards-2017" target="_blank"><img width="684" src="{{#staticFileLink}}8669810872,original{{/staticFileLink}}" class="align-center" alt="8669810872?profile=original" /></a></p></div>