Tag: Scout Anti-Ransomware

29 Mar 2018
City of Atlanta Falls Victim to Ransomware: How Financial Institutions Can Guard Against “SamSam” Ransomware Attacks

Ransomware attacks are not just targeting financial institutions and Fortune 500 businesses anymore. The city of Atlanta now finds itself dealing with a ransomware attack, which it announced last week. On Thursday, March 22, the city received a written ransom demand in bitcoin for $51,000 to unlock the city’s entire system. At the date of this posting, certain systems are still inaccessible (including customer-facing applications like bill pay systems and court-related applications). Fortunately, the attack did not affect police and fire emergency response systems or water supply safety.

Due to the nature of the attack, experts believe it to be a “SamSam” variant of ransomware, initiated by a group that began targeting small and large businesses, healthcare organizations, governments and educational institutions in late 2015. The ransom prices set by this group tend to fluctuate, but they remain generally “affordable,” which is why many victims have simply chosen to pay the ransom. To date, the group has made nearly $850,000 USD through ransomware payments.

To execute an attack, the hacker group installs the SamSam ransomware on the endpoints of compromised networks, often via unsecured connections. The hackers first look for unsecured remote desktop (RD) servers, launch attacks that compromise the server, and then use various tools to escalate access inside the organization’s network. Once they have gained access to as many endpoints as possible, the group installs the ransomware, starts the extortion process, and hopes the victims do not have offline backups.

To resolve the security issue and determine what information has been compromised, the city of Atlanta launched an official investigation with the FBI, U.S. Department of Homeland Security, Cisco cybersecurity officials and Microsoft®.

What to Do if You’ve Been Targeted

In addition to contacting government authorities, organizations that find themselves threatened by SamSam ransomware should:

  1. Unplug or disconnect all devices that you know are compromised from the network;
  2. Determine if additional or unknown devices are infected. One way to accomplish this is to verify that machines are up to date on their patches;
  3. Depending on how serious the attack is, disconnect the entire network from the Internet altogether;
  4. Do not pay the ransom. Doing so helps the fraudulent industry grow. If the attackers do not receive payments, the industry will burn out. In addition, there is no guarantee the attacker will release the data or provide a decryption key, and once an organization has paid, it becomes a target time and time again; and
  5. Verify previous backups for recovery.

How to Prevent an Attack

Successful ransomware attacks, which can be defended against, primarily reveal a lack of adequate endpoint protection. Some common methods to prevent attacks include:

  1. Deploy and enable an endpoint protection system;
  2. Utilize vulnerability and patch management systems to patch internet-facing applications;
  3. Remove administrator rights from end-users;
  4. Use application control whenever possible to implement a default-deny execution policy;
  5. Implement an enterprise endpoint backup plan, and ensure monitoring of backups and testing of restore capabilities regularly;
  6. Upgrade secure email and secure web gateways or firewalls to filter suspicious email, executable objects and URL/IP addresses;
  7. Install an anti-ransomware solution on your network to stop ransomware; and
  8. Build regular testing of incident response scenarios into the ransomware response plan.

To adequately protect against ransomware, financial institutions should employ a strategy that places many uniquely tailored layers throughout their networks, from the end-user to the Internet, to establish a secure IT environment. With multiple controls in place, gaps or weaknesses in one control, or layer of controls, are compensated for by others. Adding preventive, detective and responsive layers to an IT security strategy will help strengthen an institution’s approach and build an effective security foundation. Proactively protecting data will always be more cost effective than falling victim to malicious activity.

For more information, download our complimentary white paper, “Ransomware and the Evolving Security Landscape of Today’s Financial Institution.”

06 Dec 2017
What Community Banks and Credit Unions Should Budget for in 2018

Many financial institutions are entering (or are already within) their 2018 budget season. While creating a budget is essential in helping you execute your strategy and plan for the future, any shortcomings, such as an inability to respond to changes in regulation or to things you didn’t adequately plan for, can quickly derail your plans and force you to make critical trade-offs. As community banks and credit unions dive into this process, it is important to evaluate all areas and think outside the box on key IT, security and compliance budget items that are often overlooked. Since we work with more than 600 financial institutions just like yours, we are constantly researching what’s coming next, from both technology and compliance viewpoints, and offer some points for consideration in your budgeting for 2018.

2017 started with several ransomware incidents and culminated mid-year with one of the largest breaches ever, the Equifax breach, which directly impacted more than half of the adults in the United States. Expect “Cybersecurity” and “Information Security” to be buzzwords for the next few years. No business wants to have a breach, and no regulatory agency wants to sign off on a business’ processes only to have them be breached. Look for the regulatory agencies to start looking out for number one by putting pressure on you, the financial institution, to step up your cybersecurity efforts.

Per some studies, up to 90% of cybersecurity spending is directed towards securing the network, yet 72% of all breaches happen from the application level. This disconnect indicates that, while the money spent may prove effective on stopping perimeter exposure, it has likely left an unexpected weakness in overall protection.

Expect cybersecurity and added layers to be a focus over the next few years. The layers are often moving from the perimeter to the device level. Considering most breaches go unnoticed for 100-200 days, expect an emphasis on forensics and monitoring in the coming year(s) as well.

As you are setting budgets for 2018, here are some key line items for consideration:

  1. Malware/Ransomware Layers: $1,500 – $5,000

    Remember that 2016 and early 2017 were very heavy in malware, especially ransomware. While this seemed to cool off toward the end of 2017, experts expect this to be a major issue for the foreseeable future. The price will depend on the layers you select and how many you choose to add. You should really consider taking a more aggressive step in your fight against malware this year. If 2016 and 2017 taught us anything, it is that malware, and specifically ransomware, is back with a vengeance. More legitimate websites are unknowingly infected with malware and more emails are getting through with malware than in years past.

    Malware has also evolved into a more aggressive threat. It’s no longer characterized by simple aggravating popups and sluggish computers, but is now encrypting all of the data on your machine, rendering it unusable. It’s gathering credentials of users, or even sometimes gathering documents and information on the machines themselves. Safe Systems has had more calls from both customers and non-customers about aggressive malware in 2016 than in years past and that trend looks to continue.

    Financial institutions should evaluate their current layers, their effectiveness, and what they can do to enhance their cybersecurity posture. This may mean more/different end user training, DNS Filtering, or actual implementation of anti-ransomware toolsets. Whatever course you choose, know that the battle to protect your data is real, and it is as important as ever.

  2. Cybersecurity Policy and Incident Response Testing: $4,000 – $7,500

    Cybersecurity preparedness does not start or end with the Cybersecurity Assessment Tool (CAT), but it does play a role. Examiners will be looking at this for at least acknowledgement that you understand cybersecurity is a real issue and you are working on addressing it. We still speak with institutions who have done little to nothing with the CAT. With the current risk environment constantly escalating, regulators are unlikely to continue to let this slide.

  3. Honey Pots: $2,500+

    A security professional at a major security conference earlier this year referenced baiting and monitoring for criminal activity as one of the most effective measures to know if you have been compromised. Often referred to as “honey pots,” these are decoys set up to look interesting to anyone “snooping” around. With a solid solution in place, your institution could know of an intruder within minutes instead of the estimated 100-200 days noted above. If Target or Equifax had used similar solutions, they likely would not have been compromised or damaged to the extent that they were.

  4. Robust Vendor Management Solution: $2,500 – $5,000

    With financial institutions delivering more products via third-party vendors than ever before, regulators are looking for a thorough vendor management program that ensures that all vendors are being reviewed regularly. For the average community bank, the process to properly perform vendor due diligence and vendor management has become too cumbersome. An automated solution provides a more efficient, cost effective way to address this. This also ties into cybersecurity preparedness. As data has moved outside the institution, it’s more important than ever to make sure your vendors are keeping your data safe.

  5. New and Replacement Technology: $500 – $10,000

    Be sure that all products your vendors are “sunsetting” are budgeted to be updated or replaced. Also, ensure that key applications and settings are updated to the latest best practices, including:

    • Expired in 2017 and should be replaced or upgraded
      • Windows Vista
      • Symantec Endpoint 10.x
      • Microsoft Office and Exchange 2007
      • Backup Exec 2015
      • Adobe Acrobat XI
    • Expires in 2018 and should be replaced or upgraded
      • ESXi/vCenter 5.5 expires 9/19/2018

  6. Training: $500 – $1,500

    Information security is an issue that not only affects your institution, its employees and Board of Directors, but also extends to your customers. In fact, FFIEC guidelines now expect you to enhance the training programs you may already have in place. This is an area where many institutions could make a lot of improvement for the fewest dollars. Employees, via intent or mistake, are often the starting points for the breaches many institutions face. A single employee has been blamed for much of what happened in the Equifax breach. Make sure your employees and customers have access to the appropriate training commensurate with their needs. Information security knowledge and understanding affects all employees at some level, so ensure that your budget includes the appropriate training for each type of employee.

  7. Vendor and User Conferences: $1,000 – $1,800

    It is important to stay up to date with the latest features and industry changes. An effective way to achieve this is to attend a vendor conference or user group event. Make sure to budget for key vendor conferences as an educational and vendor management function.

Some careful forethought in the budgeting process today can prevent you from having to make difficult decisions and trade-offs next year. With more than 20 years of service in the financial industry, working with more than 600 institutions, and actively managing 20,000+ devices, Safe Systems has gained a unique perspective on what is important to financial institutions and to the regulators that oversee them. We encourage you to leverage our expertise as you develop your strategic plans and budgets for the coming year.

25 Oct 2017

Top 4 Security Threats Your Financial Institution Faces Today & How To Protect Yourself

The financial services industry continues to be heavily targeted by cyber-attacks because of the sensitive financial data that institutions hold. Hackers, in turn, recognize one of the greatest potential avenues for financial gain is in targeting financial institutions, enabling them to either commit fraud themselves or sell the information to a third-party. What is most troubling is that cyber criminals have displayed new and advanced levels of sophistication, knowledge and ambition in 2017 – a year characterized by a series of extraordinary attacks, including malware threats, credit and debit card breaches, phishing attempts and data breaches.

Some of the most common security threats financial institutions are facing today include:

  1. Ransomware

    Ransomware has established itself as one of the leading cyber threats with instances increasing by 44 percent last year. In fact, according to the 2017 State of Malware Report by Malwarebytes, ransomware was the favored method of attack used against businesses in 2016. Recent FBI statistics also indicate that hackers successfully extorted more than $209 million in ransomware payments from businesses and financial institutions in Q1 2016, and the business of ransomware is now on track to become a $1 billion per year crime.

  2. Lack of Third-Party Vendor Security

    While a financial institution might have the right security systems and policies in place to protect itself and its customers from a cyber-attack, its third-party providers and vendors may not have the same level of security and diligence. This creates a major vulnerability for the financial institution and risks Federal Financial Institutions Examination Council (FFIEC) compliance issues.

  3. Insider Threats

    Often, all it takes is a disgruntled employee or ex-employee to release valuable security information and compromise system and data security. Additionally, cyber criminals are increasingly realizing success through bribery as a means to entice bank employees to give up their login credentials or other security information, allowing direct access to internal systems.

  4. Lack of Employee Training and Security Expertise

    Cyber-attacks are often able to outpace cyber-defense due to a shortage of qualified cybersecurity personnel and the limited IT staff bandwidth to stay abreast of a continually evolving security landscape. Employee testing and training is critical for banks and credit unions to decrease vulnerabilities and ensure staff — at all levels — understand their roles and responsibilities in protecting against security threats. Until this learning gap is resolved, financial institutions will continue to struggle to efficiently manage cybersecurity threats.

Combating Security Threats & Protecting Customer Data

To adequately protect against cyber threats, financial institutions should, as a minimum requirement, ensure that every device on the network has up-to-date antivirus software and adequate firewall protections, and that all patches are up to date.

In addition, financial institutions should employ a strategy that places many uniquely tailored layers throughout their networks, from the end-user to the Internet, to establish a secure IT environment. Adding preventive, detective and responsive layers to an IT security strategy will help strengthen an institution’s approach and build an effective security foundation. Proactively protecting customer data will always be more cost effective than falling victim to malicious activity.

For more information, download our white paper, “Ransomware and the Evolving Security Landscape of Today’s Financial Institution.”