Starting in May 2018, if you operate an enterprise or deliver services to customers in Europe – even if you are not located in Europe – your organization must be compliant with GDPR.
If you decide not to comply with the requirements imposed by the legislation, the regulators will be able to slap you with a hefty fine that corresponds to 4% of your top line, up to 20 million Euros (25M USD).
There are many legal requirements related to how you should protect your data. These are detailed in 99 articles and you must get a grasp of them as soon as possible as some of them demand profound changes in the way you operate as a business and how your information system is currently designed.
It is worth mentioning as well that there will be budgetary impacts not only due to the compliance project but to the very fact of operating in a GDPR-governed world. As an example, in terms of headcount, you will have to hire and/or designate a Data Privacy Officer to oversee compliance in terms of operations and for all future projects that involve customer data. To speak plainly, it means that 100% of your projects will have to be assessed for GDPR exposure before you can move on with them. This is not optional; it is a mandatory requirement if your organization has more than 250 employees.
Here are five challenges will you will face:
- This is not an IT or a security project, it is a corporate and transversal project that will require a lot of input from the various system users, especially on the business side, as only they know if their systems contain regulated data. Moreover, without proper top executive sponsorship, this project won’t be easy to deliver on time; executive support will help ensure every team pitches in.
- You need to map where the regulated data are located across both the business and the information system. As an example, a non-specialist might not understand that applications are not self-contained or autonomous. These applications rely on multi-tiered sets of technology and systems that are on premise and in the cloud, within both your organization and those of your business partners, and are used to consult, transmit, display, query, transform, store, backup and replicate the data. In short, you need to map not only the data itself but also how it travels around, through its entire lifecycle.
- Once you understand the problem and the gaps, you need to figure out how to fill them. This is probably one of the challenges where there is a plethora of solutions available to you, should you be willing to buy them. Unfortunately, they don’t come cheap but they can save a lot of time if they are adapted to your specific technology context. Technology, like encryption proxies that will tokenize the data and anonymized specific fields in a transparent manner to legitimate users, can save many weeks if not months of software redevelopment.
- Once you have the plan, you need to procure both the technology and the expertise. It’s unlikely that your current team have all the required knowledge to implement it on their own. Even if they can, if they haven’t started, this is a huge project on top of everything else you already pay them to do. For many of our clients, developments were externalized in the past, hence, they don’t even have the in-house knowledge of the application to fix this. At the risk of stating the obvious, the sooner you are done with the 3rd challenge, the more time you will have left to fix the situation.
- Manage an important cultural change. GDPR is not only about the information system, it is actually a lot about how we work with the data our customers provide us with. The way people have been working up to now will be impacted. There will be frustration, and unless you’re a large EU organization that has already had similar challenges before GDPR, it won’t be as simple as it was to continue to work ‘as is’. Do not underestimate people’s resistance to change.
The good news is that you are not alone and you are not the first organization to face this challenge. There is a lot of best practice and technology readily available, but you better hurry up because this is not a 3-month project that you can wing, by plastering 3 pieces of software on top of your existing system.
Much like the state of California, the European Community is taking GDPR very seriously. Actually, much more seriously than our American friends, as they regulate how you protect the data, not only obliging you to “disclose” when there is a breach – and you are in for more than a slap on the wrist if you don’t meet your legal obligations.
Should you want to learn more on how we can help you, please do not hesitate to reach out to us.
Martin Dion (CISSP/CISM)
VP EMEA Service Delivery
Recently, Andrew Howard, Kudelski Security CTO was asked to comment in CSOonline on the need for a Cyber National Guard. A US congressman recently proposed the idea, citing digital security as a component of national security amidst headlines of other nations meddling in government business. The cyber national guard would be a team of cybersecurity reservists that could “occasionally be called on to protect the country against cyber threats, and strengthen national security on the digital level.”
My colleague’s response touched on the gap between IT and the military. Military requirements and obligations are often less appealing to tech workers than pursuing a career in the private sector. “Our government, similar to corporate America, is struggling to find qualified cyber security experts. The concept of a national guard cyber security capability is a good idea, but only to help grow the number of qualified military experts, not to actively defend US interests.” That begs the legal question of whether the military should be involved with enforcing domestic policies at all. The Posse Comitatus Act says no.
If the military and the National Guard cant, then the active defense of US interests in cyberspace will be driven by the “might of the nation.” When we talk about “might,” we’re talking about “the power, authority or resources wielded (as an individual or a group (at least according to Merriam Webster). National might is the power of the people, the businesses that create economic wealth, and the organizations that support our way of life, not just the military.
Every day in America, and across the globe, good, patriotic people are defending the world’s way of life in cyberspace. These people are the “might” that must defeat cyber attacks. . Whether it’s a government organization or a company that provides valuable services and economic power, there are cyber “forces” fighting to ensure our way of life continues.
Having spent 22 years in the US Army, helping operate and defend the Army’s networks, and at times, the entire Department of Defense’s networks, I see former Department of Defense military and civilian cyber professionals, serve this nation every day as part of the cyber ‘might’ in the civilian sector. Although they moved outside the military, their commitment to serve by fighting cyber attackers has not wavered. To all of them, thank you for your service and your continued service!
To CEOs, COOs, and CISOs, look for the Might. The nation needs your help, and it needs your employees’ help. Many companies want the world to be safe from cyber attacks, but it’s your team that has to accept the challenge. Ask yourself these two questions:
- Does your team understand their purpose – within the organization and their impact to the Nation?
- Are they prepared to fight? Do they have the attitude and the drive to do what they’ve been called to do?
It’s up to all of us to be part of the “Might” that will defend our nation against cyber attacks, cyber crime and cyber terrorism. The nation depends on it!
The number of individuals, organizations and countries affected by the WannaCry malware attack is growing at an alarming rate. After the initial infection is executed, no user intervention at all is required for the malware to spread. As this is one of the largest cybersecurity attacks in history, it’s important that you have all the facts. In this webcast Francisco Donoso, Lead Managed Security Architect at Kudelski Security, will help you understand the significance of this attack, global impact, provide information on how the attack spread, prevention and mitigation tactics.
Download the webcast by clicking here.
wCry2 Ransomware spreading via EternalBlue (MS17-010)
Update May 13
Data was coming in very quickly on Friday and while we worked to provide timely and reasonable information we know now more about what happened and how the Wana Decrypt0r 2.0 ransomware outbreak managed to escalate so quickly.
First some good news: The malware, once executed checked for the existence of a randomly generated domain. If the domain did not exist or could not be reached, the execution of malicious code continued. If the domain existed and was accessible, a kill switch was activated and the infection was halted. A malware blogger and reverse engineer from the U.K registered the domain which effectively slowed the malware spread in the U.S. Unfortunately, many anti-virus vendors began to block the domain, unintentionally allowing the installation to continue, realizing the error some of the anti-virus vendors have removed the block and now sinkhole the domain instead.
More information here:
The unfortunate news is that there are now samples emerging that no longer contain the domain based “kill switch”.
An example of this new variant is available here:
Additionally, after further review of the malicious binaries, we’ve identified that all RF1918 (private) netblocks as well as randomly generated internet netblocks are also scanned looking for further propagation avenues. This means that organizations could also potentially be affected by way of site-to-site VPN connection with business partners or vendors. The ransomware has also spread via guest wifi, thus users should be cautious as it is possible they could be affected while connected to an open wifi hotspot.
Researchers have noted that WannaCry 2.0 is not the actual worm. The worm is the MS17-010 “spreader”. WannaCry 2.0 is dropped by the “spreader” which can also be used to drop other binaries and files. Thus, it is extremely critical that organizations apply the MS17-010 patches as quickly as possible.
Mac OS and Linux users running Windows VMs or Wine are also affected if not patched.
Along with the ETERNALBLUE components, the dropper also calls out and downloads DOUBLEPULSAR. Organizations affected will want to check for the existence of DOUBLEPULSAR once the initial attack is remediated. There is a free script available to check for this located here:
The Wana Decrypt0r 2.0 ransomware campaign utilized 3 Bitcoin wallets and as of today they show modest returns. Note: there is no indication that paying the ransom actually provided the user with the keys to decrypt their data and some researchers reported that users had to interact with a human via phone or web chat to negotiate. In the ransom note, the attackers mention that if someone is “too poor” to pay that their files will automatically decrypt in 6 months.
The following Bitcoin wallets have been linked to this ransomware campaign:
The Global response to this campaign has been swift and effective, unfortunately, too late for a large number of European organizations. Microsoft released updates to its malware protection engine to block the malware. Additionally, Microsoft has unexpectedly released security patches for EternalBlue and MS17-010 vulnerabilities for the unsupported Windows XP, Vista, Windows 8, and Windows server 2013 operating systems.
When unfortunate events like this take place, it’s easy for information security practitioners to point fingers and assign blame but the global information security community would be better served by helping organizations understand and avoid these situations in the future.
Moving forward, Kudelski Security expects to see most if not all ransomware and malware families using similar techniques to spread quickly and infect large numbers of users and organizations.
This global ransomware outbreak is a stark reminder that organizations must have the basics covered. Organizations must review and evaluate their vulnerability and patch management programs to ensure confidence, comprehensiveness, and effectiveness. Security patches are a fundamental and critical foundation of any organizations security program and should be tested and applied quickly. Organizations should also perform a “health checkup” and review backup strategies, test backups regularly, and ensure backups are easily accessible while also being protected from encryption and deletion. Also, organizations should review and reevaluate what traffic is allowed to and from the internet.
Once the basics are covered, now is the time to start looking at some of the newer endpoint protection platforms that rely on behavioral indicators that executables could be malicious instead of solely relying on signatures.
Now is the time to take a look at security, review and apply the basics, and then pragmatically strengthen its effectiveness.
On May 12 2017, a widespread cyber-attack utilizing the WCry2 ransomware, also known as Wana Decrypt0r 2.0, began spreading across the globe. At the time of this writing, the Ransomware has currently impacted organizations in 99 countries and continues to spread. Wana Decrypt0r 2.0 uses the EternalBlue exploit (MS17-010), released by the Shadow Brokers in March 2017. This SMB exploit is used to attempt to infect other machines within the same network and to scan for, and infect, potentially vulnerable Windows machines on the internet.
Wana Decrypt0r 2.0 is a highly effective ransomware variant that encrypts several file types, making them inaccessible to the user, and demands a payment of $300 U.S dollars in Bitcoin to decrypt the files.
Additional details on Wana Decrypt0r 2.0 and EternalBlue (MS17-010)
Wana Decrypt0r 2.0 is a variant of the WannaCrypt ransomware family that is currently being spread by exploiting EternalBlue (MS17-010). Wana Decrypt0r 2.0 encrypts several file types on an infected computer demands a ransom of $300 USD in Bitcoin to decrypt the inaccessible files.
ExternalBlue is an exploit that takes advantage of previous vulnerabilities in SMB, a critical protocol for Windows Systems. The exploit allows for the remote execution of malicious code on vulnerable systems without requiring any use interaction. The ExternalBlue exploit requires that the systems be vulnerable and expose the SMB service (enabled by default on Windows systems) to successfully compromise a system and replicate across network infrastructure to other vulnerable Windows systems.
At the time of this writing, this cyber-attack has quickly spread to 99 countries across multiple regions of the world. This global threat arrives in the form of a phishing email with a malicious attachment, once the malicious attachment is opened a dropper begins to download and unpack the actual ransomware code. The ransomware encrypts the user’s files, scans the networks to which the machine is connected, and uses the EternalBlue exploit to spread across organizations with unpatched Windows systems.
Kudelski Security has observed several industries and regions being specifically targeted by this ransomware campaign. Kudelski Security has intelligence that indicates that other ramsomware campaigns are activity integrating more of the Fuzzbunch framework exploits into their code.
As of this writing, according to internet scanning tool Shodan, there are approximately 2.4 million internet exposed systems which may be vulnerable to this exploit.
Mitigation and Response
Microsoft released a patch for the EternalBlue and other critical remote code execution vulnerabilities in March 2017 as part of Microsoft Security Bulletin MS17-010.
Kudelski Security recommends that clients immediately apply the patch for MS17-010. For organizations unable to quickly apply the Microsoft patches, potential mitigations include using a GPO to apply Windows Firewall rules to block inbound SMB connections on all unpatched endpoint systems and limiting SMB connections between servers.
Kudelski Security also recommends limiting all inbound and outbound communication on UDP ports 137 & 138 and TCP ports 139 & 445 on internet firewalls in order to reduce exposure and the slow the propagation of this ransomware.
Kudelski Security recommends backing up all files, including systems already affected by the ransomware in case future decryption tools become available.
Additionally, Kudelski Security recommends that organizations evaluate their vulnerability management programs to ensure that updates and patches are tested and applied quickly once they are released.
The Kudelski Security Cyber Fusion Center has ensured all managed and monitored security devices are updated with detection signatures and methodology to detect the uses of the Wana DeCrypt0r 2.0 ransomware and exploitation with ExternalBlue and other recent Windows exploits.
VirusTotal analysis of malicious PDF
Learn More about Kudelski Security’s Managed Security Services (powered by our Cyber Fusion Center)
Over the past few months, numerous breaches have been reported in connected embedded devices ranging from medical devices to programmable logic controllers (PLCs). The so-called Internet of Things (IoT) is now under attack in similar ways to the rest of the IT infrastructure, but there are two major differences:
- IoT devices rarely have the same security level as professional IT hardware. Many of them have been developed prioritizing time-to-market and are lightly evaluated for security. On the other hand, IT hardware has been exposed and exploited for many years, and the industry has evolved countermeasures.
- IoT devices are now cheap and produced in volume. They will pop up in the IT network for many good and bad reasons. The fact is that they cannot be simply discarded but they cannot be ignored either.
This security softness makes those new connected devices a great way into an IT network but their ubiquity and volume also make them a great vector to launch reflective attacks on other targets, as evidenced by the Mirai botnet and its offspring.
IoT devices are generally meant to be driven from the cloud (typical for home automation systems) or from a private server (typical for OT networks). These remote connections bring business value through the centralized gathering and analysis of sensor data and by providing manual or rule-based actuation in the field. Traditionally very little thought is given to security and more particularly to recovering from a security breach. At best, the devices can be updated remotely but this is not sufficient to ensure the security of an entire network. And that’s before we even consider that the remote connections also make the attack surface larger.
The Genie Is Out
In an ideal world, security is not an afterthought. Security is part of the whole product lifecycle. Coming back to reality, billions of devices are connected today and, for the most part, are not secure. There is no way to put this genie back in the bottle, even if we wanted to. Fortunately, some manufacturers are starting to include security in their IoT systems. Unfortunately, this doesn’t help the billions of devices that are already deployed.
Highly regulated markets such as the medical sector already have their guidelines. The FDA has published “Postmarket Management of Cybersecurity in Medical Devices” which essentially gives recommendations to manufacturers about the management of medical devices once they are out in the wild.
It is reassuring to know that pacemakers and insulin pumps will be managed throughout their lifecycle. This doesn’t fix the rest of IT and OT though as the manufacturer of your average connected device does not and probably never will implement such security guidelines. For IoT, we will need to deploy countermeasures to secure the network.
Going back to the basics, prevention, detection and response are the commonly accepted pillars of the information security process. How does this translate to connected devices that are already in the field?
Know the Threat and Contain It
Before deploying countermeasures, a company has to understand its gaps. Therefore, the first step is to better understand the potential threat through a discovery. This discovery should not only include wired devices but also wireless ones. The various radio protocols, modulations and frequencies in use make this task non-trivial and such an analysis requires some fairly advanced tools.
The discovery is likely to show known and unknown devices. Among the known ones, there will be some sensitive ones such as video surveillance cameras. It is never too late to evaluate the hardware, software and network security of such devices as they are exposed. These generally come in small numbers and they can be managed like other IT assets (incl. updates, configuration management, etc.). It is unlikely that the local penetration testing company will do a great job analyzing the security of exposed embedded devices as this requires hardware security skills.
One of the main countermeasures companies deploy with IoT is segregation. It is a good practice to isolate or compartmentalize IoT devices from the rest of the network (e.g. NAC). In reality, most of those connected devices will need access to the Internet to function. Even if they are only allowed to connect to some kind of limited “guest” network, they could still be used to carry out reflective attacks to target other entities.
In addition to corporate-controlled devices, there are also one-off or user-provided devices, i.e. the newest “iThing” for the CEO and the connected toys the product engineers promise they need to get the job done. What can be done about detecting their presence and threats targeting them?
Enter Live Monitoring
As preventive measures are never as perfect as we would like them to be, detective countermeasures are needed. A solid SOC or a Cyber Fusion Center would be ideal but a NOC is already a good first step to identify some of the most obvious attacks like a reflective DDoS.
Monitoring is all about threat intelligence and skilled security analysts. The threat intelligence feeds must include IOCs for embedded devices and the security analysts must be able to hunt for threats on those less conventional devices.
Live monitoring will also keep the list of connected devices up-to-date and allow for better preventive measures.
That “Oops” Moment
If the detection job is done right, attacks will be discovered quickly and they will require fast and efficient response. The response is tightly linked to the type of attack, to the assets under attack and to the value at risk. While some devices could simply be disconnected / isolated, others need to be fixed / swapped and put back online as quickly as possible (e.g. video surveillance equipment).
The nightmare scenario is when the OT network gets compromised, as this has a direct impact on the business. OT networks will often include highly specific equipment, which makes them less susceptible to generic attacks but more interesting for targeted ones (e.g. Stuxnet). Dealing with this type of breach is difficult because:
- Detection is non-trivial in case of targeted attacks as the IOCs are generally not available and behavioral triggers are very specific to the OT devices in use
- When detected, targeted attacks require custom reverse-engineering of the exploit and its payload in order to be able to devise proper remediation actions
- If the exploited vulnerabilities are new (i.e. 0-day), there will be no security update available. The vendor will have to be involved in order to understand the exploitation path and the underlying vulnerabilities in order to build a security patch.
- The “if it ain’t broke don’t fix it” motto unfortunately still very much applies in the OT world. The people in charge will be reluctant to make changes to the system. The attack would often need to be a significant threat to the business to justify upgrading or changing devices.
Incident response needs to be properly planned and drilled during peace time. During war time (i.e. post-breach), people tend to panic and take wrong decisions based on inaccurate or incomplete data. Having a checklist and a script to go through will help those who don’t experience this kind of situation on a regular basis.
Taking Some Distance
Once an incident is solved, the one question that we often get is: can I trust my network again? Well, one should never trust their network. It is almost impossible to assert that a network is 100% clean. Companies on average take months to detect breaches and solving one incident is no guarantee that the network is trustworthy. Defense in depth, advanced detection mechanisms and rapid response are the main keys to stay on top of the security cat & mouse game.
Device manufacturers who care about security will have embedded mechanisms to prevent known types of attacks, to help detect odd behaviors, to report failures, to allow for rapid reaction to breaches and to provide renewable security. These manufacturers will also have dedicated security teams that will provide stellar service when threats arise.
As a CISO, it is best to stop the bleeding before taking care of the wounds. One great place to start is procurement. New devices being purchased need to go through a security evaluation that will ensure they are sound security-wise on day one and that they will be manageable in the long run. Then it is a matter of dealing with the current threats until the future gets brighter.
Earlier this month, the Open Web Application Security Project (OWASP) published a release candidate for its well-known Top 10 list of the most critical web application vulnerabilities. In this first update since 2013, some vulnerabilities have been combined or dropped, making way for new entrants including under-protected Application Programming Interfaces (APIs). This update is notable because the OWASP Top 10 is an important reference for many cybersecurity compliance and regulatory standards but also highlights the shifting threat landscape for web-based applications and technologies over the last few years. While API security is not new, the responsibility for it has been largely left to the software teams developing the APIs. Awareness and concern for web API security is increasing for CISOs in the broader enterprise security market.
From SaaS to social media, APIs provide the connective tissue between systems and services in our interconnected world of mobile, cloud, and IoT applications. APIs are software programming methods, protocols, and tools that enable communication between software components. APIs have long existed for computer hardware and software, including operating systems and databases, but are perhaps more commonly associated with mobile applications and web-based systems in today’s cloud-connected world. Enterprises are now connecting disparate and non-traditional IT systems (e.g. life/safety, physical access control) through web APIs and enterprise service bus platforms to enable better and more efficient business outcomes.
Web APIs use the same underlying technology as browser-based applications, so many of the same security concerns exist that enterprises are familiar with from browser-based applications. An under-protected web API can serve as an efficient way for an attacker to exfiltrate data, using malicious programmatic requests that are much faster to execute than web browser-based methods. Web APIs that are critical to business operations may be the specific target of data integrity or DDoS attacks, disrupting critical business operations. Some APIs include file transfer capabilities that can be a vector to introduce malware to a network. However, since web APIs are not relegated to web browsers, the attack surface is varied and may go undetected if organizations are not adequately monitoring web API activity across the enterprise. So what can CISOs do to shore up defenses for the web APIs in their environment?
- Asset Management – As with other areas of cybersecurity, you need to know what assets (APIs) are in your organization and also understand their function and security capabilities. This can be no small task since web APIs exist for both hardware and software, including on premise or cloud-hosted software applications (especially unsanctioned SaaS applications of Shadow IT). And you cannot just look at traditional enterprise IT assets – badge systems, embedded ICS controllers, and IoT devices use APIs to function or integrate with other systems. Aside from reviewing the API documentation of sanctioned systems, an application-aware firewall or cloud access security broker (CASB) can help identify previously unknown APIs, and the associated software application, unmanaged IoT device, etc.
- Secure communication – Using properly-implemented TLS encryption for communication between API endpoints can provide confidentiality and integrity for the data in transit, preventing data sniffing or manipulation from man-in-the-middle attacks. If you want to inspect the API traffic, using TLS will require decryption/encryption capabilities similar to what you may already use for a web proxy. Also remember that care must still be taken to securely store sensitive data (e.g. credit card numbers) after it is transmitted using web APIs.
- Strong authentication and authorization schemes – CISOs will need to work closely with API developers or vendors to understand what authentication and authorization schemes are supported. Authentication will validate the identity of the application or service requesting access to the API; use strong authentication, such as API tokens, instead of basic authentication (i.e. usernames and passwords in the HTTP authorization header). An authorization framework like the token-based OAuth 2.0 standard enables limiting applications or services to only a certain sub-set of API methods and data.
- Segmentation – Limit the accessibility of your APIs to known and trusted endpoints using an API gateway or firewall network segmentation. These options may not always be operationally feasible and can introduce availability or scalability concerns in certain scenarios or topologies. However, these control points can serve as a mitigation for legacy APIs in your environment that do not support strong encryption, authentication, or authorization schemes.
- Attack Detection and Prevention – Implement protections to detect and protect against API attacks. CASBs, web application firewalls (WAFs), and application-aware firewalls can help to detect and prevent API-based attacks. However, because each web API can have a unique syntax, data structure, set of methods, etc., these tools can only be so effective without specific understanding of the APIs in your environment. For example, CASBs may include specific logic for APIs from leading SaaS applications and can be effective in identifying malicious activity or data exfiltration for those applications. Web application firewalls (WAF) may protect against certain common web-based attacks that are launched against APIs, such as code injection or malformed requests, using WAF protection rules or API rate limiting. Anti-malware systems can detect malware in files that are embedded in an API call.
API security begins with good software development practices – many of the other OWASP Top 10 recommendations are also applicable to developing secure web APIs. Including under-protected APIs as a distinct threat in the latest OWASP Top 10 release candidate highlights the growing concern of API-based attacks. Traditionally the purview of software developers, web API security is becoming a greater consideration in enterprise security. CISOs now find themselves defending a growing and more diverse IT environment, which includes more cloud-based applications and IoT devices as well as enterprise-level application integrations. Web APIs present an amazing opportunity for business and IT extensibility, efficiency, integration… and mischief.