2. Today's Speaker
Chase Cunningham, Threat Intelligence Lead
• Former Chief Cryptologist for the National Security Agency
• US Navy (Ret.)
RANSOMWARE
3. Agenda
• The Threat Landscape
• Ransomware: Definition & Reality
• Demo: How It Works
• Mistakes & Vulnerabilities
• Protect Yourself
• What No One is Talking About
• Questions & Answers
5. The Threat Landscape
Timeline figure of breaches dated 12/13 through 09/14 (the per-item dates are not recoverable from the slide):
• 110 million customers' credit card and personal data stolen
• Exposed names, addresses, emails & payment card details
• 145 million users' passwords affected
• 1.1 million customers' credit and debit card data stolen
• 3 million customers' credit and debit card data stolen
• 56 million customers' credit card data stolen
• 180 Southern California stores hit
• Nude photos of actresses revealed to the public
• Social Security #s & personal data of 4.5 million people
• 4.93 million Gmail user names and passwords published
• Customer data theft from 33 locations
• Who's next?
6. Ransomware Defined
• Malware locks out system owners & demands ransom
• Creates "zombie computer" operated remotely
• Individuals & businesses targeted
• On the rise past 3 years
• CryptoLocker procured estimated US $3 million
7. Ransomware Reality: Code Spaces
• Hosted by a major cloud provider
• Pirates held site for $millions
• Unable to pay; pirates deleted files
• Company filed for bankruptcy
• Cloud provider had no liability
"I always call it the Wal-Mart/Target competition… to see who can get to the lowest price and still provide good service. Security is what gets lost."
- Jeff Schilling, FireHost CSO, SearchSecurity.com
18. Thank You
Please visit us at FireHost.com
Email sales@firehost.com
Phone +1 877 262 3473
Editor's Notes
Hackers are as skilled as security experts
They operate in well-funded organizations
They have access to sophisticated tools
Their abilities to evade capture are growing, such as using Tor anonymizing networks to cover their tracks
Most companies lack the in-house expertise and technology to protect themselves
They lack the budget and even if they had it, finding real IT security experts is difficult – there’s a shortage
Need:
Information Security analyst or director - understand regulation and create a framework to guide security environment
Security Operations (SecOps): Implement and monitor framework from InfoSec
Threat Intelligence: Develop and implement threat intelligence framework
Incident Response & Forensics: Identify and mitigate threats
Many cloud providers are also insecure:
Many clouds were constructed before the industry realized the full importance of safeguarding data.
Those clouds were built with cost savings and performance in mind - security controls were added as an afterthought.
Rather than improve their security posture, they distract customers by emphasizing performance, speed to deployment, cost, scalability and other features.
So their customers assume they are protected – but they aren’t.
Opportunity to illustrate that threats are ongoing, gaining in severity and that brands, regardless of size, are being impacted.
Malware locks out owners from their own systems and demands ransom.
Often they enter system through a downloaded file or vulnerability, then begin encrypting files.
Sometimes they will just demand money – other times they'll impersonate law enforcement, pretending that your system has been used for illegal activities/content, or they'll pretend the Windows installation needs reactivation or that a license expired.
Either way, your system is now a zombie, obeying the commands of a remote criminal network.
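The "begin encrypting files" step above is what endpoint monitoring can key on, because a ransomware process rewrites many files across many directories with near-random content in a short burst. The following is an added example (not from the deck or from FireHost): a Python heuristic run over constructed file-write audit events; the event format, the process names, the paths and the thresholds are all assumptions.

```python
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from pathlib import PurePosixPath

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the content; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

# Constructed audit events: (ISO timestamp, process, path written, entropy of bytes written).
# An editor and an archiver write a few files; a downloaded "invoice" binary (assumed name)
# rewrites many files in two directories with near-random content within seconds.
SAMPLE_EVENTS = [
    ("2014-09-01T10:00:00", "winword.exe", "/home/alice/docs/q3-report.docx", 5.1),
    ("2014-09-01T10:00:02", "7z.exe", "/home/alice/backup/docs.7z", 7.90),
    ("2014-09-01T10:00:10", "invoice_pdf.exe", "/home/alice/docs/q3-report.docx.locked", 7.98),
    ("2014-09-01T10:00:12", "invoice_pdf.exe", "/home/alice/docs/budget.xlsx.locked", 7.97),
    ("2014-09-01T10:00:15", "invoice_pdf.exe", "/home/alice/docs/notes.txt.locked", 7.96),
    ("2014-09-01T10:00:20", "invoice_pdf.exe", "/home/alice/photos/img1.jpg.locked", 7.99),
    ("2014-09-01T10:00:25", "invoice_pdf.exe", "/home/alice/photos/img2.jpg.locked", 7.98),
    ("2014-09-01T10:00:30", "invoice_pdf.exe", "/home/alice/photos/img3.jpg.locked", 7.99),
    ("2014-09-01T10:01:00", "winword.exe", "/home/alice/docs/q3-report.docx", 5.2),
]

def detect_bulk_encryption(events, window=timedelta(seconds=60),
                           min_files=5, min_dirs=2, min_entropy=7.5):
    """Return {process: first alert timestamp} for any process that writes at least
    min_files distinct high-entropy files across min_dirs directories inside one window.
    The directory condition keeps a single archive or one big download from alerting."""
    by_proc = defaultdict(list)
    for ts, proc, path, entropy in sorted(events):
        by_proc[proc].append((datetime.fromisoformat(ts), path, entropy))
    alerts = {}
    for proc, writes in by_proc.items():
        start = 0
        for end in range(len(writes)):
            while writes[end][0] - writes[start][0] > window:  # slide the window forward
                start += 1
            hot = [(p, e) for _, p, e in writes[start:end + 1] if e >= min_entropy]
            files = {p for p, _ in hot}
            dirs = {str(PurePosixPath(p).parent) for p in files}
            if len(files) >= min_files and len(dirs) >= min_dirs:
                alerts[proc] = writes[end][0].isoformat()
                break  # first hit is enough; a responder would now isolate the host
    return alerts
```

On the constructed events, detect_bulk_encryption(SAMPLE_EVENTS) returns {'invoice_pdf.exe': '2014-09-01T10:00:25'}: the editor and the archiver never reach the thresholds, while the fifth high-entropy write across two directories raises the alert.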
CryptoLocker is a ransomware worm that surfaced in late 2013.
It managed to collect an estimated US$3 million before it was taken down by authorities. http://www.bbc.com/news/technology-28661463
Both individuals and businesses are targeted.
Chase's mom had her accounts held for ransom. They wanted $300 – but Chase rode in and straightened it out. Most people can't do that and they just pay because they're scared and no one will help them.
Obviously this can become a form of corporate warfare. A company can hire criminals to take down a competitor.
This started 10 years ago, but has grown in the last 3 years. Vectors and methods are growing.
Code Spaces was a code-hosting and software collaboration platform hosted by a major cloud provider.
Pirates kidnapped their site and demanded several million in ransom. They got into their control panel and demanded money – Code Spaces was unable to pay it.
When Code Spaces changed its passwords and attempted to regain control of the system, the hackers started deleting all the company's data, backups, machine configurations and off-site backups from the panel, leaving the company's website unable to operate. The company declared bankruptcy.
Their cloud provider, Amazon, had no liability. Security was not part of their obligation.
Chase can connect dots, but what if the fake FBI page said you owe $1 million instead of $200? Companies like Code Spaces may not be able to afford it and will go out of business.
So the question we get the most on this topic is – how can I avoid this happening to me?
Here are the mistakes and vulnerabilities we see.
A lot of people take the Ostrich approach: "it won't happen to me." It happened to Chase's mom! It happened to Evernote earlier this year – they paid the ransom. Lots of people pay it.
Another is wasting resources on areas that don’t need to be protected. Not every part of your environment deserves the same amount of protection – it’s smarter to figure out where your risk is and amp up on those areas.
But the #1 mistake we see is businesses using an insecure provider who doesn't have the right capabilities. A lot of them will give you servers and get you up and running, but they have NO interest in keeping you secure, e.g. Code Spaces.
A lot of businesses will ask what technologies can help them prevent this.
First thing, understand security is a 24/7 job.
Get a secure provider who can protect you.
Ask provider the right questions – what is their strategy, what is their security expertise? Do they have security experts on staff that can help protect you? Most don’t and don’t call that out. It’s on you to ask the questions rather than the provider to answer.
Ask if they have 2FA by default, web application firewalls, a security management protocol in place. Do they do threat intelligence management? Is security a priority for them or is it something they do when it’s a problem?
Practice multi-layered security and multiple technologies. No single technology is going to protect you. Real-time monitoring is important, so is threat intelligence, macro data, malware analysis.
FireHost was built from the ground up to focus on security. It is the first cloud provider to ascertain specific indicators from corporate and customer environments to see if they are a threat – we do this ahead of time, like Minority Report.
And if they are, we analyze the indicators so we can preemptively stop the threat before it happens AND recognize other threats. Trying to be proactive, not reactive.
We leverage algorithms and scientific models instead of just stuffing in data and trying to figure it out.
Using data points and intelligence, we can predictively say we don’t need to lock down this area, it’s not going to hit there. We avoid spending 100s of man hours when it’s not a possibility. It’s about optimizing your mitigation strategy – making smart, efficient choices.
This is about leveraging data points and using that knowledge intuitively instead of shotgun reactions - waiting for problems and then fixing them. We’re moving away from the boy with the finger in the dam methodology to something more long term and effective.
We have a dedicated team that is wholly dedicated to vulnerability management and threat intelligence.
The vendors you choose to host or store data are part of everyone's accountability. Focus has always been on the bad guys and their tactics, as well as the fallout for the victims. But we need to stress the need to consider who you collaborate with, because even if they are nice and mean well, they may not be as safe as needed, and you would be in jeopardy as a result. Jeff can talk about FireHost and the principle that not all clouds and cloud providers are created equal when it comes to security and compliance. This gives us subtle yet clear positioning without over-marketing.