Month: July 2020

Protecting Yourself from Cyber Attacks While Working From Home During Covid-19 Pandemic

With Coronavirus Pandemic affecting our lives, more and more Companies are adopting Work-from-Home Policies. The age of remote work is upon us and most of us have settled into a routine of working from home. But at the same time, Cybersecurity has become a growing issue.

Cybercriminals are seeking every opportunity to exploit the Coronavirus and target companies and individuals. They are using COVID-19-themed phishing emails that purport to deliver official information on the virus in order to lure users into clicking malicious links that download Remote Administration Tools (RATs) onto their devices. There have been many reported cases of malicious COVID-19-related Android applications, through which cybercriminals have accessed smartphone data or encrypted devices for ransom. Additionally, the pandemic has resulted in the creation of more than a lakh (100,000) new COVID-19 web domains, which should be treated with suspicion, although not all of them are necessarily malicious.

Cyber attackers have been taking advantage of the fact that not many people working from home have applied the same security on their networks that would have been in place in a corporate environment otherwise. They are looking for gaps where enterprises have not deployed the right technologies or corporate security policies to secure all corporate-owned or managed devices with the same security protections, regardless of whether they are connected to an enterprise network or an open home Wi-Fi network. Therefore, it is the responsibility of both employees and business leaders to secure their Organization and make sure that cyberattacks do not further compound the already disrupted work environment.

How should Businesses respond?

In this critical time of the pandemic, business leaders must set clear expectations about how their Organizations should empower their employees, leverage new policies and technologies, and manage security risk in the new work environments. It is crucial that these messages on security come from the very top management and good examples are set from the beginning. Here are three recommendations for businesses to respond.

  1. Understanding the threats: With more and more employees working from home, business leaders should work with their security teams to identify likely attack vectors. They should prioritize the protection of their business-critical applications and their most sensitive information.
  2. Encouraging communication & providing clear guidance: Right now, it is crucial that employees are clear about the home-working policies, which should include easy-to-follow steps that empower people to make their home-working environment as secure as possible. Employees should also know how to communicate with internal security teams regarding any suspicious activity.
  3. Providing the right security capabilities: All corporate-owned or managed devices should be equipped with essential security capabilities. This helps extend the same network security best practices that exist within the Organization to all remote environments. The critical capabilities may include:
    • The ability to securely connect users to their business-critical cloud and on-premise applications, for instance the video teleconferencing applications that are increasingly relevant for remote work environments.
    • Multi-Factor Authentication (MFA) should become a regular practice.
    • The Organization should be able to block exploits, malware, and command-and-control (C2) traffic using real-time, automated threat intelligence.
    • There should be endpoint protection on all mobiles and laptops, including VPN tools with encryption.
    • The enterprise should be able to filter malicious domain URLs and perform DNS sink-holing to thwart common phishing attacks.

How should Employees respond?

Employees should be encouraged to follow the guidelines provided to them by the Organization and take preventative measures.

  • Good Password Hygiene: Employees should use complex passwords and multifactor authentication wherever possible. They should keep changing these passwords frequently.
  • Updated Software & Systems: Updates and patches should be installed in a timely manner. This must include installs on mobile devices and other non-corporate devices that are used for work.
  • Secured Wi-Fi Access Point: Users should change the default settings and passwords of their home router so that a compromised device on the same home network has less opportunity to reach the work device.
  • Using a Virtual Private Network (VPN): VPNs create trusted connections between employees and Organizations. A VPN ensures ongoing access to corporate tools and provides additional protection against phishing and malware attacks, similar to corporate firewalls.
  • Personal & Work Shouldn’t Be Mixed: Employees should keep their work devices and personal devices separate. If they wouldn’t install or use a service while they are at the office, they should not do it while at home on the work device.

Neumetric, one of the top Cybersecurity companies in Bangalore, suggests that these straightforward steps at both individual and enterprise level can help address some of the most common security risks. Additionally, our threat environment is not static, especially during this pandemic. Phishing emails, malicious domains, and fake apps are out in the wild already and cybercriminals love to exploit real-world tragedies. COVID-19 is no different, which means you need to have a close eye on evolving threats to avoid unnecessary additional costs and disruptions in a time when we can least afford them.

Neumetric, a cybersecurity services, consulting & products Organization, can help you reduce your security cost without compromising your security posture. Our years of in-depth experience in handling security for Organizations of all sizes & in multiple industries make it easier for us to quickly identify and cut the activities that do not bring value to you, while you continue focusing on the Business objectives of the Organization.

Why Is Securing Virtual Desktops Crucial During the Covid-19 Pandemic?

With the Covid-19 pandemic forcing many enterprises to shift their businesses online and the employees to work from home, securing virtual desktops for the remote employees has become crucial. While businesses had to quickly adjust to the given situation, network security became an afterthought for many.

Cybercriminals have already been taking advantage of the new “work-from-home” normal by targeting the vulnerabilities associated with employees connecting to corporate resources from their home environment. This involves phishing campaigns, denial-of-service attacks, and even the exploitation of vulnerabilities in home routers.

Virtual Desktop Infrastructure (VDI) assists businesses in reducing the impact on productivity and continuity, as well as the risk associated with remote access to internal data.

Vulnerable Desktop Pools

For any cybercriminal, the initial target of an attack is never the objective in itself; it is a foothold from which to reach more valuable systems.

With Virtual Desktop Infrastructure, user desktops reside within the data-center, close to the servers hosting critical applications and data. Bringing users inside the data-center through desktop virtualization therefore creates a new threat vector: attackers can take advantage of a vulnerable user or desktop to reach data on the nearby servers.

Ensuring that VDI pools and RDSH (Remote Desktop Session Host) farms are isolated from the rest of the data-center is crucial. The key capability of the NSX Service-Defined Firewall is that it provides this segmentation at scale, without requiring network re-architecture.

Protecting the Desktop Pools

Using dynamic security groups based on criteria including VM (Virtual Machine) name, network segment, or security tag, desktops can be grouped together. An appropriate segmentation policy can be applied that isolates the desktops from the rest of the data-center.

If an organization wants to scale up the number of remote desktops because more employees are working from home, the new desktops are simply added to the existing groups. The same segmentation policy applies to every new desktop that comes up, without any change to the policy, any network re-architecture, or any additional physical firewall appliances.

Compare this with the traditional model, in which traffic to and from the desktop pools is hair-pinned to a physical firewall whose policy is based on IP addresses and subnets. That policy has to be adjusted manually to account for the large increase in desktops and IP addresses in the VDI pools. Manual intervention slows down the roll-out and is also error-prone, which leads to both operational inefficiency and an increase in risk.

Ransomware & its Behavior

Just as attackers try to move laterally within an environment to gain access to valuable systems and data, ransomware and other types of malware exhibit worm-like behavior that allows them to spread from one infected machine to another.

The WannaCry ransomware, which exploited the EternalBlue vulnerability in Windows SMBv1 servers, executed on one machine, then scanned the rest of the environment for vulnerable servers and propagated itself laterally. Microsoft recently published a security advisory about a remote code execution vulnerability, also referred to as SMBGhost or CoronaBlue, that is similar to EternalBlue. It is considered wormable, which means that if exploited it can self-propagate over the network.

In such a situation, network-based segmentation using a traditional firewall deployed between zones can help prevent lateral movement between zones. However, it offers no protection against propagation within a subnet, such as a desktop pool. By contrast, the NSX Distributed Firewall sits at the vNIC of every workload. It intercepts traffic before it even reaches the network, regardless of whether that traffic is headed to another desktop, to the internet, or to a production application in the data-center.

The Single-Rule Policy

With a single rule on the distributed firewall, organizations can isolate every desktop from every other desktop across their VDI pools. Through the use of dynamic security groups based on tags or other constructs, this policy can be automatically applied to every desktop that is spun up. With just this single desktop isolation rule in place, organizations can stop the self-propagation of ransomware across their desktops as well as the lateral movement of an attack.

If some lateral communication between desktops is required, customers can configure a firewall policy that uses Layer-7 Application Identity to allow only the more secure protocols.
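To make the tag-based grouping, the single isolation rule and the Layer-7 exception described above concrete, here is a small Python model added as an illustration; it is not NSX code or any vendor's implementation, and the workload names, addresses and tags are constructed. It also contrasts the dynamic group with the static, IP-based rule of the hair-pinned physical firewall discussed earlier, showing which newly spun-up desktop that rule would miss.

```python
"""Illustrative model of tag-based dynamic groups and a per-workload
distributed firewall rule; teaching code, not NSX's implementation."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional


@dataclass
class Workload:
    name: str
    ip: str
    tags: FrozenSet[str] = frozenset()


@dataclass
class DynamicGroup:
    """Membership is derived from a tag each time it is checked, so a desktop
    tagged after the policy was written is covered without a policy change."""
    name: str
    tag: str

    def contains(self, wl: Workload) -> bool:
        return self.tag in wl.tags


@dataclass
class Rule:
    src: DynamicGroup
    dst: DynamicGroup
    action: str                            # "allow" or "deny"
    apps: Optional[FrozenSet[str]] = None  # Layer-7 app identities; None = any app


@dataclass
class Flow:
    src: Workload
    dst: Workload
    app: str  # application identity observed at the vNIC, e.g. "SMB", "HTTPS"


def evaluate(rules: List[Rule], flow: Flow, default: str = "allow") -> str:
    """First matching rule wins. Because the check happens at the source
    workload, it applies even when both workloads share one subnet."""
    for r in rules:
        if not (r.src.contains(flow.src) and r.dst.contains(flow.dst)):
            continue
        if r.apps is not None and flow.app not in r.apps:
            continue
        return r.action
    return default


def desktop_isolation_policy(desktops: DynamicGroup,
                             permitted_apps: FrozenSet[str] = frozenset()) -> List[Rule]:
    """The single-rule policy: desktop-to-desktop traffic is denied, optionally
    preceded by an allow for a short list of more secure protocols."""
    rules: List[Rule] = []
    if permitted_apps:
        rules.append(Rule(desktops, desktops, "allow", permitted_apps))
    rules.append(Rule(desktops, desktops, "deny"))
    return rules


def uncovered_by_static_policy(static_cidrs: List[str],
                               workloads: List[Workload]) -> List[str]:
    """Contrast: an IP-based rule on a hair-pinned firewall only covers the
    addresses listed when it was written. Returns the desktops it misses."""
    nets = [ip_network(c) for c in static_cidrs]
    return [w.name for w in workloads
            if not any(ip_address(w.ip) in n for n in nets)]


# Constructed sample environment (hypothetical names, tags and addresses).
VDI = DynamicGroup("vdi-desktops", tag="vdi")
desktops = [Workload(f"vdi-desktop-{i}", f"10.10.1.{i}", frozenset({"vdi"}))
            for i in range(1, 51)]
app_server = Workload("erp-app-01", "10.20.0.5", frozenset({"prod-app"}))
POLICY = desktop_isolation_policy(VDI, permitted_apps=frozenset({"HTTPS"}))
# The static firewall was written for the first 50 desktop addresses only.
STATIC_DENY_LIST = [f"10.10.1.{i}/32" for i in range(1, 51)]

# Scale-up: a new desktop is spun up with the same tag; POLICY is untouched.
new_desktop = Workload("vdi-desktop-51", "10.10.1.51", frozenset({"vdi"}))
desktops.append(new_desktop)

if __name__ == "__main__":
    print(evaluate(POLICY, Flow(desktops[0], new_desktop, "SMB")))    # deny
    print(evaluate(POLICY, Flow(desktops[0], new_desktop, "HTTPS")))  # allow
    print(evaluate(POLICY, Flow(new_desktop, app_server, "HTTPS")))   # allow
    print(uncovered_by_static_policy(STATIC_DENY_LIST, desktops))     # ['vdi-desktop-51']
```

The isolation rule only governs desktop-to-desktop flows; traffic from a desktop to the production application server falls through to the default, which is where a separate application-access policy would sit in a real deployment.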

This makes it easier to identify different existing solutions that aim at providing security in virtual machines.

Are You Preparing Your Business To Adopt Security Standards?

With ever-increasing cyber-attacks and constant changes to data privacy integration, IT security has become a major concern for companies these days. If you are also preparing your Organization for adopting security standards compliance, here is what to think through.

Understanding why the Organization needs the Standard: The foremost thing to do even before you decide on adopting security standards is to understand why the Organization wants to use the standards. You must think about which aspect of the standards you are going to tackle and how it can help your Business. Is it for multi-factor authentication, email encryption or to better understand security and risk in the Business? For instance, if you are a banking contractor you may want to focus on encryption, while someone in the medical practices would want to focus on stronger authentication for patient portals.

Finalize the scope of the project: While adopting the standards, some companies try to take on too much. Therefore, it is advisable to define the scope early and determine which employees and departments these standards are targeted for. Finalizing the scope at initial steps helps save significant costs and time. You can also control the costs by just tightening the scope of the standards project.

Certification programs: When your security system adheres to all the applicable standards and regulations, that is known as compliance. But this is not enough. Your customers may require your system to be certified by a governing body. Certification provides physical proof of a compliance claim. Therefore, it is of utmost importance to know whether your customers and the company’s stakeholders are asking for certification. If they are, certification programs require buy-in from top management. You should also budget extra resources for maintaining documents and paying consultants.

Determine how the new Standard makes you stronger as a company: Another crucial thing that you need to ask yourself is how the standards will make you stronger as an Organization and help your Business thrive. For instance, security teams should communicate to top management about opportunities that will present themselves with the new certification. Regulatory frameworks also help Businesses improve the compliance process every time they prepare for a review or an audit. Over a period of time, your Organization can automate by using outside tools that are designed to streamline the manual process for a compliance audit. These tools are quite helpful, as they come loaded with internal auditing features that can help you ensure that your company maintains continuous compliance and can avoid the rush to make changes at the time of the audit.

Maintenance regimen: Security certification audits are an annual routine and therefore you must think about keeping the certificate valid. This is a continuous process that includes the improvement of security practices and learning from past experiences.


Wiper Malware & Its Variants Part 2 – All That You Need to Know

The wiper is typically used for extortion and many ransomware attacks include a wiper component. Recently, cybersecurity researchers have discovered a new malware strain called Ordinypt that includes both wiper and ransomware capabilities. This malware overwrites the data and renders it permanently irrecoverable. This destructive nature of malware clearly signifies that there’s no incentive for victims to pay the ransomware’s actors. This was used to infect German-speaking users, thereby leaving them with no options to retrieve their files.

Variants of Wiper Malware

But Ordinypt is not the only one that has caused havoc by masquerading as ransomware. In August 2019, another ransomware named GermanWiper caused headaches for German companies by permanently destroying user data, while demanding ransom payments.

The latest report from IBM X-Force highlights a 200% increase in destructive malware cases between the 2nd half of 2018 and the 1st half of 2019. But what is the point of disguising a wiper as ransomware? Let’s have a look.

Financial Gain

While most of the ransomware attacks include a wiper component, the wiper is mainly used for extortion. The hazard of permanent data destruction acts as a strong incentive for Businesses to cough up the ransom. By the time ransom is paid to the attackers, Businesses realize the truth of wiper-cum-ransomware and are left with little or no chance to recover their lost data.

Economic Disruption

Sometimes the purpose of hiding Wiper as ransomware is to achieve large-scale economic disruption. For instance, in 2017, after a series of high-profile ransomware attacks, NotPetya was released to the world.

This Cyberattack looked like conventional ransomware designed to generate as much money as possible. However, cybersecurity experts quickly realized that the ransomware was in fact destructive malware. NotPetya generated about $10,000 in ransom payments but caused more than $1 billion in economic disruption.

Dealing With Malware


We suggest Businesses adopt a comprehensive disaster recovery strategy to mitigate the effects of malware in the future because wipers-disguised-as-ransomware attacks pose a serious threat. Organizations should implement a robust antivirus solution and frequent staff training about the importance of basic cyber hygiene. 

All That You Need To Know About Wiper Malware

We all are aware of Malware that is designed to maliciously disrupt the normal operation of a network or a user’s phone, computer, tablet, and other devices. There is a wide range of malware categories, including worms, spyware, trojans, and even keyloggers. And these terms are often used interchangeably. Many malware variants incorporate a blend of different techniques and wiper malware is one such variant that can prove to be very destructive for Businesses.

Wiper Malware

Wiper Malware intends to destroy data and systems it infects. The motive of this malware variant could be to send a message, erase any traces of activity or introduce fear, but it may destroy data without impacting systems, or vice versa. Wiper attacks can be fatal to Organizations because there is almost no chance of recovering the data.

How do Wiper Methodologies affect Systems?

Usually, wipers have three targets: the boot components of the machine’s operating system, data files, and the backups of data and system. Some wipers overwrite a targeted list of files, while others overwrite every file inside specific folders. Some overwrite only a fixed number of bytes at intervals within each file, and some target only the first few bytes of every file in order to destroy the headers.

These shortcuts exist for efficiency, because fully overwriting every file is slow for this class of malware. To destroy the backups, the malware deletes the shadow copies of files. The operating system is rendered unbootable by erasing the first ten sectors of the physical disks, or by rewriting those sectors entirely.
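The header-only overwrite and the blanked boot sectors described above leave artefacts an incident responder can look for. The following Python triage script is an added example, not code from the original post: it flags files whose leading bytes no longer match the magic number expected for their extension, and checks whether the first ten 512-byte sectors of a disk image are all zero. The sample files it writes to a temporary directory are constructed, and the magic-number table is deliberately short.

```python
"""Added forensic triage example: detect header-wiped files and blanked boot
sectors, the artefacts described for this class of wiper."""
import tempfile
from pathlib import Path
from typing import Dict

# Leading bytes expected for a few common types; extend the table as needed.
MAGIC: Dict[str, bytes] = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",  # OOXML documents are ZIP containers
}


def classify_header(path: Path) -> str:
    """Return 'ok', 'header-damaged' or 'unknown-type' for one file."""
    expected = MAGIC.get(path.suffix.lower())
    if expected is None:
        return "unknown-type"
    with open(path, "rb") as fh:
        head = fh.read(len(expected))
    return "ok" if head == expected else "header-damaged"


def triage_directory(root: Path) -> Dict[str, str]:
    """Map every regular file under root to its header status."""
    return {p.name: classify_header(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def first_sectors_blank(image: bytes, sectors: int = 10,
                        sector_size: int = 512) -> bool:
    """True when the first `sectors` sectors are entirely zero, i.e. the boot
    code and partition table have been erased rather than merely corrupted."""
    span = image[: sectors * sector_size]
    return len(span) == sectors * sector_size and not any(span)


def build_sample_tree() -> Path:
    """Constructed sample data: healthy files plus copies whose first 16 bytes
    were overwritten with zeros, mimicking a header-only wipe."""
    root = Path(tempfile.mkdtemp(prefix="wiper-triage-"))
    samples = {
        "report.pdf": MAGIC[".pdf"] + b"1.7\n%constructed sample\n",
        "logo.png": MAGIC[".png"] + b"\x00" * 32,
        "archive.zip": MAGIC[".zip"] + b"\x14\x00" * 8,
    }
    for name, data in samples.items():
        (root / name).write_bytes(data)
        wiped = bytearray(data)
        wiped[:16] = b"\x00" * 16  # header-only overwrite
        (root / f"wiped-{name}").write_bytes(bytes(wiped))
    (root / "notes.txt").write_bytes(b"no magic number to check")
    return root


if __name__ == "__main__":
    for name, status in triage_directory(build_sample_tree()).items():
        print(f"{status:15} {name}")
    # Constructed disk images: a zeroed one and one with a boot signature intact.
    print(first_sectors_blank(b"\x00" * 5120 + b"\x55\xaa"))
    print(first_sectors_blank(b"\xeb\x63" + b"\x00" * 6000))
```

A file reported as header-damaged with otherwise intact content is worth keeping: many formats can be repaired by restoring the header, whereas a full overwrite leaves nothing to recover.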

Wipers in the wild

Wiper has been around for a while now, and only a few of them have caught attention because of their large-scale activities.

  • A few years back, a wiper named Flame was discovered to have infected many systems in Middle Eastern countries.
  • In 2013, a wiper named Dark Seoul infected South Korea’s broadcasting agencies and banks in a coordinated attack.
  • Shamoon wiper has affected nearly 30,000 computers at Saudi Aramco, where the systems were completely wiped and unbootable.
  • Petya malware was discovered to be a wiper disguised as ransomware: victims who paid the ransom still could not recover their data.
  • Sony Pictures Entertainment was attacked by Destover wiper that leaked confidential data and rendered many machines unusable.

Defensive mechanisms against Wipers

The defensive mechanisms against wipers are similar to those for other malware. Cyber Security Experts recommend swift action, because the longer the malware stays on a system, the more damage it can cause. A Cybersecurity Incident Response Plan [CSIRP] can help you and your team respond appropriately to the attack. This plan should clearly define the roles and responsibilities of the different teams in the Organization.

During a wiper attack, it is essential to isolate the affected network to prevent malware from spreading. Trusting the entire Organization’s security to a single technology makes the line of defense quite weak. Therefore, we suggest that the traffic of the internal network should be strictly monitored.
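Swift action depends on noticing the attack early, and one of the earliest observable steps described above is the deletion of shadow copies before the data itself is destroyed. The following Python detector is an added example, not code from the original post: it parses constructed process-creation log lines (the line format is an assumption made for this example, not any product's native format), matches the command lines against patterns for shadow-copy deletion and related backup tampering (vssadmin, wmic, bcdedit and wbadmin are the standard Windows utilities; the patterns are the author's), and names the hosts that trip more than one rule as candidates for network isolation.

```python
"""Added detection example: flag backup-destruction commands in process logs
and nominate hosts for isolation. Log format and hosts are constructed."""
import re
from collections import Counter
from typing import Dict, List, Optional

# Patterns are matched case-insensitively against the full command line.
BACKUP_TAMPERING_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "vss-delete": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "vss-resize": re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b", re.I),
    "wmic-shadow": re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "bcdedit-recovery": re.compile(
        r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
    "wbadmin-catalog": re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I),
}

# Assumed key=value line shape for process-creation events (constructed).
LOG_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) parent=(?P<parent>\S+) '
    r'image=(?P<image>\S+) cmdline="(?P<cmdline>[^"]*)"$'
)

# Constructed sample log: benign lines, a malformed line, and tampering commands.
SAMPLE_LOG: List[str] = [
    r'2020-07-14T09:11:58Z host=WS-042 user=CORP\alice parent=cmd.exe image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin list shadows"',
    r'2020-07-14T09:12:03Z host=WS-042 user=CORP\alice parent=cmd.exe image=C:\Windows\System32\vssadmin.exe cmdline="vssadmin.exe delete shadows /all /quiet"',
    r'2020-07-14T09:12:04Z host=WS-042 user=CORP\alice parent=cmd.exe image=C:\Windows\System32\wbem\wmic.exe cmdline="wmic shadowcopy delete"',
    r'2020-07-14T09:12:05Z host=WS-042 user=CORP\alice parent=cmd.exe image=C:\Windows\System32\bcdedit.exe cmdline="bcdedit /set {default} recoveryenabled No"',
    r'2020-07-14T09:13:40Z host=WS-017 user=CORP\bob parent=explorer.exe image=C:\Windows\System32\notepad.exe cmdline="notepad.exe C:\Users\bob\notes.txt"',
    r'2020-07-14T09:14:02Z host=WS-017 user=CORP\bob parent=cmd.exe image=C:\Windows\System32\wbadmin.exe cmdline="wbadmin delete catalog -quiet"',
    r'2020-07-14T09:14:05Z host=WS-017 user=CORP\bob parent=cmd.exe',  # truncated line
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the event fields, or None for a line that does not fit the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """One alert per (event, rule) pair; unparsable lines are skipped."""
    alerts: List[Dict[str, str]] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        for rule, pat in BACKUP_TAMPERING_PATTERNS.items():
            if pat.search(ev["cmdline"]):
                alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                               "rule": rule, "cmdline": ev["cmdline"]})
    return alerts


def hosts_to_isolate(alerts: List[Dict[str, str]], threshold: int = 2) -> List[str]:
    """Hosts with at least `threshold` tampering alerts are isolation candidates;
    a single hit may be an administrator, several in a row rarely are."""
    counts = Counter(a["host"] for a in alerts)
    return sorted(h for h, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts']} {a['host']:8} {a['rule']:18} {a['cmdline']}")
    print("isolate:", hosts_to_isolate(found))  # ['WS-042']
```

The threshold is deliberately conservative: a lone `vssadmin list shadows` never matches, and a single deletion can be legitimate maintenance, whereas a host that deletes shadow copies and then disables recovery within seconds is the sequence this class of malware exhibits.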

