AEMP Focus on Technology: Ransomware and Your Fleet
Wednesday, May 17, 2017
Posted by: Georgia Krause
by Georgia Krause - AEMP Staff Writer
Yes, you are vulnerable if you're online and unpatched!
The days of computer-phobic construction folks have long passed, but the internet criminals are just getting started. So, in light of the recent WannaCry outbreak that went after computer systems worldwide, we thought this was a good time to ask an expert whether the software and telematics we use in the construction industry are vulnerable to a WannaCry wannabe.
Short answer - yes.
Kevin Epstein, vice president of Proofpoint's Threat Operations Center, was interviewed on WGN radio Monday afternoon. Epstein said a new ransomware worm is released every 2 or 3 days, trolling the internet in search of an unprotected digital device. In fact, according to ZDNet.com, ransomware attacks increased 748 percent last year.
And it is big money. Cyber criminals made more than $1 billion in ransomware attacks in 2016. Owners of kidnapped computer systems have paid thousands of dollars to get their data back.
Ransomware is also subcontracted out. The more successful worms are sold on the dark web, where computer criminals use the worm code in exchange for a share of the paid ransoms. The crime has evolved into a ransomware-as-a-service scheme offered to potential users at no up-front cost. Instead of charging a fee for the ransomware code, the worm's authors want a 50 percent cut.
Small to medium-sized companies are often targeted because they frequently have poor cyber security. Those companies may mistakenly believe they are too small to be a profitable target, but the kidnappers are working the percentages: sending out the attack is cheap and easy, and they figure that if they hit enough companies, those small $300 ransoms start adding up to big money.
Ransomware is NOT limited to Windows-based computers. Apple devices are vulnerable, as are smartphones, tablets, smart TVs - ANY internet-connected device is a potential kidnap victim.
Experts fear the hackers will expand into holding connected cars, homes, even medical devices hostage.
It is important to understand that ransomware does not need to operate in a browser-based environment. In fact, often the computer's browser is left operational so the hostage can send money to the criminal via the web.
Diagnostic systems, data collection, messaging protocols can be attacked.
Epstein answered our question regarding internet-connected construction data, saying, "Yes, connections to third-party systems unfortunately can expose the network to compromises like the ones seen in the WannaCry ransomware attacks. Organizations need to ensure that their network/firewall policies don't expose their vulnerable services. Security teams can also install an IDS ruleset that is tuned to stop the spreader behavior of malware, and detect command-and-control activity."
So, what can you do? Epstein says that any time your device asks to install a system update, say yes.
Here are some other ways to limit your risk:
- Unplug backup drives. It is not enough to simply shut them down. If your backup is plugged in when the ransomware attacks your system, your backup data will also be encrypted.
- You have already established a No-Click policy for all of your employees' devices, right? Now, if an email from a familiar institution such as a bank or other usually trusted facility asks you to click on a link, and you did not initiate a dialog with that company, do not click on that link. It can be a trap. Instead, go to that company's website in your browser and search for whatever they may be contacting you about. If you have an established relationship with that company, you'll find their message to you within your account profile.
- Mobile apps can infect your system. Proofpoint's research found that authorized Android app stores have more than 12,000 malicious mobile apps (capable of stealing information, creating backdoors, and other functions) accounting for more than 2 billion downloads. In addition to outright data-robbing apps, also be aware of apps that encourage dangerous employee behavior that can lead to sensitive company information leaking to unknown sources. Social media is an example. Have company-owned phones configured to bar app downloads, and enforce a strict policy on how data is shared between employee-owned devices and your enterprise system.
- Install an email security program that combines deep analysis, content inspection, and robust URL intelligence services and make sure its coverage extends to corporate VPNs and mobile devices.
- Get ahead of malware threats with predictive security programs that automatically 'sandbox' suspect URLs. This is very important with accounts you may use to share files and images such as Google Drive, Adobe, and Dropbox.
- Do not allow employees to use devices that have been 'jailbroken' on your network. Jailbreaking is when the device's code is altered to allow users access to files and services not originally included in the device's operating software.
- Add additional strength to the security you already have in place with a custom ruleset. For example, Proofpoint offers a ruleset for detecting and blocking advanced threats using your existing network security appliances, such as next-generation firewalls (NGFW) and network intrusion detection / prevention systems (IDS/IPS). It is updated every day and covers network behaviors, malware command and control, DoS attacks, botnets, informational events, exploits, vulnerabilities, SCADA network protocols, and exploit kit activity.
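Epstein's two network recommendations above (don't expose vulnerable services through the firewall, and tune detection to the spreader behavior of a worm) can be illustrated with a small log check. The script below is an added example written for this article; it is not Proofpoint's ruleset or any product's code. It runs over a constructed sample of firewall log lines (timestamp, source, destination, port, action) and does two things: it flags an internal host that opens TCP/445 (the SMB port WannaCry's spreader used) to many distinct internal peers inside a short window, which is what worm fan-out looks like from the network side, and it lists any SMB connection from outside the network that the firewall allowed through. The internal address ranges, the threshold of 5 hosts and the 60-second window are assumptions to tune for your own network.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall/flow log (not real traffic). Columns:
# timestamp  source_ip  destination_ip  destination_port  action
SAMPLE_LOG = """\
2017-05-15T09:00:01 10.0.1.15 10.0.1.20 445 allow
2017-05-15T09:00:02 10.0.1.15 10.0.1.21 445 allow
2017-05-15T09:00:02 10.0.1.15 10.0.1.22 445 allow
2017-05-15T09:00:03 10.0.1.15 10.0.1.23 445 allow
2017-05-15T09:00:03 10.0.1.15 10.0.1.24 445 allow
2017-05-15T09:00:04 10.0.1.15 10.0.1.25 445 deny
2017-05-15T09:00:10 10.0.1.40 10.0.1.5 443 allow
2017-05-15T09:00:11 10.0.1.40 10.0.1.5 443 allow
2017-05-15T09:01:00 198.51.100.7 10.0.1.30 445 allow
2017-05-15T09:05:00 10.0.1.15 10.0.1.26 445 allow
"""

SMB_PORT = 445                   # the service WannaCry's spreader targeted
FANOUT_THRESHOLD = 5             # distinct internal hosts on 445 within one window (assumed)
WINDOW = timedelta(seconds=60)   # sliding window length (assumed)
# Assumed internal address space; adjust to your own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Split one log line into typed fields."""
    ts, src, dst, dport, action = line.split()
    return (datetime.fromisoformat(ts), ipaddress.ip_address(src),
            ipaddress.ip_address(dst), int(dport), action)


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def find_smb_fanout(log_text, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Flag internal hosts that touch >= threshold distinct internal peers on
    TCP/445 inside one sliding window: the fan-out pattern of a worm looking
    for its next victim. Allowed and denied attempts both count, because a
    denied connection is still evidence of scanning."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, _ = parse_line(line)
        if dport == SMB_PORT and is_internal(src) and is_internal(dst):
            attempts[src].append((ts, dst))

    alerts = {}
    for src, events in attempts.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            peers = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(peers) >= threshold:
                alerts[str(src)] = sorted(str(p) for p in peers)
                break
    return alerts


def find_exposed_smb(log_text):
    """List (external_src, internal_dst) pairs where SMB from outside the
    network was allowed through: the firewall-policy gap Epstein warns about."""
    exposed = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src, dst, dport, action = parse_line(line)
        if (dport == SMB_PORT and action == "allow"
                and not is_internal(src) and is_internal(dst)):
            exposed.append((str(src), str(dst)))
    return exposed


if __name__ == "__main__":
    for host, peers in find_smb_fanout(SAMPLE_LOG).items():
        print(f"possible SMB spreader: {host} reached {len(peers)} hosts "
              f"within {WINDOW.seconds}s: {peers}")
    for src, dst in find_exposed_smb(SAMPLE_LOG):
        print(f"SMB reachable from the internet: {src} -> {dst}")
```

On the sample, host 10.0.1.15 trips the fan-out rule (six SMB peers in four seconds, one of them denied) while the 443 traffic from 10.0.1.40 is ignored, and the allowed SMB session from 198.51.100.7 shows up as an exposed service. The same two questions are what a tuned IDS/IPS ruleset asks continuously; the value of writing them out is that you can see exactly which log fields and thresholds the alert depends on.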
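The No-Click advice in the list above rests on one fact that a mail client hides: the text of a link and the address it actually opens are two different things. The following added example (written for this article, not taken from Proofpoint or any product) walks the anchors in a constructed sample email body and flags a link when its real target is not one of the institution's known domains, or when the displayed URL points somewhere other than the real one. The trusted domain list and the "last two labels" notion of a domain are simplifying assumptions; a production filter would use the public suffix list.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message body for illustration (not a real phishing email).
# The first link displays the bank's real address but points elsewhere.
SAMPLE_HTML = """
<p>Dear customer, please verify your account:</p>
<a href="http://login.example-bank.com.verify-now.test/acct">https://www.example-bank.com/login</a>
<p>Or visit <a href="https://www.example-bank.com/help">our help center</a>.</p>
"""

# Assumed set of domains the institution really uses; fill it from your own
# records, never from the email itself.
TRUSTED_DOMAINS = {"example-bank.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' approximation of the owning domain (assumption
    for this example; real deployments consult the public suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url_like):
    """Hostname of a URL, tolerating 'www.example.com/x' without a scheme."""
    if "://" not in url_like:
        url_like = "http://" + url_like
    return urlparse(url_like).hostname or ""


def check_links(html_text, trusted_domains=TRUSTED_DOMAINS):
    """Return one finding per link with the reasons it looks suspicious."""
    collector = LinkCollector()
    collector.feed(html_text)
    findings = []
    for href, text in collector.links:
        real_host = host_of(href)
        reasons = []
        if registrable_domain(real_host) not in trusted_domains:
            reasons.append("target host is not one of the institution's known domains")
        # A link whose visible text is itself a URL should lead where it says.
        if text.startswith(("http://", "https://", "www.")):
            if registrable_domain(host_of(text)) != registrable_domain(real_host):
                reasons.append("displayed URL differs from the real target")
        findings.append({"href": href, "text": text,
                         "suspicious": bool(reasons), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in check_links(SAMPLE_HTML):
        status = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{status}: '{f['text']}' -> {f['href']}  {'; '.join(f['reasons'])}")
```

On the sample body the first link is flagged for both reasons (its host ends in verify-now.test, and the address it shows is the bank's), while the plain "our help center" link to the bank's own domain passes. The manual version of this check is what the list item recommends: never trust the link text, and reach the institution through the address you already know.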