Ransomware ‘explosion’ warning

RANSOM demands from computer gangsters who take control of entire corporate IT systems, as well as attempts to get employees to inadvertently disclose sensitive corporate information, have “exploded” and now represent 40 per cent of all IT systems attacks, according to Pentana Solutions.

Paul Stanbury, infrastructure manager at Pentana Solutions, told attendees of the company’s recent Top Gear Live virtual event that companies need robust countermeasures to cyber attacks and constant staff training to recognise cyber security threats.

This was essential to prevent compromised systems and monetary demands to restore infected computers and servers, he said.

Mr Stanbury told delegates that getting the attention of management for IT security was “a bit of a struggle” and that this was common in most businesses because the focus within the business was elsewhere and because “people don’t want to spend the money”.

He said the IT functions are often rolled into an existing function like an accountant.

“Let’s face it, security is expensive. It is complex and it can be time consuming. Many dealerships have a low budget and legacy desktop environments. I get it; why replace environments that are not broken?” he said.

Mr Stanbury also said that phishing and ransomware occur where a malicious actor sends either targeted or broad emails to an organisation and users unwittingly click on links in the email. They will be presented with a dialogue box that looks like an internal system or an Office 365 login. Users then reveal their username and password, which can be used by a third party to access internal systems or to email other customers.

“It often happens that phishing emails include attachments with macros in them. These macros can then be used to download and install malicious software to allow people to take control of your computers.

“And in the worst case, ransomware, they will actually encrypt your systems, they’ll connect to your servers, they’ll encrypt your backups, and then they’ll demand a ransom from you to actually reverse the effects of their encryption.”

Mr Stanbury said that Australian government figures show that, in 2020, while 40 per cent of cyber incidents were phishing or ransomware, 38 per cent of data breaches were caused by human error, for example employees sending emails to the wrong person.

He said that Pentana was addressing errors by automating many of its processes. It had also developed a training regime where “we have subject matter experts throughout the organisation creating training material so that our people are less likely to make mistakes”.

Mr Stanbury said that malicious attacks, in which people contact an organisation and impersonate someone in order to fool you into providing them with confidential information, represent about 10 per cent of internet frauds.


“At Pentana we’ve had multiple internal awareness sessions to ensure that people actually understand that these are not legitimate activities.”

He said that Pentana had actually sent its employees what purported to be malicious emails to see which employees opened or activated what was sent. This was followed by training sessions to help employees identify malware.

Referring to rogue employees, he said: “It’s a sad fact that the bigger you become the likelihood of having a malicious person within your organisation increases”.

“The obvious way of addressing the risk is to use auditing where you can go back after the fact if someone has access to documents in a place that they shouldn’t.

“At Pentana we actually have a security and event management system, which we’re currently rolling out, which aggregates information from all of our systems and gives us reports and highlights any malicious sort of activity.

“We also have a centralised platform called Thycotic so we can actually see where, and what systems any users are connected to, be they internal systems or customer systems. We can see who requested the password, what time they connected, and in the event of elevated access, we can actually see what sort of activities they undertook.”

Mr Stanbury said that in the breakdown of cyber incidents, malware has actually decreased.

He said malware is a virus activity that is commonly caused by people downloading free tools.

“Tools are never really free, they often include all sorts of spyware and additional types of software that you wouldn’t want running in your organisation. At Pentana, we address that sort of risk using antivirus software and we actually have internet controls that filter out that sort of content.”

He said Pentana uses account lockout systems to prevent brute force attacks, where a malicious person either uses a dictionary file containing a large number of common passwords, or uses an attack that tries every combination of letters and words to break into business systems.

“Pentana has addressed that sort of issue by having an account lockout policy. So when you actually have five failed logins from the same IP address in one minute intervals, we will actually block that account for 10 minutes.

“We also have complex passwords, so we don’t have any passwords that are less than 10 to 15 characters. And, of course, we regularly change our passwords.” He said that using sentences could be an effective way of remembering long passwords.
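As an added illustration (not Pentana’s code; the talk gives only the policy parameters), the following Python replays constructed authentication log lines and applies the rule as stated: five failed logins from the same IP address for an account within one minute block that account for 10 minutes. The log line format, and the choice to count failures per source IP and account while blocking the account itself, are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy parameters as stated in the talk (assumption: counted per source IP and account).
FAILURE_THRESHOLD = 5
FAILURE_WINDOW = timedelta(minutes=1)
LOCKOUT_DURATION = timedelta(minutes=10)

def evaluate(lines):
    """Replay constructed log lines '<ISO time> <ip> <account> <SUCCESS|FAIL>' in order
    and return one decision per line: 'allow', 'fail', 'lockout' (this failure
    triggered the 10-minute block) or 'locked' (refused while the account is blocked)."""
    failures = defaultdict(deque)  # (ip, account) -> timestamps of recent failures
    locked_until = {}              # account -> time the block expires
    decisions = []
    for line in lines:
        ts, ip, account, result = line.split()
        ts = datetime.fromisoformat(ts)
        if account in locked_until and ts < locked_until[account]:
            decisions.append("locked")  # even a correct password is refused
            continue
        if result == "SUCCESS":
            failures[(ip, account)].clear()
            decisions.append("allow")
            continue
        window = failures[(ip, account)]
        window.append(ts)
        while ts - window[0] > FAILURE_WINDOW:  # forget failures older than a minute
            window.popleft()
        if len(window) >= FAILURE_THRESHOLD:
            locked_until[account] = ts + LOCKOUT_DURATION
            window.clear()
            decisions.append("lockout")
        else:
            decisions.append("fail")
    return decisions

# Constructed sample log: a one-minute burst against jsmith, slow failures against ajones.
SAMPLE_LOG = [
    "2021-03-01T09:00:00 203.0.113.7 jsmith FAIL",
    "2021-03-01T09:00:10 203.0.113.7 jsmith FAIL",
    "2021-03-01T09:00:20 203.0.113.7 jsmith FAIL",
    "2021-03-01T09:00:30 203.0.113.7 jsmith FAIL",
    "2021-03-01T09:00:40 203.0.113.7 jsmith FAIL",      # fifth failure inside a minute
    "2021-03-01T09:01:00 203.0.113.7 jsmith SUCCESS",   # refused: account is blocked
    "2021-03-01T09:05:00 198.51.100.4 jsmith SUCCESS",  # refused from another IP too
    "2021-03-01T09:11:00 198.51.100.4 jsmith SUCCESS",  # block expired at 09:10:40
    "2021-03-01T09:20:00 203.0.113.7 ajones FAIL",
    "2021-03-01T09:22:00 203.0.113.7 ajones FAIL",      # two minutes apart: no lockout
]
```

Calling `evaluate(SAMPLE_LOG)` shows the lock refusing even the correct password and the slow ajones failures never reaching the threshold, which is the trade-off between stopping brute force and locking out legitimate users.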

Mr Stanbury said hacking, where often malicious material is placed on a corporate website or within corporate systems, was fairly common but the numbers have not changed significantly.

He said that Pentana “scans our entire networks and we scan all of our internet connections. So we can actually identify where we have vulnerable systems. We then have a recurring process, where you have a number of engineers who go through and actually address these vulnerabilities”.

He said that the unauthorised material placed by hackers can be eliminated by restoring from backup but warned that a multiple backup regime was fundamental.

He cited the example of a dealer with a corrupted system “that had come to a grinding standstill” where the customer had just one backup tape.

“They had been backing up the system on one tape and, sure enough, the tape had a backup of their corrupted system.”

He said Pentana has 48 backup snapshots in the cloud and replicates the same snapshots to head office.

“We do nightly consistent backups to disc which we keep for four weeks. These are also replicated to another disc target and to head office. And we actually archive our backups to tape which we rotate off-site through a commercial third party organisation. It’s really important to have a great backup strategy,” he said.

Pentana also runs an automated process that updates its servers at least once a month and “hardens its systems” by applying constant configuration changes to stay ahead of anyone trying to compromise or break into its systems to make undesirable changes.

Another strategy Pentana uses to mitigate the risk of hacking is an app locker which controls what applications can and can’t run on its systems.

Pentana’s first stage defense against attacks is two-factor authentication. When an employee opens an email or connects to the mail client, they need a username and a password and then they need a code or an approval that they press on their phone.

“So if someone does get a username and password, they still can’t get into your systems.”

Another form of defense relates to macros.

“Macros are a big problem. So we’ve also implemented via group policy restrictions on what macros you can run on any Pentana computer. The infrastructure department approves all macros and signs them with a digital certificate. If it’s not signed with our digital certificate, it won’t run.”

He said control of administrative privileges was another strategy Pentana uses to mitigate the risk of ransomware and phishing attacks.

“One of the big problems is that if a person happens to accidentally run malicious software, many people don’t realise that, by default, a standard computer account has full access to the computer, so you can install additional software and make unexpected changes and so forth.

“We have removed that access from 90 odd percent of our people; the notable exception being developers, so that even if you accidentally run software, that software can’t make unexpected changes to your computers.”

“The other thing that has made a big difference is education. We have launched some extensive education programmes internally to notify our people about the impact of phishing attacks.

“Pentana is now developing our most secure platform ever that will include threat detection, management and response that will be underwritten by CrowdStrike. It’s a third party company that will provide that service for us.”

Pentana is partnering with the Australian Cyber Security Centre and says its intention is to represent the issues and interests of the automotive industry. The company is also working to reduce the size of the IT footprint that potentially provides a pathway into its systems for hackers.

By John Mellor
