Trojans, Malware and Viruses

Written by Colman Finnin, Head of Engineering & Operation
March 2020

For once, this is not about the outbreak of the coronavirus but about malicious code infecting computers and networks.

In this blog, I would like to look at the cybercriminals, how they operate and what can be done to mitigate the risk of an attack.

The attackers

Hackers are smart people and very patient. The famous Stuxnet worm that crippled Iran’s nuclear centrifuges was dormant for a year before the actual attack, and it used intermediate steps to reach its target. Stuxnet also established a command and control server to update the malicious code and add new functionality. Not all cybercriminals are exploitative black hat hackers; some just shop for software in commercial darknet markets. Much like on Amazon, you can obtain almost everything on the dark web and pay with cryptocurrency, and thus never get detected.

This is a very lucrative business. Although the size of the darknet markets is difficult to estimate, it is safe to say that it is a multi-million-dollar industry. A zero-day exploit – one that targets a vulnerability that hasn’t yet been disclosed – can cost as much as one million dollars. Most attacks target well-known vulnerabilities that have been around for years. Such exploit packs can be purchased at discount prices. Not surprisingly, zero-day exploits like Stuxnet are not so common.

The strategy

The strategy employed by cybercriminals is comparable to modern warfare and can be summarized as follows:

Establish a beachhead

This phase is all about getting behind enemy lines, behind that firewall, and finding an entry point into the target’s network. Once inside, the attacker establishes communication with a command and control server on the outside and waits for further instructions.

Replication

Once a beachhead has been established it is important to spread the malicious code over the entire network.

Scouting

In military operations, reconnaissance or scouting is the exploration of territory to gain information about the environment. This will help the attacker to find vulnerabilities and ensure maximum damage.

Attack

The attack is the day that the hounds of hell are released upon the victim. A ransom is demanded, or sensitive data is exfiltrated.

The remedy

Once an attack occurs, the harm is done, and the cost to fight the attack and reinstate normal operations can be exorbitantly high. Last month a subsidiary of a global facility management firm in Switzerland was attacked. They had to isolate systems to stop a further spread, their website was down, over 40’000 employees in their UK office were unable to send or receive emails, and a database could not be accessed because of file-encrypting malware. They were unable to restore data because back-ups were compromised. Even weeks after the attack the fallout is ongoing.

My father always said it is better to be safe than sorry. The good news is there are simple, inexpensive remedies and countermeasures that can be applied to keep your company safe. Here are a few tricks of the trade.

3-2-1 back-up principle

3 – Have three different copies of your data; this will give you the highest resiliency.

2 – At least have two different storage media

1 – Keep one off-site Backup (Air Gap)
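The three rules can be checked mechanically against a back-up inventory. The following is an added example, not part of the original article: the `Copy` record, the site and dataset names and the inventory are constructed, and it assumes the production copy counts as one of the three.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Copy:
    dataset: str   # what is being protected
    medium: str    # e.g. "disk", "tape", "object-storage"
    site: str      # physical location of the copy
    offline: bool  # True if unreachable from the production network (air gap)

def check_321(copies, primary_site):
    """Return {dataset: [violations]}; an empty list means the rule is met."""
    by_dataset = defaultdict(list)
    for c in copies:
        by_dataset[c.dataset].append(c)
    report = {}
    for name, group in sorted(by_dataset.items()):
        problems = []
        if len(group) < 3:
            problems.append(f"only {len(group)} copies, need 3")
        if len({c.medium for c in group}) < 2:
            problems.append("all copies on one storage medium, need 2")
        offsite = [c for c in group if c.site != primary_site]
        if not offsite:
            problems.append("no off-site copy")
        elif not any(c.offline for c in offsite):
            # An online off-site copy can be encrypted along with production.
            problems.append("off-site copy is not air-gapped")
        report[name] = problems
    return report

# Constructed inventory, not taken from the article.
INVENTORY = [
    Copy("erp-db", "disk", "zurich-dc", False),
    Copy("erp-db", "disk", "zurich-dc", False),
    Copy("erp-db", "tape", "vault-bern", True),
    Copy("fileshare", "disk", "zurich-dc", False),
    Copy("fileshare", "disk", "zurich-dc", False),
    Copy("mail", "disk", "zurich-dc", False),
    Copy("mail", "disk", "zurich-dc", False),
    Copy("mail", "object-storage", "cloud-eu", False),
]

if __name__ == "__main__":
    for dataset, problems in check_321(INVENTORY, "zurich-dc").items():
        print(dataset, "OK" if not problems else "; ".join(problems))
```

The `mail` dataset meets the counts but still fails, because its only off-site copy stays reachable from the production network.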

Virus protection

Ensure virus protection on all clients. If you are using Windows, the best choice is probably Windows Defender, the built-in security from Microsoft. Use a different anti-virus provider on servers or firewalls to be on the safe side.

Remote Access and Applications

Remote access and applications must be protected by two-factor-authentication – a password is just not good enough!

Passwords

Implement a password policy for users as a minimum standard and, if you can, enforce the policy on all systems. To minimize retyping of passwords, implement single sign-on (SSO). Even Microsoft has shifted its recommendation towards not enforcing regular password changes and instead encouraging users to choose passwords with high entropy (see Security baseline for Windows 10).

In a recent network review, we discovered local accounts on routers and switches. We advised the customer to remove any local accounts from the devices and recommended using a centralized authentication server for management.
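A review like this can be repeated automatically over exported device configurations. The following is an added example, not part of the original article: it assumes Cisco IOS-style syntax (the article names no vendor), and the hostnames, account names and configurations are constructed.

```python
import re

# Assumption: Cisco IOS-style syntax; the article does not name a vendor.
USER_RE = re.compile(r"^username\s+(\S+)", re.M)
LOGIN_RE = re.compile(r"^aaa authentication login\s+\S+\s+(.+)$", re.M)

def audit_config(config):
    """Return findings for one device's running configuration text."""
    findings = [f"local account '{u}'" for u in USER_RE.findall(config)]
    method_lists = [m.split() for m in LOGIN_RE.findall(config)]
    has_aaa = re.search(r"^aaa new-model\s*$", config, re.M) is not None
    if not (has_aaa and any("group" in m for m in method_lists)):
        findings.append("logins are not checked against a central server")
    elif any(m[:1] == ["local"] for m in method_lists):
        findings.append("local database is tried before the central server")
    return findings

# Constructed configurations; hostnames and account names are made up.
CONFIGS = {
    "sw-access-01": """\
hostname sw-access-01
username admin privilege 15 secret 9 <redacted>
username netops privilege 15 secret 9 <redacted>
line vty 0 4
 login local
""",
    "rtr-core-01": """\
hostname rtr-core-01
aaa new-model
aaa authentication login default group tacacs+
""",
    "rtr-edge-01": """\
hostname rtr-edge-01
aaa new-model
aaa authentication login default local group tacacs+
username emergency privilege 15 secret 9 <redacted>
""",
}

def audit_all(configs):
    """Audit every device and return {hostname: [findings]}."""
    return {host: audit_config(text) for host, text in configs.items()}

if __name__ == "__main__":
    for host, findings in audit_all(CONFIGS).items():
        print(host, findings or "OK")
```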

Patch management

Attackers often exploit known vulnerabilities that could have been avoided by patching. Patch management helps to maintain both the health and security of systems.

Network segmentation

When large networks are divided (segmented), an attacker will find it more difficult to infiltrate the entire company. As a nice side effect, segmentation reduces broadcasts in your network and makes troubleshooting easier. We are currently advising one customer on finding the best way to divide his network, thus reducing broadcasts and increasing security.

Security awareness training

Cybersecurity is not just a department or a function; these days everyone must have a basic understanding of security. Conducting security training will give your IT staff visibility and can reduce the likelihood of an attack. One company I know sends out fake sweepstakes to their employees; if an employee fails to detect the phishing attack, they must take the training. In another company, users who don’t lock their screen are pranked by their colleagues, who send out invites from the unlocked machine to everyone in the department for coffee and cake or croissants.

At ngworx.ag we also conduct network and security audits that will help you become worry-free.
