BayPay Forum


Creating a Framework for a Security-Privacy Dialogue

Category: Security News

A new coalition of leaders from government, industry and privacy advocacy groups hopes to help provide a framework for reaching a consensus on how to use IT to ensure society's security while protecting individuals' privacy, says Art Coviello, an organizer of the new Digital Equilibrium Project.

The project seeks to help end privacy/security standoffs, such as the recent legal squabble between the FBI and Apple over a Justice Department motion to compel Apple to help the FBI unlock the iPhone used by one of the San Bernardino shooters, Coviello explains in an interview with Information Security Media Group. The government dropped its case against Apple when the FBI received help from a third party to unlock the iPhone (see FBI-Apple Aftermath: Finding the Elusive Compromise).

"The big problem that we face today, and you can see it in the Apple-FBI controversy, is that the various sides are talking past one another, and they're never going to reach agreement, and they're not going to make any progress," says Coviello, who devised the concept for the Digital Equilibrium Project.

But Coviello, former executive chairman of the security company RSA, says the new group will address a broad range of issues, including guidelines for the collection of communications metadata.

In this interview (see audio link below photo), Coviello explains the four fundamental questions the project will address:

1. What practices should organizations adopt to achieve their goals while protecting the privacy of their customers and other stakeholders?
2. How can organizations continue to improve the protection of their digital infrastructures and adopt privacy management practices that protect their employees?
3. What privacy management practices should governments adopt to maintain civil liberties and expectations of privacy, while ensuring the safety and security of citizens, organizations and critical infrastructure?
4. What norms should countries adopt to protect their sovereignty while enabling global commerce and collaboration against criminal and terrorist threats?

Creating a Civil Dialogue

The project organizers will meet this month to determine how to create a forum to facilitate a dialogue.

"If we do nothing other than create conventional wisdom that the only way to make progress on these issues is to have a civil dialogue, I would consider the project to have been successful," Coviello says. "Of course, we want to do more than that. But getting the right people in the right room to start addressing these problems, finding areas of alignment, finding places where we can have genuine compromise - that doesn't compromise principle - that's where we want to start."

Project organizers explained the objectives of the Digital Equilibrium Project in a paper published last month titled Advancing the Dialogue on Privacy and Security in the Connected World.

Coviello joined the venture capital firm Rally Ventures when he retired from RSA, the security division of EMC. During his two-decade career at RSA, the company evolved from its roots in authentication and encryption to the emerging areas of information security, including security analytics, identity and governance, and risk and compliance.

Besides Coviello, other project organizing members include:

  • Stewart Baker, former first assistant secretary of the Department of Homeland Security
  • Tim Belcher, former CTO, RSA
  • Jim Bidzos, CEO, Verisign
  • Ann Cavoukian, executive director of the Privacy and Big Data Institute at Ryerson University
  • Larry Clinton, CEO, Internet Security Alliance
  • Michael Chertoff, former U.S. secretary of homeland security
  • Richard Clarke, former White House security adviser
  • Edward Davis, former Boston police commissioner
  • Brian Fitzgerald, chief marketing officer, Veracode
  • Kasha Gauthier, co-chairman of the program committee at the National Initiative on Cyber Education
  • Trevor Hughes, CEO, International Association of Privacy Professionals
  • Michael McConnell, former director of the National Security Agency and director of national intelligence
  • Nuala O'Connor, CEO, Center for Democracy and Technology
  • J.R. Williamson, corporate CIO, Northrop Grumman

Are Federal Agencies Prepared to Stop Ransomware?

Category: Security News

Anti-Malware, Breach Preparedness, Data Breach

DHS's Response About Infections on Federal Computers Leaves Questions Unanswered
Eric Chabrow (GovInfoSecurity) • April 5, 2016

Revelation of 321 attempts to place ransomware on federal government computers in the second half of last year raises a number of questions about the effectiveness of the Einstein intrusion detection and prevention system, as well as how the government responds to such attacks.


The Department of Homeland Security last week in a written response to questions posed by the ranking member of the Senate Homeland Security and Governmental Affairs Committee - Sen. Tom Carper, D-Del. - said 29 federal agencies were targeted with ransomware 321 times between June and early December of 2015 (see Ransomware: Attacks Against Government Agencies Widespread).


In its response to Carper, DHS said that not all of the incidents resulted in computers actually being infected with ransomware. "Some incidents included reports of attempted infection, such as phishing emails intended to deliver ransomware, or ransomware that was detected and eliminated by the agency's internal security operations center," DHS said. "In the cases where agency systems were confirmed to be infected with ransomware, the majority of infections affected end-user workstations. In all cases, the system was removed from the network and replaced with a new, clean system with minimal impact to the user and agency."

DHS said it had not received any reports from agencies that they had paid a ransom. The department said it did not track the total amount of losses, such as the impact of lost productivity, caused by these reported incidents.

Seeking Answers

Homeland Security's response leaves many questions unanswered about the ransomware incidents, including how many computers were infected and whether Einstein, a federal system designed to detect and block cyberattacks targeting civilian agencies, successfully blocked any of the ransomware attacks.

Einstein, first developed in 2003, relies on known signatures to identify malware. Einstein also provides DHS with the situational awareness to use threat information detected in one agency to protect the rest of the government.

"E3A (Einstein 3 Accelerated, the latest iteration of the intrusion prevention system) provides perimeter protection for federal departments and agencies," DHS told Carper. "E3A's two capabilities are email filtering, which protects against the use of malicious file attachments and embedded links in email content, and Domain Name System sinkholing, which prevents malware already on a government computer from contacting its command and control servers. "
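The DNS sinkholing capability DHS describes works by answering queries for known command-and-control domains with an address the defender controls, so malware already on a workstation cannot reach its operator, and the querying host is recorded for the agency's security operations center. The following is an added illustration of that mechanism, not DHS or Einstein code; the blocklist, sinkhole address, upstream answers and query log are all constructed for the example.

```python
"""Minimal DNS sinkhole policy: blocked domains (and their subdomains) resolve
to a sinkhole address, and every client that asks for one is logged.
Added example with constructed data; not DHS/Einstein code."""
from collections import defaultdict

SINKHOLE_IP = "10.255.255.1"  # assumption: internal address that only logs connections

# Constructed blocklist of C2 domains (hypothetical names).
C2_BLOCKLIST = {"update-check.example-bad.net", "cdn.evil-c2.example"}


def is_blocked(qname):
    """True if the queried name or any parent domain is on the blocklist."""
    labels = qname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in C2_BLOCKLIST for i in range(len(labels)))


def resolve(qname, upstream):
    """Return (answer_ip, sinkholed). `upstream` is a dict standing in for a real resolver."""
    if is_blocked(qname):
        return SINKHOLE_IP, True
    return upstream.get(qname.lower().rstrip(".")), False


def process_query_log(lines, upstream):
    """Answer 'client qname' log lines; return all answers and per-client sinkhole hits."""
    hits = defaultdict(list)
    answers = []
    for line in lines:
        client, qname = line.split()
        ip, sinkholed = resolve(qname, upstream)
        answers.append((client, qname, ip))
        if sinkholed:
            hits[client].append(qname)
    return answers, dict(hits)


# Constructed sample queries: two workstations, one of them infected.
SAMPLE_LOG = [
    "10.1.2.3 www.dhs.gov",
    "10.1.2.3 mail.example.gov",
    "10.1.2.77 beacon.update-check.example-bad.net",
    "10.1.2.77 www.dhs.gov",
    "10.1.2.77 cdn.evil-c2.example",
]
UPSTREAM = {"www.dhs.gov": "203.0.113.10", "mail.example.gov": "203.0.113.20"}

if __name__ == "__main__":
    answers, hits = process_query_log(SAMPLE_LOG, UPSTREAM)
    for client, qname, ip in answers:
        print(f"{client} {qname} -> {ip}")
    for client, names in hits.items():
        print(f"ALERT sinkhole hit from {client}: {', '.join(names)}")
```

The sinkhole record is the useful output: the host 10.1.2.77 is identified as infected even though the initial infection was never blocked. The limits are also visible here: sinkholing only helps when the malware resolves a domain that is already on the blocklist, so a sample that contacts a hard-coded IP address, or a domain not yet known, passes straight through, which is one reason Einstein alone cannot be expected to stop ransomware.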

I've asked DHS for more information about the ransomware incidents, but the department has yet to provide any details beyond its statement to Carper. Among the questions I posed:

  • How many workstations were infected by the ransomware and from what agencies?
  • Were the infected workstations restored with data previously backed up? Was any data lost due to ransomware?
  • Besides workstations, what other types of computers - if any - did ransomware infect?
  • What did the Einstein system do right to limit damage from the ransomware attacks?
  • Where did Einstein fail to protect government computers against the ransomware attack? If it failed, why?
  • Did some of the detected ransomware contain unknown signatures? If so, is that the reason they infected some computers?
  • What lessons did DHS learn from these ransomware incidents to improve defenses against this type of malware?

High Expectations?

Are expectations too high for Einstein to mitigate ransomware attacks? Perhaps.

"No defense is perfect - and that includes Einstein," says Philip Reitinger, president of the Global Cyber Alliance, who served as DHS deputy undersecretary for cybersecurity and director of the National Cybersecurity Center during the formative years of the Obama administration. "Certainly systems that detect or prevent intrusions can help stop ransomware attacks, but there are no silver bullets."

But detecting and preventing infections is only one part of dealing with a ransomware breach; responding to the infection is critical. Several former government officials contend Einstein's performance is secondary to other methods to provide a resilient federal government IT system.

"I wouldn't even tie Einstein to this situation," says former federal CIO Karen Evans. "The best solution to this situation is have backups and test your disaster recovery plans. Ransomware is banking on that fact you have no backups and you haven't thought through your contingency plans."

Response as Critical as Prevention

Paul Rosenzweig, former DHS deputy assistant secretary for policy, contends incident response to a ransomware breach is as critical as preventing it in the first place.

"We're focused on prevention, and very little on recovery," says Rosenzweig, a senior adviser to the security consultancy The Chertoff Group. Much of the government's cyberdefense efforts focus on intrusion prevention "and not remediating the inevitable failure," he says. "I'm all for resilience. Look, we just passed the Cybersecurity Act of 2015, the most modern, up-to-date thought we have in Congress about it [and] you can read the entire portion of that bill and not find the words 'resiliency' or 'recovery' anywhere."

How well are federal agencies performing in providing resilience and recovery? A September audit by the Government Accountability Office revealed that fewer agencies in fiscal year 2014 than in 2013 had implemented key elements of their business continuity and disaster recovery program. "Weaknesses in continuity of operations could lessen the effectiveness of agencies' efforts to successfully recover their systems in a timely manner after a service disruption occurs," Gregory Wilshusen, GAO director for information security issues, wrote in a report.

Clearly, much work needs to be done for the federal government to successfully mitigate the risk of ransomware - or, for that matter, other types of malware - shuttering government systems.


Faster Payments: Mitigating the Fraud Risks

Category: Security News

Fraud, Payments Fraud

Federal Reserve to Scrutinize Tech Solutions Submitted from Private Sector
Tracy Kitten (FraudBlogger) • April 7, 2016

The Federal Reserve will carefully scrutinize the security components of proposals it's receiving this month for technologies that can be used to enable faster payments in the United States. That's because a key issue in moving to faster payments is mitigating the greater risk of fraud.


Next year, the Fed will issue a report designed to help the financial services industry identify what technology gaps still need to be filled to make faster payments a reality. That report will stop short of endorsing any particular technical approach. But the Fed plans to publish all the technology proposals it receives (see Will the Fed Support a Cryptocurrency?).

"Faster payments opens up all kinds of opportunities for fraudulent payments that must be addressed upfront, instead of trying to bake security back in after deployment," says financial fraud expert Avivah Litan, an analyst at the consultancy Gartner.

The proposals for how to achieve faster payments, Litan says, "should be very clear on the principles that must be followed to ensure strong security and fraud prevention. The proposals should stay away from prescribing technical solutions, since they will become outdated very quickly, as we have seen with other regulatory guidance in these and other technology areas."

The Next Steps

Last week, the Fed announced that it had hired the consultancy McKinsey & Company to help review the technology proposals, which are being accepted until April 30.

The consultancy will work with steering committee members from the Fed's Faster Payments Task Force to assess and review the submissions. Proposals can only be submitted by businesses that are among the 331 members that make up the task force.

Whatever technologies ultimately are used to support faster payments must support banks' abilities to detect and limit fraud, says Paul Wilson, product manager at security firm Easy Solutions, which is a member of the task force.

"In the existing environment, the financial institutions have a relatively large amount of time to investigate transactions and dispute them before they are fully cleared," he says. "In some real-time payments systems, the transactions are cleared in real time and irrevocable once complete."

The irrevocable nature of faster payments will be a primary concern addressed during the review and assessment of solution proposals, Wilson says.

"By reducing the processing time, the time to look for and act on fraud is hugely reduced," he says. "Systems will be required that can both monitor transactions and take action on them, all in real-time. The faster payments are likely to be available across multiple channels (interactive voice response, online, mobile, kiosk), and so all of the monitoring will need to cover all channels and look for patterns of fraud or deviations from a customer's usual behavior."

Real-time transactions can't be reviewed for fraudulent activity after the fact, Wilson notes. "Each channel should provide non-repudiation, so that financial institutions do not end up taking the hit for a transaction that can't be reclaimed, but which the customer says he didn't make," he says.
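Wilson's point is that with irrevocable, real-time settlement the fraud decision has to happen before the payment is submitted, using only the customer's history and the current request, and it has to cover every channel. The following added example sketches such a pre-submission check; it is illustrative code, not the task force's or Easy Solutions' design, and the rules, thresholds, customer history and the step-up outcome are all constructed assumptions.

```python
"""Pre-submission risk decision for an irrevocable payment.
Added example; rules, thresholds and history are constructed assumptions."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Payment:
    customer: str
    amount: float
    channel: str   # "online", "mobile", "ivr", "kiosk"
    payee: str
    ts: int        # seconds


@dataclass
class Profile:
    history: list        # previously approved Payment objects, all channels
    known_payees: set


def features(p, profile, window=3600):
    """Deviation from the customer's usual behaviour, computed across all channels."""
    amounts = [h.amount for h in profile.history] or [p.amount]
    mu, sigma = mean(amounts), pstdev(amounts)
    recent = [h for h in profile.history if p.ts - h.ts <= window]
    return {
        "amount_z": (p.amount - mu) / sigma if sigma > 0 else 0.0,
        "new_payee": p.payee not in profile.known_payees,
        "new_channel": p.channel not in {h.channel for h in profile.history},
        "velocity": len(recent),
        "recent_sum": sum(h.amount for h in recent) + p.amount,
    }


def decide(p, profile, limit_per_hour=5000.0):
    """Return ('approve'|'step_up'|'decline', reasons). Runs before the payment is sent."""
    f = features(p, profile)
    score, reasons = 0, []
    if f["amount_z"] > 3:
        score += 2; reasons.append("amount far above usual")
    if f["new_payee"]:
        score += 1; reasons.append("first payment to payee")
    if f["new_channel"]:
        score += 1; reasons.append("channel never used before")
    if f["velocity"] >= 3:
        score += 2; reasons.append("high velocity")
    if f["recent_sum"] > limit_per_hour:
        score += 3; reasons.append("hourly limit exceeded")
    if score >= 4:
        return "decline", reasons
    if score >= 2:
        return "step_up", reasons   # e.g. out-of-band confirmation before release
    return "approve", reasons


# Constructed history: ten small mobile payments to two regular payees, one per day.
_PAST = [(40, "rent"), (55, "grocer"), (60, "grocer"), (45, "rent"), (70, "grocer"),
         (50, "grocer"), (65, "rent"), (55, "grocer"), (48, "grocer"), (62, "rent")]
HISTORY = [Payment("c1", a, "mobile", p, i * 86400) for i, (a, p) in enumerate(_PAST)]
PROFILE = Profile(history=HISTORY, known_payees={"rent", "grocer"})
LAST_TS = HISTORY[-1].ts

if __name__ == "__main__":
    for req in (Payment("c1", 58, "mobile", "grocer", LAST_TS + 600),
                Payment("c1", 58, "online", "new-shop", LAST_TS + 600),
                Payment("c1", 4500, "ivr", "unknown-mule", LAST_TS + 600)):
        print(req.amount, req.channel, req.payee, "->", decide(req, PROFILE))
```

The decision is taken from the customer's behaviour across all channels, so a first-ever IVR request for a large sum to an unknown payee is declined even though each signal alone might pass. Because the payment cannot be recalled afterwards, the middle ground is a step-up confirmation before release rather than a post-hoc dispute.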

Faster Payments' Impact on Banks

Once payments move to a real-time environment, banks and credit unions will have to perform real-time fraud checks before payments are submitted, Wilson says. And that's going to be a big change for most U.S. banking institutions, which are used to having days to review transactions for possible fraud, he adds.

"This will be the system connecting the banks to each other, and so security concerns will be around protecting the core system, providing integrity of transactions and preventing misuse," Wilson says. "The element regarding protection of end-customers is more likely to fall to the financial institutions themselves."

Wilson says the task force is likely to establish a security code of conduct similar to the code defined by the United Kingdom's Faster Payments Service, a banking initiative to reduce payment times between different banks' customer accounts from days to hours.

"Banks would be required to follow this code," he explains. "This code would outline the controls they have to implement on their own payments systems and gateways, along with giving guidance and rules that the financial institutions must follow to protect their end-customers. Such a code would be key in ensuring that the banks put sufficient controls in place, whilst also ensuring that the user experience is kept similar across different institutions."


Trump Hotels Breached Again?

Category: Security News

Data Breach

Some Issuers, Security Experts Suspect Second Breach
Tracy Kitten (FraudBlogger) • April 6, 2016

Trump Hotel Collection, a luxury hotel chain owned by Republican presidential candidate Donald Trump, confirms it's investigating a possible data breach that some security sources say may have targeted the chain's point-of-sale system for card data.


Suspicious card payment activity tied to Trump hotels was reportedly first identified by issuers in Canada, Illinois and Hawaii, sources told Information Security Media Group last week.

What's not clear, however, is whether some of this most recent suspected fraudulent card activity is indicative of a new breach or just residual activity connected to an earlier breach that Trump Hotels disclosed in late September, some three months after it initiated its investigation into a possible POS system attack (see Trump Hotels Confirms POS Malware Breach).

"Like virtually every other company these days, we are routinely targeted by cyber-terrorists whose only focus is to inflict harm on great American businesses," Trump Hotels spokesman Eric Trump, one of Donald Trump's sons, noted in a statement provided to Information Security Media Group on April 5. "We are in the midst of a thorough investigation on this matter and are working with the U.S. Secret Service and the FBI to help catch these criminals and prosecute to the full extent of the law. We are committed to safeguarding all guests' personal information and will continue to do so vigilantly."

On April 4, security blogger Brian Krebs reported that three "financial sector" sources had identified fraud patterns that suggested a breach at some, if not all, of Trump Hotel Collection's more than a dozen hotels around the world.

None of the card issuers and other sources contacted by ISMG could say how many cards may have been impacted, but they said that it appears that this newest wave of fraudulent activity is linked to a compromise that lasted from November 2015 until March 2016.

One executive with an issuer on the West Coast who asked not to be named says the latest incident seems to be smaller and shorter-lived than the malware infection that was confirmed last year. That infection impacted POS systems at seven Trump Hotels properties in Chicago, Honolulu, Las Vegas, New York, Miami and Toronto for more than a year.

The same executive estimates that about 1 million credit and debit accounts have likely been exposed in this most recent incident.

Trump Hotels never revealed how many cards may have been exposed last year, but the company said in a statement that cards used at those properties between May 19, 2014 and June 2, 2015 may have been affected.

A New Breach?

John Buzzard, formerly the head of FICO's Card Alert Service who now works as director of product management for security firm Rippleshot Fraud Analytics, says he does not believe Trump Hotels has been breached a second time.

"Before anyone gets excited over the suggestion that the Trump brand has been singled out with a new targeted attack, there should be some consideration given to the fact that the last breach was less than a year ago," he says. "This seems more like a double-dip replay on the cards already breached in July, classic fraudster bad behavior. Ask anyone. If there is a card that has been breached and remains open, as most do today, the criminals just wait and strike again when the memory of that breach fades."

But Seth Ruden, senior fraud consultant of payment risk solutions for payments platform provider ACI Worldwide, contends that it's likely that attackers waged a second attack using a backdoor or network-entry point used to access the POS system during the first attack that was not secured after the last breach was discovered. If that's the case, then it's probable that a sophisticated criminal group, not a group motivated to attack Trump Hotels for political reasons, is behind it, Ruden adds.

"This is unlikely the typical hacktivists that I've encountered that have made charitable donations with their gains to make the point out of protest," he says. "This has the fingerprints of typical fraud. ... The hospitality industry has been heavily targeted in the last couple of years; as a result, many hoteliers have moved to new technologies, such as tokenization, to mitigate the risk and protect their customers and their brand."

Al Pascual, head of fraud and security at Javelin Strategy & Research, also says this most recent apparent breach is not likely politically motivated.

"Donald Trump has made quick enemies of cyberterrorists, including Anonymous, which started their attacks back in December," he says.

As recently as last week, the hacktivist group known as Anonymous took several of Donald Trump's campaign sites offline, according to political news site The Hill. Attacks against Trump's websites have reportedly been waged for political reasons, part of a digital war against Trump's campaign.

"But if there's a pattern of fraud associated with the compromised data, then I'd be hard pressed to believe it was motivated by anything more than financial gain, especially if no one claims responsibility. Until then, a cyber-terror attack is convenient cover for fraudsters, and useful to Donald Trump for political points."

In November, hotel chain Hilton Worldwide acknowledged that a breach affecting an unspecified number of hotels, exposed customer and payment card data between November 2014 and April 2015.

Hilton's breach notification came on the heels of a breach notice from Starwood Hotels and Resorts, which also in November confirmed that POS systems used in its restaurants, gift shops and other locations had been breached at multiple properties across North America.

Hotels a Prime Target

Zach Forsyth, director of technology innovation at security firm Comodo, says the hospitality industry is increasingly being targeted by cybercriminals because they hold valuable personal information about cardholders.

"Large, well-known chains are even more susceptible targets, due to the sheer volume of data that they store and share," he says. "Unfortunately, many of these companies have antiquated IT security technology in place, which is an easy workaround for the hackers. It's a harsh reality that the technology some organizations use today is as effective as installing a home security system that alerts you to a break-in after the robbers have already stolen everything, vandalized the house and left. By then, it's too late."

Kevin Watson, CEO at Netsurion, which provides remote security services, says malware, once on a network, often enables hackers to tunnel their way to connected POS systems with ease.

"Many recent breaches have involved malware that, once installed, exfiltrates sensitive data," Watson says. "There's no silver-bullet strategy to defend against every threat. However, a strong line of defense is making sure that data doesn't leave the network without the admin's knowledge - and if data is sent out, it only goes to verified internet addresses. Security must be layered with a properly managed firewall, data encryption, network segmentation, passwords and access controls, software updates and antivirus/anti-malware software. Along with protecting incoming traffic and preventing access by malicious actors, it's critical to limit outbound internet traffic as well."
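Watson's recommendation, egress restricted to verified addresses and segmented POS systems, is the kind of control that turns a card-stealing implant's exfiltration into a visible policy violation. Below is an added example of such a check run over connection logs; it is illustrative code, not Netsurion's product, and the POS segment, allowlist, byte threshold and flow records are constructed for the example.

```python
"""Egress allowlist check for a segmented POS network.
Added example; segment, allowlist, threshold and log lines are constructed."""
import ipaddress
from collections import defaultdict

POS_SEGMENT = ipaddress.ip_network("10.50.0.0/24")   # assumption: the POS VLAN
# Destinations a terminal legitimately needs (constructed): payment gateway, patch server.
EGRESS_ALLOW = {
    ("198.51.100.10", 443),
    ("10.50.1.5", 443),
}
BYTES_ALERT = 5_000_000   # outbound bytes per source host per log window (assumption)


def parse_flow(line):
    """'src_ip:port dst_ip:port bytes' -> (src_ip, dst_ip, dst_port, bytes)."""
    src, dst, nbytes = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return src_ip, dst_ip, int(dst_port), int(nbytes)


def check_egress(lines):
    """Return (violations, heavy_senders) for flows leaving the POS segment.

    violations: flows to a destination/port not on the allowlist.
    heavy_senders: POS hosts whose total outbound volume exceeds BYTES_ALERT,
    allowlisted destinations included, since volume to a 'known' host can
    still be exfiltration."""
    violations, out_bytes = [], defaultdict(int)
    for line in lines:
        src_ip, dst_ip, dst_port, nbytes = parse_flow(line)
        if ipaddress.ip_address(src_ip) not in POS_SEGMENT:
            continue                      # not a POS host; other policy applies
        if ipaddress.ip_address(dst_ip) in POS_SEGMENT:
            continue                      # intra-segment traffic
        if (dst_ip, dst_port) not in EGRESS_ALLOW:
            violations.append((src_ip, dst_ip, dst_port, nbytes))
        out_bytes[src_ip] += nbytes
    heavy = {host: total for host, total in out_bytes.items() if total > BYTES_ALERT}
    return violations, heavy


# Constructed flow records: one terminal behaving normally, one uploading to an unknown host.
SAMPLE_FLOWS = [
    "10.50.0.21:51000 198.51.100.10:443 8200",
    "10.50.0.21:51001 10.50.1.5:443 120000",
    "10.50.0.33:51002 198.51.100.10:443 7900",
    "10.50.0.33:51003 203.0.113.77:8080 6500000",
    "10.50.0.33:51004 203.0.113.77:53 300",
    "10.20.0.5:40000 203.0.113.77:8080 900",
]

if __name__ == "__main__":
    violations, heavy = check_egress(SAMPLE_FLOWS)
    for v in violations:
        print("DENY  %s -> %s:%d (%d bytes)" % v)
    for host, total in heavy.items():
        print(f"ALERT {host} sent {total} bytes out of the POS segment")
```

In practice the allowlist is enforced on the firewall and this logic is the detection that backs it; the volume check matters because a compromised terminal that has found a permitted path (a proxy, or the gateway itself) will not show up as a denied connection.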


'Panama Papers' - 6 Security Takeaways

Category: Security News

Anti-Money Laundering (AML), Compliance, Data Breach

Encryption, Access Controls and Network Monitoring Remain Essential
Mathew J. Schwartz (euroinfosec) • April 5, 2016

The fallout from the so-called "Panama Papers" leak continues.


So far, the leak of 11.5 million records - emails, databases, images - allegedly from Panama-based law firm Mossack Fonseca has led to difficult questions for politicians and public figures, including Russian President Vladimir Putin and the government of Pakistan. On April 5, it even triggered the resignation of Iceland Prime Minister Sigmundur David Gunnlaugsson after his name appeared in the leaked documents, tied to a previously undeclared shell company.

From an information security standpoint, however, experts say the breach highlights how one law firm apparently failed to have the right defenses in place. Essentials, security experts say, include encrypting sensitive data, using access controls as well as monitoring access patterns for signs of data exfiltration.

Here are six security takeaways from the massive data leak:

1. Law Firms: Wake Up

The Panama Papers should be a wake-up call for all law firms, says Brian Honan, who heads Dublin-based information security consultancy BH Consulting.

"All law firms should review where their critical data is located, be that on servers, laptops, phones, portable devices and even paper, to determine how best to secure it," says Honan, who's also an adviser to Europol, which is the EU's law enforcement intelligence agency. "They should look at the various security risks that are posed to the data wherever it is located and look to implement proper security controls as a result."

2. Prepare to Be Breached

The FBI has long warned law firms that they're at risk of being hacked, but it's unclear how many firms take that threat seriously. Last week, meanwhile, The Wall Street Journal reported that both Cravath Swaine and Weil Gotshal, law firms that represent Wall Street and Fortune 500 firms for everything from lawsuits to merger deals worth billions of dollars, have recently been breached.

Such breaches are a concern because the information law firms handle could be used to give an organization the upper hand in negotiation. Or it could be used for insider trading (see Feds Charge 9 with $30M Insider Trading, Hacking Scheme).

While Weil Gotshal declined to comment to the newspaper, Cravath confirmed that it had suffered a "limited breach" last summer and that the firm is "not aware that any of the information that may have been accessed has been used improperly." Both the Manhattan U.S. attorney's office and FBI have reportedly been probing the breaches since last year.

These incidents show that all organizations - not just law firms - must assume they will be breached, says Itzik Kotler, CTO of Israeli cybersecurity startup firm SafeBreach. "Hackers getting in - it's a given. They will find a way, by using social engineering or an exploit," he says. "Stopping them from getting access to a server, or taking information from a server - exfiltration - is the key here."


3. Beware Insiders

It's not yet clear when Mossack Fonseca first discovered that sensitive information had been exfiltrated. An anonymous source first approached German newspaper Süddeutsche Zeitung at the end of 2014, it says, offering to provide data. The newspaper says the leaks continued until this spring.

"All this time, [the firm] had a chance to do damage control," Kotler says, but apparently failed, despite the vast amount of information that was being stolen.

On April 1, the firm alerted clients that it was investigating "an unauthorized breach of our email server," according to a copy of the message posted by whistleblowing site WikiLeaks.

The scale of the breach has led some security experts to suggest that an insider leaked the data, given the vast quantity of data that had to be copied, as well as the timeframe. For now, however, the insider angle remains conjecture.

Meanwhile, the founding partner of Mossack Fonseca on April 5 claimed that his firm was a victim of a hack from outside the company, Reuters reports.

4. Don't Miss Breach Warning Signs

It's also not yet clear whether Mossack Fonseca's April 1 warning had anything to do with the exfiltration that allowed someone to walk away with 2.6 terabytes of corporate information.

"Similar to the Sony Entertainment breach, a huge amount of data has been compromised," Honan says (see Will Sony Settle Cyber-Attack Lawsuit?). "We are yet unclear as to how this happened. However, one would expect that if appropriate security monitoring mechanisms were in place this large exfiltration of data should have been detected earlier."

5. Cull Data

Too many organizations retain too much data, despite the security risks. "In our experience people working in office environments tend to hoard data, very often the only justification being 'in case we need it again,'" Honan says. "However, if you keep information you then have to secure it."

Otherwise, stored data becomes a target for attackers, and a liability to organizations, as last year's Ashley Madison data dump demonstrated. In that case, the online dating service retained former subscribers' data, including their email addresses and GPS coordinates (see The 2 Worst Breaches of 2015).

If firms choose to - or must - retain information in either digital or physical form, they shouldn't underestimate the challenges associated with keeping it secure, Honan says. Barring any legal, regulatory or contractual obligations, "the safest way to secure it is to destroy it in a secure manner," he says.

6. Keep Reviewing Access Permissions

For any data that an organization chooses to retain, security managers must review who has access to that information and then keep reviewing it. The goal is to keep information compartmentalized and thus lower the chance that an attacker - or malicious insider - could execute a data breach of catastrophic, or "Panama Papers," proportions.

"Companies should regularly review their access controls to see who has access to what information and whether or not that access is still relevant to peoples' roles," Honan says. "Appropriate monitoring of access to key data stores and detection of data being moved from a secure location should also be in place."
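Honan names two controls: a recurring review of who holds access to each data store, measured against what their role actually requires, and monitoring of the data stores themselves so that a multi-terabyte copy is noticed while it is happening. The following added example shows both as simple checks over constructed data; it is illustrative code, not anything from BH Consulting or Mossack Fonseca, and the roles, grants, dates, baseline factor and access log are assumptions made up for the example.

```python
"""Access review against role needs, plus bulk-read detection on a data store.
Added example; roles, grants and the access log are constructed."""
from collections import defaultdict
from datetime import date

# Role -> data stores that role legitimately needs (constructed).
ROLE_NEEDS = {
    "partner":   {"client-files", "email-archive", "billing"},
    "paralegal": {"client-files"},
    "it-admin":  {"email-archive"},
    "finance":   {"billing"},
}
# User -> (role, {store: date last used}) (constructed).
GRANTS = {
    "alice": ("partner",   {"client-files": date(2016, 3, 30),
                            "email-archive": date(2016, 3, 29),
                            "billing": date(2015, 12, 1)}),
    "bob":   ("paralegal", {"client-files": date(2016, 3, 31),
                            "billing": date(2015, 6, 2)}),
    "carol": ("it-admin",  {"email-archive": date(2016, 3, 31),
                            "client-files": date(2015, 1, 10)}),
}


def review_access(grants, today, stale_days=90):
    """Flag grants the role does not need, or that have gone unused for stale_days."""
    findings = []
    for user, (role, stores) in grants.items():
        for store, last_used in stores.items():
            idle = (today - last_used).days
            if store not in ROLE_NEEDS[role]:
                findings.append((user, store, "not needed by role " + role))
            elif idle > stale_days:
                findings.append((user, store, "unused for %d days" % idle))
    return findings


def detect_bulk_reads(log, baseline_factor=10):
    """log lines: 'day user store bytes'.
    Alert when a user's daily volume from a store exceeds baseline_factor times
    the median of that user's earlier days on the same store."""
    per_day = defaultdict(lambda: defaultdict(int))
    for line in log:
        day, user, store, nbytes = line.split()
        per_day[(user, store)][day] += int(nbytes)
    alerts = []
    for (user, store), days in per_day.items():
        ordered = sorted(days.items())          # ISO dates sort chronologically
        for i, (day, total) in enumerate(ordered):
            prior = sorted(t for _, t in ordered[:i])
            if not prior:
                continue
            median = prior[len(prior) // 2]
            if total > baseline_factor * median:
                alerts.append((user, store, day, total))
    return alerts


# Constructed access log: alice's normal days are ~20 MB, then one 900 MB day.
ACCESS_LOG = [
    "2016-03-28 alice client-files 20000000",
    "2016-03-29 alice client-files 25000000",
    "2016-03-30 alice client-files 18000000",
    "2016-03-31 alice client-files 900000000",
    "2016-03-28 bob client-files 5000000",
    "2016-03-29 bob client-files 6000000",
    "2016-03-30 bob client-files 4000000",
    "2016-03-31 bob client-files 5500000",
]

if __name__ == "__main__":
    for f in review_access(GRANTS, date(2016, 4, 1)):
        print("REVIEW", *f)
    for a in detect_bulk_reads(ACCESS_LOG):
        print("ALERT  %s pulled %d bytes from %s on %s" % (a[0], a[3], a[1], a[2]))
```

The review output is what gets acted on at the permissions level (carol's leftover access to client files, bob's billing grant); the volume alert is what would have given a firm a chance at damage control while a copy of that size was still in progress rather than after it appeared in the press.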
