Posted on May 5, 2023
Ransomware attack affects Dallas police and court websites
The folks executing ransomware are complete scum. I've been on several incident response engagements in the last couple of years, and not only can it affect a country (or countries), but the members of the target are often put through an enormous amount of stress and concern for their jobs. These attacks have also endangered lives. Thus far I have seen how it can affect the energy, financial, medical, and transportation/supply chain sectors, government services, and even non-profit orgs trying to help others (including Veterans). Also, insurance does not always help (if they even have any) as most of the damage is already done where money cannot fix it.
That said, while susceptible users are typically a good vector to gain a foothold into an org's environment, that does not take the blame away from the org's leadership and IT/Security personnel. Are they providing effective training? Exercising certain security elements and testing controls? Are they making balanced decisions to ensure that business operation decisions for access and availability are made with security in mind? Do they create a culture of making security important by setting the example? And finally, are IT and security personnel working together to build established defense-in-depth strategies with the support from their senior leadership?
It's easy to say users are dumb as they constantly click the links of phishing attacks, surf unsafe Internet locations, and install vulnerable applications, but that is no excuse. This is not to excuse them by any means, but how were they able to do some of this in the first place? Are they allowed to have privileged access to their systems, enabling them to install applications? Is there a whitelist/blacklist and/or controls for unsafe Internet behavior? Let me also point out that with enough research and knowledge, I could easily target individuals enough to know how to send a legitimate spear phishing attack to gain that foothold into a network. It's what I can do after I get that foothold that orgs also need to think about. Do they have good password policies? Are privileged accounts monitored and separated from regular user accounts? What kind of controls and detection/prevention tools are employed, and are they keeping them up to date with the latest TTP safeguards? Do they consume proactive cyber intelligence reporting specific to what threat actors are likely going to do against their networks?
I could go on...
Wonder which it will turn out to be ... clueless user or clueless administrator.
The majority of successful ransomware attacks occur because of email phishing or Remote Desktop Protocol being improperly configured.
The first has been a plague on the IT staff for years - for some reason, no matter how many times you tell them, some user will click on links from emails because they want to see a video of the latest whatever.
The first has actually taken the lead in the last couple of years as many systems were set up for remote access due to COVID. The issue is that many were set up improperly and have large vulnerabilities that weren't addressed (default settings being one of the biggest issues).
Maj Kevin "Mac" McLaughlin
"clueless user or clueless administrator"
Both and more. Security has to be part of the culture within an organization, and it is upon leadership to push that culture. All too many times I have seen leadership place unrecommended exceptions upon themselves, IT/security get complacent (or downright negligent), and of course there are bad/untrained users.
From a military perspective, is a commander of an installation not responsible for the overall security? Note, ransomware is typically a threat actor not only getting in, but collecting critical information/system control and rendering them inoperable or inaccessible. Would a commander of an installation retain command of their installation after a similar attack in the physical sense? Doubt it. Especially if it was not only an individual on base enabling a threat actor to get in, but to see that actor get deeper (SCIFs, Flight Line, munitions, etc.).