Improving Information Security via Mock Malware Incidents Christopher Frenz


Post on 20-Jan-2017



Insecure & Legacy Systems

Compliance ≠ Security

• Many healthcare organizations are concerned with HIPAA compliance but stop there

• Compliance should be viewed as the minimum benchmark not the end goal

• You can easily be compliant and still be insecure

We met the goals of compliance and stopped

Real World Case Study

• WEP security for wireless came out in 1997

• By 2001 it was known to be seriously flawed and a more robust replacement (WPA) was released in 2003

• By 2004 WEP could be cracked in an average of just 3 minutes

• In 2005 TJX was breached via its WEP secured network and had 45 million credit card numbers stolen

• It was not until 2008 that PCI-DSS was updated to say WEP needed to be replaced and it gave businesses until 2010 to do so

• Compliance often lags behind what is really required to be secure

The People Problem

• People are often the weak link in information security and can be readily exploited

• For example, the 2015 Verizon Data Breach Report shows that

Security Culture

• Employees need to be aware that security is EVERYONE’S responsibility and not just the responsibility of those with Security or Privacy in their job title

OWASP Anti-Ransomware Guide

• A defense in depth based guide consisting of 36 suggested controls in the following categories:
  – Perimeter Defenses
  – Network Defenses
  – Endpoint Defenses
  – Server Side Defenses
  – SIEM and Log Management
  – Backup and Recovery
  – Awareness Training
  – Incident Response

https://goo.gl/uOGAtZ

Now What???

• How do we make sure we are not just compliant but actually secure?

• How do we get employees to realize that security is important and not just something they need to know for their annual HIPAA quiz?

• Mock Incidents (Red Team Exercises)

Incident Handling

• Preparation (Pre Incident)

• Identification

• Containment

• Eradication

• Recovery

• Lessons Learned (Post Incident)

Mock Mass Malware Outbreak

• Made use of the EICAR test file

• A harmless file that all AV makers recognize as a virus for testing purposes

• Wanted to evaluate:
  – How well our AV software was able to detect the outbreak
  – How quickly staff would identify, respond to, and contain the outbreak

Simulating the Outbreak

• Wrote a Perl script that accepts a listing of all computers in the organization

• It was set up to copy the EICAR test file to each PC on the list and execute the file to set off the AV

• The script was executed without the knowledge of other staff members to get a realistic evaluation of real world response
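The outbreak driver described on this slide, as an added example: this is a PowerShell re-implementation written for this page, not the Perl script the talk used. It assumes WinRM is enabled on the target PCs, the account running it has local administrator rights on them, the host list is a text file with one hostname per line (the path and the drop location are assumptions), and that the endpoint AV is expected to quarantine the file on write or launch.

```powershell
# Mock mass-malware outbreak: write the EICAR test file to every host in a
# list and launch it so the endpoint AV fires. Added example; not the talk's
# Perl script. Assumes WinRM, local admin on targets, and one hostname per
# line in the host list.
param(
    [string]$HostList = '.\hosts.txt',            # assumed location/format
    [string]$DropPath = 'C:\Users\Public\eicar.com' # assumed drop location
)

# The 68-byte EICAR string is built from two halves so that the script file
# itself is not quarantined on the admin workstation; the assembled file on
# each target is still detected. Single quotes keep '$' literal.
$eicarA = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-'
$eicarB = 'ANTIVIRUS-TEST-FILE!$H+H*'
$eicar  = $eicarA + $eicarB

$hosts = Get-Content $HostList | Where-Object { $_.Trim() -ne '' }

$results = foreach ($h in $hosts) {
    try {
        Invoke-Command -ComputerName $h -ErrorAction Stop -ScriptBlock {
            param($Path, $Content)
            # ASCII, no BOM, no trailing newline: EICAR must be exactly 68 bytes
            [System.IO.File]::WriteAllText($Path, $Content, [System.Text.Encoding]::ASCII)
            $written = Test-Path $Path
            # Launch to trigger on-execute scanning. Any failure here is expected:
            # AV may already have removed the file, or the .com will not run.
            try { Start-Process -FilePath $Path -ErrorAction Stop } catch { }
            Start-Sleep -Seconds 5   # give the on-access scanner time to act
            [pscustomobject]@{
                Host       = $env:COMPUTERNAME
                Written    = $written
                StillThere = (Test-Path $Path)   # $false means AV quarantined it
                Error      = $null
            }
        } -ArgumentList $DropPath, $eicar
    } catch {
        # Unreachable host, WinRM off, or access denied: record it, do not stop
        [pscustomobject]@{ Host = $h; Written = $false; StillThere = $null; Error = $_.Exception.Message }
    }
}

$results | Format-Table -AutoSize
# Timestamped record of what was dropped where, for the lessons-learned review
$results | Export-Csv -NoTypeInformation -Path ".\outbreak-$(Get-Date -Format yyyyMMdd-HHmm).csv"
```

A host that reports `Written = True` and `StillThere = True` after the sleep is one where AV did not react to the write or the launch; that list, compared against what the AV console and the SIEM actually alerted on, is the detection half of the evaluation the slide describes. The CSV is worth keeping: the incident handlers need a ground-truth list of "infected" hosts to measure their own identification and containment against.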

During the Outbreak

The Good

• IT staff members did identify the outbreak, track down the source of the infection, and remove it from the network

• Many in place security features stopped the spread of the infection to parts of the network (some examples):
  – ACLs between VLANs
  – Security configuration of our VDI desktops

The Bad

• While the incident was detected and contained, response time could be improved

• No normal users reported anything to the help desk even though AV infection prompts appeared on their desktop at the time of detection by AV

Lessons Learned

• The configuration of our AV software was updated to make the outbreak more noticeable to IT staff

• Internal training was conducted to improve the ability of IT staff members to detect the source of such an incident and to handle it

• IT staff members now better understand the need for certain security practices

• Based on the results of the test we are able to further harden the security of network infrastructure and endpoints

Another Malware Incident

• Ransomware commonly runs from locations within the user’s profile such as:
  – C:\Users\<User>\AppData\Local\*.exe

• To deal with malware that may not yet have a signature, Software Restriction Policies were put into effect

Testing Software Restrictions

• Software Restrictions were tested by trying to launch harmless executables from suspicious locations

• Tested to see how well the restrictions worked and if users reported the suspicious activity
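The Software Restriction Policy from the previous slide and the test on this one, as an added PowerShell example written for this page (not the talk's own configuration). It assumes it is run elevated on a test machine where the SRP policy has been created once in secpol.msc (so the default values exist under the CodeIdentifiers key), that the OS build still honours SRP (it is legacy; AppLocker and WDAC are its successors), and that a logoff or `gpupdate /force` is done between adding the rule and running the test. The rule patterns, the test file name and the use of calc.exe as the harmless binary are assumptions.

```powershell
# Block *.exe launched from the user's local AppData path with an SRP path
# rule, then test it with a harmless binary. Added example, not the talk's
# configuration. Run elevated; create the SRP policy once in secpol.msc first.
$safer = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Set-SrpBaseline {
    # The weak (default) posture: DefaultLevel 0x40000 = Unrestricted and no
    # rules, so anything in a user-writable path runs. We keep Unrestricted as
    # the default and add explicit Disallowed (level 0) path rules, the
    # blacklist-style approach the talk describes.
    if (-not (Test-Path $safer)) {
        throw 'Create the SRP policy once via secpol.msc so the default values exist'
    }
    Set-ItemProperty -Path $safer -Name DefaultLevel       -Type DWord -Value 0x40000
    Set-ItemProperty -Path $safer -Name TransparentEnabled -Type DWord -Value 1  # 1 = executables, not DLLs
    Set-ItemProperty -Path $safer -Name PolicyScope        -Type DWord -Value 0  # 0 = all users, admins included
}

function Add-SrpDisallowedPath {
    param([string]$Pattern, [string]$Description)
    # Each rule is a GUID-named subkey under the Disallowed level (0)
    $guid = '{' + [guid]::NewGuid().ToString() + '}'
    $key  = Join-Path $safer "0\Paths\$guid"
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name ItemData     -Type ExpandString -Value $Pattern
    Set-ItemProperty -Path $key -Name SaferFlags   -Type DWord        -Value 0
    Set-ItemProperty -Path $key -Name Description  -Type String       -Value $Description
    Set-ItemProperty -Path $key -Name LastModified -Type QWord        -Value ([DateTime]::UtcNow.ToFileTimeUtc())
    return $key
}

function Test-SrpBlock {
    # Copies a harmless binary (assumed: calc.exe) into the restricted path and
    # tries to run it. Returns $true if the launch was refused.
    param([string]$Source = "$env:SystemRoot\System32\calc.exe")
    $target = Join-Path $env:LOCALAPPDATA 'srp-test.exe'   # assumed test name
    Copy-Item -Path $Source -Destination $target -Force
    try {
        $p = Start-Process -FilePath $target -PassThru -ErrorAction Stop
        # Reaching here means the rule did not apply: clean up and report it
        Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue
        $blocked = $false
    } catch {
        # Expected: Win32 error 1260, "This program is blocked by group policy"
        $blocked = $true
    }
    Remove-Item -Path $target -Force -ErrorAction SilentlyContinue
    return $blocked
}

Set-SrpBaseline
# Environment variables in SRP path rules are expanded in the launching
# user's context. The second pattern covers one level of subfolder (e.g. Temp).
Add-SrpDisallowedPath -Pattern '%LOCALAPPDATA%\*.exe'   -Description 'Block exe in AppData\Local'
Add-SrpDisallowedPath -Pattern '%LOCALAPPDATA%\*\*.exe' -Description 'Block exe one level below AppData\Local'
Write-Host 'Rules added; log off (or gpupdate /force) before running Test-SrpBlock'
```

After the policy refresh, `Test-SrpBlock` should return `$true`; a `$false` means the rule did not take (wrong pattern, policy scope excluding the account, or the policy not yet applied). A blocked launch also produces an event from source "Software Restriction Policies" in the Application log (event ID 866 for a path rule), which is the record to forward to the SIEM so the exercise can measure both whether the control worked and whether anyone reported or noticed the blocked launch, the two questions the slide poses.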

Going Forward

• More such exercises are planned to further test the security of systems and the ability of staff members to appropriately respond to such situations

• Currently working on changing explorer.exe to a harmless exe that loads a mock “ransomware” screen, and measuring how long it takes to be discovered and reported to IT.

Acknowledgements

• Christian Diaz – coauthor of guide

• Ken Belva – help with OWASP project submission

Questions???