Cyber Incident · cybersecurity · Disaster Recovery · Hacking · Malware · Ransomware

Trick or Treat – Ransomware is a Trick disguised as a Treat

This time of year causes me to think about cyber lessons learned, malware-related questions from customers and colleagues, and all the ghoulish activities we have witnessed in 2017. We have seen obvious phishing mails that use clearly spoofed email addresses or URLs and carry provocative messages designed to drive users to click. These provoke the user to click the message, open an attachment, or click an infected URL, which causes the malware to execute. Another common way to become infected is through compromised websites that trigger an unintentional program download. These are the “Tricks” used to make a user change their normal behavior. As awareness of phishing and ransomware has grown, our ability to be “Tricked” has been reduced, but not eliminated.

Ransomware has now become synonymous with phishing. The two attack types have merged into a single attack in which the phishing lure delivers the encryption payload. Statistics show that over 90% of all phishing attacks now carry ransomware encryption. In the business world, the technique of the phishing mails is changing to draw employees in and make the attack succeed: the emails now seen include a personalized message with a correct salutation and subjects of interest chosen by job category. These are effective attacks and are gaining popularity. The sophistication of the social engineering in these attacks keeps improving, while the skill and resources an attacker needs to execute them have diminished rapidly. Any criminal can leverage ‘ransomware as a service’ on the dark web and inflict serious damage along with potentially huge financial gains.

Ransomware is also getting into business systems through vulnerabilities in operating systems and software. Targeted attacks are being delivered against outdated security software or system software. These attacks are broad and successful, as we have seen over the past few months. The malware enters the organization via targeted exploitation of known vulnerabilities and then migrates through systems to infect the entire network and its connected devices.

Ransomware works in a very orchestrated manner. Once the ransomware program has been executed, it starts communicating with its host to acquire an encryption key. This happens very quickly. Once the program has its key, it encrypts the data on the system, and the data is then unusable. Encrypted data can “typically” be recovered using the decryption key, but there are no guarantees given the source of the attack. Once the decryption key is delivered back to the program, the process can be reversed.

The best preparation an organization can take is to follow common best practices. From updating end-point protection products, to implementing stringent data back-up procedures, to patching and updating software, best practices are not difficult in themselves, but they require commitment and focus. These, along with a cybersecurity process of Identify, Protect, Detect, Respond and Recover, are extremely valuable for any business. Continual employee education and training on phishing and ransomware remains a highly valuable process.

In addition to developing a cybersecurity process and following a standardized framework, vulnerability scanning and monitoring of network behavior are must-have proactive countermeasures.

Lastly, nothing is guaranteed to keep your business safe, but reducing your attack surface will be worth the investment. The ability to know in real time that an attack is in progress, and the knowledge to remediate or immediately take the suspect system off-line, can save you significant time, energy and money: the real “treats” of this Halloween season.


Cyber Incident · cybersecurity · Disaster Recovery · Hacking · Incident Response

Life was so simple, then Equifax, SEC, Whole Foods, Deloitte all hacked!

I have been getting calls and emails for the last few weeks about all the hacks and cyber events. The central question is always, “what do I do to protect myself?” It’s actually an impossible question to answer. Why? We do not have control of our own identities and assets. They are managed, and may even be owned, by third parties. How can this be true?

The Credit Reporting Agencies (CRAs) own and/or sell our credit identity information as a business. Who owns your identity from a credit reporting perspective? Perhaps it is not you. But let’s ask the question: how did I lose control of my credit identity to a third party? The information in your credit report comes directly from companies that have extended you credit in the past or from those with which you have open accounts. Credit card companies, banks, credit unions, retailers, and auto and mortgage lenders all report the details of your credit activity to the CRAs. The CRAs also receive information from debt collectors, and they purchase public records, such as bankruptcies, tax liens, and judgments, from public record providers. Now we know how our credit identity was assembled, but what obligation do the CRAs have to protect this information?

The Federal Trade Commission (FTC) has published a Safeguards Rule for protecting consumer information. Institutions under FTC jurisdiction must have measures in place to keep customer information secure, and the CRAs fall under FTC jurisdiction by definition. The safeguards are designed to be flexible in how each organization implements them rather than prescriptive in nature. The references for implementation processes to protect consumer information reference:

The recent testimony and prepared statement from Equifax point to a failure in the process and implementation of a standard software patching process. The other alarming fact from the prepared testimony was the lack of monitoring and process around a known vulnerability, followed by the awareness (and lack of action), several months later, of that vulnerability through network traffic monitoring. The vulnerability identified led the forensics team back to the original software, which had an identified vulnerability that was not patched. The contradiction, and/or the lack of use of monitoring tools, is a key message. Monitoring of critical systems, identified vulnerabilities and changes in the behavior of network traffic are critical controls of a cybersecurity program. In addition to training and process management, a cyber event can be prevented and/or observed in real time based on network behaviors.

Back to the original question: “What do I do to protect myself?” Here are some helpful tactics that are just good cyber hygiene.

    1. Change your passwords so that each one is unique; do not repeat the same password
    2. Use complex passwords or a password generator
    3. Set up identity monitoring services through reputable sources
    4. Set up monitoring and alerts on banking accounts for money movement
    5. Consider the option to shut down all credit application services
    6. Run anti-virus/anti-malware products on all devices you own
    7. Make sure you have a firewall and that its settings are not left at “default”
    8. Make sure all connected devices are protected and not left at default settings; segment them if possible
    9. Learn about phishing and ransomware best practices
    10. Don’t surf unknown web sites
    11. If it looks suspicious or you are questioning its authenticity, investigate rather than act


CUI · Cyber Incident · cybersecurity · Disaster Recovery

Defining CUI – Controlled Unclassified Information for the Manufacturing Segment

The definition of CUI, or Controlled Unclassified Information, by the Department of Defense is challenging for most small and medium manufacturers to grapple with. NIST Special Publication 800-171 defines the handling of CUI under the title “Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations.” The security requirements of 800-171 apply to all components of nonfederal systems and organizations that process, store or transmit CUI, or that provide security protection for such components. I will walk through the various standards and definitions to highlight the specifics that affect our manufacturers who need to comply with the NIST cybersecurity guidelines. While this background currently applies to commercial manufacturing under DOD contracts, the guidance and definitions are in draft or under consideration for other verticals, including financial services, healthcare, food safety, automotive and related verticals.

What is CUI? According to the National Archives, “Only information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies may be CUI. This excludes all information that is classified under Executive Order 13526 of December 29, 2009, or the Atomic Energy Act, as amended.” In commercial manufacturing, this would be anything other than COTS (Commercial Off-The-Shelf) products, and it includes modified COTS products. The summary and extension is that for any organization providing a product or solution that is designed for government or modified for government, the information associated with it would be considered CUI. CUI is information that is either (i) provided to the contractor by or on behalf of DoD in connection with the performance of the contract, or (ii) collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract, and that falls in any of the following categories: (i) controlled technical information, (ii) critical information, (iii) export-controlled information, or (iv) any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies (e.g., privacy, proprietary business information).

How do you protect CUI? Provide adequate security to safeguard covered defense information that resides on or is transiting through a contractor’s internal information system or network. Adequate security is defined as implementation of NIST SP 800-171, which comprises 14 families of cybersecurity controls, and is required by 12/31/2017. Compliance with 800-171 is considered 100 percent complete with any waivers or deviations approved by the DOD CIO. An organization can demonstrate through Plans of Action and Milestones (POA&M) and System Security Plans (SSPs) that it is in progress, as part of a contractor’s risk-management decision on CUI protection by its supply chain.

Cyber incidents are another component of a compliance or CUI program. A cyber incident is an action or actions taken through the use of computer networks that results in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein. “Compromise” means disclosure of information to unauthorized persons, or a violation of the security policy of a system, in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object, or the copying of information to unauthorized media, may have occurred.

What steps must be taken if a cyber incident occurs? Affected parties must:

  • Review the contractor’s network(s) for evidence of compromise of covered defense information using the contractor’s available tools, including, but not limited to, identifying compromised computers, servers, specific data and user accounts.
  • Identify covered defense information that may have been affected in the cyber incident.
  • According to DFARS Clause 252.204-7013(c)(1), rapidly report the incident (within 72 hours of its discovery) directly to DoD; subcontractors must provide the incident report number, automatically assigned by DoD, to the prime contractor (or next higher-tier subcontractor) as soon as is practical.

The need for cyber improvement in critical infrastructure and the supply chain has now become a requirement. We are seeing more and more cyberattacks on this market segment that result in the rapid and “unknown” theft of intellectual property, data and designs. Copied and counterfeit products, parts and infrastructure cause damage to the US economy.

The extension of the standards to other vertical markets is not a question of “if,” but a question of “when.” Prepare to adopt the NIST framework in every vertical market as a measurable, identifiable and comprehensive approach to understanding the cyber posture of any organization.


** DFARS Clause 252.204-7012(c)(1)



Cyber Incident · Disaster Recovery · Incident Response · Malware · Ransomware

Corporate Cyber Incident Response Plan – Do You Even Have One?


I was messaging with a very good friend and colleague this week, and we started chatting about incident response plans. We noted that most people have a plan in place at home; he raised examples around personal security elements such as home alarms, dogs, door locks and cameras. The comment that resonated with me most was that you know what to do when you come home and your home has been burglarized: call the police, the insurance company, etc. He went on to pose the question, what about when your company is electronically burglarized? For most organizations, that question is met with silence.

While burglary in the workplace takes on many forms, we will focus on burglary in the form of cyberattacks. The attacker is “stealing” information from your company for monetary purposes. Yes, the cyberattack is intended to take something from you: data, money or both. Cyberattackers work systematically and with operational efficiency to pick either high-value targets or high-probability targets and extort what they are after: data, intellectual property, personally identifiable information, or cash from a ransomware event. It’s a business, and the value to the attacker is what they take for future gains or the currency they demand to potentially give you back what they have access to or control of. The results are highly distracting, expensive and potentially severely impactful to the business.

Circling back to the concept of corporate cyber incident response, what is your answer? Is the first step to call the authorities and FBI? Is it to pay the ransom? Is it time to deploy your Disaster Recovery (DR) policy? Do you even have a DR plan? Have you identified your critical data?

What exactly is the FBI’s role in cyber? The FBI’s role is to hunt down the “bad guys” and prosecute them, plain and simple. Its role is not to recover your assets, cash or data. Should you call the FBI if you are burglarized (cyberattacked)? Absolutely! We want to shut down as many cyber criminals as possible. Should you pay the ransom? Well, that depends: do you have a data recovery plan implemented that remains unscathed by the encryption tactics used by the attacker? If yes, why would you pay? Sometimes organizations need to make a time vs. money decision, as the time to recover may exceed the threshold a company can accept for its business. Law enforcement suggests not paying the ransom, but your business objectives need to drive your decision.

Many organizations talk about the topic of incident response, but very few have a realistic plan. Some suggestions that can help include building a plan that includes recovery steps, using realistic scenarios, and identifying leaders within your company who will drive those decisions. Have a true plan of action that is executable. Test the plan by doing “dry runs” of a few scenarios. Be prepared, be ready, be diligent: the odds prove that this will happen to your company at some point. The small and medium business market is the largest potential target, while also the least prepared. Start today!