Way forward on “Wannacry” ransomware

It has been reported that a new ransomware named “Wannacry” is spreading widely. Wannacry encrypts the files on infected Windows systems and spreads by exploiting vulnerable Windows systems. As you must be aware, a huge ransomware attack across the globe has affected more than 90 countries. Following are a few details about the threat.

What does it do?

  • Encrypts files on Windows desktops/servers
  • The computer is not usable until 300 bitcoins are paid to the given account
  • There is a timer until which the amount is to be paid
  • After that, seemingly, all the files are deleted.

What is the root cause?

Vulnerabilities in the Windows SMB (samba) service are exploited, with a phishing attack as the initial delivery vector.

How does it infect?

Approach 1:

  • User clicks on phishing link
  • An exe is downloaded from the page – it downloads other files
  • Encrypts files on the machine
  • Deletes some system files
  • Finds other machines on network via samba ports

Approach 2:

  • If the samba ports of Windows servers/PCs are open to the internet, they can be attacked directly by hackers

Approach 3:

  • Exe in an email attachment

From the speed at which it is spreading, Approach 2 seems the more common.

Are Linux based servers/applications in danger?

  • Until now, no infection of Linux servers/desktops has been reported.
  • But as a safety measure we should block incoming connections to the samba ports.
  • Samba ports to block in the external firewall:
    • 139
    • 445
    • 3389

Analysis of WanaCrypt0r 2.0

The malware was made available online on 14 April through a dump by a group called Shadow Brokers, which claimed last year to have stolen a cache of “cyber weapons” from the National Security Agency (NSA). At the time, there was skepticism about whether the group was exaggerating the scale of its hack.

On Twitter, whistleblower Edward Snowden blamed the NSA.

“If @NSAGov had privately disclosed the flaw used to attack hospitals when they found it, not when they lost it, this may not have happened,” he said.

“It’s very easy for someone to say that, but the reality is the US government isn’t the only one that has a stockpile of exploits they are leveraging to protect the nation.”

“It’s this constant tug of war. Do you let intelligence agencies continue to take advantage of vulnerabilities to fight terrorists or do you give it to the vendors and fix them?”

The NSA is among many government agencies around the world that collect cyber weapons and vulnerabilities in popular operating systems and software so they can use them to carry out intelligence gathering or engage in cyberwarfare.

Concerns

  • Indicators of compromise, batch file content and affected files vary between similar worm samples on different endpoints. The scale is therefore gigantic and complex, and the worm is changing how it functions.
  • Decryption is difficult. Older decryption techniques for similar ransomware families are not proving useful.
  • Immature asset mapping is not helping the defence. Mapping servers and endpoints against Windows version (if already done) is key to mass disinfection in an organization.
  • Reverse engineering of the worm is helping, but because it is self-replicating, complete erasure is proving to be an arduous task.
  • Reaching out to the workforce for awareness is imperative; its success is yet to be realized because of the weekend. Some organizations have organized project- and function-specific awareness sessions for the next two weeks.
  • Rule reconfiguration in firewall/IPS/IDS is helping, but DLP rule reconfiguration is resulting in false positives, affecting business email services or access to key resources.
  • It is difficult to analyze the SMB traffic. Switching off SMB services seems to be the only option.
  • Encryption is performed in the background, hence it is difficult to detect.
  • The malware is proxying its traffic and so achieves anonymity.
  • The malware is designed so that it can deliver many types of payload. What organizations will need to block in the coming days is a big question.
  • Blocking connections to TOR nodes and network is working for organizations.
  • Where SMB is publicly accessible via the internet, inbound traffic should be blocked.
  • Be ready with backups and a disaster recovery strategy.
  • SOCs and NOCs of Indian organizations should implement the IoCs received or issued by CERT-In.
  • A few variants of these attacks only partially work: they may not encrypt files because the ransomware archives inside them are corrupted. Analysis shows they act as backdoors for other variants of similar families to enter the organizational network.
  • Creating a sinkhole to redirect the worm's traffic is an effort which has worked to slow down the infections.
  • Monitoring all vectors is imperative for organizations; do not restrict it to the email and SMB aspects only.
  • It is also executing massive scanning of internet IP addresses to find and infect other vulnerable computers.
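The "finds other machines on network via samba ports" step of the infection and the internet-wide scanning noted in the last concern both leave a recognisable fan-out pattern in firewall logs. The following is an added example, not part of the original advisory: a small detector that flags sources reaching many distinct hosts on the advisory's ports (139, 445, 3389) within a short window, and allowed connections from internet addresses to those ports. The log line format, internal address ranges, threshold and sample lines are constructed; adapt the parser to your own firewall export.

```python
"""SMB/RDP fan-out detector over firewall logs. Added example, not part of the
advisory: log format, internal ranges, threshold and sample lines are constructed."""
import ipaddress
import re
from collections import defaultdict

WATCHED_PORTS = {139, 445, 3389}   # ports the advisory says to block externally
# Assumed internal ranges (RFC 1918); anything else is treated as the internet.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FANOUT_THRESHOLD = 5   # distinct peers per window a single workstation rarely exceeds
# Constructed line format: "<epoch> <src_ip> -> <dst_ip>:<dst_port> <ALLOW|DENY>"
LINE_RE = re.compile(r"^(\d+) (\S+) -> (\S+):(\d+) (ALLOW|DENY)$")

def parse_line(line):
    """Return (ts, src, dst, port, action), or None for a line we cannot parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, action = m.groups()
    return int(ts), src, dst, int(port), action

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def detect(lines, window=60, threshold=FANOUT_THRESHOLD):
    """Return {'fanout': {src: peak distinct peers on watched ports within
    `window` seconds, for sources at or above threshold}, 'exposed': [(src, dst,
    port)] where an internet source was ALLOWED to a watched port}.
    Fan-out is the worm's "finds other machines via samba ports" step."""
    events = defaultdict(list)   # src -> [(ts, dst)]
    exposed = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[3] not in WATCHED_PORTS:
            continue
        ts, src, dst, port, action = rec
        events[src].append((ts, dst))
        if action == "ALLOW" and not is_internal(src):
            exposed.append((src, dst, port))
    fanout = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):   # sliding window over time-ordered events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            peers = {d for _, d in evs[start:end + 1]}
            if len(peers) >= threshold:
                fanout[src] = max(fanout.get(src, 0), len(peers))
    return {"fanout": fanout, "exposed": exposed}

# Constructed sample: 10.0.0.7 sweeps its subnet within seconds, 10.0.0.9 does normal
# file-share access, 203.0.113.9 (documentation address standing in for an internet
# host) is allowed to RDP and denied on 445.
SAMPLE_LOG = [
    "1494700000 10.0.0.7 -> 10.0.0.21:445 DENY",
    "1494700001 10.0.0.7 -> 10.0.0.22:445 ALLOW",
    "1494700002 10.0.0.7 -> 10.0.0.23:445 DENY",
    "1494700003 10.0.0.7 -> 10.0.0.24:139 DENY",
    "1494700004 10.0.0.7 -> 10.0.0.25:445 DENY",
    "1494700010 10.0.0.9 -> 10.0.0.5:445 ALLOW",
    "1494700020 203.0.113.9 -> 10.0.0.5:3389 ALLOW",
    "1494700030 203.0.113.9 -> 10.0.0.5:445 DENY",
    "garbage line the parser skips",
]

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

A DENY line still counts towards fan-out: a worm sweeping a subnet is visible in the attempts, not only in the connections that succeed.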

Steps to run on user’s terminal to prevent and protect against this threat

  • To get the latest protection from Microsoft, upgrade to Windows 10. Keeping your computers up-to-date gives you the benefits of the latest features and proactive mitigations built into the latest versions of Windows.
  • We recommend that customers who have not yet installed security update MS17-010 do so as soon as possible. Until you can apply the patch, we also recommend two possible workarounds to reduce the attack surface:
    • Disable SMBv1 with the steps documented at Microsoft Knowledge Base Article 2696547, as recommended previously.
    • Consider adding a rule on your router or firewall to block incoming SMB traffic on port 445.
  • Windows Defender Antivirus detects this threat as Ransom:Win32/WannaCrypt as of the 1.243.297.0 update. Enable Windows Defender Antivirus to detect this ransomware. Windows Defender Antivirus uses cloud-based protection, helping to protect you from the latest threats.
  • For enterprises, use Device Guard to lock down devices and provide kernel-level virtualization-based security, allowing only trusted applications to run, effectively preventing malware from running.
  • Use Office 365 Advanced Threat Protection, which has machine learning capability that blocks dangerous email threats, such as the emails carrying ransomware.
  • Monitor your network with Windows Defender Advanced Threat Protection, which alerts security operations teams about suspicious activities. Download this playbook to see how you can leverage Windows Defender ATP to detect, investigate, and mitigate ransomware in networks: Windows Defender Advanced Threat Protection – Ransomware response playbook.
    https://blogs.technet.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/
  • We request you to send a mail to all users making them aware of the precautions that keep their desktops from getting infected by ransomware. In that mail, ask users not to open any unexpected mail or attachment, and to avoid opening Microsoft Office attachments (docx, pptx, etc.) even when the mail is expected.

Best practices for prevention of ransomware attacks:

  • Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
  • Regularly check the contents of database backup files for any unauthorized encrypted data records or external elements (backdoors/malicious scripts).
  • Keep the operating system and the third party applications (MS office, browsers, browser Plugins) up-to-date with the latest patches.
  • Maintain updated Antivirus software on all systems and deploy gateway level security as well.
  • Don’t open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In the case of genuine URLs, close the e-mail and go to the organization’s website directly from the browser.
  • Deploy web and email filters on the network. Configure these devices to scan for known bad domains, sources, and addresses; block these before receiving and downloading messages. Scan all emails, attachments, and downloads both on the host and at the mail gateway with a reputable antivirus solution.
  • Disable macros in Microsoft Office products. Some Office products allow for the disabling of macros that originate from outside of an organization and can provide a hybrid approach when the organization depends on the legitimate use of macros. For Windows, specific settings can block macros originating from the Internet from running.
  • Follow safe practices when browsing the web. Ensure the web browsers are secured enough with appropriate content controls.
  • Network segmentation and segregation into security zones – help protect sensitive information and critical services. Separate administrative network from business processes with physical controls and Virtual Local Area Networks.
  • Disable Remote Desktop connections; employ least-privileged accounts.
  • Ensure the integrity of the code/scripts used in database, authentication and sensitive systems; check regularly for the integrity of the information stored in the databases.
  • Restrict users’ abilities (permissions) to install and run unwanted software applications.
  • Enable personal firewalls on workstations.
  • Implement strict External Device (USB drive) usage policy.
  • Establish Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) for your domain. These form an email validation system designed to prevent spam by detecting email spoofing, which is how most ransomware samples successfully reach corporate mailboxes.
  • Restrict execution of PowerShell/WSCRIPT in the enterprise environment. Ensure installation and use of the latest version (currently v5.0) of PowerShell, with enhanced logging, script block logging and transcription enabled. Send the associated logs to a centralized log repository for monitoring and analysis.
  • Application whitelisting / strict implementation of Software Restriction Policies (SRP). Ransomware samples generally drop and execute from these locations. Enforce application whitelisting on all endpoint workstations.
  • Configure access controls including file, directory, and network share permissions with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares.
  • Consider installing the Enhanced Mitigation Experience Toolkit (EMET) or similar host-level anti-exploitation tools.
  • Block attachments of the following file types: exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf
  • Employ data-at-rest and data-in-transit encryption.
  • Network and Application Audit, vulnerability Assessment and Penetration Testing (VAPT) and information security audit are mandatory for critical networks/systems (especially database servers) at regular intervals.
  • Third-party risk assessment and deployment of an information security framework (such as ISO 27001:2013) will add value.
  • Individuals or organizations are not encouraged to pay the ransom, as this does not guarantee files will be released.
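The attachment block list above and the macro guidance are both gateway-side controls, and the details of how a filename is matched decide whether they hold up. The following is an added example, not the advisory's own tooling: the block list is taken verbatim from the best practices, while the macro-enabled Office extensions, the right-to-left-override check and the sample names are assumptions added here.

```python
"""Mail-gateway attachment policy built on the advisory's block list. Added
example, not the advisory's own tooling; macro-enabled types and the filename
checks are additions explained in the comments."""
import unicodedata

# Extension block list exactly as the best practices give it (pipe separated).
ADVISORY_BLOCKLIST = "exe|pif|tmp|url|vb|vbe|scr|reg|cer|pst|cmd|com|bat|dll|dat|hlp|hta|js|wsf"
BLOCKED_EXT = set(ADVISORY_BLOCKLIST.split("|"))
# Macro-enabled Office formats (assumption, not in the advisory): the gateway-side
# complement to "disable macros that originate from outside the organization".
MACRO_EXT = {"docm", "dotm", "xlsm", "xltm", "xlam", "pptm", "potm", "ppam"}
# U+202E RIGHT-TO-LEFT OVERRIDE makes "payment\u202efdp.js" display as
# "paymentsj.pdf" in many clients; its presence in a filename is hostile.
RTLO = "\u202e"

def effective_extension(filename):
    """Extension Windows actually uses to pick a handler: trailing dots and
    spaces are stripped ("Setup.EXE . ." runs as an .exe), only the final segment
    counts ("report.pdf.exe" is an .exe), and NFKC folds full-width look-alikes."""
    name = unicodedata.normalize("NFKC", filename).rstrip(" .")
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1].lower()

def classify(filename, sender_is_external=True):
    """Return 'block', 'quarantine' or 'allow' for one attachment name."""
    if RTLO in filename:
        return "block"            # display-name spoofing
    ext = effective_extension(filename)
    if ext in BLOCKED_EXT:
        return "block"            # advisory block list
    if ext in MACRO_EXT and sender_is_external:
        return "quarantine"       # macro-bearing document from outside
    return "allow"

def filter_attachments(names, sender_is_external=True):
    """Map each attachment name to its verdict."""
    return {n: classify(n, sender_is_external) for n in names}

# Constructed sample attachment names with the expected verdicts.
SAMPLE = [
    "Q1_report.docx",        # plain Office document      -> allow
    "Invoice_2017.docm",     # macro-enabled, external    -> quarantine
    "invoice.pdf.exe",       # double extension           -> block
    "Setup.EXE . .",         # case + trailing junk       -> block
    "payment\u202efdp.js",   # RTLO spoofing              -> block
    "photo.JPG",             # not listed                 -> allow
    "README",                # no extension               -> allow
]

if __name__ == "__main__":
    for name, verdict in filter_attachments(SAMPLE).items():
        print(f"{verdict:10s} {name!r}")
```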

References:

https://sushobhanm.wordpress.com/2017/05/14/wannacry/

https://technet.microsoft.com/library/security/MS17-010

http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks

https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/

http://blog.talosintelligence.com/2017/05/wannacry.html


ISO 27001 Audit Checklist

If you are planning your ISO 27001 internal audit, you may be looking for some kind of an ISO 27001 audit checklist.

Every company is different. And if an ISO management system for that company has been specifically written around its needs (which it should be!), each ISO system will be different, and the internal auditing process will be different. We explain this in more depth here.

However, you can create your own basic ISO 27001 audit checklist, customised to your organisation, without too much trouble. Read on to find out how.

By the way, we’re taking a broad, simple approach in this blog. But for the best results, we’d recommend some training to make the whole process much easier. However, sharing some basics will, at least, demystify the process and provide a basic framework.

And these broad principles are applicable for internal audit of other standards, such as ISO 9001, ISO 14001, etc.:

So, some basic steps in the process:-

  • Document review. Quite simple! Read your Information Security Management System (or the part of the ISMS you are about to audit). You will need to understand the processes in the ISMS, and find out if there are non-conformities in the documentation with regard to ISO 27001. A call to your friendly ISO Consultant might help here if you get stuck(!)
  • Creating the checklist. Also quite simple – make a checklist based on the document review, i.e., read about the specific requirements of the policies, procedures and plans written in the documentation and write them down so that you can check them during the main audit. For example, if the data backup policy requires the backup to be made every 6 hours, then you have to note this in your checklist in order to check if it really does happen. Take time and care over this! – it is foundational to the success and level of difficulty of the rest of the internal audit, as will be seen later.
  • Planning the main audit. Or “make an itinerary for a grand tour”(!). Plan which departments and/or locations to visit and when – your checklist will give you an idea of the main focus required.
  • Performing the main audit. It is astonishingly practical! Walk around the company, talk to staff, check computers and other equipment, observe physical security, etc. Your previously-prepared ISO 27001 audit checklist now proves its worth – if this is vague, shallow, and incomplete, it is probable that you will forget to check many key things. And you will need to take detailed notes.
  • Reporting. Summarize all the non-conformities and write the Internal audit report. With the checklist and the detailed notes, a precise report should not be too difficult to write. From this, corrective actions should be easy to record according to the documented corrective action procedure.
  • Follow-up. It’s the internal auditor’s job to check whether all the corrective actions identified during the internal audit are addressed. The checklist and notes from “walking around” are once again crucial as to the reasons why a nonconformity was raised. The internal auditor’s job is only finished when these are rectified and closed, and the ISO 27001 audit checklist is simply a tool to serve this end, not an end in itself!

Checklist Format – Some Basic Guidelines

A suggestion to aid simplicity! We’d recommend 4 columns as follows:-

  1. Reference – e.g. the clause number, section number of a policy, within the standard.
  2. What to look for – what to examine, monitor, etc., during the main audit – whom to speak to, which questions to ask, records to look for, facilities to visit, equipment to check, etc.
  3. Compliance – Simply, has the company complied with the requirement? Yes or No, or occasionally “not applicable”.
  4. Findings – Details of the more-specific “findings” of the main audit, i.e. staff spoken to, quotes of what they said, IDs and content of records examined, description of facilities visited, observations about the equipment checked, etc.

So, the internal audit of ISO 27001, based on an ISO 27001 audit checklist, is not that difficult – it is rather straightforward: you need to follow what is required in the standard and what is required in the documentation, finding out whether staff are complying with the procedures.

With a good ISO 27001 audit checklist, your task will certainly be a lot easier.

And if you need our help, or even want us to run some training for you, please drop us a line at info@primeinfoserv.com


Issues with Jobs

Jobs, job seekers and employers are never friends. There is always a repelling effect between them. Below are perennial problems of society, and they are increasing day by day:

  • People do not get jobs,
  • Employers do not get the right candidate,
  • High level of attrition in the organizations,
  • People are not ready to join even when they are offered.
  • Please read the blog of our Co-Founder where he has shared his experience on “Why do people leave job?”

We are conducting an interesting webinar on “Why do people fail to get a job”. Anyone interested may register here.

In addition to that we carry out Skill Development, Campus Connect, Live project based training etc. Expression of interest for converting “Ability to Employability” can be recorded here.


Vijaya Greetings

Dear Well Wisher,

Subha Bijaya from Prime!

Trust you have spent good times with your family, friends and relatives. Durga Puja, being one of the largest festivals in Bengal, gives all of us the desired break in our busy schedule to refresh and energize ourselves. Even though Durga Puja, Dussera, Eid and Lakshmi Puja are over, the festive times linger with the upcoming Kali Puja, Diwali and Bhaiphonta/Bhaiduj.

Hence this is not the time for an enterprise to invest, but rather to look back on previous investments. This is the time to compile, consolidate, optimize and plan to achieve the best ROI from the infrastructure already built.

In our lives, we get very few chances like this where we have the freedom to look beyond the OEM/manufacturer’s and system integrator’s influence and take independent decisions. This is the time to do a gap analysis of People, Process, and Tools inside the organization and to plan for the future.

Each product/solution has its own merits provided its features/functionalities are configured, customized and synchronized as per organizational needs. Otherwise it is like a black box, or any other competitive box, and we tend to get trapped in it. Every product becomes great when it is fine-tuned to enterprise requirements.

With the blessings from the evil-slayer goddess Durga, it is time to  figure out the evils/ black holes/gaps in your enterprise and focus to bridge the gap.

In this journey, if you need a right partner to set the guideline for you without any commercial obligation, you may consider us.

Let our journey continue together for  greater heights in life.

NEWS DESK

PRIME INFOSERV LLP

Subha Bijoya


Lady Coordinator Opening at Prime

JOB OPENING AT PRIME

Company: Prime Infoserv LLP

Role: Lady Coordinator for Back Office Operations

Location: Kolkata, West Bengal, India

Scope

  • Co-ordination with customers for orders, proposals, payment collection, etc.
  • Co-ordination with vendors/contractors/OEMs for pricing and material delivery
  • Creation of Proposal
  • Raising Invoice
  • Co-ordination with Accounts/Finance for VAT, CST, TDS calculation, return submission
  • Mail Communications with different stake holders
  • Tracking proposal, orders, invoices in terms of CRM
  • Communicating with existing customers for relationship management (taking feedback, identification of cross-selling/upselling opportunities)

Eligibility:

  • Education – No bar; good English communication skills (reading, writing, speaking) mandatory
  • Experience – No bar; freshers are also welcome with a good attitude (desire for learning, ownership and accountability)
  • Desirable (not mandatory) – Working knowledge of Tally; an accounts background will add value

Contact : jobs@primeinfoserv.in, info@primeinfoserv.com


Systems Integration Services

OpenSource Based Systems Integration

  • Redhat, SuSE Linux
  • SSO, LDAP, DHCP, DNS, Web Services, Database, E-mail etc.

Network Management System implementation

Voice-Data Solutions

Video Conferencing Solution(Software based)


Linux Based Solutions & Services

Linux Internet Servers:-

  • Web – Apache HTTP Server, Apache Tomcat
  • Databases – MySQL, PostgreSQL, Oracle
  • Programming and scripting – PHP, Java, Perl, JavaScript, CSS, XHTML, Bash
  • FTP – ProFTPD, Pure-FTPd, vsftpd
  • SMTP (outgoing email) – exim, postfix, qmail, sendmail
  • POP3 and IMAP (incoming email) – qpopper, UW IMAP, Courier-IMAP
  • DNS (Domain Name System) – BIND, djbdns
  • Web control panels – cPanel and WebHost Manager, Plesk, DirectAdmin, Webmin

Linux Virtualization:-

  • VMware ESX, ESXi, VMware Server
  • Xen – Amazon EC2 Cloud, Citrix XenServer
  • User Mode Linux (UML)
  • Manage Large Networks (MLN)

Linux Remote Access:-

  • SSH (Secure SHell) – OpenSSH
  • VNC (Virtual Network Computing)
  • X Window System (X.Org, X11)
  • OpenVPN

Linux Security:-

  • Network monitoring – SNMP, Nagios, Big Brother/Hobbit, MRTG, Cacti
  • SSL/TLS encryption – OpenSSL, stunnel
  • Intrusion Detection Systems (IDSs) – Snort
  • Tripwire (file integrity checker)

Linux Internal Network Servers:-

  • File server – Samba (SMB, CIFS), NFS, iSCSI
  • LDAP (directory services) – OpenLDAP
  • DHCP – ISC DHCP
  • Routing – Quagga, OSPF, RIP, VRRP, CARP

Linux Distributions:-

  • Red Hat Enterprise Linux (RHEL)
  • CentOS
  • SUSE Linux Enterprise Server (SLES)
  • Debian GNU/Linux
  • Ubuntu Server and Desktop Editions
  • openSUSE
  • Fedora
