How Ransomware Sneaks In

Ransomware has officially made the mainstream. Dramatic headlines announce the latest attacks and news outlets highlight the staggeringly high ransoms businesses pay to retrieve their stolen data. And it’s no wonder why – ransomware attacks are on the rise and the average ransom payment has ballooned to over $200,000.

But the true cost of ransomware can go beyond the headline-grabbing payments. The hit to a business’s reputation can be long-lasting, as can the effect of protracted downtime. And over 15% of businesses never retrieve their data. What’s more, some companies lose their data even though they pay a ransom.

That’s the bad news. The good news is that we’re gaining a better understanding of how ransomware attacks happen. Learning how ransomware sneaks into our personal and business lives is the key to protecting ourselves.

Risks to Small and Medium Businesses

In episode 1 of Carbonite + Webroot’s new series on ransomware, security experts, futurists and business leaders discuss the risks faced by small and medium businesses.

Before the latest surge of ransomware, some small and medium businesses could get away with thinking they weren’t a target. After all, the largest companies are the ones that can afford to pay the largest ransom payments. But the truth is there are only so many Fortune 500 companies to prey on.

Now with so many new victims of ransomware, businesses are turning to cyber security experts and asking why they’re a target. The short answer is … they aren’t. Small businesses fall victim to ransomware because of misconfigured systems, lack of proper security and human error. In other words, attackers sneak in by focusing their attention on vulnerable systems. They look for things like outdated firewalls and outdated servers because those gaps in security make for easy targets.

Protecting Your Data

Jon Murchison, CEO of Blackpoint Cyber, succinctly sums up why attacks happen, “It’s bad IT hygiene.” He’s seen municipalities attacked repeatedly because of holes in their network. He once fought off six waves of attacks, crediting Webroot’s capacity to hunt down malware and his ability to respond in real time. Without that, he guarantees there would have been a mass ransom event.

That’s why investing in cyber security is so important. With the explosion of ransomware, businesses that don’t protect themselves can fall victim to it. By establishing strong security measures, you can keep your company out of the next ransomware headline.

Acknowledging the Threat

Dr. Kelley Misata, CEO & founder of Sightline Security, says it’s an exciting time for technology, with the proliferation of IoT and mobile devices. But she adds, “people aren’t realizing that by interacting with that technology, they are putting themselves at risk for a cyber security event to happen.”

Dr. Misata has dedicated her career to helping others understand cyber security and teaching them how to adopt best practices in their own lives. Because ransomware attackers look for the easiest target, she tells her clients that “it’s not just how they protect their businesses, it’s how they protect their lives, how they protect their customers, and how they protect those around them.” Ransomware doesn’t just sneak in through our work computers and business servers. If our mobile devices are vulnerable, attackers will break in that way.

First Step in Preventing Ransomware

The first step in preventing ransomware is knowing who it targets and how it sneaks in. Big businesses make headlines, but small and medium businesses are increasingly falling victim to ransomware. And more and more often, ransomware piggybacks on our personal devices to sneak into our business lives.

Taking all this together will help you to focus your efforts when you invest in cyber security. Dive into expert analysis on 2021’s ransomware surge in our YouTube series: Ransomware 2021.

An MSP and SMB guide to disaster preparation, recovery and remediation

Introduction

It’s important for a business to be prepared with an exercised business continuity and disaster recovery (BC/DR) plan before it’s hit with ransomware, so that it can resume operations as quickly as possible. Key steps and solutions should be followed to prepare for and respond to cyber threats or attacks against your organization.

It may be as simple as the deployment of antivirus plus backup and recovery applications for your end users, or a more complex approach with security operations center (SOC) tools or managed response solutions coupled with network security tools such as DNS and Web filtering, network and endpoint firewalls, VPNs, backup and recovery and others.

It’s also essential to ensure end-users are trained on ransomware threats as a part of a good security awareness training program. The bottom line is, if prevention tools and training fail and your organization is compromised, you need to have a protection plan that gets your company assets and resources back to work quickly and securely.

What preparation is needed

When contemplating an in-depth plan, specific questions come to mind—the whats, the hows, the whys, and most importantly, the whos must be defined in the plan. When asking these questions, we need to be prepared to identify the resources, people and applications included. We must determine how to react to the situation and execute the logical steps and processes required to reduce damage as quickly as possible.

Below are some questions to get us started.

Key questions

  1. Who will be involved in recovery and communication when your DR plan is in action?
  2. How much downtime can your organization withstand?
  3. What service level agreement (SLA) do we need to provide to the business and users?
  4. What users do we need to recover first?
  5. What tools do we have to reduce risk and downtime within the environment?
  6. How are user networks separated from operational or business networks?
  7. How quickly can data protection tools get us up and running again?
  8. Can users get their data back if an endpoint device is compromised?
  9. Can we determine when the ransomware first hit the network or endpoint devices?
  10. Are we able to stop the proliferation of ransomware or malware throughout the network?
  11. Can we recover quickly to a specific point in time?
  12. Can our users access their data from the cloud before it has been restored?

Application Needs

The solutions below, coupled with an exercised BC/DR plan, will help reduce your organizational risk exposure and allow for quick remediation.

  • An endpoint security solution capable of determining what events took place and when
  • A DNS security solution capable of turning away security threats at the network level
  • A solution for endpoint backup and recovery that can safeguard data should these other solutions be compromised

Lines of Communication

Equally important as the technology are the people who manage and maintain the systems that support the different business units within an organization. For example, your security team and your endpoint support team need to be in regular discussions about how the teams will communicate when under attack. You need to determine who is responsible for which systems, and when each team should be brought into the process when under attack.

System Response Ratings

A system response rating system can assist in determining which systems or employees require a higher degree or speed of response. To do this, organizations must specify the value of the system or resource and where that resource sits regarding protection or remediation priority. This is often determined by the value of the resource in monetary terms. For example, suppose the loss of a specific system would incur a massive loss of incoming revenue. In that case, it might be necessary to place a higher priority in terms of protection and remediation for it over, say, a standard file server.

The same can be said for specific individuals. Often C-level resources and mid-tier executives need to be out in front of a situation, which highlights the importance of making sure their resources like laptops and portable devices are protected and uncompromised. They are often as important as critical servers. It is necessary to classify systems, users and customers regarding their criticality to the business and place priorities based on the rating of those resources.

Now that we know a bit of the who, what, and how, let’s look at how to recover from a single system to an entire enterprise.

Recovery and Remediation

Recovery is an integral part of any BC/DR plan. It gives organizations a playbook of what to do and when. But it’s not enough to recover your data. Admins also need to understand the remediation process that should be followed to prevent further infection of systems or proliferation of malware within an organization.

Scenario

Ransomware hits users’ laptops, encrypting all of their data. The laptops have antivirus protection but no DNS protection. Network security is in place in the form of firewalls and VPNs, with some network segmentation. There is also a security team in addition to the end-user support team. The ransomware is polymorphic, meaning that it changes to evade detection even after the first iteration has been isolated.

Solution

The first step is consulting the endpoint security console to learn when and where the malware was first seen. If backups are still running, they should be suspended at this point to prevent infected data from being backed up. This can be done either from the dashboard or with an automated script that suspends all devices, or only those that have been compromised.

A dashboard should make it easy to handle single systems, while scripts can handle thousands of devices at a time. APIs can help automate processes like bulk suspend and bulk restore of devices. If network segmentation is enabled, it may be prudent at this point to block traffic from the infected segments to prevent the spread of malware.

Now it’s time to review the protection platform to determine the date the file was noticed, the dwell time and when the encryption/ransomware started executing. Once these facts have been determined, it’s possible to track down how the organization was breached. Understanding how malware entered the network is critical to preventing future infections. Since, in our example, ransomware infected devices, a tested and reliable recovery process is also necessary.

Understanding the timeline of events is critical to the recovery process. Knowing when the infection began is what sets the point in time to restore to. Once an admin can zero in on that date and time, the affected devices can be compiled into a CSV file, each marked with its device ID number, to reactivate any backups that were halted when the breach was discovered.

Once the data, the source and target device IDs, and the date and time to restore from are combined with a bulk restore script, a bulk restore can be pushed to the same laptops or to new laptops. While this happens, solutions offering web portals let users return to work quickly.
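The restore procedure described above (suspend backups, fix the first-seen time per device, pick a restore point before it, push a bulk restore) as an added worked example. This is not code from the guide or from any backup vendor: the CSV export, the snapshot catalogue and the `BackupApi` class are all constructed or hypothetical stand-ins for whatever a real console and its bulk API provide. The safety margin exists because "first seen" is when detection caught the sample, not when it arrived, so a snapshot taken during the undetected dwell time should not be the one restored.

```python
"""Choose a clean restore point per affected device and drive a bulk suspend/restore.

Added example; not code from the original guide or any backup product. The CSV,
snapshot catalogue and BackupApi class below are constructed/hypothetical.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed input: one row per affected device, as exported from the endpoint console.
FIRST_SEEN_CSV = """device_id,hostname,first_seen
d-1001,fin-laptop-07,2021-05-03T09:14:00
d-1002,fin-laptop-12,2021-05-03T11:40:00
d-1003,hr-laptop-02,2021-05-04T08:05:00
"""

# Constructed snapshot catalogue: completion times of the backups held for each device.
SNAPSHOTS = {
    "d-1001": ["2021-05-02T22:00:00", "2021-05-03T08:00:00", "2021-05-03T22:00:00"],
    "d-1002": ["2021-05-02T22:00:00", "2021-05-03T22:00:00"],
    "d-1003": ["2021-05-04T22:00:00"],
}

# "First seen" is the detection time, not the arrival time; restore from before
# the undetected dwell window rather than right up to the alert.
SAFETY_MARGIN = timedelta(hours=2)


def parse_first_seen(csv_text):
    """Map device_id -> (hostname, first_seen datetime) from the console export."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row["device_id"]: (row["hostname"], datetime.fromisoformat(row["first_seen"]))
            for row in rows}


def choose_restore_point(first_seen, snapshot_times, margin=SAFETY_MARGIN):
    """Return the latest snapshot completed before first_seen minus margin, or None."""
    cutoff = first_seen - margin
    clean = [datetime.fromisoformat(t) for t in snapshot_times
             if datetime.fromisoformat(t) < cutoff]
    return max(clean) if clean else None


def plan_bulk_restore(csv_text, snapshots):
    """Build the bulk-restore plan: one entry per device with its chosen restore point."""
    plan = []
    for device_id, (hostname, seen) in parse_first_seen(csv_text).items():
        point = choose_restore_point(seen, snapshots.get(device_id, []))
        plan.append({
            "device_id": device_id,
            "hostname": hostname,
            "first_seen": seen.isoformat(),
            "restore_point": point.isoformat() if point else None,
            # No pre-infection snapshot exists: flag it rather than restore encrypted data.
            "action": "restore" if point else "manual-review",
        })
    return plan


class BackupApi:
    """Hypothetical stand-in for a backup product's API; records calls instead of making them."""

    def __init__(self):
        self.calls = []

    def suspend(self, device_id):
        self.calls.append(("suspend", device_id))

    def restore(self, device_id, restore_point, target_device_id):
        self.calls.append(("restore", device_id, restore_point, target_device_id))

    def resume(self, device_id):
        self.calls.append(("resume", device_id))


def execute_plan(api, plan, replacement_devices=None):
    """Suspend backups on every affected device, restore those with a clean point, resume only targets.

    replacement_devices maps a source device_id to a new laptop's id when data goes
    to replacement hardware; otherwise the same device is the target.
    """
    replacement_devices = replacement_devices or {}
    for entry in plan:
        api.suspend(entry["device_id"])  # stop encrypted data from being backed up
    restored = []
    for entry in plan:
        if entry["action"] == "restore":
            target = replacement_devices.get(entry["device_id"], entry["device_id"])
            api.restore(entry["device_id"], entry["restore_point"], target)
            api.resume(target)  # backups resume only on the restored target
            restored.append(target)
    return restored


if __name__ == "__main__":
    plan = plan_bulk_restore(FIRST_SEEN_CSV, SNAPSHOTS)
    for entry in plan:
        print(entry)
    api = BackupApi()
    print(execute_plan(api, plan, {"d-1002": "d-2002"}))
```

With the constructed data, the two finance laptops fall back to the snapshot from the evening before the alert (the 08:00 snapshot on d-1001 lies inside the two-hour margin and is skipped), while the HR laptop has no snapshot older than the infection and is routed to manual review instead of being "restored" to encrypted data.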

Summary

The right tools, planning, importance hierarchy and communication channels across a business are essential for establishing cyber resilience. Once the timeline of a breach has been determined, these elements make restoring to a pre-infection state a process that can be planned and perfected with practice.

Podcast: Cyber resilience in a remote work world

The global pandemic that began to send us packing from our offices in March of last year upended our established way of working overnight. We’re still feeling the effects. Many office workers have yet to return to the office in the volumes they worked in pre-pandemic. For MSPs, that makes up a good portion of their clientele.

Remote workers were abruptly pulled out from behind the corporate firewall, immediately becoming more susceptible to the targeted attacks of cybercriminals. Acceptable use policies could no longer be easily enforced, home devices became work devices, and employees distracted by life around them became more likely to click carelessly.

What’s worse, because the pandemic was affecting more or less all of us at the same time, cybercriminals had a virtually limitless pool of targets on which to test out new scams. Phishing scams imitating eBay skyrocketed during the first months of product shortages brought on by COVID-19. Scam emails claiming to be from Netflix rose by more than 600% in 2020.

We were fish in cybercriminals’ collective barrel. Now, even with vaccinations rising in the U.S., many companies are rethinking the way they work. It’s up to MSPs to have a strategy for securing remote workers, because they’ll likely need to serve more of them than ever before.

Find out how to ensure your clients’ remote workers are resilient against attacks across networks in this informative conversation between ChannelE2E and MSSP Alert editor Joe Panettieri and his guest Jonathan Barnett. In addition to being a network security expert and senior product manager for Webroot’s DNS solution, Barnett brings 20 years of experience as the head of his own MSP business to the podcast.

Here’s what he has to say about ensuring a cyber resilient remote workforce.

5 Tips to get Better Efficacy out of Your IT Security Stack

If you’re an admin, service provider, security executive, or are otherwise affiliated with the world of IT solutions, then you know that one of the biggest challenges to overcome is efficacy. Especially in terms of cybersecurity, efficacy is something of an amorphous term; everyone wants it to be better, but what exactly does that mean? And how do you properly measure it? After all, if a security product is effective, then that means few or no cyberattacks should be getting through the lines of defense to the actual infrastructure. Yet, faced with modern cyber threats, that seems like a pretty impossible goal, particularly as many attacks are designed to operate under the radar, evading detection for weeks or months at a time.

As a result, many businesses and managed service providers may try to account for their efficacy needs in the tools that they choose, vetting the solutions with the highest reviews and the best third-party testing scores. But the tools aren’t everything. What else can you do?

Here are our top 5 tips for getting the best possible efficacy out of your IT security stack.

  1. Partner with solution vendors who can guide you to the right setup.
    Most small to medium-sized businesses and many MSPs just don’t have the resources to keep dedicated security experts on staff. That’s not a problem, per se, but it does mean you might have to do some extra legwork when selecting your vendor partners. For example, it’s important to take a hard look at the true value of a solution; if it requires costly or time-consuming training to attain a skill level high enough to get maximum value from the product, then the cost-benefit ratio is much different than it initially appears. Be sure to choose vendors who provide the type of guidance, support, and enablement resources you need; who can and will advise you on how best to configure your cybersecurity and backup and disaster recovery systems; and who are invested in helping you ensure maximum return on the investment you and your customers are making in these solutions.

  2. Trust your tools, but make sure you’re using them wisely.
    According to George Anderson, director of product marketing for Carbonite + Webroot, OpenText companies, many of the tools IT admins already use are extremely effective, “as long as they’re being used properly,” he cautions. “For example, Webroot® Business Endpoint Protection includes powerful shielding capabilities, like the Foreign Code Shield and the Evasion Shield, but these are off by default, so they don’t accidentally block a legitimate custom script an admin has written. You have to turn these shields on and configure them for your environment to see the benefits; many people may not realize that. But that’d be one simple way admins could majorly improve efficacy; just check out all your tools and make sure you’re using them to their fullest capacity.”

  3. Consider whether EDR/MDR/ADR is right for you.
    If you’re not already using one of the solutions these acronyms stand for, you’ve likely heard of them. Endpoint detection and response has a lot of hype around it, but that’s no reason to discount it out of hand as just another industry buzzword. It’s just important to demystify it a little so you can decide what kind of solution is right for your needs. Read more about the key differences here. Keep in mind, there’s often a high level of involvement required to get the most out of the additional information EDR provides. “It’s really more of a stepping stone to MDR for most MSPs,” per George Anderson. “Webroot Business Endpoint Protection actually provides all the EDR telemetry data an MDR solution needs, so I don’t recommend EDR alone; it should be used with an MDR or SIM/SIEM solution.”

  4. Lock down common security gaps.
    Some of the easiest ways to infiltrate an organization’s network are also the easiest security gaps to close. Disable remote desktop protocol (RDP). If you really need these kinds of capabilities, change the necessary credentials regularly and/or use a broker for remote desktop or terminal services. Use hardened internal and external DNS servers by applying Domain Name System Security Extensions (DNSSEC), along with registry locking domains; looking at certificate validation; and implementing email authentication like DMARC, SPF and DKIM. Be sure to disable macros and local admin privileges, as well as any applications that are not in use. And, of course, run regular patches and updates so malicious actors can’t just saunter into your network through an old plugin. These are all basic items that are often overlooked, but by taking these steps, you can drastically reduce your attack surfaces.

  5. Train your end users to avoid security risks.
    Phishing and business email compromise are still top security concerns, but they’re surprisingly preventable at the end user level. According to the 2021 Webroot BrightCloud® Threat Report, regular phishing simulations and security awareness training can reduce phishing click-through by as much as 72%. Such a significant reduction will absolutely improve the overall efficacy of your security program, and it doesn’t impose much in the way of administrative burden. The secret to successful cyber-awareness training for end users is consistency; using relevant, high-quality micro-learning courses (max of 10 minutes) and regular phishing simulations can help you improve your security posture, as well as measure and report the results of your efforts.

All in all, these tips are simple, but they can make all the difference, especially if you have big efficacy goals to meet on a lean budget.

For more industry tips and tricks and product-related news, follow @webroot and @carbonite on Twitter and LinkedIn.

How Cryptocurrency and Cybercrime Trends Influence One Another

Typically, when cryptocurrency values change, one would expect to see changes in crypto-related cybercrime. In particular, trends in Bitcoin values tend to be the bellwether you can use to predict how other currencies’ values will shift, and there are usually corresponding shifts in crypto-based crime, such as ransomware, though it’s not necessarily the kind of change you might predict.

According to Tyler Moffitt, senior threat researcher and resident crypto expert, “whatever Bitcoin does, the altcoins are going to follow. When [Bitcoin] crashes, the rest crash.” But that doesn’t necessarily mean you’ll see big spikes in ransomware or cryptojacking. In fact, Moffitt states, because Bitcoin is known for being fairly volatile, it can undermine any direct effect on, say, the amount demanded in a ransomware scheme. It’s very possible for a Bitcoin ransom to lose value over time due to market flux, making it less profitable than it might otherwise appear.

So, what’s the real story? As we see cryptocurrency values rise and fall, how should we interpret shifts in the threats we can expect to see? Is it safe for ordinary folks to try to get into the crypto market, or does that just give malicious actors another method to scam and steal from you?

Get answers to these questions and more in this informative Hacker Files podcast with Joe Panettieri, in which he and Tyler Moffitt discuss the ins and outs of crypto, what the market looks like, how it actually affects cybercrime, and what everyone from crypto novices to big-time enthusiasts needs to know.