These cities have a common foe.
Albany, New York; Baltimore, Maryland; Orange County, N.C.; Sammamish, Wash; Atlanta, GA
They have all been subject to Ransomware attacks in the past 12 months. The most recent victim being Baltimore, MD which has been the target of ransomware twice in the past year. According to the 2019 Verizon Data Breach Investigations Report, Ransomware remains a major threat and is the second most common type of malware reported.
Why do cities seem to be the new preferred target of ransomware attacks? I believe there are two reasons.
- Lack of adequate resources to secure their infrastructure
- Criticality of services being offered make them more likely to pay the ransom
What do most, if not all, of these attacks have in common? They all start on an endpoint of some kind: a PC, laptop, server, mobile device, etc. These endpoints, and the users who operate them, are vulnerable to many types of attack that can lead to a ransomware infection, such as phishing.
Phishing e-mails are still one of the most effective ways that hackers deliver their payloads. Hackers bank on the fact that enough people will take the bait and click a malicious link or open a compromised attachment.
Dr. Zinaida Benenson conducted two studies about mock phishing attacks, and the results were surprising. Her studies, conducted at Friedrich-Alexander University (FAU) of Erlangen-Nuremberg, Germany and presented at Black Hat USA 2016, revealed that users are even more vulnerable to phishing attacks than we thought.
20 percent said they clicked the link in the e-mail, but 45 percent actually clicked
According to her study “Exploiting Curiosity and Context – How to make people click on a dangerous link in spite of their security awareness”, 78 percent of participants stated in a questionnaire that they were aware of the risks of unknown links. However, users are not always careful—or honest—about exposing their systems to the threats hidden in these links. Among the first group tested with a mock phishing email, 20 percent said they clicked the link in the e-mail, but 45 percent actually clicked. Among the second group tested, 16 percent said they clicked the link in the e-mail, but 25 percent actually clicked. In both cases, a higher percentage of users actually clicked than the percentage who admitted doing so.
How do we get from a phishing attack to a compromised endpoint?
One compromised endpoint in your environment can give hackers access to your most critical assets if the initial attack is not detected. For example, in Windows environments, hackers like to compromise an endpoint, look for super-user password hashes, and then move laterally in the environment trying to find the company’s most critical systems and cripple them. This is commonly known as a “Pass-the-Hash” attack. (See: Pass the Hash definition).
How can cities stop the bleeding? One effective solution would be to remove local admin rights from these endpoints. Over 75 percent of cyber-attacks occur because of privilege misuse.
Here’s a good read: How to remove admin rights without reducing productivity
By removing local admin and using an application control solution such as Privilege Manager which can utilize application whitelists and greylists, and along with real-time reputation checking can greatly reduce the attack surface and stop ransomware before it can do any damage. Privilege Manager also can manage the local admin accounts on endpoints which protects them from lateral movement.
There are no silver bullets in cyber security, but cities with tight budgets should look at tools such as Privilege Manager, which can be deployed on premise or in the cloud to greatly reduce, if not eliminate the threat of ransomware. Having solid backups is probably a good idea as well.
*** This is a Security Bloggers Network syndicated blog from Thycotic authored by Terence Jackson. Read the original post at: http://feedproxy.google.com/~r/Thycotic/~3/RwgDgzaSB_g/