Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
6 Things To Know About the Ransomware That Hit Norsk Hydro
Threaded  |  Newest First  |  Oldest First
REISEN1955
100%
0%
REISEN1955,
User Rank: Ninja
3/28/2019 | 9:00:48 AM
Re: Pending Review
Disaster Recovery plan.  Business continuity.  Your six points do not address this one.  After September 11, and I am a survivor of the south tower so I know something of the subject, my manager became a certified expert in this area.  It is crucial that IT departments have a plan, test it and update it every six months.  It is crucial to have offsite, rotating backup media.  It is crucial to consider that at 2:30 am working on a data center restoration is a mental nightmare.  TEST the plan ensures that staff knows what they ARE doing.  Our data tapes for Aon went offsite on September 10 and thus we had our portion of the network up FAR faster than Risk services.  They were months recovering data.  Now the destruct of a data center is AS bad as ransomware if not worse if not addressed.  So once again plans gone bad and rebuild of everything seems the only process known.  I have said this a thousand times here. HAVE A PLAN, TEST AND UPDATE. 
sgreene02101
100%
0%
sgreene02101,
User Rank: Apprentice
3/28/2019 | 4:56:38 PM
Re: Pending Review
Second the off-site backup. Datto Box (cloud) might be one place to start. We do a "fire drill" every year - stress test UPS's, Restore servers from the cloud, restore desktops, restore NAS's Kill the power to the building to insure that the on-site generator kicks in and the auto cut-over operates nominally.

Desktops are backed up concurrently with timestamped histories

Same with servers.

It all goes out to the cloud.

We're a tiny little outfit. Others should try and do at least these things. Especially larger organizations.

I hope you all land on your feed at the firm. Good luck.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
3/30/2019 | 2:29:42 PM
Re: Pending Review
restore NAS's Kill the power to the building to insure that the on-site generator kicks in and the auto cut-over operates nominally. Yes. Testing the plan is important. Things do not go the way planned.
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
4/1/2019 | 3:43:26 PM
Re: Pending Review
Testing a plan has a real purpose beyond finding out what works and does not work.  These are critical of course but i will guarantee you that making such discoveries at 2:30 AM when nobody is thinking is FAR harder than finding out in the afternoon under a planned environment.  I'm not awake at that hour.  Nobody is.  And when you have real work to do make sure it is a known variable.  Because if it is not tested, then mistakes will happen and a recovery plan can destroy even more material than intended.   Or make it impossible even to recover.  At 2:30 am I am on a serious coffee burn!!!!
michaelmaloney
50%
50%
michaelmaloney,
User Rank: Apprentice
4/9/2019 | 3:13:41 AM
Different scales
It is essential to know that attacks do not often target finances alone. Sometimes their intention is just to destroy or at least slow down operations. This is basically the reason why we need to stop any potential attacks regardless of their individual scale before they can even hit.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
3/30/2019 | 2:24:10 PM
Re: Pending Review
Disaster Recovery plan. Business continuity. Your six points do not address this one. BC should play role in all incidents, most organizations do not have one unfortunately.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
3/30/2019 | 2:25:11 PM
Re: Pending Review
TEST the plan ensures that staff knows what they ARE doing This is a good advice. If it does not work when you need it it is too late.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
3/30/2019 | 2:27:07 PM
Re: Pending Review
I have said this a thousand times here. HAVE A PLAN, TEST AND UPDATE. That makes sense. Another important is to keep it updated.
California4
100%
0%
California4,
User Rank: Apprentice
3/28/2019 | 2:31:10 PM
More Definitive Security Required
Additionally, for critical industrial infrastructure we are finding success with a more effective application process and filesystem monitoring in conjunction with fileless attack protection and a full-scale memory defense.  
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
3/30/2019 | 2:28:08 PM
Re: More Definitive Security Required
fileless attack protection and a full-scale memory defense. It sounds like fileless attacks are becoming common. Good point.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
3/30/2019 | 2:14:13 PM
Ransomware
Ransomware-related events have declined 91% year over year and the number of new ransomware families in the marketplace has declines 32%, Some good news. May be we are becoming more carefull clicking the links anymore.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
3/30/2019 | 2:16:34 PM
consequence
"The consequence is that in many cases, the victim may not even be able to view the ransom note, let alone attempt to comply with any ransom demands," Interesting. What would be the purpose of attach in that case I wonder.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
3/30/2019 | 2:18:16 PM
re-imaging
The goal is "to further isolate the affected computer and to complicate recovery, necessitating direct local intervention." This beings up image to my mind. Less about recovery more about re-imaging.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
3/30/2019 | 2:20:25 PM
Copy files
"indicates the actors simply manually copy files from computer to computer," They would need network interface for that to work.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
3/30/2019 | 2:22:45 PM
AD
An example is where an attacker might have access to the Active Directory infrastructure Once you ave AD access you can even deploy ransomware to other part of the network.


COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15505
PUBLISHED: 2020-07-07
MobileIron Core and Connector before 10.3.0.4, 10.4.x before 10.4.0.4, 10.5.x before 10.5.1.1, 10.5.2.x before 10.5.2.1, and 10.6.x before 10.6.0.1, and Sentry before 9.7.3 and 9.8.x before 9.8.1, allow remote attackers to execute arbitrary code via unspecified vectors.
CVE-2020-15506
PUBLISHED: 2020-07-07
MobileIron Core and Connector before 10.3.0.4, 10.4.x before 10.4.0.4, 10.5.x before 10.5.1.1, 10.5.2.x before 10.5.2.1, and 10.6.x before 10.6.0.1 allow remote attackers to bypass authentication mechanisms via unspecified vectors.
CVE-2020-15507
PUBLISHED: 2020-07-07
MobileIron Core and Connector before 10.3.0.4, 10.4.x before 10.4.0.4, 10.5.x before 10.5.1.1, 10.5.2.x before 10.5.2.1, and 10.6.x before 10.6.0.1 allow remote attackers to read files on the system via unspecified vectors.
CVE-2020-15096
PUBLISHED: 2020-07-07
In Electron before versions 6.1.1, 7.2.4, 8.2.4, and 9.0.0-beta21, there is a context isolation bypass, meaning that code running in the main world context in the renderer can reach into the isolated Electron context and perform privileged actions. Apps using "contextIsolation" are affecte...
CVE-2020-4075
PUBLISHED: 2020-07-07
In Electron before versions 7.2.4, 8.2.4, and 9.0.0-beta21, arbitrary local file read is possible by defining unsafe window options on a child window opened via window.open. As a workaround, ensure you are calling `event.preventDefault()` on all new-window events where the `url` or `options` is not ...