#ITPro in a DevOps world, Sr. Site Reliability Eng. @ MSFT. Montanan at ❤️! My tweets are my own & not a reflection of my employer. They are happy about that 👍

Using DR to Protect Against Ransomware


While 2020 will surely be remembered as the year of the pandemic, it’s quite possible that 2021 will be remembered as the year of ransomware too. Ransomware attacks seem to be running amok through 2021, with new incidents reported almost daily. Ransomware is a type of malware that blocks access to a company’s files until a ransom is paid: it typically encrypts the files, rendering them inaccessible until the ransom is paid and the attacker delivers a key that can decrypt them. Ransomware attacks are often spread using a Trojan disguised as a legitimate file that a user is tricked into running from an email attachment or website.

Following hot on the heels of the infamous east coast Colonial Pipeline and JBS Meatpacking ransomware attacks, a Kaseya software supply chain attack over the 4th of July weekend hit up to 1,500 companies. Kaseya has an international headquarters in Dublin, Ireland, and the company’s US headquarters is in Miami, Florida. The latest Kaseya attack is notable because Kaseya supports Managed Service Providers (MSPs), who in turn support many small and medium-sized businesses.

Kaseya provides a unified remote monitoring and management tool called VSA that enables MSPs to manage the IT for remote businesses making it a central part of a wider software supply chain. Kaseya reported that approximately 60 of its VSA customers were compromised. Those customers supply IT management services to other businesses and they passed the malware on to approximately 1,500 other organizations. Security experts believe the attack was triggered by an authentication bypass vulnerability in the Kaseya VSA web interface which allowed the attackers to circumvent authentication controls. This allowed them to establish an authenticated session in order to upload malicious software and execute commands.

The ransomware group REvil claimed responsibility for the attack and initially demanded a $70 million payment in Bitcoin for a “universal” decryption tool. At this point, Kaseya has not stated whether they will pay the ransom or not. Somewhat ironically, the offer of a universal tool reflects the problem REvil would have in needing to separately negotiate with 1,500 different potential victims.

In a July 5th statement Kaseya said that a fix to prevent this attack has been developed. They have also released a new, free compromise detection tool that customers can use to check networks and computers. However, for many of the companies that have been hit, it’s time to dust off the disaster recovery (DR) plans.

Protecting Against Ransomware with Planning and DR

While you could just pay the ransom, and in many cases that will work, there’s no guarantee that your files and services will be restored. Plus, there’s nothing to stop the attacks from happening again. DR is one of the essential pillars of protection that can help your company avoid and recover from ransomware attacks. Effective protection from ransomware requires:

  • User education – While ransomware can be introduced in a number of different ways, end users are the most common cause of ransomware infections. Users need to be educated about the dangers of clicking on malicious links in email or compromised websites, as well as the signs for recognizing suspicious items.
  • Software updates – In this age of cyberattacks, keeping up with software security updates is absolutely essential. In the case of the Kaseya attack, REvil is thought to have exploited a known vulnerability in VSA that Kaseya intended to patch but hadn’t done so yet.
  • Protect your identities and permissions – If possible, use multifactor authentication (MFA) for your administrative accounts, and take advantage of the principle of least privilege and Role-Based Access Control (RBAC) to limit permissions in order to prevent lateral movement of malware across your network.
  • Use network segregation – Take advantage of Software Defined Networking (SDN) or micro-segmentation to limit unrestricted traffic flow across your network.
  • Use air-gapped backups – Some types of ransomware are capable of selectively targeting backups. Offline backups that cannot be directly accessed from your primary network are among your best protections against a ransomware attack, as they can be used to restore your systems to a state captured before any corruption occurred. Your air-gapped backup should employ a separate authentication method to further limit the possibility of corruption.
  • Have a tested DR plan – A working and tested DR plan is the final safeguard against a ransomware attack. A ransomware attack can take down your essential business workloads and services every bit as effectively as a natural disaster or system failure. An isolated recovery environment can help ensure that you get pristine copies of your systems back online with no further corruption. A tested DR plan ensures that you have an effective method to restore your essential services, even if those systems have been compromised by ransomware.
jshoq
3 days ago
Take to heart the lessons learned in this and other attacks and breaches. Spending the proper time and money on securing and protecting your digital assets while making them available to your employees in any situation is the key to a good Business Continuity plan. Today, these plans are not just about natural or man-made disasters that take out hardware. They need to treat your assets, the information that makes your company run, as the keys to the world they are. Build up plans for small and large possible losses and attacks.
JS
Seattle, WA

The best email client for Linux, Windows and macOS isn't Outlook

In businesses and homes, email is still a necessity for communication. But which email client is the best to use? You might be surprised to find out that it's not Microsoft Outlook.
jshoq
6 days ago
Wow. I think Jack is stuck in the stone age personally. IMAP is not the protocol to make all of our worlds easier for email management. I have had so many issues with IMAP mail connections getting out of sync and messing up mailboxes to the point of non-recovery. I admit I have not looked at Thunderbird's modern version but I remember running Thunderbird and it was not the easiest thing to run and manage. That's just my opinion. YMMV
JS
Seattle, WA

Don’t Wanna Pay Ransom Gangs? Test Your Backups.


Browse the comments on virtually any story about a ransomware attack and you will almost surely encounter the view that the victim organization could have avoided paying their extortionists if only they’d had proper data backups. But the ugly truth is there are many non-obvious reasons why victims end up paying even when they have done nearly everything right from a data backup perspective.

This story isn’t about what organizations do in response to cybercriminals holding their data for hostage, which has become something of a best practice among most of the top ransomware crime groups today. Rather, it’s about why victims still pay for a key needed to decrypt their systems even when they have the means to restore everything from backups on their own.

Experts say the biggest reason ransomware targets and/or their insurance providers still pay when they already have reliable backups is that nobody at the victim organization bothered to test in advance how long this data restoration process might take.

“In a lot of cases, companies do have backups, but they never actually tried to restore their network from backups before, so they have no idea how long it’s going to take,” said Fabian Wosar, chief technology officer at Emsisoft. “Suddenly the victim notices they have a couple of petabytes of data to restore over the Internet, and they realize that even with their fast connections it’s going to take three months to download all these backup files. A lot of IT teams never actually make even a back-of-the-napkin calculation of how long it would take them to restore from a data rate perspective.”

Wosar said the next most-common scenario involves victims that have off-site, encrypted backups of their data but discover that the digital key needed to decrypt their backups was stored on the same local file-sharing network that got encrypted by the ransomware.

The third most-common impediment to victim organizations being able to rely on their backups is that the ransomware purveyors manage to corrupt the backups as well.

“That is still somewhat rare,” Wosar said. “It does happen but it’s more the exception than the rule. Unfortunately, it is still quite common to end up having backups in some form and one of these three reasons prevents them from being useful.”

Bill Siegel, CEO and co-founder of Coveware, a company that negotiates ransomware payments for victims, said most companies that pay either don’t have properly configured backups, or they haven’t tested their resiliency or the ability to recover their backups against the ransomware scenario.

“It can be [that they] have 50 petabytes of backups … but it’s in a … facility 30 miles away.… And then they start [restoring over a copper wire from those remote backups] and it’s going really slow … and someone pulls out a calculator and realizes it’s going to take 69 years [to restore what they need],” Siegel told Kim Zetter, a veteran Wired reporter who recently launched a cybersecurity newsletter on Substack.

“Or there’s lots of software applications that you actually use to do a restore, and some of these applications are in your network [that got] encrypted,” Siegel continued. “So you’re like, ‘Oh great. We have backups, the data is there, but the application to actually do the restoration is encrypted.’ So there’s all these little things that can trip you up, that prevent you from doing a restore when you don’t practice.”

Wosar said all organizations need to both test their backups and develop a plan for prioritizing the restoration of critical systems needed to rebuild their network.

“In a lot of cases, companies don’t even know their various network dependencies, and so they don’t know in which order they should restore systems,” he said. “They don’t know in advance, ‘Hey if we get hit and everything goes down, these are the services and systems that are priorities for basic network that we can build off of.'”

Wosar said it’s essential that organizations drill their breach response plans in periodic tabletop exercises, and that it is in these exercises that companies can start to refine their plans. For example, he said, if the organization has physical access to their remote backup data center, it might make more sense to develop processes for physically shipping the backups to the restoration location.

“Many victims see themselves confronted with having to rebuild their network in a way they didn’t anticipate. And that’s usually not the best time to have to come up with these sorts of plans. That’s why tabletop exercises are incredibly important. We recommend creating an entire playbook so you know what you need to do to recover from a ransomware attack.”
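The "back-of-the-napkin calculation" Wosar and Siegel describe above is easy to automate once you have an inventory of what needs restoring, how big it is, what it depends on, and what link the restore actually runs over. The following is an added example, not code from the article or from Emsisoft or Coveware; the system names, sizes, link speeds and the 0.7 link-efficiency factor are constructed planning inputs, and the dependency ordering is the kind of "which order do we restore" list Wosar says most companies never write down.

```python
"""Back-of-the-napkin restore-time planning for backup/DR drills.

Added example (not from the article or the companies quoted in it).
All sizes, link speeds and system names below are constructed.
"""
from dataclasses import dataclass

GiB = 1024 ** 3
TiB = 1024 ** 4


@dataclass(frozen=True)
class RestoreJob:
    name: str
    size_bytes: int
    priority: int            # lower number restores first
    depends_on: tuple = ()   # systems that must be up before this one


def transfer_seconds(size_bytes, link_bps, efficiency=0.7):
    """Seconds to pull size_bytes over a link rated at link_bps (bits/s).

    efficiency is the assumed fraction of nominal bandwidth actually achieved
    (protocol overhead, contention, rehydrating deduplicated backups); 0.7 is
    a planning guess, so measure it in a drill and replace it.
    """
    if link_bps <= 0 or not 0 < efficiency <= 1:
        raise ValueError("link_bps must be positive and 0 < efficiency <= 1")
    return size_bytes * 8 / (link_bps * efficiency)


def restore_order(jobs):
    """Order systems so dependencies restore first, then by priority.

    Raises ValueError on an unknown dependency or a dependency cycle, which
    are exactly the surprises a tabletop exercise is meant to surface.
    """
    known = {j.name for j in jobs}
    for j in jobs:
        missing = set(j.depends_on) - known
        if missing:
            raise ValueError(f"{j.name} depends on unlisted system(s): {sorted(missing)}")
    remaining = sorted(jobs, key=lambda j: j.priority)  # stable: ties keep input order
    done, order = set(), []
    while remaining:
        ready = [j for j in remaining if set(j.depends_on) <= done]
        if not ready:
            raise ValueError("dependency cycle among: " + ", ".join(j.name for j in remaining))
        nxt = ready[0]  # highest-priority system whose dependencies are already restored
        order.append(nxt)
        done.add(nxt.name)
        remaining.remove(nxt)
    return order


def restore_timeline(jobs, link_bps, efficiency=0.7):
    """Serial restore over one link: list of (system, cumulative hours to completion)."""
    elapsed, timeline = 0.0, []
    for j in restore_order(jobs):
        elapsed += transfer_seconds(j.size_bytes, link_bps, efficiency) / 3600
        timeline.append((j.name, round(elapsed, 1)))
    return timeline


def misses_rto(jobs, link_bps, rto_hours, efficiency=0.7):
    """Names of systems that would come back after the recovery time objective."""
    return [name for name, hours in restore_timeline(jobs, link_bps, efficiency)
            if hours > rto_hours]


# Constructed sample inventory for the demo (not real systems)
SAMPLE_SYSTEMS = [
    RestoreJob("domain-controllers", 200 * GiB, priority=1),
    RestoreJob("backup-catalog", 50 * GiB, priority=1),
    RestoreJob("file-servers", 40 * TiB, priority=3, depends_on=("domain-controllers",)),
    RestoreJob("erp-db", 8 * TiB, priority=2, depends_on=("domain-controllers", "backup-catalog")),
]

if __name__ == "__main__":
    for link in (1e9, 10e9):  # a 1 Gbps and a 10 Gbps link to the off-site backups
        print(f"--- {link / 1e9:.0f} Gbps link ---")
        for name, hours in restore_timeline(SAMPLE_SYSTEMS, link):
            print(f"{name:20s} done after {hours:7.1f} h ({hours / 24:.1f} days)")
        print("misses 24h RTO:", misses_rto(SAMPLE_SYSTEMS, link, rto_hours=24))
```

With the constructed numbers, the same 48 TB inventory finishes in under a day over 10 Gbps but takes about a week over 1 Gbps, which is the kind of gap that only shows up when someone does the arithmetic before the incident. The backup catalog is deliberately listed as a priority-1 system to reflect Siegel's point that the restore application itself has to be available before anything else can be restored.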

jshoq
7 days ago
This seems like a "no brainer" but how many companies do not test their backups or their "Business Continuity" systems in general. Take the time to switch your primary systems over to your backups and know what problems could occur if you have to use them in a real situation. Another great aspect of changing them on a regular basis is that you can use the "downtime" to do maintenance on those primary systems or just switch between them on a monthly basis.
JS
Seattle, WA
MotherHydra
7 days ago
If only it were that simple. Downtime is hard to come by for factories that rely on automation pieces and plant systems software. But I’d imagine if those aren’t in the mix testing failovers and the like are within the scope of business continuity divisions.
jshoq
7 days ago
I know it is not simple. Companies, not the IT Pros, need to invest in their business continuity. Yes, you can't have two big automation/machine systems, but they should invest in some way to build out and test their Business Continuity systems. This could be where "Digital Twins" can be helpful, depending on good configurations.

5 Reasons Software License Tracking Hardens Your Organization

Software license tracking is important for compliance, but it can also help make your organization more secure.

jshoq
17 days ago
Configuration Management and its database (CMDB) is critical for supporting all aspects of Information Technology. It is critical to do the best implementations to have the best information possible. Seeing how it can help you with security management is just another reason to have an updated and current CMDB.
JS
Seattle, WA

Privileged Identity Management with Azure Lighthouse enables Zero Trust


Recent incidents from ransomware to supply chain compromises have shown both the interconnectedness of our digital world and the critical need to secure these digital assets from attackers, criminals, and other hostile third parties. To achieve this, our customers need Zero Trust security and least privilege access for users and resources. This becomes even more important in the context of a customer’s partners who may require continuous access to a customer’s environment to provide management and support services.

As organizations migrate to the cloud and engage service providers (internal or external) to manage Azure Infrastructure to run business and mission-critical workloads, it is imperative that we continue to secure cloud and hybrid footprints. Partners have been working closely with Azure and Microsoft to keep up to date with the latest guidance and services that Microsoft offers to ensure customer security as well as achieve a zero-trust security strategy, including enforcing least-privileged access for all parties across cloud and hybrid environments.

To serve both our customers and their partners, Microsoft has invested deeply in Azure Lighthouse. Azure Lighthouse makes it easier for service providers to automate their management of customer infrastructure. At the same time, it provides fine-grained access control that places the customer in charge of which resources are available to which service providers. With Azure Lighthouse, customers can be confident that their exposure to security risks from integrating with partners is appropriately limited. John Tabako, Director of IT Infrastructure at PM Pediatrics, notes, “Moving to Azure through Azure Lighthouse was easy. We have peace of mind knowing [our service provider] can programmatically provision the right people at the right time with zero-touch provisioning.”

Today we are very excited to announce the latest iteration in our journey towards Zero Trust and least privilege access: The preview of Azure Active Directory Privileged Identity Management (Azure AD PIM) integration with Azure Lighthouse.

To understand how this integration enables least privilege access, consider the example of the company Contoso, which partners with a service provider to manage their network security. Contoso wants to make sure that this partner is following best practices around least privilege. In particular, Contoso doesn’t want the partner to have standing access to their resources. Instead, the partner should gain access only when it is necessary for them to perform some operation.

To achieve this, the service provider crafts their offer in Azure Lighthouse so that it requires their operators to elevate their access to a privileged role before they can work on Contoso’s network. This just-in-time (JIT) access only lasts for a limited period (up to eight hours), after which the access for that operator is automatically removed, and they go back to having read-only access to Contoso’s delegated resources. Additionally, Contoso can require that the service provider obey a defined set of policy options when authenticating, such as requiring multifactor authentication. These capabilities are free to Contoso as a customer because they are granted as part of the service provider’s tenant.

In addition to the peace of mind that JIT access provides for Contoso, there are benefits for the service provider as well. By limiting each operator’s access to just when it’s needed, the service provider can demonstrate clearly when operators had and (more importantly) did not have access to their customer’s resources using traceable Azure AD PIM audit logs that can be reviewed with the customer.

The great news for service providers that want to take advantage of these capabilities to deliver Zero Trust services for their customers is that creating an Azure AD PIM-enabled Azure Lighthouse offer is simple. After the customer accepts the offer, service provider users can activate an Azure role on the delegated scope through an intuitive portal experience. Only the eligible roles that have been assigned to that specific user can be activated, significantly reducing the risk of operator errors.

We’re thrilled that these capabilities are already demonstrating their value to Azure Lighthouse customers. James Brookbanks, from Microsoft partner rhipe, notes, "The integration of Azure AD PIM with just-in-time access controls through Azure Lighthouse is a tremendous value-add for our clients. We already had granular and secure access, but now we’re able to add security best practices of least-privilege principles, providing even more comfort and confidence for our clients."

Of course, these new security capabilities are only a part of our journey to make it easier for service providers to deliver reliable, secure, and automated services to Azure customers. The Azure Lighthouse team is hard at work on Azure Advisor recommendations to leverage Azure Lighthouse for cloud solutions provider subscriptions. We are also integrating the Azure AD PIM activity logs with the standard Azure Resource Manager (ARM) activity logs for a unified view of who did what when. And for those of you who prefer Azure CLI-based integration, we will soon be delivering an onboarding experience for Lighthouse and Azure AD PIM integration through PowerShell and Azure CLI.

Learn more

New to Azure Lighthouse? Get started now by visiting the Azure Lighthouse website, learn how to use Azure Lighthouse with your managed service business on Microsoft Learn, and read the story of a Microsoft partner, Vandis, on how they’re leveraging Azure Lighthouse to scale their offerings to organizations.

If you are a service provider already using Azure Lighthouse, you can update your existing offers to include eligible authorizations with approvers using the marketplace managed services offers, or by updating your ARM templates. To learn more about Azure AD PIM, visit our website and check out the Azure Lighthouse and Azure AD PIM documentation.
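To make the Contoso scenario concrete, here is an added example (my code, not Microsoft's tooling) that builds and sanity-checks the properties of a Lighthouse registration definition in which the partner holds only standing Reader access and must activate Network Contributor just in time, with MFA, an approver, and a capped activation window. The field names follow the `eligibleAuthorizations` / `justInTimeAccessPolicy` schema documented for Microsoft.ManagedServices registration definitions; the tenant and principal GUIDs are placeholders, the built-in role definition IDs are the standard Azure values, and the "standing access must be read-only" rule is Contoso's policy from the scenario rather than a platform requirement.

```python
"""Build and validate an Azure Lighthouse eligible authorization (JIT via Azure AD PIM).

Added example; not Microsoft's code. Field names follow the documented
Microsoft.ManagedServices/registrationDefinitions schema; the tenant and
principal GUIDs are placeholders, not real identities.
"""
import json
import re

# Built-in Azure role definition IDs (identical in every tenant)
READER_ROLE = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
NETWORK_CONTRIBUTOR_ROLE = "4d97b98b-1d4f-4787-a291-c67834d212e7"
OWNER_ROLE = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"

# Placeholder GUIDs (constructed for the example)
PROVIDER_TENANT = "00000000-0000-0000-0000-000000000001"
NETOPS_GROUP = "00000000-0000-0000-0000-0000000000a1"
NETOPS_LEADS = "00000000-0000-0000-0000-0000000000b2"

_DURATION = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?$")


def duration_minutes(iso):
    """Parse the PT<h>H<m>M form of an ISO 8601 duration into minutes."""
    m = _DURATION.match(iso)
    if not m or (m.group(1) is None and m.group(2) is None):
        raise ValueError(f"unsupported duration: {iso!r}")
    return int(m.group(1) or 0) * 60 + int(m.group(2) or 0)


def eligible_authorization(principal_id, display_name, role_definition_id,
                           approvers, max_duration="PT8H", require_mfa=True):
    """One eligibleAuthorizations entry: a role the operator can activate but never holds.

    approvers: list of (principal_id, display_name) in the service provider's
    (managing) tenant who must approve each activation.
    """
    minutes = duration_minutes(max_duration)
    if not 30 <= minutes <= 8 * 60:  # Lighthouse allows PT30M up to PT8H
        raise ValueError("maximumActivationDuration must be between PT30M and PT8H")
    if role_definition_id == OWNER_ROLE:
        raise ValueError("Azure Lighthouse does not delegate the Owner role")
    if not approvers:
        raise ValueError("at least one approver is required so activation is not self-service")
    return {
        "principalId": principal_id,
        "principalIdDisplayName": display_name,
        "roleDefinitionId": role_definition_id,
        "justInTimeAccessPolicy": {
            "multiFactorAuthProvider": "Azure" if require_mfa else "None",
            "maximumActivationDuration": max_duration,
            "managedByTenantApprovers": [
                {"principalId": pid, "principalIdDisplayName": name} for pid, name in approvers
            ],
        },
    }


def registration_definition(managed_by_tenant_id, name, standing, eligible):
    """The properties block of a Microsoft.ManagedServices/registrationDefinitions resource."""
    for auth in standing:
        # Contoso's policy in the scenario: no standing write access, only Reader
        if auth["roleDefinitionId"] != READER_ROLE:
            raise ValueError(f"standing access must be read-only, got {auth['roleDefinitionId']}")
    return {
        "registrationDefinitionName": name,
        "description": "Network security management with just-in-time elevation",
        "managedByTenantId": managed_by_tenant_id,
        "authorizations": standing,
        "eligibleAuthorizations": eligible,
    }


def contoso_offer():
    """Standing Reader for the NetOps group; Network Contributor only via approved JIT activation."""
    standing = [{"principalId": NETOPS_GROUP, "principalIdDisplayName": "NetOps engineers",
                 "roleDefinitionId": READER_ROLE}]
    eligible = [eligible_authorization(NETOPS_GROUP, "NetOps engineers", NETWORK_CONTRIBUTOR_ROLE,
                                       approvers=[(NETOPS_LEADS, "NetOps leads")],
                                       max_duration="PT4H")]
    return registration_definition(PROVIDER_TENANT, "Contoso network security", standing, eligible)


if __name__ == "__main__":
    print(json.dumps(contoso_offer(), indent=2))
```

The validation captures the three controls the article highlights: the activation window is bounded (here four hours, inside the eight-hour ceiling), MFA is enforced through the policy rather than left to the operator, and an approver in the managing tenant has to sign off, which is what produces the PIM audit trail that can later be reviewed with the customer.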

Join us for a deeper look at Azure Lighthouse at Microsoft Inspire. Azure Lighthouse will be featured in two sessions:

jshoq
17 days ago
Spending time securing your environment is critical for keeping your data and systems safe and secure. This helps allow the use of external partners to help you manage and operate your systems. Review the capabilities and look at configuring it in your own environment.
JS
Seattle, WA

Apps for everyone: updates to Power Apps pricing and licensing

This week we’re wrapping up our fiscal year, a year of unprecedented growth for Power Apps. It’s a good moment to reflect on how far we’ve come together as a community and what it means to take the low code movement to the next, even larger scale. Today we announced on the official Microsoft Licensing blog that we’ll be making some changes to the price of Power Apps this Fall – reducing our prices for both the Per User and Per App plans and simplifying Per User in the process.
jshoq
22 days ago
I am super happy to hear this. I was not a fan of the Licensing prices for Power Platform systems set a while ago. The price change made a lot of customers rethink their strategy for Power Platform use. I hope this change makes it so that businesses rethink and use Power Platform systems.
JS
Seattle, WA