Poor cybersecurity practices complicated recovery from the Arizona Beverages ransomware attack.

What appears to have been a targeted ransomware attack knocked over 200 networked computers and servers offline at Arizona Beverages, one of the largest beverage suppliers in the U.S., TechCrunch reports. The attack, which the company was still struggling to recover from two weeks later, halted sales operations for days, allegedly costing the company millions of dollars.

Arizona Beverages ransomware attack yet another lesson in what not to do

The ransomware that hit Arizona Beverages is believed to be iEncrypt, a form of ransomware that is used in targeted attacks. A few weeks before the iEncrypt attack hit, the FBI contacted Arizona Beverages to warn them that they had been compromised by another form of malware called Dridex, which leverages Microsoft Office macros and is usually delivered through phishing emailsphishing emails. The Dridex infection may very well have opened the door to the iEncrypt attack, possibly by stealing login credentials.

An anonymous source told TechCrunch that the Dridex infection had been ongoing for “at least a couple of months” at the time the FBI contacted Arizona Beverages. The same source remarked to TechCrunch that they were surprised something like this hadn’t happened sooner, given the company’s poor cybersecurity posture. This included servers that relied on on legacy versions of Windows that are so old, they’re no longer supported. These installations hadn’t been updated with security patches for “years.”

In addition to servers and computers, the iEncrypt ransomware locked down Arizona Beverages’ email server, leaving the company unable to process customer orders. The fun didn’t stop there. When internal IT staff attempted to restore the company’s network from backups, they discovered that they couldn’t – because the backups hadn’t been configured properly. Staff members scrambled for days to get the backups to work before, TechCrunch’s source said, “they started throwing money at the problem” and brought in a third-party vendor.

In addition to millions of dollars in lost sales, Arizona Beverages has allegedly spent “hundreds of thousands” more on new hardware, new software, paying the vendor to clean up the problem, and rebuilding its entire network. As of the publication of the TechCrunch article, the company was reportedly 60% restored.

Targeted ransomware attacks on the rise

Although there has been a drop in the overall number of ransomware attacks over the past year, attacks are becoming more sophisticated and targeted. Meanwhile, the bar for launching a complex attack has been significantly lowered by the proliferation of ransomware-as-a-service, which allows just about anyone to launch an attack regardless of technical ability.

The iEncrypt malware that hit Arizona Beverages uses the victimized company’s name as a file extension and also mentions it in the ransom note. It’s a very new strain of ransomware, discovered in November 2018, and its behavior is unpredictable. One thing is certain; once an infection hits, it is especially difficult to remove because the malware impersonates legitimate files.

What would happen if sales at your company halted for a week?

This is the question every company needs to be asking itself right now. Arizona Beverages lost millions of dollars because it literally couldn’t process customer orders for several days; this was on top of cleanup costs. As a very large company, Arizona Beverages could take this sort of financial hit. Many small companies aren’t so fortunate. Around the same time the Arizona Beverages ransomware attack hit the news, a small Michigan medical practice permanently closed after a ransomware attack destroyed their electronic health records system.

The Arizona Beverages ransomware attack may not have happened in the first place if the company had not been relying on old, unpatched, unsupported versions of Windows. When it did occur, the company should have been able to restore from a backup. Not having properly configured network backups is inexcusable. In addition to being able to restore systems after a cyberattack, backups allow companies to recover from events such as vandalism and natural disasters.

Arizona Beverages’ poor handling of the basics beg the question of what else was wrong with their internal cybersecurity. Was the Dridex infection properly mitigated? Why didn’t the company find out about it until they were contacted by the FBI? Whatever happened, it would have been far less expensive and disruptive for Arizona Beverages to have implemented proactive cybersecurity measures instead of throwing money at a problem after it happened.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance.

NIST SP 800-177 Rev. 1 was written with federal email security in mind, but SMBs can also use the guidance to secure their email systems.

Email breaches can be just as destructive to organizations as customer data breaches; just ask Sony Pictures and the Democratic National Committee. A breach of a federal government agency’s email system may not just be embarrassing or scandalous to the agency; it could put national security at risk. To help agencies protect sensitive and classified information from being stolen in an email hack, the National Institute of Standards and Technology (NIST) has released a finalized revision of SP 800-177 (Revision 1).

Titled Trustworthy Email, the framework outlines best practices for federal email security and updates the minimum standards for FISMA compliance. SP 800-177 complements SP 800-45, which was published in 2007, by providing more up-to-date email security recommendations and guidance, including guidelines regarding digital signatures and encryption (via S/MIME), minimizing unwanted email (spam), and other aspects of email system deployment and configuration. It also includes an appendix with an overlay of the NIST SP 800-53 Rev. 4 controls and a detailed description of how email systems can comply with the applicable controls.

While SP 800-177 was designed specifically for federal agencies, NIST notes that small and medium-sized business in the private sector can benefit from using the same email security best practices to protect confidential business information.

Federal Email Security: Beyond SMTP

The internet’s underlying core email protocol, Simple Mail Transport Protocol (SMTP), was first developed in 1982, when email security was not a consideration. SP 800-177 recommends the continued use of SMTP, along with the existing Domain Name System (DNS), but notes that the protocols are increasingly vulnerable to a wide range of cyber threats, including man-in-the-middle content modification and cyber spying. Federal agencies must implement proactive safeguards such as spoofing protection, integrity protection, encryption, and authentication to ensure that their email systems are sufficiently secure for use in government, financial, and medical communications.

The publication describes best practices for authenticating a sending domain and ensuring email transmission and content security using the Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM), the Domain based Message Authentication Reporting and Conformance (DMARC) protocol, and the Transport Layer Protocol (TLS). It also recommends using Secure Multipurpose Internet Mail Extensions (S/MIME) for email communications that require end-to-end authentication and confidentiality.

SP 800-177 also outlines best practices for protecting against common email security threats impacting the integrity, availability, and confidentiality of email systems, including email spoofing and forging, phishing and spear phishing, eavesdropping and traffic analysis attacks, content modification of emails in transit, email bombing attacks, and spam.

NIST points out in SP 800-177 that securing an email system is far more complex than securing a website, and there is no magic bullet for email security. Different federal agencies will have different needs, data environments, and risk levels. However, with nation-state hackers funded by foreign governments increasingly targeting federal agencies and government contractors, it is crucial to national security to ensure that sensitive and classified government email communications remain confidential.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance.

Hybrid cloud security survey shows that most organizations are implementing hybrid clouds far faster than their security teams can manage them.

For many organizations, particularly those in highly regulated industries such as healthcare, hybrid cloud environments offer the best of both worlds. Companies get to enjoy the easy scalability and other benefits of AWS, Microsoft Azure, or Google Cloud while isolating their critical workloads and sensitive data in a private cloud that they have complete control over.

At least, that’s the theory. As it turns out, not all clouds have a silver lining. Firemon’s State of Hybrid Cloud Security Survey, which polled over 400 security practitioners, revealed a severe disconnect between hybrid cloud adoption and hybrid cloud security. Among the findings:

• Most organizations are running multiple disparate cloud systems, which greatly increases complexity. Half of organizations deploy at least two different cloud environments (multicloud), and 40% have hybrid cloud deployments. Further, 39% use Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS) models concurrently.
• Despite this complexity, many organizations expect non-security personnel to handle public and hybrid cloud security. 56% of respondents reported that cloud security was handled by network security, security operations, or security compliance teams. The rest of the time, the responsibility is placed on IT/cloud teams, application owners, or other teams outside the security organization.
• Security personnel lack the resources to keep up. 60% of respondents indicated that their organizations’ cloud initiatives were outpacing their ability to secure them. This isn’t surprising, given that 57.5% indicated that less than 1/4 of their security budget was dedicated to cloud security, and 52% reported that their security teams consisted of 10 or fewer members. Only 28% have network security tools that work across multiple environments to secure their hybrid clouds.
• In many cases, DevOps and security teams are siloed, further impeding cloud security.7% of respondents reported being part of their organizations’ DevOps team as part of the DevSecOps trend, but 30% indicated their relationship with DevOps was either complicated, contentious, not worth mentioning, or non-existent.

Hybrid cloud security issues are challenging, but not insurmountable

Like public clouds, hybrid cloud environments are not inherently less secure than on-prem infrastructures, but hybrid clouds are complex, requiring expertise with APIs and network configurations that many traditional system administrators are unfamiliar with. While the technical specifics of securing a hybrid cloud environment will vary, certain best practices apply in all environments.

Eliminate organizational silos and give security a seat at the table. Cyber security should be the primary concern when deploying a hybrid cloud environment, not an afterthought. Security teams must be involved every step of the way.

Don’t forget compliance concerns. Compliance is tricky in a hybrid cloud environment. You must understand the differences in compliance responsibility in each environment; be able to demonstrate that both your private cloud and your public cloud meet applicable compliance mandates; ensure that any data moving between the two clouds is protected in transit; and establish safeguards that prevent sensitive data from being moved from compliant storage on a private cloud into non-compliant storage on a public cloud. Most AWS breaches are due to sensitive data being uploaded onto improperly configured AWS buckets.

Establish consistent risk management processes throughout the hybrid cloud environment. While some processes will have to be different, keep things as consistent as possible to reduce complexity. For example, the principle of least privilege applies in both environments; ensure that your employees do not have more privileges in one environment than they do in the other.

Seek help from cyber security professionals with expertise in hybrid cloud security. Both the cloud computing and cyber security domains are suffering from a significant skills shortage that is projected to persist into the foreseeable future. Pawning off the responsibility to staffers who lack security expertise only sets your company up for a cyberattack. Organizations that do not have sufficient staff in-house to ensure hybrid cloud security need to seek outside help.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance.