This is a quick HSE Ransomware Update

At the time of recording, we’re just one day shy of it being 5 weeks since we learned of the devastating impact of the HSE ransomware incident. To all of those experts that were on TV, Radio, Newspapers and other online media who were saying “Just pay the ransom and we’ll get back up and running.”

Here we are 5 weeks later and they’re still not back up and running. That’s even with them getting the key to decrypt the data within 3 days of the incident. So even having the key, it’s taking them so much longer to recover.

Why is it taking so long?

This is because the HSE has huge, vast quantities of data that needs to be checked and made sure the integrity is perfect. Because you don’t want your health records to be damaged in anyway, do you? I certainly wouldn’t. So they have to be so very careful with getting the data back.

What hope does a small business owner have?

For smaller businesses, which is where more my focus would be, things can be a lot simpler. It can be a lot easier for you to be able to recover from these type of ransomware incidents, if you put in place a decent backup strategy. I am happy to talk to any small business owner that needs any kind of assistance in making sure they have good backups in place.

So that’s it for this week. Lets be careful out there and we’ll talk to you again next week.

The post #WeekendWisdom 083 HSE Ransomware Update appeared first on L2 Cyber Security Solutions Ltd..

My favourite subject – NOT!

I touched on this back in #WeekendWisdom number 043, but just this week I’ve seen some posts from IT people and I was also on a webinar this week where there was an IT person that claimed they have cybersecurity skills and they all implied that if you get hit with ransomware that if you just paid the ransom you will be back in business. If you hear somebody say that to you, do not believe them because it is completely false! It is totally wrong! They are lying to you!

What is the reality in dealing with Ransomware?

First of all if you do manage to pay the ransom and get your data back, it will take a long time to recover your data, to decrypt all that stuff that’s been encrypted.

But you might not get your data back at all after paying it. They might not give you the key.

Even if you do get your data back some of it may be corrupted. Particularly if you have large databases.

But even still, if you get the data back, you still have to go through an exercise of sanitizing your complete infrastructure to make sure you remove all traces of the ransomware and any other infections they may have left behind. Any kind of back doors.

A lot of time and effort will be required to recover from a ransomware incident.

What should you do?

So if some IT service person says to you “Ah yeah. Pay the ransom. You’ll be grand” They’re lying. Walk away from them. They haven’t a clue what they’re talking about.

What you really need to have in place folks, is have a good backup strategy which is tested. Also have in place incident handling procedures, which you again need to test. Having them in place will help you recover from such an incident much more quickly and easily.

So that’s it for this week. Lets be careful out there and we’ll talk to you again next week.

How can L2 Cyber Security help you?

We offer a full range of training programmes, which can be delivered online or in-person*.

L2 Cyber Security are also a partner of CyberRiskAware for online self-directed Cyber Security Awareness training and Phishing testing.

Contact us for more information at info@L2CyberSecurity.com.

*With appropriate social distancing and other health and safety measures adhered to.

Follow us on Social media:

Liam is available on Twitter, LinkedIn and Instagram.

Follow L2 Cyber on Twitter, LinkedIn, Instagram and Facebook.

© L2 Cyber Security Solutions

The post #WeekendWisdom 078 Dealing with Ransomware appeared first on L2 Cyber Security Solutions Ltd..

OK. Who wasn’t securing backup servers?

Earlier this week I was reading a story about a large Canadian second-hand car business which had a data breach involving some 260,000 users. What had happened was that they had a backup server that wasn’t appropriately secured. People were able to get onto that backup server and download the data of all these users.

Basically that business did not appropriately secure the backup server. Maybe they thought “It’s a backup server it doesn’t need that much protection.” But think about it. A backup server is going to have a lot of your production data.

So what does it need to set to?

So the backup server needs to have the same level of security if not more so than your primary servers. Make sure that they are properly secured.
Also with backups, I would also highly recommend having offline copies of the backups. Just in case that backup server ever gets damaged in any way by ransomware. So it’s important to back those up offline as well.

Is that all?

No. It’s not just backup servers that you need to take consideration of. Things like development servers or test servers. If you have some of those in your environment, they should have appropriate protections on there as well, because maybe they have some test data with actual personal data on them too. So ask your IT or your development team “Have you put appropriate protections in place on these servers?”

So that’s it for this week. Let’s be careful out there and we’ll talk to you again next week.

How can L2 Cyber Security help you?

For small business, we can carry out assessments on your server infrastructure and point out discrepancies on the security configurations.

We offer a full range of training programmes, which can be delivered online or in-person*.

L2 Cyber Security are also a partner of CyberRiskAware for online self-directed Cyber Security Awareness training and Phishing testing.

Contact us for more information at info@L2CyberSecurity.com.

*With appropriate social distancing and other health and safety measures adhered to.

Follow us on Social media:

Liam is available on Twitter, LinkedIn and Instagram.

Follow L2 Cyber on Twitter, LinkedIn, Instagram and Facebook.

© L2 Cyber Security Solutions

The post #WeekendWisdom 046 Securing Backup Servers appeared first on L2 Cyber Security Solutions Ltd..

What’s brought you back to your favourite topic?

Late last month, the city of Lafayette, in Colorado, USA, suffered a ransomware incident. Now some reporting on this incident indicated that they had paid the ransom because they did not want to go through cleaning up of their systems after the incident.

Lots of people do that, right? So everyone just gets on with paying the ransom.

However the statement on their own website was quite contradictory to that. Yes they did pay the ransom but that was because they hadn’t adequate backups. So they did a cost benefit analysis and the cost of rebuilding the data as opposed to recovering it through paying the ransom was quite substantial.

Did they do anything else?

But they also did a lot of other things right in that incident. The first thing they did was to hire a Digital Forensics expert whose job would be to come in and determine how the incident occurred in the first place so that they could prevent it from happening again and also to determine if any data was breached as result of the incident.

OK, but they still have dirty machines, right?

They also then were carrying out cleaning and rebuilding of all affected servers and computers which is really a good idea and I would insist on that.
Also they were looking to improve their backups, so that they would never be in that situation again. So while it’s regretful that they did have to pay the ransom, they’re in a better position now for the future.

What does Paying the Ransom fund?

When you pay the ransom, you are funding organised crime. You are paying criminals who not only do cyber crime, but also human trafficking, drug smuggling, gun running, child sexual abuse, terrorism, etc. So paying the ransom really should be avoided at all costs. Put in place proper preventative measures to stop it happening.

So that’s it for this week. Let’s be careful out there and we’ll talk to you again next week.

How can L2 Cyber Security help you?

We offer a full range of training programmes, which can be delivered online or in-person*. We show people the types of phishing emails that are sometimes used to execute #Ransomware, but more often than not they break into a network through poorly protected Remote Access solutions. So we can advise on how to protect your organisation from these types of risks.

L2 Cyber Security are also a partner of CyberRiskAware for online self-directed Cyber Security Awareness training and Phishing testing.

Contact us for more information at info@L2CyberSecurity.com.

*With appropriate social distancing and other health and safety measures adhered to.

Follow us on Social media:

Liam is available on Twitter, LinkedIn and Instagram.

Follow L2 Cyber on Twitter, LinkedIn, Instagram and Facebook.

© L2 Cyber Security Solutions

The post #WeekendWisdom 043 Paying The Ransom appeared first on L2 Cyber Security Solutions Ltd..

Why do you need data backups?

If you have any computers in your organisation then you will probably have data that you need to backup. Data backups are really crucial to be able to recover your data in case of an incident such as a fire, flood or ransomware.

I have somebody responsible for doing my backups

If you have an IT Department or IT service provider, I suggest that you challenge them to prove to you that they are backing up your data correctly and that the backups are working. That could be getting a monthly log from them to show the backup successes and failures.

Also you should challenge them to prove that they have tested the recovery of data from those backups. They don’t have to do that every week or every day but perhaps on a monthly basis they could do it or no more than on a quarterly basis that they test the recovery of some of the data.

I have everything in the cloud, so I’m OK

If you depend on the cloud, don’t just put all your eggs in the one basket and stick things in the cloud and believe they’re safe. that’s not always the case, you should have some offline copies of your backup as well.

Oops – I have no Data Backups. What can I do?

So if you have no backup strategy in place at the moment, I would suggest you use a strategy I call 3-2-1-1. That’s having 3 copies of your data, one of which is your live working copy. The other 2 copies should be on two separate media. So that could be an external hard drive, USB sticks or in the cloud. Then 1 copy should be off-site which could be a cloud copy. Finally 1 copy should be off-line. This means it iss not connected to any computer unless its being backed up to. So that will protect you against Ransomware.

So that’s it for this week. Let’s be careful out there and we’ll talk to you again next week.

www.L2CyberSecurity.com

www.twitter.com/L2Cyber

The post #WeekendWisdom 013 Data Backups appeared first on L2 Cyber Security Solutions Ltd..

They claim that their Standard Fare Notices and Tax Saver Ticket pages are not affected and are still available. I wonder about this, as I went to the version of their website from last December and there is no other part of the site there that records personal data. So the data breached must be belonging to those types of people. We’ll hear soon enough about this. It’s not what I want to focus on.

The site has been down for a long time.

For a company as large as Transdev is, I’m surprised at how long the home page for their major operation in Ireland has been unavailable. If they were following best practice, then this is, at a high-level, what should have happened on Wednesday night last:

1. Ransomware compromises the web site.
2. IT team become aware – incident response effort commences – server, web and security teams scrambled.
3. Server(s) disconnected from all networks by physically pulling the network connectors out of the server(s), but they are left powered on.
4. Security team take a forensic snapshot of the affected server’s memory and disk. This is a long slow process.
5. Server team, bring up backup server or request a new server from service provider.
6. Web team commence restore of the website from most recent backup on that server. Tests that all the pages work.
7. Replacement server(s) put into production – website back online.
8. Once the security team have completed their snapshots of the affected servers, these machines can be wiped and put to use again.
9. Security team analyse the forensic images to discover source of the compromise and any loss of data. This process could take days and even weeks.

Given that the Luas site is pretty basic, step 7 above should easily have been achievable, I think, within 24 hours. Probably even faster if they had a backup server on stand-by, ready to take the restore.

Why is it taking so long?

I’m going out on a limb here. I’m guessing that they don’t have decent backups of their website. If they don’t have that, then they literally have to rebuild it from scratch and this will take time. Probably days.

Perhaps they thought they did have backups, but here’s the thing. You actually should test your backups occasionally to see if they are working OK. If they never tested that these backups work, they may have discovered that they weren’t backing up enough and they are going to have to rebuild it from scratch.

With good, tested backups this would not take much time at all.

How did the Luas Ransomware get in?

That’s a good question. We may never find out, but the likely cause is that they had a poorly secured website or webserver. It looks like they use WordPress and if you have a very old version of that, then it is trivial for a hacker to compromise it. The message from the bad guys was interesting:

This person states that he warned the company some time ago that they had vulnerabilities and they never responded. This could be a complete lie, but it’s also quite possibly true.

Based on the wording of the message above, if I received a similarly worded e-mail, warning me about something wrong on my website, I might dismiss that too. However, I take my website security seriously and keep it updated on a weekly basis. I also back it up daily and finally, I have tested those backups.

What can you do to avoid such a long outage?

You don’t want to be affected by something like the Luas Ransomware do you?

There’s some simple steps that you can take. Basically keep your website updated regularly and have good backups which get tested. There are more, but these two will give you a quick win.

You could also give us a call on 087-436-2675 or drop a line to info@L2CyberSecurity.com and we can have a chat about the service that I can provide. We also have some Cyber Security training coming up soon too, which you can book a place on.

Lets be careful out there.

#SecuritySimplified #GDPR

The post Luas Ransomware Incident – Offline a while now appeared first on L2 Cyber Security Solutions Ltd..