Ieri ho concluso i seminari di "Introduction to Cybersecurity" per i nostri studenti di dottorato: 4 incontri 2 ore ognuno. Considerato che i seminari erano in streaming, l'impostazione era volutamente non tecnica (gli studenti di dottorato avevano provenienza molto eterogenea), l'argomento è molto importante, ho cercato di diffondere l'informazione tra alcuni miei contatti. Ho ricevuto circa 80 (ottanta) richieste di partecipazione, compresi i 10-12 dottorandi, da varie organizzazioni. La partecipazione effettiva è stata di circa 50 persone, comprese quelle che hanno visto le registrazioni offline. Credo che sia un buon risultato. Spero che i partecipanti abbiano apprezzato.
Diffondere la consapevolezza di quanto siano profondi e pervasivi i problemi di cybersecurity è molto importante. Negli ultimi anni ho cercato di dedicarmi molto a questo aspetto (alcuni esempi sono qui) ma temo di non avere avuto grande successo. All'interno dell'organizzazione a cui appartengo certamente non ho avuto successo.
Ho alcune considerazioni finali per i partecipanti. Sono lunghe e possono essere di interesse più generale, quindi invece di inviarle per email le riporto qui di seguito.
Two links for those really interested
One of the suggested readings was about "cybersecurity for small businesses", by Steve Bellovin, a professor of the University of Columbia.
Yesterday that same person published a short blog post that summarizes and updates those suggestions. Nothing particularly surprising, but I would like to emphasize his closing remark because it is exactly what I said yesterday (if nobody on the board of your organization understands cybersecurity then there is almost nothing that can be done):
Note how much of this requires good system administration and good management. If management won’t support necessary security measures, you’ll lose.
Security Priorities SMBlog -- 25 February 2021 (columbia.edu)
What it means "manually operated ransomware", exactly?
A ransomware attack on a single machine is executed with a malware that works automatically: once installed on a machine, it encrypts everything on the local disk and writes a message on the screen asking for a ransom in bitcoins.
A ransomware attack on an organization can be executed in either of two ways:
- A malware that works in a fully automated way: once installed on a machine, it silently attempts to propagate itself on other machines nearby (lateral movement) and on servers (privilege escalation); it does so by executing a predefined sequence of attempts programmed in the malware (vulnerability exploits, bad configuration practices and so on); once it has replicated in a sufficient number of places, each copy of the malware encrypts everything on the local disk.
- Once a malware is installed on a machine, the malware "calls home": his owner (the attacker) starts controlling that malware remotely in order to collect information about nearby machines and then perform lateral movement/privilege escalation; these actions are performed by the attacker "manually";.
Obviously, actions taken "manually" based on knowledge of the specific environment are more likely to succeed, and potentially much more disruptive, than a set of predefined and immutable actions chosen once and for all.
Up to 2-3 years ago, virtually all ransomware incidents were fully automated. The Maersk incident, for example, belonged to that category. Now most major ransomware incidents are instead "manually operated".
Two links for those really interested
The internal story of the Maersk incident, by one of their key IT personnel
Maersk, me & notPetya - gvnshtn
A technical report by Microsoft Security about manually (or human) operated ransomware
Human-operated ransomware attacks: A preventable disaster
Windows admin self-assessment
Please have a look at these assertions (without searching on Google):
- I don't know what pass-the-hash means.
- I don't know what Mimikatz is.
- I don't know what Bloodhound is.
- I usually perform remote administration of user workstations and servers; in doing so I use the same username/password for wks and for servers; this is normal and acceptable practice because that password is very strong.
If one or more of those is true for you, especially the last one, then I warmly suggest you to upgrade/refresh your knowledge of Windows administration.
It is not easy, but in my opinion it is really important. I emphasize again: just my opinion.
This may be a good place to start: search "Mitigating Pass-the-Hash and Other Credential Theft" and download the Microsoft report.
Commenti