All posts by Jen Ellis

A Year on from the Ransomware Task Force Report

Post Syndicated from Jen Ellis original https://blog.rapid7.com/2022/05/24/a-year-on-from-the-ransomware-task-force-report/

A Year on from the Ransomware Task Force Report

If you follow cybersecurity, you’ve likely seen one of the many articles written recently on the one-year anniversary of the Colonial Pipeline ransomware attack, which saw fuel delivery suspended for six days, disrupting air and road travel across the southeastern states of the US. The Colonial attack was the biggest cyberattack against US critical infrastructure, making it something of a game-changer in the realm of ransomware, so it is absolutely worth noting the passage of time and investigating what’s changed since.

This blog will do that, but I’ll take a slightly different tack, as I’m also marking the anniversary of the Ransomware Task Force’s (RTF) report, which offered 48 recommendations for policymakers wanting to deter, disrupt, prepare, and respond to ransomware attacks. The report was issued a week prior to the Colonial attack.

Last week, I participated in an excellent event to mark the one-year anniversary of the RTF report. During the session, various ransomware experts discussed how the ransomware landscape has evolved over the past year, how government action has shaped this, and what more needs to be done. The Institute for Security and Technology (IST), which convenes and runs the RTF, has issued a paper capturing the points above. This blog offers my own thoughts on the matter, but it’s not at all exhaustive, and I recommend giving the official paper a read.

High-profile attacks raised the stakes

Looking back over the past year, in many ways, the Colonial attack – along with ransomware attacks on the Irish Health Service Executive (HSE) and JBS, the largest meat processing company in the world, all of which occurred during May 2021 – highlighted the exact concerns outlined in the RTF report. Specifically, the RTF had been convened based on the view that the high level of attacks against healthcare and other critical services through the pandemic made ransomware a matter of national security for those countries that are highly targeted.

In light of this, one of the most fundamental recommendations of the report was that this be acknowledged and met with a senior leadership and cross-governmental response. The Colonial attack resulted in President Biden addressing the issue of ransomware on national television. Subsequently, we have seen a huge cross-governmental focus on ransomware, with measures announced from departments including Homeland Security, Treasury, Justice, and State. We’ve also seen both Congress and the White House working on the issue. And while the US government has been the most vocal in its response, we have seen other governments also focusing on this issue as a priority and working together to amplify the impact of their action.

In June 2021, the Group of Seven (G7) governments of the world’s wealthiest democracies addressed ransomware at its annual summit. The resulting Communique capturing the group’s commitments includes pledges to work together to address the threat. In October 2021, the White House hosted the governments of 30 nations to discuss ransomware. The event launched the Counter Ransomware Initiative (CRI), committing to collaborate together to find solutions to reduce the ransomware threat. The CRI has identified key themes for further exploration and action, with a similar focus on deterring and disrupting attacks and driving adoption of greater cyber resilience.

Status of the RTF recommendations

This is all heartening to see and strongly aligns with the ethos and recommendations of the RTF recommendations. Drilling down into more of the details, there are many further areas of alignment, including the launch of coordinated awareness programs, introduction of sanctions, scrutiny of cryptocurrency regulations, and a focus on incident reporting regulations. The RTF paper provides a great deal more detail on these areas of alignment and the progress that has been made, as well as the areas that need more focus.

This, I believe, is the key point: A great deal of progress has been made, both in terms of building understanding of the problem and in developing alignment and collaboration among stakeholders, yet there is a great deal more work to be done. The partnerships between multiple governments — and between the public and private sectors — are hugely important for improving our odds against the attackers, but progress will not happen overnight. It will take time to see the real impact of the measures already taken, and there are yet measures to be determined, developed, and implemented.

Uncertain times

We must keep our eye on the ball and stay engaged, which is not easy when there are so many other demands on governments’ and business leaders’ limited time and resources. The Russia/Ukraine conflict has undoubtedly been a very time-consuming area of focus, though expectations that offensive cyber operations would be a key element of the Russian action have perhaps helped increase awareness of the need for cyber resilience. The economic downturn is another huge pressure and will almost certainly reduce critical infrastructure providers’ investments in cybersecurity as the cost of business increases in other areas, resulting in budget cuts. While both of these developments may distract governments and business leaders from ransomware, they may also increase ransomware activity as economic deprivation and job scarcity encourage more people to turn to cybercrime to make a living.

According to law enforcement and other government agencies, as well as the cyber insurance sector, the reports of ransomware incidents are slowing down or declining. Due to a long-standing lack of consistent incident reporting, it’s hard to contextualize this, and while we very much hope it points to a reduction in attacks, we can’t say that that’s the case. Security researchers report that activity on the dark web seems to be continuing at pace with 2021, a record year for ransomware attacks. It’s possible that the shift in view from law enforcement could be due to fears that involving them will result in regulatory repercussions; reports to insurers could be down due to the introduction of more stringent requirements for claims.

The point is that it’s too early to tell, which is why we need to maintain a focus on the issue and seek out data points and anecdotal evidence to help us understand the impact of the government action taken so far, so we can continue to explore and adjust our approach. An ongoing focus, continued collaboration, and more data will help ensure we put as much pressure as possible on ransomware actors and the governments and systems that allow them to flourish. Over time, this is how we will make progress to reduce the ransomware threat.

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

The Digital Citizen’s Guide to Navigating Cyber Conflict

Post Syndicated from Jen Ellis original https://blog.rapid7.com/2022/03/25/the-digital-citizens-guide-to-navigating-cyber-conflict/

The Digital Citizen’s Guide to Navigating Cyber Conflict

As security professionals, we are currently being bombarded with warnings and alerts of a heightened threat level due to the possibility that Russia will start to more aggressively leverage cyberattacks as part of their offensive. If you are feeling the pressure of getting everything done, check out this post that identifies the 8 most important emergency conflict actions for your security program.

This post is meant as a companion piece that gives advice for non-security-pro digital citizens to protect themselves and, by extension, help protect their organizations.

As security pros, we do not live in a perfect technical vacuum where we make system-wide Decisions That Will Be Obeyed by Everyone in Our Domain. Rather, we must acknowledge that our users are part of the equation. They can be tricked and manipulated. They lose devices or leave them unlocked in public. They may not follow policy, connecting to unsecured networks, using personal devices for work, or buying unvetted apps.

In other words, they make your life more complicated. But they are likely also watching the same news reports you are and may be wondering what they can do to help protect against the prospect of Russian aggression. This is your opportunity to harness that desire to help, and educate your non-security friends, family, and end users on making it through a cyber conflict. This could be a step toward inspiring them to think more about security in the long term.

1. Control who can access your accounts, apps, or devices

Password hygiene and password managers

These days, most technical devices or apps will give you the option to set up a password, PIN, or pattern. It’s highly recommended that you do so in addition to avoiding reusing passwords and changing them often.

If you follow that advice, you’ll end up with a lot of information to remember. This is where a password manager comes in. They automatically store and fill passwords as needed. They’ll also help you generate passwords if you want them to, ensuring each one is unique and adheres to the requirements of the site, app, or device. Some also offer other benefits, such as working across multiple devices so your passwords can sync across your laptop, tablet, and mobile. Another cool feature is the ability to share selected passwords with designees — for example, if you want to give a family member access to your Netflix account. There are plenty of decent and inexpensive password managers out there. Examples include LastPass, Bitwarden, 1Password, and Dashlane.

Turn on a second layer of protection for your accounts (2FA/MFA)

Having unique and hard-to-guess passwords is important, but it’s not a magical fix that will make you invulnerable to hacking. Cyberattackers will try to trick you into giving them your password, or they may try to guess or crack it. If you are reusing passwords (which is a bad bet), they may already have your password from a previous successful hack.

In situations such as these, having a second way to prove who you are when accessing your accounts is critical to help you protect your private data and accounts. This is referred to as two-step verification, two-factor authentication (2FA), or multi-factor authentication (MFA). The second step or factor might be a code sent to a trusted device, a physical token (such as a scannable key tab or a yubikey), or a biometric (such as your fingerprint or a facial scan). You don’t have to set up 2FA on everything (though it definitely doesn’t hurt to do so), but we strongly recommend you add it to anything holding very sensitive information, such as your online or mobile banking apps, your mobile phone, or other devices.

2. Pay attention to experts

Listen to your employer or other affiliated organization

Pay attention to all internal communications from your work/school/organization, as they likely have situation-specific guidance pertaining to any malicious activity against that organization. Be sure to follow any guidance or policies they issue.

Look out for alerts from apps and services

The vendors and other organizations you do business with should notify you if they are victims of a cyberattack. Look out for communications from them, but be cautious of anything asking you for info or to take an action, as these could be fraudulent. If you receive a communication asking you to take an action, instead of clicking on links within the email, we recommend going directly to the company website or using a search engine to find the information. You should find information to indicate whether it’s legitimate or a scam.

Relevant regional information

Ensure you know where to find information on local services and infrastructure — for example, your local government’s website, social media feeds, or other forms of local media, such as TV, radio and print.

Credit reports

One way that Russia may try to gain footholds on organizations is through identity theft of individuals. Signing up to credit reports — and actually paying attention to them — is one way to catch and respond to this activity early on. Many credit card companies offer this service for free.

3. Hope for the best, but prepare for the worst

Attacks against critical infrastructure

There is a lot of speculation that Russia will target cyberattacks at critical infrastructure. A great deal of effort is going into building resilience into these organizations and systems, and we hope that widespread outages will not occur. However, the Colonial Pipeline, JBS, and HSE attacks in 2021 highlighted the scale of disruption that can be caused by cyberattacks against critical infrastructure. In the same way you would plan for warnings of incoming hurricane activity, we recommend you consider what you might need to weather outages of power, water, or other critical services.

Backup your data offline

The major technology companies typically invest a great deal in cybersecurity to ensure your data is protected; however, they also may make for attractive targets of Russian hacking. They will also be just as affected as everyone else is in the case of power outages. If you are worried about being able to access information in these events, you may want to create an offline backup of your most essential data.

The guidance above focuses on the most critical actions to help individuals navigate the current threats of cyber conflict related to the Russian invasion of Ukraine. For more general advice to individuals for protecting your digital identity, check out this guide, which was created in a collaboration with the UK government’s Cyber Aware campaign.

Additional reading:

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

Ransomware: Is Critical Infrastructure in the Clear?

Post Syndicated from Jen Ellis original https://blog.rapid7.com/2021/09/24/ransomware-is-critical-infrastructure-in-the-clear/

Ransomware: Is Critical Infrastructure in the Clear?

Recently I’ve been getting asked whether I believe ransomware is on the decline, particularly for critical infrastructure. Part of the reason for this question seems to be a recent security briefing from White House deputy national security adviser Anne Neuberger, suggesting that language on the site of a new-but-already-high-profile ransomware gang, BlackMatter, could indicate that President Biden’s comments to President Putin regarding consequences for attacks against US critical infrastructure may have hit their mark. Yet just this week, this same gang demanded a ransom of $5.9 million for an attack on Iowa-based feed and grain cooperative, NEW Cooperative.

So the question remains: Is critical infrastructure in the clear, is it a specific target of ransomware attackers, or is it simply on the same footing as any other organization? As we’ll see — and as current developments confirm — it’s clear that critical infrastructure is indeed at risk from ransomware attacks.

Before I get into the nuances of this, I want to quickly note upfront that much of this is going to be opinion or theories based on discussion with — and anecdotal evidence from — various security experts, ransomware victims, and news stories. I’m not a ransomware attacker, nor am I directly in touch with any, so I can only speculate on their motivations, interests, and plans. Where possible, I provide reference to further reading to provide context, but in general, it’s important to note that broad under-reporting and inconsistent handling of ransomware incident data means that any predictions, projections, or summaries of ransom activity (on this blog or elsewhere) are likely somewhat incomplete.

The BlackMatter at hand

The BlackMatter website indicates that the group is somewhat selective in which organizations it will target for attacks. According to The Record, BlackMatter is particularly interested in organizations with a revenue of over $100 million a year, with networks of 500 to 1,500 hosts located in the US, the UK, Canada, or Australia. They state they are specifically not planning to attack organizations in the following sectors and would in fact decrypt data for free should they infect any organizations in them:

  • Hospitals
  • Critical infrastructure facilities (nuclear power plants, power plants, water treatment facilities)
  • Oil and gas industry (pipelines, oil refineries)
  • Defense industry
  • Nonprofit companies
  • Government sector

Interestingly, they do not include the food and agriculture sector in this list, though it is included in the US government’s list of 16 critical infrastructure sectors. When NEW Cooperative’s representatives pointed this out to BlackMatter, the ransomware group’s response was:

You do not fall under the rules, everyone will only incur losses, everything is tied to the commerce, the critical ones mean the vital needs of a person.

On the surface, it’s funny to think they are saying food isn’t a vital need for people. The JBS attack at the start of June highlighted the importance of the food supply chain. The cost of basic meat food staples is still higher in the US as a result of the attack, which can make a huge difference to those living on or under the poverty line. BlackMatter explains the distinction in terms of the impact — it views loss of money for the company itself as the only real impact of the NEW Cooperative attack.

This may be because NEW Cooperative is a fairly small, regional entity, nowhere near the scale of JBS, and therefore disruption for them is not going to create anywhere close to the same level of impact on the US food supply chain. This leads to the question of whether these types of organizations really count as critical infrastructure on an individual level. That’s a question for the US government to answer as they determine whether to respond to this attack and others like it. If you want to get into this more, Joseph Marks has a great write-up on the different aspects in his coverage for the The Washington Post’s Cybersecurity 202.

In the meantime, it is interesting to see BlackMatter communicate so proactively on the topic of critical infrastructure and what they consider to be in scope. This could, as Anne Neuberger suggested, reflect a heeding of the President’s warning. It could also be somewhat influenced by the lessons learned from DarkSide’s experiences following the Colonial Pipeline attack back in May. BlackMatter states, “The project has incorporated in itself the best features of DarkSide, REvil, and LockBit,” so it’s entirely possible their communications strategy is informed by the blowback DarkSide experienced in the wake of Colonial.

After coming under intense scrutiny and focus following the Colonial Pipeline attack, the DarkSide group published a statement describing themselves as “apolitical” and asserting, “Our goal is to make money and not creating problems for society.” When its infrastructure was then compromised and their bitcoin drained, the group decided it was time to shut up shop and lay low. This prompted a great deal of speculation from security commentators over whether they would reappear under a different name after sufficient time had passed. It didn’t take long after the appearance of BlackMatter for security researchers to start pointing to indicators that the new ransomware group may be the phoenix rising from DarkSide’s ashes.

Hackers with hearts of gold?

DarkSide and BlackMatter are not the only ransomware gangs to draw a line around healthcare and other targets that can impact public safety.

In March 2020, as the pandemic ramped up in ferocity, Bleeping Computer reached out to a number of high-profile ransomware groups and asked if they would lay off healthcare organizations in light of COVID-19. The group behind the CLOP ransomware stated that they have “never attacked hospitals, orphanages, nursing homes, charitable foundations, and we won’t.” They went on to state, “We are not enemies of humanity… our goal is money, not harm,” and they indicated that if a healthcare organization was encrypted by accident, they would provide the decryptor for free.

Four other ransomware groups responded to Bleeping Computer with similar assertions that hospitals are never targets or would not be during the duration of the pandemic. Some even sounded offended by the suggestion that hospitals could ever be considered fair game for attacks.

Critical infrastructure attacks abound

Yet, despite this, attacks against the healthcare sector were prolific throughout 2020. According to the 2021 Unit 42 Ransomware Threat Report, “the healthcare sector… was the most targeted vertical for ransomware in 2020. Ransomware operators were brazen in their attacks in an attempt to make as much money as possible, knowing that healthcare organizations – which needed to continue operating to treat COVID-19 patients and help save lives – couldn’t afford to have their systems locked out and would be more likely to pay a ransom.”

We see the same trend continuing in 2021. The fantastic Black Fog site tracks publicly disclosed ransomware attacks on The State of Ransomware in 2021. Their stats highlight that 2021 continues to be a busy year for ransomware attackers and their victims, with more attacks in every month of 2021 than during their 2020 counterpart. They break down the attacks they track by industry sector, and the top 9 are all covered within the US government’s description of its 16 sectors of critical infrastructure. Healthcare is the fourth most impacted sector according to their analysis, with government and education taking the first and second spots.

So does this mean that these sectors are in fact being highly targeted for attack? The answer is complicated, and there are a number of factors at play.

It’s worth calling out again that ransomware and other cybercrime remains terribly under-reported. It’s possible that one of the reasons we “see” most attacks in the sectors mentioned earlier is because they are very public-facing in nature. Thus, disruptive attacks against their systems may be more visible to the public — and hence more easily tracked and reported. Other sectors may be better able to avoid public disclosure, possibly in the hopes of avoiding a loss of customer confidence or regulatory or legal implications.

This does not mean that these sectors are not also appealing targets for some cybercriminals. Healthcare, government, and educational organizations are often highly vulnerable to attack due to a number of factors including a deficit of resources, reliance on legacy systems, complexity of technical ecosystems and user behavior models, and lack of tolerance for downtime due to the consequences to the public of a halt in operations. This latter point may also mean these sectors are more likely to pay a ransom demand: If an entity can’t tolerate downtime enough to patch their systems, an attacker may speculate that they will also likely want to resolve a ransomware incident as quickly as possible, resulting in a paid ransom.

So, the question comes down to whether attackers think this way and specifically target these sectors.

Targets locked and loaded?

One of the things that most caught my attention about the DarkMatter website information, the responses to Bleeping Computer, and Unit 42’s research was that they all seem to reflect the notion that ransom attacks are targeted. Indeed, in its response to Bleeping Computer, the Nefilim Ransomware group stated, “We work very diligently in choosing our targets.”

Yet the BlackMatter site and a couple of the other responses also alluded to organizations being infected by accident. In its response to Bleeping Computer, the Netwalker group stated:

Hospitals and medical facilities? do you think someone has a goal to attack hospitals? we don’t have that goal -it never was. it coincidence. no one will purposefully hack into the hospital. [sic]

But they then went on to add:

If someone is encrypted, then he must pay for the decryption.

The implication here is that while they may not go out of their way to target hospitals or any other organization, their attacks are opportunistic and whoever is hit is fair game and expected to pay.

So how do these things relate to each other? How can an attack be both targeted and run the risk of accidentally infecting unintended organizations?

First, consider the nature of profit-motivated attacks of this type. While there are profit-driven attacks that are extremely targeted —for example corporate espionage attacks — in the case of ransomware attacks, it is more likely that groups of organized cybercriminals are going to try to maximize their potential profits by orchestrating attacks at scale. By casting their nets wide, they are able to get more bang for their buck/ruble, making the most of their upfront investment to increase the odds of hitting organizations that are willing to pay. They may have an ideal target profile as indicated on BlackMatter’s site, but that doesn’t mean they won’t take a spray-and-pray approach to see what they can hit. Even with a focus on a specific demographic, they are still likely to take a fairly broad approach to maximize the potential for profit.

This is consistent with the most common attack methodologies for extortion-based attacks. According to Digital Defense, phishing, RDP, and vulnerable systems are the top three attack vectors for ransomware attacks. While any of these can be leveraged in highly targeted attacks, it’s more common for them to be used at scale. Phishing emails are sent out to vast lists of potential recipients, and malware to exploit RDP or other exposed systems is automated and set loose on the internet. With this in mind, it’s not surprising that organizations that weren’t being directly targeted will be impacted.

While it’s important to note that the opportunistic nature of these attack methodologies means any organization can fall victim to a ransomware attack, that does not mean that specific sectors or geographies are not more likely to be hit. The majority of profit-motivated attackers may not be targeting specific organizations (unless there is another motivation at play), but that doesn’t mean they can’t target groups or classes of organization, as we see with BlackMatter’s website. The sheer volume of attacks hitting the US indicates that whatever the chosen attack vector, it is often pointed towards specific geographical regions. Likewise, it’s possible or in some cases, likely, that attackers develop phishing target lists with data specific to certain sectors that they believe will be more easily compromised or likely to pay. As already noted, critical infrastructure is viewed by many as sitting firmly in this category.

Critical infrastructure not in the clear

So what does all this mean? The incomplete data we have clearly shows that ransomware attacks are not in decline and critical infrastructure is certainly not in the clear.

We need more consistent reporting of ransom incidents to get a clearer picture of what’s really happening, but we can confidently say healthcare providers, governments, and education are regularly being hit and need greater support to help them tackle the security issues I mentioned earlier.

The good news is that this is a problem that many are scrutinizing, and we’re starting to see more resources and assistance for critical infrastructure. If you work in one of the US critical infrastructure sectors, check out the free tools and services CISA provides to help you protect yourself. If you are working for a government entity (including public education and healthcare providers), you may also qualify for free services from the MS-ISAC.

In addition, the US Senate recently passed infrastructure legislation that would provide federal grants and funding to several critical infrastructure sectors — such as state and local governments, energy, and water — to help them strengthen their cybersecurity postures. We hope this may be extending and that, as Congress considers large spending bills, the healthcare sector should be provided access to federal funding and other resources dedicated to cybersecurity.

The US government has also announced a number of other measures both to address ransomware and to shore up cybersecurity in critical infrastructure. We hope that, over time, we will see these efforts bearing fruit in the form of less successful attacks against critical infrastructure.

The Ransomware Task Force also identified a number of recommendations for governments to better support critical infrastructure, from grant funding (pages 40 and 41) to mandated adoption of cyber hygiene measures (page 39) and provision of emergency response authorities in the event of a successful attack (page 42). The US government is already taking action on some of these priorities, such as requiring greater cyber hygiene for federal agencies and contractors, and including a response and recovery fund for victims of cyberattack in the pending infrastructure legislation.

Although all public data sources agree that far more ransomware attacks are being reported in the US than in any other country, this is not only a US issue. Many other countries are impacted, and we see critical infrastructure being hit around the world. Governments in other affected countries are likely taking or investigating similar measures, though to date, they have mostly been less vocal on it in public.

In an ideal world, governments will work together to amplify the impact of their actions and proactively deter and disrupt the global ransomware market. To that end, I look forward to seeing what will come from the Extraordinary Senior Officials Forum on ransomware that the G7 has committed to holding before the end of 2021.

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

Reforming the UK’s Computer Misuse Act

Post Syndicated from Jen Ellis original https://blog.rapid7.com/2021/08/12/reforming-the-uks-computer-misuse-act/

Reforming the UK’s Computer Misuse Act

The UK Home Office recently ran a Call for Information to investigate the Computer Misuse Act 1990 (CMA). The CMA is the UK’s anti-hacking law, and as Rapid7 is active in the UK and highly engaged in public policy efforts to advance security, we provided feedback on the issues we see with the legislation.

We have some concerns with the CMA in its current form, as well as recommendations for how to address them. Additionally, because Rapid7 has addressed similar issues relating to U.S. laws — particularly as relates to the U.S. equivalent of the CMA, the Computer Fraud and Abuse Act (CFAA) — for each section below, we’ve included a short comparison with U.S. law for those who are interested.

Restrictions on security testing tools and proof-of-concept code

One of the most concerning issues with the CMA is that it imperils dual-use open-source security testing tools and the sharing of proof-of-concept code.

Section 3A(2) of the CMA states:

(2) A person is guilty of an offence if he supplies or offers to supply any article believing that it is likely to be used to commit, or to assist in the commission of, an offence under section 1, 3 or 3ZA.

Security professionals rely on open source and other widely available security testing tools that let them emulate the activity of attackers, and exploiting proof-of-concept code helps organizations test whether their assets are vulnerable. These highly valued parts of robust security testing enable organizations to build defenses and understand the impacts of attacks.

Making these products open source helps keep them up-to-date with the latest attacker methodologies and ensures a broad range of organizations (not just well-resourced organizations) have access to tools to defend themselves. However, because they’re open source and widely available, these defensive tools could still be used by malicious actors for nefarious purposes.

The same issue applies to proof-of-concept exploit code. While the intent of the development and sharing of the code is defensive, there’s always a risk that malicious actors could access exploit code. But this makes the wide availability of testing tools all the more important, so organizations can identify and mitigate their exposure.

Rapid7’s recommendation

Interestingly, this is not an unknown issue — the Crown Prosecution Service (CPS) acknowledges it on their website. We’ve drawn from their guidance, as well as their Fraud Act guidelines, in drafting our recommended response, proposing that the Home Office consider modifying section 3A(2) of the CMA to exempt “articles” that are:

  • Capable of being used for legitimate purposes; and
  • Intended by the creator or supplier of the article to be used for a legitimate purpose; and
  • Widely available; unless
  • The article is deliberately developed or supplied for the sole purpose of committing a CMA offense.

If you’re concerned about creating a loophole in the law that can be exploited by malicious actors, rest assured the CMA would still retain 3A(1) as a means to prosecute those who supply articles with intent to commit CMA offenses.

Comparison with the CFAA

This issue doesn’t arise in the CFAA; however, the U.S. is subject to various export control rules that also restrict the sharing of dual-use security testing tools and proof-of-concept code.

Chilling security research

This is a topic Rapid7 has commented on many times in reference to the CFAA and the Digital Millennium Copyright Act, which is the U.S. equivalent of the UK’s Copyright, Designs and Patents Act 1988.

Independent security research aims to reveal vulnerabilities in technical systems so organizations can deploy better defenses and mitigations. This offers a significant benefit to society, but the CMA makes no provision for legitimate, good-faith testing. While Section 1(1) acknowledges that you must have intent to access the computer without authorization, it doesn’t mention that the motive to do so must be malicious, only that the actor intended to gain access without authorization. The CMA states:

(1) A person is guilty of an offence if—

a) he causes a computer to perform any function with intent to secure access to any program or data held in any computer, or to enable any such access to be secured;

b) the access he intends to secure, or to enable to be secured, is unauthorised; and

c) he knows at the time when he causes the computer to perform the function that that is the case.

Many types of independent security research, including port scanning and vulnerability investigations, could meet that description. As frequently noted in the context of the CFAA, it’s often not clear what qualifies as authorization to access assets connected to the internet, and independent security researchers often aren’t given explicit authorization to access a system.

It’s worth noting that neither the National Crime Agency (NCA) or the CPS seem to be recklessly pursuing frivolous investigations or prosecutions of good-faith security research. Nonetheless, the current legal language does expose researchers to legal risk and uncertainty, and it would be good to see some clarity on the topic.

Rapid7’s recommendation

Creating effective legal protections for good-faith, legitimate security research is challenging. We must avoid inadvertently creating a backdoor in the law that provides a defense for malicious actors or permits activities that can create unintended harm. As legislators consider options on this, we strongly recommend considering the following questions:

  • How do you determine whether research is legitimate and justified? Some considerations include whether sensitive information was accessed, and if so, how much – is there a threshold for what might be acceptable? Was any damage or disruption caused by the action? Did the researcher demand financial compensation from the technology manufacturer or operator?

For example, in our work on the CFAA, Rapid7 has proposed the following legal language to indicate what is understood by “good-faith security research.”

The term “good faith security research” means good faith testing or investigation to detect one or more security flaws or vulnerabilities in software, hardware, or firmware of a protected computer for the purpose of promoting the security or safety of the software, hardware, or firmware.

(A) The person carrying out such activity shall

(i) carry out such activity in a manner reasonably designed to minimize and avoid unnecessary damage or loss to property or persons;

(ii)  take reasonable steps, with regard to any information obtained without authorization, to minimize the information the person obtains, retains, and discloses to only that information which the person reasonably believes is directly necessary to test, investigate, or mitigate a security flaw or vulnerability;

(iii) take reasonable steps to disclose any security vulnerability derived from such activity to the owner of the protected computer or the Cybersecurity and Infrastructure Security Agency prior to disclosure to any other party

(iv) wait a reasonable amount of time before publicly disclosing any security flaw or vulnerability derived from such activity, taking into consideration the following:

(I) the severity of the vulnerability,

(II) the difficulty of mitigating the vulnerability,

(III) industry best practices, and

(IV) the willingness and ability of the owner of the protected computer to mitigate the vulnerability;

(v) not publicly disclose information obtained without authorization that is

(I) a trade secret without the permission of the owner of the trade secret; or

(II) the personally identifiable information of another individual, without the permission of that individual; and

(vi) does not use a nonpublic security flaw or vulnerability derived from such activity for any primarily commercial purpose prior to disclosing the flaw or vulnerability to the owner of the protected computer or the [government vulnerability coordination body].

(B) For purposes of subsection (A), it is not a public disclosure to disclose a vulnerability or other information derived from good faith security research to the [government vulnerability coordination body].

  • What happens if a researcher does not find anything to report? Some proposals for reforming the CMA  have suggested requiring coordinated disclosure as a predicate for a research carve out. This only works if the researcher actually finds something worth reporting. What happens if they do not? Is the research then not defensible?
  • Are we balancing the rights and safety of others with the need for security? For example, easing restrictions for threat intel investigators and security researchers may create a misalignment with existing privacy legislation. This may require balancing controls to protect the rights and safety of others.

The line between legitimate research and hack back

In discussions on CMA reform, we often hear the chilling effect on security research being lumped in with arguments for expanding authorities for threat intelligence gathering and operations. The latter sound alarmingly like requests for private-sector hack back (despite assertions otherwise). We believe it is critical that policymakers understand the distinction between acknowledging the importance of good-faith security research on the one hand and authorizing private-sector hack back on the other.

We understand private-sector hack back to mean an organization taking intrusive action against a cyber-attacker on technical assets or systems not owned or leased by the entity taking action or their client. While threat intel campaigners may disclaim hack back, in asking for authorization to take intrusive action on third-party systems — whether to better understand attacks, disrupt them, or even recapture lost data — they’re certainly satisfying the description of hack back and raising a number of concerns.

Rapid7 is strongly opposed to private-sector hack back. While we view both independent, good-faith security research and threat intelligence investigations as critical for security, we believe the two categories of activity need separate and distinct legal restrictions.

Good-faith security research is typically performed independently of manufacturers and operators in order to identify flaws or exposures in systems that provide opportunities for attackers. The goal is to remediate or mitigate these issues so that we reduce opportunities for attackers and decrease the risk for technology users. These activities often need to be undertaken without authorization to avoid blowback from manufacturers or operators that prioritize their reputation or profit above the security of their customers.

This activity is about protecting the safety and privacy of the many, and while researchers may take actions without authorization, they only do so on the technology of those ultimately responsible for both creating and mitigating the exposure. Without becoming aware of the issue, the technology provider and their users would continue to be exposed to risk.

In contrast, threat intel activities that involve interrogating or interacting with third-party assets prioritize the interests of a specific entity over those of other potential victims, whose compromised assets may have been leveraged in the attack. While threat intelligence can be very valuable in helping us understand how attackers behave — which can help others identify or prepare for attacks — data gathering and operations should be limited to assessing threats to assets that are owned or operated by the authorizing entity, or to non-invasive activities such as port scanning. More invasive activities can result in unintended consequences, including escalation of aggression, disruption or destruction for innocent third parties, and a quagmire of legal liability.

Because cyber attacks are criminal activity, if more investigation is needed, it should be undertaken with appropriate law enforcement involvement and oversight. We see no practical way to provide appropriate oversight or standards for the private sector to engage in this kind of activity.

Comparison to the CFAA

This issue also arises in the CFAA. In fact, it’s exacerbated by the CFAA enabling private entities to pursue civil causes of action, which mean technology manufacturers and operators can seek to apply the CFAA in private cases against researchers. This is often done to protect corporate reputations, likely at the expense of technology users who are being exposed to risk. These private civil actions chill security research and account for the vast majority of CFAA cases and lawsuit threats focused on research. One of Rapid7’s recommendations to the UK Home Office was that the CMA should not be updated to include civil liability.

Washington State has helped protect good-faith security research in its Cybercrime Act (Chapter 9A.90 RCW), which both addresses the issue of defining authorization and exempts white-hat security research.

It’s also worth noting that the U.S. has an exemption for security research in Section 1201 of the Digital Millennium Copyright Act (DMCA). It would be good to see the UK government consider something similar for the Copyright, Designs and Patents Act 1988.

Clarifying authorization

At its core, the CMA effectively operates as a law prohibiting digital trespass and hinges on the concept of authorization. Four of the five classes of offenses laid out in the CMA involve “unauthorized” activities:

1. Unauthorised access to computer material.

2. Unauthorised access with intent to commit or facilitate commission of further offences.

3. Unauthorised acts with intent to impair, or with recklessness as to impairing, operation of computer, etc.

3ZA.Unauthorised acts causing, or creating risk of, serious damage

Unfortunately, the CMA does not define authorization (or the lack thereof), nor detail what authorization should look like. As a result, it can be hard to know with certainty where the legal line is truly being drawn in the context of the internet, where many users don’t read or understand lengthy terms of service, and data and services are often publicly accessible for a wide variety of novel uses.

Many people take the view that if something is accessible in public spaces on the internet, authorization to access it is inherently granted. In this view, the responsibility lies with the owner or operator to ensure that if they don’t want to grant access to something, they don’t make it publicly available.

That being the case, the question becomes how systems owners and operators can indicate a lack of authorization for accessing systems or information in a way that scales, while still enabling broad access and innovative use of online services. In the physical world, we have an expectation that both public and private spaces exist. If a space is private and the owners don’t want others to access it, they can indicate this through signage or physical barriers (walls, fences, or gates). Currently, there is no accepted, standard way for owners and operators to set out a “No Trespassing” sign for publicly accessible data or systems on the internet that truly serves the intended purpose.

Rapid7’s recommendation

While a website’s Terms of Service (TOS) can be legally enforceable in some contexts, in our opinion the Home Office should not take the position that violations of TOS alone qualify as “unauthorized acts.” TOS are almost always ignored by the vast majority of internet users, and ordinary internet behavior may routinely violate TOS (such as using a pseudonym where a real name is required).

Reading TOS also does not scale for internet-wide scanning, as in the case of automated port scanning and other services that analyze the status of millions of publicly accessible websites and online assets. In addition, if TOS is “authorization” for the purposes of the CMA, it gives the author of the TOS the power to define what is and isn’t a hacking crime under CMA section 1.

To address this lack of clarity, the CMA needs a clearer explanation of what constitutes authorization for accessing technical systems or information through the internet and other forms of connected communications.

Comparison with the CFAA

This issue absolutely exists with the CFAA and is at the core of many of the criticisms of the law. Multiple U.S. cases have rejected the notion that TOS violations alone qualify as “exceeding authorization” under the CFAA, creating a split in the courts. The U.S. Supreme Court’s recent decision on Van Buren v. United States confirmed TOS is an insufficient standard, noting that if TOS violations alone qualify as unauthorized act for computer crime purposes, “then millions of otherwise law-abiding citizens are criminals.”

Next steps

We hope the Home Office will take these concerns into consideration, both in terms of ensuring the necessary support for security testing tools and security research, and also in being cautious not to go so far with authorities that we open the door to abuses. We’ll continue to engage on these topics wherever possible to help policymakers navigate the nuances and keep advancing security.

You can read Rapid7’s full response to the Home Office’s CFI or our detailed CMA position.

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

Hack Back Is Still Wack

Post Syndicated from Jen Ellis original https://blog.rapid7.com/2021/08/10/hack-back-is-still-wack/

Hack Back Is Still Wack

Every year or two, we see a policy proposal around authorizing private-sector hack back. The latest of these is legislation from two U.S. Senators, Daines and Whitehouse, and it would require the U.S. Department of Homeland Security (DHS) to “conduct a study on the potential benefits and risks of amending section 1030 of title 18, United States Code (commonly known as the ‘Computer Fraud and Abuse Act’), to allow private entities to take proportional actions in response to an unlawful network breach, subject to oversight and regulation by a designated Federal agency.”

While we believe the bill would be harmful and do not support the bill in any way, we do acknowledge that at least this legislation is attempting to address how hack back could work in practice and identifying the potential risks. This gets at the heart of one of the main issues with policy proposals for hack back — they rarely address how it would actually work in reality, and how opportunities for abuse or unintended harms would be handled.

Rapid7 does not believe it’s possible to provide sufficient oversight or accountability to make private-sector hack back viable without negative consequences. Further, the very fact that we’re once again discussing private-sector hack back as a possibility is extremely troubling.

Here, we’ll outline why Rapid7 is against the authorization of private-sector hack back.

What is hack back?

When we say “hack back,” we’re referring to non-government organizations taking intrusive action against a cyber attacker on technical assets or systems not owned or leased by the person taking action or their client. This is generally illegal in countries that have anti-hacking laws.

The appeal of hack back is easy to understand. Organizations are subject to more frequent, varied, and costly attacks, often from cybercriminals who have no fear of reprisal or prosecution due to the existence of safe-haven nations that either can’t or won’t crack down on their activities. The scales feel firmly stacked in the favor of these cybercriminals, and it’s understandable that organizations want to shift that balance and give attackers reason to think again before targeting them.

Along these lines, arguments for hack back justify it in a number of ways, citing a desire to recapture lost data, better understand the nature of the attacks, neutralize threats, or use the method as a tit for tat. Hack back activities may be conflated with threat hunting, threat intelligence, or detection and response activities. Confusingly, some proponents for these activities are quick to decry hack back while simultaneously advocating for authority to take intrusive action on third-party assets without consent from their owners.

Hack back is also sometimes referred to as Active Defense or Active Cyber Defense. This can cause confusion, as these terms can also refer to other defensive measures that are not intrusive or conducted without consent from the technology owner. For example, active defense can also describe intrusion prevention systems or deception technologies designed to confuse attackers and gain greater intelligence on them, such as honeypots. Rapid7 encourages organizations to employ active defense techniques within their own environments.

Rapid7’s criticisms of hack back

While the reasons for advocating for private-sector hack back are easy to understand and empathize with, that doesn’t make the idea workable in practice. There’s a wealth of reasons why hack back is a bad idea.

Impracticalities of attribution and application

One of the most widely stated and agreed-upon tenets in security is that attribution is hard. In fact, in many cases, it’s essentially impossible to know for certain that we’ve accurately attributed an attack. Even when we find indications that point in a certain direction, it’s very difficult to ensure they’re not red herrings intentionally planted by the attacker, either to throw suspicion off themselves or specifically to incriminate another party.

We like to talk about digital fingerprints, but the reality is that there’s no such thing: In the digital world, pretty much anything can be spoofed or obfuscated with enough time, patience, skill, and resources. Attackers are constantly evolving their techniques to stay one step ahead of defenders and law enforcement, and the emergence of deception capabilities is just one example of this. So being certain we have the right actor before we take action is extremely difficult.

In addition, where do we draw the line in determining whether an actor or computing entity could be considered a viable target? For example, if someone is under attack from devices that are being controlled as part of a botnet, those devices – and their owners – are as much victims of the attacker as the target of the attack.

Rapid7’s Project Heisenberg observes exactly this phenomenon: The honeypots often pick up traffic from legitimate organizations whose systems have been compromised and leveraged in malicious activity. Should one of these compromised systems be used to attack an organization, and that organization then take action against those affected systems to neutralize the threat against themselves, that would mean the organization defending itself was revictimizing the entity whose systems were already compromised. Depending on the action taken, this could end up being catastrophic and costly for both organizations.  

We must also take motivations into account, even though they’re often unclear or easy to misunderstand. For example, research projects that scan ports on the public-facing internet do so in order to help others understand the attack surface and reduce exposure and opportunities for attackers. This activity is benign and often results in security disclosures that have helped security professionals reduce their organization’s risk. However, it’s not unusual for these scans to encounter a perimeter monitoring tool, throwing up an alert to the security team. If an organization saw the alerts and, in their urgency to defend themselves, took a “shoot first, ask questions later” approach, they could end up attacking the researcher.

Impracticalities of limiting reach and impact

Many people have likened hack back to homeowners defending their property against intruders. They evoke images of malicious, armed criminals breaking into your home to do you and your loved ones harm. They call to you to arm yourself and stand bravely in defense, refusing to be a victim in your own home.

It’s an appealing idea — however, the reality is more akin to standing by your fence and spraying bullets out into the street, hoping to get lucky and stop an attacker as they flee the scene of the crime. With such an approach, even if you do manage to reach your attacker, you’re risking terrible collateral damage, too.

This is because the internet doesn’t operate in neatly defined and clearly demarcated boundaries. If we take action targeted at a specific actor or group of actors, it would be extremely challenging to ensure that action won’t unintentionally negatively impact innocent others. Not only should this concern lawmakers, it should also disincentivize participation. The potential negative consequences of a hack back gone awry could be far-reaching. We frequently discuss damage to equipment or systems, or loss of data, but in the age of the Internet of Things, negative consequences could include physical harm to individuals. And let’s not forget that cyberattacks can be considered acts of war.

Organizations that believe they can avoid negative outcomes in the majority of cases need to understand that even just one or two errors could be extremely costly. Imagine, for example, that a high-value target organization, such as a bank, undertakes 100 hack backs per year and makes a negatively impactful error on two occasions. A 2% fail rate may not seem that terrible — but if either or both of those errors resulted in compromise of another company or harm to a group of individuals, the hack-backer could see themselves tied up in expensive legal proceedings, reputational damage, and loss of trust. Attempts to make organizations exempt from this kind of legal action are problematic, as they raise the question of how we can spot and stop abuses.

Impracticalities of providing appropriate oversight

To date, proposals to legalize hack back have been overly broad and non-specific about how such activities should be managed, and what oversight would be required to ensure there are no abuses of the system. The Daines/Whitehouse bill tries to address this and alludes to a framework for oversight that would determine “which entities would be allowed to take such actions and under what circumstances.”

This seems to refer to an approach commonly advocated by proponents of hack back whereby a license or special authorization to conduct hack back activities is granted to vetted and approved entities. Some advocates have pointed to the example of how privateers were issued Letters of Marque to capture enemy ships — and their associated spoils. Putting aside fundamental concerns about taking as our standard a 200-year-old law passed during a time of prolonged kinetic war and effectively legalizing piracy, there are a number of pragmatic issues with how this would work in practice.  

Indeed, creating a framework and system for such oversight is highly impractical and costly, raising many issues. The government would need to determine basic administrative issues, such as who would run it and how it would be funded. It would also need to identify a path to address far more complex issues around accountability and oversight to avoid abuses. For example, who will determine which activities are acceptable and where the line should be drawn? How would an authorizing agent ensure standards are met and maintained within approved organizations? Existing cybersecurity certification and accreditation schemes have long raised concerns, and these will only worsen when certification results in increased authorities for activities that can result in harm and escalation of aggressions on the internet.

When a government entity itself takes action against attackers, it does so with a high degree of oversight and accountability. They must meet evidentiary standards to prove the action is appropriate, and even then, there are parameters determining the types of targets they can pursue and the kinds of actions they can take. Applying the same level of oversight to the private sector is impractical. At the same time, authorizing the private sector to participate in these activities without this same level of oversight would undermine the checks and balances in place for the government and likely lead to unintended harms.

An authorizing agent cannot have eyes everywhere and at all times, so it would be highly impractical to create a system for oversight that would enable the governing authority to spot and stop accidental or intentional abuses of the system in real time. If the Daines/Whitehouse bill does pass (and we have no indication of that at present), I very much hope that DHS’s resulting report will reflect these issues or, if possible, provide adequate responses to address these concerns.

These issues of practical execution also raise questions around who will bear the responsibility and liability if something goes wrong. For example, if a company hacks back and accidentally harms another organization or individual, the entity that undertook the hacking may incur expensive legal proceedings, reputational damage, and loss of trust. They could become embroiled in complicated and expensive multi-jurisdiction legal action, even if the company has a license to hack back in its home jurisdiction. In scenarios where hack back activities are undertaken by an organization or individual on behalf of a third party, both the agent and their client may bear these negative consequences. There may also be an argument that any licensing authority could also bear some of the liability.  

Making organizations exempt from legal action around unintended consequences would be problematic and likely to result in more recklessness, as well as infringing on the rights of the victim organization. While the internet is a borderless space accessed from every country in the world, each of those countries has its own legal system and expects its citizens to abide by it. It would be very risky for companies and individuals who hack back to avoid running afoul of the laws of other countries or international bodies. When national governments take this kind of action, it tends to occur within existing international legal frameworks and under some regulatory oversight, but this may not apply in the private sector, again begging the question of where the liability rests.

It’s also worth noting that once one major power authorizes private-sector hack back, other governments will likely follow, and legal expectations or boundaries may vary. This raises questions of how governments will respond when their citizens are being attacked as part of a private-sector hack back gone wrong, and whether it will likely lead to escalation of political tensions.

Inequalities of applicability

Should a viable system be developed and hack back authorized, effective participation would likely be costly, as it would require specialist skills. Not every organization would be able to participate. If the authorization framework isn’t stringent, many organizations might try to participate with insufficient expertise, which would likely be ineffective, damaging, or both. At the same time, other organizations won’t have the maturity or budget to participate even in this way.

These are the same organizations that sit below the “cybersecurity poverty line” and can’t afford a great deal of in-house security expertise and technologies to protect themselves – in other words, these organizations are already highly vulnerable. As organizations that do have sufficient resources start to hack back, the cost of attacking these organizations will increase. Profit-motivated attackers will eventually shift toward targeting the less-resourced organizations that reside below the security poverty line. Rather than authorizing a measure as fraught with risk as hack back, we should instead be thinking about how to better protect these vulnerable organizations — for example, by subsidizing or incentivizing security hygiene.

The line between legitimate research and hack back

Those who follow Rapid7’s policy work will know that we’re big proponents of security research and have worked for many years to see greater recognition of its value and importance in public policy. It may come as a surprise to see us advocate so enthusiastically against hack back as, from a brief look, they have some things in common. In both cases, we’re talking about activity undertaken in the name of cybersecurity, which may be intrusive in nature and involve third-party assets without consent of the owner.

While independent, good-faith security research and threat intelligence investigations are both very valuable for security, they’re not the same thing, and we don’t believe we should view related legal restrictions in the same way for both.

Good-faith security research is typically performed independently of manufacturers and operators in order to identify flaws or exposures in systems that provide opportunities for attackers. The goal is to remediate or mitigate these issues so we can reduce opportunities for attackers and thus decrease the risk for technology users. This kind of research is generally about protecting the safety and privacy of the many, and while researchers may take actions without authorization, they only perform those actions on the technology of those ultimately responsible for both creating and mitigating the exposure. Without becoming aware of the issue, the technology provider and their users would continue to be exposed to risk.

Research may bypass authorization to sidestep issues arising from manufacturers and operators prioritizing their reputation or profit above the security of their customers. In contrast, threat intel investigations or operations that involve interrogating or interacting with third-party assets prioritize the interests of the specific entity undertaking or commissioning the activity, rather than other potential victims whose compromised assets may have been leveraged in the attack.

While threat intelligence can help us understand attacker behavior and identify or prepare for attacks, data gathering and operations should be limited only to assessing risks and threats to assets that are owned or operated by the entity authorizing the work, or to non-invasive activities such as port scanning. Because cyber attacks are criminal activity, if more investigation is needed, it should be undertaken with appropriate law enforcement involvement and oversight.

The path forward

It seems likely that the hack back debate will continue to come up as organizations strive to find new ways to repel attacks. I could make a snarky comment here about how organizations should perhaps focus instead on user awareness training, reducing their attack exposure, managing supply chain risk, proper segmentation, patching, Identity Access Management (IAM), and all the other things that make up a robust defense-in-depth program and that we frequently see fail, but I shall refrain. Cough cough.

We shall wait to see what happens with Senators Daines’ and Whitehouse’s “Study on Cyber-Attack Response Options Act’’ bill and hope that, if it passes, DHS will consider the concerns raised in this blog. The same is true for other policymakers as cybercrime is an international blight and governments around the world are subject to lobbying from entities looking to take a more active role in their defense. While we understand and sympathize with the desire to do more, take more control, and fight back, we urge policymakers to be mindful of the potential for catastrophe.

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

The Ransomware Task Force: A New Approach to Fighting Ransomware

Post Syndicated from Jen Ellis original https://blog.rapid7.com/2021/08/03/the-ransomware-task-force-a-new-approach-to-fighting-ransomware/

The Ransomware Task Force: A New Approach to Fighting Ransomware

In the past few months, we’ve seen ransomware attacks shut down healthcare across Ireland, fuel delivery across parts of the US, and meat processing across Australia, Canada and the US. We’ve seen demands of payments in the tens of millions of dollars. We’re also continuing to see trends around ransomware-as-a-service and double or triple extortion continuing to rise. It’s clear that ransomware attacks are increasing in frequency, breadth, sophistication, scale, and impact.

Recognizing this, the Institute for Security and Technology put together a comprehensive Ransomware Task Force (RTF) to identify new approaches to shift the dynamics of ransomware and reduce opportunities for attackers. The Ransomware Task Force involved more than 60 participants representing a wide range of expertise and experience, including from multiple governments, law enforcement, civil society and public policy nonprofits, and security advancement groups. From the private sector, organizations of all sizes participated, including many that have experienced ransomware attacks firsthand or that are involved in dealing with the fallout, such as cybersecurity companies, law firms, and cyber insurers. Rapid7 was among those that participated — I was one of the co-chairs, and my amazing colleagues, Bob Rudis, Tod Beardsley, and Scott King participated as well.

From the outset, the intent of the Task Force was to look at the issue holistically and come up with a comprehensive set of recommendations to deter and disrupt ransomware attackers, thereby helping organizations prepare for and respond to attacks at scale. Recognizing the scale and severity of the issue — and the need for systemic and societal responses — our target audience was policymakers and government leaders.

The Task Force recognized that ransomware is not a new topic, and we had no desire to rehash previous efforts. Instead, we sought to learn from them and, where appropriate, amplify and extend them, supporting the next period of growth on this thorny issue. Ransomware’s reach and impact are increasing, which has a serious impact on society. The effects are only likely to worsen without significant action from governments and other leaders.

Key recommendations

The final report issued by the Task Force makes 48 recommendations, broken into actions to deter, disrupt, prepare for, and respond to ransomware attacks. The recommendations are designed to work in concert with each other, though we recognize there are a large number of them, and many will take time to implement. In reality, though, there truly is no silver bullet for addressing ransomware, no one thing that will magically solve this problem. If we want to shift the dynamics in a meaningful way that makes it harder for attackers to succeed, we need to make adjustments in a range of areas. It’s also worth noting that the Task Force’s goal was to provide recommendations to government and other leaders, not to provide tactical, technical guidance.

Given there are 48 recommendations, and they are well set out in the report, I won’t go over them now. I’ll just highlight a few of the big themes and, where relevant, what’s happened since the launch of the report.

Make it a top priority

One of the biggest challenges we face with any discussion around cybercrime is that it’s often viewed as a niche technical problem, not as a broad societal issue. This has made it harder to get the required attention and investment in solutions. The Task Force called for senior political leaders to recognize ransomware for what it is: a national security issue and a major threat to our ways of life (Action 1.2.5, page 26). We also called for a whole-of-government approach whereby leaders would engage various stakeholders across the government to help ensure necessary action is taking place collaboratively across the board (Actions 1.2.1 and 1.2.2, page 23).

One possible silver lining of the recent attacks against critical infrastructure is that they’ve helped establish this level of priority. In the US, we’ve seen various parts of the government start to take action: Congress has held hearings and proposed legislation; the Department of Justice has given ransomware investigations similar status to those for terrorism; the Department of Homeland Security has issued new cybersecurity guidelines for pipelines; the White House issued a memo to urge the private sector to take steps to protect against ransomware; and even President Biden has talked about ransomware in press conferences and with other world leaders.

Global action for a global problem

To take meaningful action to reduce ransomware attacks, we must acknowledge the geopolitical aspects. Firstly, the issue affects countries all around the world. Governments taking action should do so in coordination and cooperation in order to amplify the impact and hit attackers on multiple fronts at once (Actions 1.1.1 – 1.1.4, 1.2.6, pages 21-22, 26).

Secondly, and perhaps more crucially, one of the main advantages for attackers is the existence of nations that provide safe havens, because they’re either unwilling or unable to prosecute cybercriminals. This also makes it much harder for other countries to prosecute these criminals, and as such, ransomware attackers rarely seem to fear consequences for their actions.

The Task Force recommended that governments work together to tackle the issue of safe havens and adopt key practices to protect their citizens — or help them better protect themselves (Actions 1.3.1 and 1.3.2, page 27).

We’ve already seen some progress in this regard, as ransomware was raised at the recent G7 Summit, and the resulting communique included the following commitment from members:

“We also commit to work together to urgently address the escalating shared threat from criminal ransomware networks. We call on all states to urgently identify and disrupt ransomware criminal networks operating from within their borders, and hold those networks accountable for their actions.”

It will be interesting to see whether and how the G7 members will follow through on this commitment. I hope they’ll take action, build momentum, and recruit participation from other nations.

Reducing paths to revenue

As mentioned above, we’re seeing attackers demand higher and higher ransoms, which likely attracts other criminals to enter the market. Hopefully, the opposite is also true; if we reduce the opportunity to make money from ransomware, the number of attacks will decrease.

This rationale, coupled with discomfort over the idea of ransom payments being used to fund other types of organized crime — including human trafficking, child exploitation, and weapons trafficking — resulted in a great deal of discussion around the notion of banning ransom payments.

While the Task Force agreed that payments should be discouraged, the idea of a legal prohibition was challenging. Given the lack of real risk or friction for attackers, it’s likely that if payments were outlawed, attackers wouldn’t simply give up. Rather, they’d first play a game of chicken against victims, focusing on the organizations least likely to resist paying — namely providers of critical functions that can’t be disrupted without profound impact on society, or small-to-medium businesses that aren’t financially able to prepare for and weather an attack.

Given the concerns over these practicalities, the Task Force did not recommend banning payments. Rather, we looked at alternative ways of reducing the ease with which attackers realize a profit. There are two main paths to this: reducing the likelihood of victims making a payment, and making it technically harder for attackers to get their payment.

In terms of making victims think twice before making a payment, the RTF recommended a few measures:

  • Requiring the disclosure of payments (Action 4.2.4, page 46): This will help to build greater understanding of what is happening in the attack landscape and may enable law enforcement to build more information on attackers, or even recapture payments.
  • Requiring organizations to conduct cost-benefit analysis prior to making payments (Action 4.3.1 and 4.3.2, pages 47 and 48): This will encourage organizations to look into alternative options for resolution — for example, turning to the No More Ransom Project to seek decryption keys.
  • Creating a fund to assist certain organizations in recovery (Action 4.1.2, page 43): Often, organizations say the cost of recovery significantly outsizes that of the ransom, leaving them no choice but to give into their attacker’s demands. For qualifying organizations, this fund would rebalance the scales and give them a pragmatic alternative to paying the ransom.

On the other track — disrupting the system that facilitates the payment of ransoms — the RTF recommended that cryptocurrency exchanges, kiosks, and over-the-counter trading desks be required to comply with existing laws, such as Know Your Customer (KYC), Anti-Money Laundering (AML), and Combatting Financing of Terrorism (CFT) (Action 2.1.2, pages 29 and 30).

Better preparation, better response

During the explorations of the Task Force, it became apparent that part of the reason ransomware attacks are so successful is that many organizations don’t truly understand the threat, believe it’s relevant to them, or understand how to protect themselves. We repeatedly heard that, while there is a lot of information on ransomware, it’s overwhelming and often unhelpful. Many organizations don’t know what to focus on, and guidance may be oversimplified, overcomplicated, or insufficient.

With this in mind, one of our top recommendations was for the development of a ransomware framework that would cover measures for both preparing for and responding to attacks (Action 3.1.1, pages 35 and 36). The framework would need to be pragmatic, actionable, and address varying levels of sophistication and capability (Action 3.1.2, page 36). And because one of our main themes was around international cooperation, we also recommended there be a single source of truth adopted and promoted by multiple governments around the world. In fact, we recommended the framework be developed through both international and public-private collaboration. It should also be kept up to date to react to evolving ransomware attack trends.

Creating the framework is a lift, but it’s only part of the battle — you can’t drive adoption if you don’t also tackle the lack of awareness and understanding. As such, we also recommend that governments run high-profile awareness campaigns, partnering with organizations with reach into audiences that aren’t being well addressed today (Actions 3.2.1 and 3.2.2, pages 37 and 38). For example, many governments have toolkits or content aimed at small-to-medium businesses, but most leaders of these organizations seem largely unaware of the risk — until someone they know personally is hit by an attack.

The path forward

Unfortunately, ransomware continues to dominate headlines and harm organizations around the world. As a result, many governments are paying a great deal of attention to this issue and looking for solutions. I’m relieved to say the Ransomware Task Force’s report and recommendations have seen a fair bit of interest and support. For us, the next challenge is to keep the momentum going and help governments translate interest into action.

In the meantime, my colleagues at Rapid7 and I will continue to try to help our customers and community prepare for and respond to attacks. We’re working on some other content to help people better understand the dynamics of the issue, as well as the steps they can take to protect themselves or get involved in broader response efforts.

Look out for our series of blogs on different aspects of ransomware, and in the meantime, check out our interviews with ransomware experts on our Security Nation podcast. You can also check out my talk and Q&A on the Ransomware Task Force at Black Hat, or as part of Rapid7’s Virtual Vegas, which includes a Ransomware (un)Happy Hour — bring your ransomware war stories, lessons learned, or questions.

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

Decrypter FOMO No Mo’: Five Years of the No More Ransom Project

Post Syndicated from Jen Ellis original https://blog.rapid7.com/2021/07/26/decrypter-fomo-no-mo-five-years-of-the-no-more-ransom-project/

Decrypter FOMO No Mo’: Five Years of the No More Ransom Project

The amazing No More Ransom Project celebrates its fifth anniversary today and so we just wanted to take a moment to talk about what it has accomplished and why you should tell all your friends about it.

The name pretty much says it all — No More Ransom aims to help organizations avoid having to pay ransoms for cyber attacks by providing guidance for defending against attacks, connecting victims with law enforcement, and most crucially, by providing free decryption tools. Just think about that for a second … you get hit by ransomware and you get a demand for a ransom payment of tens of thousands of dollars, or more. Recently we’ve seen ransom demands go up as high as tens of millions of dollars. But there’s a chance that rather than having to shell out piles of your hard earned cash (in crypto form), you could, in fact, get what you need for free with minimal fuss or effort.

Sounds too good to be true, right? Like maybe you’re thinking that they only have decryptor tools for old encryptors that aren’t really being used anymore? Well, despite being just five years old today, No More Ransom’s tools have already been downloaded more than six million times, and have saved organizations an estimated $900 million in ransoms that didn’t have to be paid. In fact, the Project offers a staggering 121 free tools, which decrypt 151 ransomware families. So we’re talking about a project that is having a profound impact every day. See? You should totally check it out and tell all your friends about it!

The Project is a great example of what can be achieved with effective public-private partnership. The main backers are Europol, the Dutch Government, McAfee and Kaspersky. They have now recruited about 170 other partners from law enforcement, the private sector, and nonprofits around the world, which I’m guessing goes a long way towards helping them stay up to date with malware samples and decryption tools. Special shout outs should also go to Amazon Web Services and Barracuda for hosting the site.

Here’s the thing though, recently I co-chaired the Ransomware Task Force (RTF), which was brought together by the Institute for Security and Technology, to come up with recommendations for reducing ransomware on an international, societal level. As part of the RTF’s investigations into what is happening in the ransomware landscape, we spoke to numerous organizations that have suffered ransomware attacks, as well as, many of the entities they rely on to help them respond — law enforcement, cyber insurers, incident responders, legal counsel. We were surprised to discover that very few of the organizations we spoke with knew about the No More Ransom Project or thought to look there for free decryption tools before paying the ransom. This seemed to be particularly true in the US. Now granted, the tools have been downloaded 6 million times, so definitely some folks do know to look there, often encouraged by law enforcement teams, but there are clearly also many people and organizations who don’t know about it and should.

I suspect that the astonishing ‘six million’ figure is less about awareness and more about how incredibly prevalent ransom attacks have been over the past few years, which is why this project is so important and valuable. So help the No More Ransom Project celebrate its birthday by telling everyone you know about it. You can casually drop that $900 million saving stat into conversation — it’s so impressive I had to mention it twice.

If you’re interested in hearing more of me being incredibly enthusiastic about the Project, check out this week’s special edition of our Security Nation podcast, which will be published on Wednesday, July 28th and features an interview with Philipp Amann, Head of Strategy at the European Cybercrime Centre (EC3), which is part of Europol.

As a tease for the interview, we’ll give Philipp the final word on the No More Ransom Project:

“No More Ransom offers real hope to the victims, and also delivers a clear message to the criminals: the international community stands together with a common goal – to disrupt this criminal business model and to bring offenders to justice.”

Taking Inspiration from Our Security Nation in an Otherwise Uninspiring Year

Post Syndicated from Jen Ellis original https://blog.rapid7.com/2020/12/28/taking-inspiration-from-our-security-nation-in-an-otherwise-uninspiring-year/

Taking Inspiration from Our Security Nation in an Otherwise Uninspiring Year

Well, what a year it has been. I won’t waste your time by recapping the many, many difficulties that 2020 has offered us, and instead, I will try to take a slightly different tack. While it has been a challenging (for some, truly hellacious) year, as we close it out, I’ve been trying out a little “Life of Brian” thinking and “looking on the bright side of life.”

I’m fortunate to be able to say that for me, 2020 was not all bad, in part due to the security community with whom I work every day and who have inspired me throughout the year. I’m lucky to be in a position to hear about many of the amazing things this community does, and in particular, I am grateful that I get to interview people for the Security Nation podcast, hearing about and helping share their amazing stories. In reflection of this, I’d like to share some of my own 2020 highlights and thank the community behind them. I’ve also invited some of our 2020 Security Nation guests to also share their highlights from the year.

Reserve Your 2021 Cybersecurity History Calendar

Get Started

Me first!

This is my blog post, so I’m going to share my highlights first 🙂 As I mentioned above, it all kind of comes down to the security community for me.

I’ll start with the security community’s response to the pandemic. We quickly saw the emergence of various volunteer efforts—for example, the CTI League and Cyber Threat Coalition formed in response to COVID-themed attacks. The people participating in these efforts mostly did so on their own time and dime to try to keep others safe during a truly difficult time. As has been much commented on, never has cybersecurity been more important than during a time when both critical health services and the economy at large were suddenly extremely reliant on the internet to function. To those security volunteers that helped make this increased reliance on the internet safer, thank you for everything you did and continue to do!

This volunteering spirit was reflected in our first Security Nation podcast episode of the year, which featured an interview with the amazing Chris Hadnagy, who shares his year’s highlights below. Chris joined us to talk about the Innocent Lives foundation, the nonprofit he founded to help tackle the issue of child exploitation on the internet. Hearing Chris talk about ILF and the work they are doing was incredibly moving and inspiring. If you haven’t done so, I encourage you to check out both the interview and the ILF website.

And speaking of Security Nation, the final 2020 highlight I will share with you is that being the host of this podcast is truly a privilege. Not because I get to inflict my questionable sense of humor and lack of articulation on unwitting listeners (that’s just a side perk), but because every episode we interview “someone cool doing something interesting to advance security.” Or some episodes, it’s someone interesting doing something cool to advance security. There may be some recurring themes here.

The point is that these people are amazing (wow, I found another adjective) and they are doing inspirational things. And there are a LOT of them. In fact, there’s kind of a whole Nation of them <cough cough>. The work they are doing differs depending on their role and area of focus, but their dedication and passion unites them and inspires me. Having the chance to learn from them and help them share their stories is truly something for which I am grateful.

The Security Nation podcast was started by my friend and former Rapid7er, Kyle Flaherty. When, some time after Kyle had moved on, I first started talking about hosting a podcast to showcase the huge diversity of effort and evolution being made in security, we searched for a new name to differentiate ourselves, but I couldn’t get away from this idea that we are all a nation—diverse in so many ways, but unified by a desire to drive security forward and protect others. We kept the name, I owe Kyle some drinks, and it has been my great honor to get to meet and interview the various members of this great Security Nation since.

So, as I look back on a stressful year, I am so grateful to all the amazing people working tirelessly to move security forward, and even more so, to have been able to share the stories and successes of some small number of them. A few of this year’s Security Nation guests have also shared their 2020 highlights below. Here’s to hoping 2021 will be an improvement and offer even more highlights!

Tod Beardsley, Security Nation Co-Host

Tod is Rapid7’s director of research and also my co-host for Security Nation. Importantly, he is The One That Actually Knows Things, which balances me out quite nicely. As well as keeping me on the straightish and narrowish in interviews, he also leads the “Rapid Rundown” section, where he provides his point of view on the main security news of the time.In sharing his highlights, Tod shamelessly hijacked this blog to promote his other podcasts:

Not to play me-too too much, but hosting Security Nation through 2020 has been a real career highlight for me—while we’ve been technically producing this podcast since the summer of 2019, I feel like it was this year we really hit our groove, thanks in large part to the Herculean (or Amazonian?) efforts of Bri Hand, our producer, and of course my co-host, Jen Ellis.

In fact, I’ve had so much fun working on this podcast, I’ve gotten myself in two others! Starting in 2021, I’ll be a regular on a brand-new podcast from the CVE Project, called “We Speak CVE,” wherein we talk about all sorts of issues and topics around vulnerability disclosure and enumeration and assignments of IDs and all that super deep-in-the-weeds technocratic stuff about CVE. We’ve got one or two episodes in the can right now, but no link for public downloads yet, so keep an eye out for that.

Almost wholly unrelated is another podcast that I started in the spring of 2020, mostly as a pandemic isolation hobby. It’s called “Podsothoth: A Lovecraft Book Club,” and in it, I read-slash-perform horror and science fiction stories written a hundred years ago by H.P. Lovecraft, and also talk about things related to those stories with my lovely and insightful wife, Claire Reynolds. You should listen to it. It’s so very gothnerdy and a nice break from the current state of affairs.

In other, non-podcast-related news, I got myself even more involved in election security, which is both personally and professionally important to me. That kicked off in earnest at my first-ever speaking engagement at ShmooCon, along with Casey Ellis, Kimber Dowsett, Amélie E. Koran, and Jack Cable, which was super fun and hopefully enlightening. There was a lot of doom considered, but also a lot of positivity and real-talk about the state of affairs in election-land. This ended up being so well-received that we revisited the topics at DEF CON’s Voting Village, which you can watch here (my part was recorded in my then-new isolation office in my garage), and we four still chat among ourselves and help keep each other sane through the news cycles.

Through these and other efforts through the year, I like to think that I helped a little bit (along with thousands of other election workers across the country) to make the Nov. 3, 2020 election “the most secure in American history,” to quote Chris Krebs at CISA.

Bri Hand, Security Nation Producer

Bri is the great unsung hero of the podcast, as she is the one that actually makes it happen and puts all the work in. She’s not as loud and opinionated as Tod and me (mostly me), but without her, there really would be no episodes making it to the internet.

I am the type of person who measures my success at work in how much I’ve learned and grown—and I have done a lot of both this year! After realizing that my current approach of learning about cybersecurity through blog-editing osmosis wasn’t quite cutting it, I signed up for an introductory course with IBM to experience the space in more of a classroom setting. The result was surprising. I realized simultaneously that I knew a lot more than I was giving myself credit for and that I would never know everything there is to know about the space—and that’s okay! Take that, imposter syndrome!

I also added “animated video” to my repertoire of content types, since shooting anything in person this year was obviously off the table. Writing and producing our “This One Time on a Pen Test” series and “Elf on the Stealth” HaXmas video was an absolute blast!

As always, I’m also so grateful to be able to work across Rapid7 and beyond to compile and share information out with the security community. Whether it was copyediting all 150 pages of our NICER report, publishing important news content about critical vulnerabilities, helping our Security Nation guests share their inspiring stories, or editing COVID cybersecurity safety blogs from the Orlando Airport on March 15 as I fled my ill-timed vacation, I feel especially privileged in my role here.

And while I won’t pretend that 2020 wasn’t the weirdest year of my life, on a personal level I have greatly appreciated the opportunity to slow down a bit and take stock of what really matters. It’s cheesy, but it’s true. Ditching my daily two-hour commute in favor of a much more manageable five-second one has freed me up to focus on activities that make me an all-around happier and better person—going on walks with my dog, flinging my limbs around in virtual Zumba, cooking, reading, and writing. This joy has easily bled into my work life, and I am now more of an advocate than ever on having work-life balance and not wearing burnout as a badge of honor.

Chris Hadnagy, Chief Human Hacker, Social-Engineer.com

As well as running Social-Engineer.com, Chris is also the founder of the Social Engineering Village and various conferences, author of numerous books, an adjunct professor at the University of Arizona, and founder and CEO of the Innocent Lives Foundation. Like many of the folks that come on Security Nation, I have no idea how Chris fits everything in—I’m tired just writing it all out!

Chris’ interview was published on Jan. 27, 2020, kicking off the year for Security Nation. He came on to tell us about the amazing work that he and many other security professionals are doing at Innocent Lives Foundation, working to combat online child exploitation.

In reflecting on 2020, Chris shared the following:

2020 was a year of personal and professional growth for me and my company. We grew more in 2020 than any previous year and we developed new and innovative ways to help secure our clients. I was also about to transfer a class I never thought could be taught online to a fully digital format and got great reviews on it. Overall, I am leaving 2020 with many things learned and new appreciation for the wonderful relationships that have helped me through the year.

Stephanie Helm, Director, MassCyberCenter

Stephanie runs the MassCyberCenter, which is tasked with building cyber resilience for Massachusetts, and establishing Massachusetts as a center for cybersecurity talent and development.

She joined us on the podcast—published on April 16, 2020—to share with us the progress her team has been making in building cybersecurity capabilities in municipalities across Massachusetts. When we recorded the interview, it was just starting to be clear that telehealth and remote working would be super important in 2020, and local government would play a critical role.  

Stephanie and the MassCyberCenter had a number of impressive highlights to call out for the year:

‘Tis the week before Christmas and MassCyberCenter is counting a surprising number of blessings, despite all the craziness in the world. Building on our partnership with the Cyber Resilient Massachusetts Working Group, this summer we virtually held a series of workshops on Cyber Incident Response Planning. We transitioned the Massachusetts Cybersecurity Month to a virtual extravaganza of cybersecurity education events plus a campaign of awareness addressing Life’s Work at Home!  Finally, we established a Cybersecurity Mentorship Program, focusing on matching diverse cybersecurity college students with cybersecurity professionals.  The pilot program wrapped up on Dec. 14 with an announcement that we will be able to continue an expanded version of the program in the spring. A very exciting achievement to promote an inclusive and talented cybersecurity workforce in Massachusetts. With our partners in cybersecurity, we hope 2021 will demonstrate improved resiliency within the state! Best wishes for a Happy New Year!

Katie Moussouris, CEO, Luta Security

2020 was a big year for Katie. Not only did her company, Luta Security, grow hugely, but Katie was also able to spend time raising awareness of, and support for, the need for equality in pay and better hiring and employment practices. Katie has been vocal about practicing what she preaches, sharing a number of the policies Luta has to build employee satisfaction and wellness.

Katie is a world-renowned expert on vulnerability disclosure, and she shared some of this incredible expertise with us during her interview, which was published on June 9, 2020. She also touched on the impact of the pandemic on security and her plans to tackle pay inequality. As you can see from her 2020 highlights, she made some serious strides in the latter.

This year has been full of surprises. A highlight for me was bringing my attempted class action gender discrimination lawsuit against Microsoft to an end in favor of starting the Pay Equity Now Foundation and the law center named after my late mother. This pandemic has revealed the truly insidious disparity between classes. It’s had a disproportionate effect on women and people of color, both health-wise and economically. We can choose to continue the current trajectory of pay equity for women in 50–205 years, depending on race, or we can decide together to fix it. Those on the right side of history are taking action and taking the Pay Equity Now Pledge. If 2020 taught us anything, it’s that we’re all in this together, and that massive changes can happen in the workplace overnight. Let’s prioritize pay equity as one of them.

Christian Wentz, CEO, CTO and Founder, Gradient

Christian is another one of those guests that makes me feel like I have done nothing with my life —a serial entrepreneur that made the transition from from an electrical-engineering-applied-to-neuroscience background to founding Gradient Technologies, a company that is “building a trust fabric for the connected world.” So he’s tackling the small stuff, then.

During his interview—published on Sept. 25, 2020—Christian talked about his approach to building technology solutions that support a zero-trust approach. It sounds like 2020 has been a decent year for them, despite all the challenges.

In 2020, we grew our Boston office and expanded west with a beautiful San Francisco office, only to have a global pandemic push us to remote work. So, we’ve decided to turn this dumpster fire of a year into a 900-degree inferno for late-night rooftop pizzas to welcome our customers, partners, and Rapid7 friends in person. See you all in 2021!

So, this just leaves me to make an awkward sign-off, much as I do on every episode of the podcast. As usual, I will end with thanks, this time to all our wonderful 2020 guests and lovely listeners. If you are interested in subscribing to the podcast, you can do it here. If you would like to share your own 2020 highlights, please add a comment to the blog. Happy holidays!

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

More HaXmas blogs

Help Others Be “Cyber Aware” This Festive Season—And All Year Round!

Post Syndicated from Jen Ellis original https://blog.rapid7.com/2020/12/17/help-others-be-cyber-aware-this-festive-season-and-all-year-round/

Help Others Be

Are you tired of being the cybersecurity help desk for everyone you know? Are you frustrated with spending all your time securing your corporate environment, only to have to deal with the threat that snuck in through naive end-users? Are you new to security and wondering how you ended up here? This blog is for you!

Introducing the Cyber Aware Campaign

Every year, November and December tend to be awash with media articles sharing tips for “safe” online shopping, particularly around Cyber Monday. This has been compounded in 2020, a year characterized in cybersecurity by increased remote working, reliance on online and delivery services, and COVID-19-themed scams and attacks. Many have viewed 2020 as a hacker’s playground.

It’s in this setting then that the U.K. government has relaunched its Cyber Aware campaign to help internet citizens navigate the rocky shores of defending their digital lives. The campaign—which features TV, radio, and print ads, as well as various (virtual) events—offers six practical and actionable tips for helping people protect themselves online.

The tips are designed to be applicable to the broadest audience possible. They are not necessarily the most sophisticated security best practices, but rather (and very intentionally), they are fairly basic and applicable to a wide range of people. The list has been devised as the result of considerable development and testing: The U.K. government not only sought input from security experts, but also from nonprofits and civil society groups representing various constituent groups. This helped them ensure the tips would be practical for everyone from your granny to your favorite athlete (maybe they are the same person).

As with enterprise security, there is regrettably no silver bullet for personal security, so these tips will not make people completely invulnerable. However, they do focus on steps that are manageable and will meaningfully reduce risk exposure for individuals. The U.K. government has focused on finding a balance between being thorough and not alienating people from making the effort, hence settling on just six tips. Naturally, we prefer things that come in sevens, but this is a decent start. 😉

The tips

Four of the six tips focus on passwords and identity access management. This seems like a good choice; it’s extremely hard to change behavior such that people stop sharing personal information or clicking on links, but if you can make it harder for attackers to access accounts, that’s a good step toward meaningfully reducing risk.

So, let’s take a look at the actual tips…

  1. Use a strong and separate password for your email
  2. Create strong passwords using three random words
  3. Save your passwords in your browser
  4. Turn on two-factor authentication (2FA)
  5. Update your devices
  6. Back up your data

We recommend clicking on the links and taking a look at the full guidance. Or, for more information on the tips, how they were developed, and what the Cyber Aware campaign entails, check out this Security Nation podcast interview with the delightful Cub Llewelyn-Davies of the UK National Cyber Security Centre.

As a starting point or personal security baseline, this is a very decent list, and we hope it will have a meaningful impact in encouraging individuals to make a few small changes to protect themselves online.  

As overzealous security enthusiasts, though, we had to take it one step further. We’ve created a free personal security guide of our own that starts with the Cyber Aware steps, then offers additional advice for those that want to go further. We know that for the vast majority of internet users, even six steps feels like too many, but we also hold out hope that many people may be inspired to dig deeper or may just have more specific circumstances they need help with.

You can download the guide for free here. Maybe include it with your holiday cards this year—personal security is the gift that keeps on giving!

Why should you care about this?

If you are reading the Rapid7 blog, the chances are that you already think about security and are almost certainly taking these steps or some appropriate alternative to them (if only more websites accepted 50-character passwords, eh?). Nonetheless, even if you are a security professional, the need to educate others likely affects you. Maybe it’s because you’re sick of constantly being asked for security tips or assistance by family and friends. Maybe you just can’t handle reading more headlines about security incidents that could have been avoided with some basic personal security hygiene. Maybe you’re worried that no matter how diligently you work to protect your corporate environment, an attacker will gain a foothold through an unwitting end-user with access to your systems.

The point is that we are all engaging in the internet together. A better informed internet citizenry is one that makes the job of attackers slightly harder, reducing the potential opportunities for attackers and raising the bar of entry into the cybercrime economy. It’s not a revolution or that ever-elusive silver bullet that will save us all, but increasing even the basic security level of all internet citizens creates a more secure ecosystem for everyone. As security professionals, we should be highly invested in seeing that become a reality, so send the guide or Cyber Aware web page to your less security-savvy friends, family, and/or users today.

Help them become more Cyber Aware, and help create a safer internet for us all.

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.

More HaXmas blogs