The Same Oversights Over, Over, and Over... Again
Ransomware is not a new phenomenon in our environment. There are regular news stories about breaches and ransomware targeted at hospitals, military contractors, and others. Ransomware attacks began as indiscriminate campaigns against anyone with an email address. As time passed, this was adjusted and the focus narrowed significantly: the first targeted industries were law firms and hospitals, and more recently the target has been universities. These institutions of higher learning hold much the same data as the other industries: personally identifiable information (PII) and credit card information, both of which are very marketable on the dark web.
Since this is a viable and openly practiced option for attackers, one would expect these institutions to have some level of protection in place, whether security applications or ample employee training to raise awareness of ransomware.
This is especially rampant in the UK. In a recent survey of UK universities, 63% of respondents reported having experienced ransomware on their systems (Zorz, 2016; Kleinman, 2016). The infection vector has typically been email, downloaded files, or websites that had been modified to spread the malware. One of the worst instances was Bournemouth University, which was infected with ransomware 21 times in the last 12 months (Zorz, 2016; Kleinman, 2016).
Although this is a somewhat drastic example, it does show an astonishing trend. There appears to be a significant problem of repeated infosec errors and oversights. When a follow-up pen test or vulnerability assessment is completed, the same issues keep showing up year after year. The issues may be low on the criticality spectrum or higher; the problem is that they are never cleared up or remediated.
This set of circumstances is unfortunately very familiar. Oversights and errors continue to be made on basic issues. To correct this, the mindset toward infosec has to change. In certain instances, infosec appears to be treated as a speed bump or a box to check. With sufficient attention to infosec, these occurrences would not continue, the businesses would not be repeat ransomware customers, and the expense associated with infection would be avoided. That attention can range from simple, repeated, engaging employee training to hardening the enterprise.
Kleinman, Z. (2016, August 24). University hit 21 times in one year by ransomware. Retrieved from http://www.bbc.com/news/technology-37166545
Zorz, Z. (2016, August 24). UK universities hit repeatedly with ransomware, one over 21 times! Retrieved from https://www.helpnetsecurity.com/2016/08/24/uk-universities-ransomware/
About the Author
Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.