Deeper Dive: Ransomware – WannaCry and the Future of Ransomware-as-a-Service

In our 2017 BakerHostetler Data Security Incident Response Report, we addressed the increasingly ubiquitous scourge of ransomware, one of the fastest-growing types of malware causing data security incidents. We noted that ransomware attacks have been steadily expanding in both frequency and severity, and that those trends seemed set to continue for the foreseeable future.

Less than a month later, the most prominent ransomware attack to date swept the globe and dominated headlines. As we previously reported, on May 12, 2017, thousands of companies were affected by the so-called “WannaCry” ransomware variant, which exploited a known Microsoft Windows vulnerability (patched since March 2017) and spread rapidly across borders and industries. Despite the apparent sophistication of its origins, reportedly using an exploit revealed in National Security Agency documents, signs have emerged that the perpetrators of the WannaCry outbreak were perhaps less sophisticated than one might expect. Specifically, WannaCry’s authors seem to have included “amateur flaws” in their design, such as a straightforward kill switch, an “unsavvy” payment protocol and a poorly designed ransom function. As a result, WannaCry was halted by a simple domain name registration, and the financial yield for the perpetrators appears to have been surprisingly low.

Substantial Risk of Harm in Data Breach Class Actions Ripe for Supreme Court Review

Early in May, the U.S. Court of Appeals for the Second Circuit in Whalen v. Michaels Stores, Inc., No. 16-260 (L) (2d Cir. May 2, 2017), affirmed the dismissal of a data breach class action brought against Michaels Stores Inc. (Michaels) for failing to sufficiently allege an injury to support standing. This decision is significant because it widens the existing circuit split on what allegations constitute an injury-in-fact, particularly where a plaintiff seeks standing by alleging a substantial risk of harm resulting from a data breach.

Deeper Dive: Forensics

A company’s ability to quickly and efficiently conduct a forensic investigation is critical to limiting the impacts of a data security incident and determining the scope of the incident.

In BakerHostetler’s 2017 Data Security Incident Response Report, we analyzed data from the more than 450 incidents we worked on in 2016. A forensic investigation occurred in 34 percent of those incidents – a slight increase from 2015, when 31 percent of the incidents involved a forensic investigation. Healthcare entities used forensic investigations at a higher rate this year, most likely because of the rise in ransomware incidents and the OCR guidance related to ransomware. A forensic investigation occurred in 27 percent of the incidents involving healthcare entities in 2016 versus only 13 percent in 2015. The average total cost of a forensic investigation in 2016 was $62,290, with the highest cost in excess of $750,000. The average cost of a network intrusion investigation was $93,322. It took forensic firms an average of 44 days after they were hired to complete their investigations of network intrusion incidents. Investigators found evidence of data exfiltration in 34 percent of the network intrusion incidents. A failure to find evidence of exfiltration does not always mean that data wasn’t stolen. Some attackers carefully remove evidence of their activities, and in other scenarios there is insufficient logging.

No More Tears: A Few Recommended Steps in Response to WannaCry Ransomware

On May 12, 2017, thousands of companies across the globe saw the first signs of a prolific malware outbreak. The malware, a ransomware variant labeled WannaCry, is capable of encrypting files on a device and moving laterally to encrypt files on associated file shares. On average, the ransom amount that is demanded is the equivalent of $300 in Bitcoin. Early reports indicate that the ransomware, which may function in 27 different languages, encrypted data on over 75,000 systems in 99 countries. Russia, Ukraine, India and Taiwan appear to have been the hardest hit. The attack resulted in some hospitals canceling operations and appointments because critical patient data could not be accessed.

The WannaCry ransomware gained entry into computer systems by exploiting a vulnerability in certain versions of Microsoft Windows. Microsoft released a patch for the vulnerability in March 2017. Microsoft also released a blog post that guides individuals and businesses through the steps they should take to stay protected from WannaCry. One reason this ransomware has been so prolific is that it is less susceptible to antivirus programs because it is injected into a running process instead of being written to disk.

Coming Soon: Two-Factor Authentication for Social Security Website

The Social Security Administration recently announced that beginning June 10, two-factor authentication will be required for all account holders logging into the “My Social Security” portal.

To comply with this new rule, account holders will be required to provide their username and password, and either their cell phone number or email address as the second identification method. After providing their cell phone or email address, the account holder will be sent a time-sensitive passcode to authenticate his or her identity.

This is the Social Security Administration’s second attempt at implementing two-factor authentication. In 2014, an Obama administration executive order mandated improved security for consumers regarding financial transactions, and remediation for victims of identity theft. Based on this executive order, in July 2016, the Social Security Administration announced the requirement of two-factor authentication for the account holder portal through the transmission of one-time passcodes via SMS text messages to the account holder’s cell phone. This method was widely criticized because many of the account holders were senior citizens who did not have access to a cell phone and therefore lacked the ability to use two-factor authentication for their account.

Deeper Dive: Implementing Basic Security Measures Can Stop Some Network Intrusions and Reduce the Damage From Others

In BakerHostetler’s 2017 Data Security Incident Response Report, we analyzed 104 network intrusion attacks that we helped our clients respond to last year. Such incidents typically occur when criminals find a weakness in a company’s internet-facing network, penetrate the network, conduct reconnaissance to find valuable data and export the data before they can be detected and stopped. Our clients were required to notify potentially affected customers or patients in 62 percent of the network intrusion attacks. Forensic investigation costs for the attacks averaged $93,322 and ranged as high as $750,000.

Basic data security measures can make it more difficult for many criminals to succeed with these attacks. Companies should consider taking the following steps:

  • Implement multifactor authentication to remotely access any part of the company’s network or data.
  • Disable remote desktop protocol on internet-facing systems.
  • Segregate subnetworks that contain valuable data from other parts of the network, and require users who need to access such data to use multifactor authentication or one-time passwords to do so.
  • Implement and monitor a software patch management system that requires critical patches to be installed promptly.
  • Require users to use complex passwords and to change them at least every 90 days.
  • Remove administrative rights from normal users and limit the number of accounts with administrative privileges.
  • Implement a web proxy that can block access to untrusted websites.
  • Utilize threat intelligence and endpoint protection tools that use reputational searches and behavioral patterns.
  • Deploy an intrusion detection and prevention system (IDPS) that aggregates logs to a SIEM tool that sends real-time alerts.
  • Hire qualified staff or engage a vendor to monitor SIEM and endpoint protection alerts.
  • Ensure that all internet-facing and core infrastructure systems, as well as systems that store or have access to sensitive data, have logging enabled.
  • Retain the logs for at least a year but preferably longer.
  • Do not allow employees to access personal email accounts from the company’s network.
  • Use security firms to conduct periodic, credentialed vulnerability scans; to help correct vulnerabilities discovered; and to conduct periodic penetration tests on internet-facing applications that contain sensitive data or provide access to internal networks.

Deeper Dive: Incorporating Incident Response Into Disaster Recovery Plans

Incident response and disaster recovery are both essential components of a comprehensive written information security program. However, too often these plans are implemented in a vacuum, without considering the potential synergies and improvements that can be gained when such plans are developed, deployed and tested together.

Incident response and disaster recovery tend to have the same goals, i.e., to provide a game plan that outlines how the organization will respond to and recover from an event. The key difference is often the type of events. Incident response tends to focus on events that impact computer systems and personal information, such as malware or network intrusion. On the other hand, disaster recovery tends to focus on larger, enterprise-wide events, such as earthquakes, hurricanes and terrorism. The fallacy is thinking these categories are mutually exclusive. Consider the impact of ransomware, which according to BakerHostetler’s 2017 Data Security Incident Response Report, is one of the leading causes of security incidents. A ransomware infection has the same shutdown potential as an earthquake or flood, and the response is sometimes the same, i.e., switch to emergency operation mode, restore from backups, etc. But a disaster recovery plan that doesn’t factor in the malicious nature of ransomware may result in critical backups being encrypted or deleted by the malware. Similarly, incident response plans that do not consider the far-reaching impact of ransomware may not address recovery response times, employee messaging and alternative communication methods typically covered in a disaster recovery plan. The solution is to develop both of these plans in tandem.

Deeper Dive: Security Incident Notification Under the New EU General Data Protection Regulation (GDPR)

As noted in the 2017 BakerHostetler Data Security Incident Response Report, the enactment of the EU General Data Protection Regulation (GDPR) represents the most significant change in European data protection law in more than 20 years. Coming into effect on May 25, 2018, the GDPR focuses on a number of core data protection principles and includes provisions relating to fair, lawful, and transparent data processing; data minimization and purpose limitation; data integrity and accuracy; specific data retention periods; increased data security; and accountability associated with the practices of data controllers and processors.

Among the key operational impacts of the GDPR is a new “personal data breach” notification obligation, the first EU-wide requirement to notify supervisory authorities and affected individuals of security incidents. Organizations doing business in the U.S. that are familiar with federal and state security breach notification requirements likely already have the mechanisms in place to comply with this aspect of the GDPR. That said, the GDPR’s approach has a couple of twists, which we discuss further in the full post.

Babies and Baby-making, or Not… Privacy and Security Lessons for the Internet of Things

What do babies, sex toys and wireless headphones have in common? Apparently, the privacy concerns of the Federal Trade Commission (FTC), state AGs and legislatures, class action plaintiffs, and consumer advocacy groups, at least when it comes to the Internet of Things (IoT). The IoT refers to consumer devices that are connected, directly or indirectly, to the internet or to other internet-connected devices.

Today cars, household appliances, so-called wearables like Fitbits, smart TVs, home command centers like Nest, Alexa and Google Home, and even sex toys and toothbrushes are collecting consumer data, often of a sensitive nature, and transmitting it over Wi-Fi, Bluetooth and the internet. The same privacy and data security issues that apply to computers and mobile phones apply to the IoT. Given the potentially sensitive nature of the data involved, the first generation of lawsuits and regulatory actions has involved babies, abortion, movie-viewing at home and vibrators. But these cases are not outliers, and there are lessons to be learned for all companies considering a foray into the IoT. And with the public notoriety these cases are generating has come the interest of the California legislature, which is considering legislation that would, among other things, codify data security obligations and require point-of-sale privacy disclosures and express consent to data collection.

Deeper Dive: Be Prepared for Regulatory Investigations in the Wake of a Security Incident

Your company had a data security event. After an investigation, it was determined that notifications were required, and the incident was made public as a result. Notification letters were mailed and regulators were notified, all in accordance with the law. Your company also enhanced security measures and took other remedial action, so there is nothing more to do – it’s all over, right? Not quite – there is a good likelihood your organization may be subject to a regulatory investigation as a result of the incident.

In 2016, we assisted clients in over 450 data security incidents. Among the trends revealed by our analysis of these incidents, we found that regulators, including state attorneys general, continue to make inquiries in the wake of data security events. In fact, in the incidents we handled, attorneys general made inquiries 29 percent of the time after notifications were made. This is up from 26 percent the prior year.