FBI chief calls for private sector to help battle cybercrime


As the FBI has been expanding and retooling its approach to cyber investigations, Director James Comey stresses need for CISOs to engage with the bureau.

By Kenneth Corbin, Freelance Writer, CIO | MAR 9, 2017 6:21 AM PT


CHESTNUT HILL, Mass. — FBI Director James Comey has tough words for private sector firms that won’t engage with federal law enforcement authorities on cybersecurity, an area where the bureau has been dramatically expanding its investigation and prosecution efforts.

In a keynote address at a cybersecurity conference at Boston College, Comey lamented that most incidents of intrusion and attacks against U.S. businesses go unreported. But when a victim does report a breach to the FBI, such as the damaging attack against Sony in 2014 that was attributed to North Korea, agents will have a much easier time investigating and helping businesses mitigate the damage if they are already somewhat familiar with the target’s systems.


“Sony had taken the time to get to know us,” Comey said, describing a rapid response to that incident where agents with a baseline familiarity with Sony’s systems could hit the ground running.

“If you are the chief information security officer [CISO] of a private enterprise, and you don’t know someone at every single FBI office where you have a significant facility, you’re not doing your job. Know that you’re pushing on an open door,” Comey said. “We’re not looking to know your private information, but we need to know you in a way so we can help you in a difficult circumstance.”

Comey described a multi-pronged initiative underway at the FBI to crack down on cybercrimes that involves recruiting and hiring more cyber experts, improving engagement with outside partners — including the private sector — and rethinking the bureau’s traditional approach to working cases. The bureau is also working to bolster deterrence both through hardening systems that might be targeted and winning convictions in more criminal cases.


Comey also indicated that he intends to serve out the remaining 6 1/2 years of his term, despite speculation that he might step down amid tensions with the White House.

He did not address his reported request for the Justice Department to issue a statement refuting President Trump’s assertion that his campaign had been wiretapped by former President Obama, nor the unfolding probe into Russian hacking of political targets during the election. Comey participated in a brief question-and-answer session with audience members following his keynote address, but did not take questions from reporters.

A spectrum of threats, an ‘evil layer cake’

He did offer that nation-states comprise the most dangerous enemies in the “stack” of cyber adversaries, followed by multi-national hacking syndicates, insider threats, hacktivists and terrorists, the least menacing element of what Comey calls “an evil layer cake.”

“The reason I put them at the bottom of the stack is that terrorists are adept at using the internet to communicate, to recruit, to proselytize, but they have not yet turned to using the internet as a tool of destruction in the way that logic tells us certainly will come in the future,” Comey said.

Regardless of what type of actor initiates the attack, the FBI is looking at cyber events in a fundamentally different way than conventional crimes that have a clear physical location. If a pedophile is under investigation for crimes in San Francisco, say, the San Francisco field office of the FBI would handle the case. Not so with cyber. Comey said that the bureau is assigning those cases, where the perpetrators could be up the street or halfway around the world, to the field offices that best demonstrate “the chops” to handle specific cyber investigations. So even if a bank in New York was the victim of a cyberattack, the field office in Little Rock, Ark., potentially could take the lead on the case, with support from other offices that might need to conduct investigative work on the physical premises.

“Whichever field office has demonstrated the best ability on that, we’re going to give it to that field office,” Comey said. “This has a not-unintended consequence of creating competition within the FBI.”

Private sector has edge for hiring top cyber talent, money

In addition to reorienting the bureau’s internal approach, Comey said that the FBI is trying to step up its recruiting efforts to bring in the next wave of cyber experts, though he acknowledges that competing with private-sector for top talent is a perennial challenge.

“Here’s the challenge we face: we cannot compete with you on dough,” Comey said. “The pitch we make to people is come be part of this mission. Come be part of something that is really hard, that is really stressful, that does not pay a lot of money, that does not offer you a lot of sleep. How awesome does that sound? The good news is there’s a whole lot of people — young people — who want to be part of that kind of mission, who want to be part of doing good for a living.”

But the difficulties in winning over converts to the bureau’s mission are also tied up in a deeper problem, the same perception of the government as an adversary — or at least something to be avoided — that has clouded relations with some in the private sector.


Comey wants to dispel the notion of the FBI as “the man,” in the Big Brother sense.

“We have to get better at working with the private sector,” he said, decrying firms that are subject to a ransomware attack who opt to pay the ransom and enlist a security consultant to help clean up the mess without alerting law-enforcement authorities.

“That is a terrible place to be,” he said. “It is a great thing to hire the excellent private-sector companies that are available to do attribution and remediation, but if the information is not shared with us, we will all be sorry. Because you’re kidding yourself if you think I’ll just remediate this thing and it will go away, because it will never go away.”

Paying ransoms, he argues, only emboldens the criminals, and keeping details of the breach in-house hinders law-enforcement authorities from tracking down the perpetrators.

Plea to tech companies to resist outfitting products with unbreakable, default encryption

Comey put in another plug for tech companies to resist the impulse to outfit their products with unbreakable, default encryption, recalling the highly publicized showdown between the FBI and Apple, while calling for all parties in the debate to resist the urge to resort to “bumper-stickering” the other side and rejecting the suggestion of an inherent tradeoff between privacy and security as a false choice.

“It is short-sighted to conclude that our interests are not aligned in this,” he said. “We all value privacy. We all value security. We should never have to sacrifice one for the other.”

Can Americans Catch a Phish? 1 in 4 Take the Bait


December 16, 2015

Phishing email scams attempt to lure people in by mimicking real emails from big companies so perpetrators can do things like install malware on your computer, access your bank account or even steal your identity. So how savvy are we when it comes to differentiating the real from the fake? To find out, we partnered with our friends at NBC’s TODAY show to create a quiz that tests your phishing email smarts.

So far, over 20,000 Americans have taken the quiz, developed from real emails that ESET security researchers collected and analyzed. First, if you haven’t already, take the quiz yourself—then read on (no peeking!) to see how you compare. (Note: The quiz works best in Chrome, Firefox or Safari browsers.)


What do the results reveal?

Fully 25% of people cannot consistently identify phishing emails (they missed correctly identifying one or more phish or non-phish). The question most often answered incorrectly was this Target email—it was not a phish, but 61% thought it was.


However, cybercriminals often do spin up phishing schemes to take advantage of vulnerable people and brands in crisis, as happened after the Anthem hack in early 2015, so it’s good to remain vigilant.

The phishing emails that fooled people most often were the Amazon and FedEx emails. One in five people were taken in by this:


Upon scrutiny, you can discern several clues. Amazon’s logo appears squished, and there are several grammatical errors at the end—unlikely in a real email from the world’s biggest retailer.

With this FedEx email, 22% of people were tricked.


The tell? Asking you to download an attachment—especially if it does not seem to match the content in the email—is suspicious. Downloading an attachment like this can deliver malware to your computer, often without you even knowing you have been infected.

Here is the breakdown from each email question, so you can see how you compare:

  • Southwest: 89% correctly identified this as a phish
  • Amazon: 79% correctly identified this as a phish
  • Google: 53% correctly identified this as NOT a phish
  • Apple: 87% correctly identified this as NOT a phish
  • FedEx: 78% correctly identified this as a phish
  • PayPal: 96% correctly identified this as a phish
  • Gap: 68% correctly identified this as NOT a phish
  • Target: 39% correctly identified this as NOT a phish

So what does this all mean?

[…] Research indicates that phishing scams are still a major way that cybercriminals take advantage of people and businesses. It’s important for us to constantly educate the public, for businesses to educate employees, and for parents to educate kids… and kids to educate parents and grandparents!

The data show that one in four people still get things wrong, and once is all it takes. The basic lesson here is to always exercise caution and promote safe Internet practices.

ITG Client Companies’ Email Is Secure


You can improve productivity and eliminate the hassles of in-house servers

ITG offers Secure Hosted Exchange, an email system that gives companies control of their email without the complications and expense of managing their own servers.
And, with SecureTide™ built right into the system, companies have peace of mind knowing they are getting the best spam and virus protection in the business.


  • Easy, Web-based Access
  • New Email Archiving Capabilities
  • Unlimited Mailbox Storage
  • Embedded Premium Spam and Virus Protection
  • Optimized Performance
  • Outlook 2016 or 2013 for PC or Outlook 2016 for Mac

For more information on Secure Hosted Exchange, visit our website, www.itgcorporporation.com, or contact us at 518.479.3881 or info@itgcorporation.com

Gmail hack: Even tech-savvy users fooled by sophisticated phishing technique


By Serina Sandhu, January 17, 2017

Even tech-savvy Gmail users are falling victim to hackers who steal their login credentials, according to a security expert, who notes that increasingly sophisticated phishing techniques are being employed.

How does it work?

The hacker will first send you an email, which includes an attachment, according to Mark Maunder, the CEO of WordPress security plugin, Wordfence.

When you click on the attachment to preview it, a new tab opens to what looks like a Gmail login page. However it isn’t genuine. If you enter your email and password, hackers will have stolen your credentials and have full access to all of your emails.

But why would I open the email from a random person in the first place?

Because the hackers have devised the email to look like it comes from one of your contacts, someone who is likely to have already been hacked by them.

The email will contain a subject line and the attachment from the contact may look familiar – they may use a subject line that your contact has used before – and rename the attachment to something plausible.

Once the hackers gain access to your emails, they will look for future targets they can send the phishing emails to.

Won’t I know something fishy is going on when I’m asked to login again?

Not necessarily, because the hackers have been very sophisticated when creating the phishing technique.

When you open the attachment and a new tab pops open, the URL will look something like:


That’s not a far cry from what it is meant to look like on the legitimate Gmail login page:


And the login box, where you enter your email and password, looks like the real one.

How long has this phishing technique been going on for?

It’s been gaining popularity over the last year.

Surely if you’re tech savvy, you’re safe?

Sadly not. Even “experienced technical users” have become victim to the hacks, says Mr. Maunder.

So how do I stay safe?

There are some checks you can do before typing in your login details:

First, check the URL to see if it begins with: data:text.

Second, if you widen the address bar, you will see a lot of blank space that may not be visible at first. After the blank space comes the file that actually opens in the new tab, Mr. Maunder explains.

Also check to see if the URL has been verified. Depending on your internet browser, the https:// might be in green, and there may be a padlock symbol before it.

You can also enable two-factor authentication for logging in to your Gmail. On top of the username and password, there would then be an extra layer of security that requires an extra piece of information.
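As an added example (not from the article or from Wordfence), here is a small Python checker that applies the address-bar tests above to a URL copied from the browser: it flags data: URLs, the whitespace padding Mr. Maunder describes, non-HTTPS schemes and unexpected hosts. The trusted-host allow-list and the padding threshold are assumptions to tailor to your own sign-in pages.

```python
"""Apply the address-bar checks described above to a URL copied from the browser."""
import re
from urllib.parse import urlsplit

# Assumption: the only host that should ever show you a Gmail login form.
# Extend this allow-list for the other sign-in pages your organisation uses.
TRUSTED_LOGIN_HOSTS = frozenset({"accounts.google.com"})

# Assumption: a legitimate address never contains this much consecutive
# whitespace; the phishing pages use it to push the real content off-screen.
PADDING_THRESHOLD = 20


def assess_login_url(url: str, trusted_hosts=TRUSTED_LOGIN_HOSTS) -> list[str]:
    """Return the red flags found in `url`; an empty list means none were found."""
    warnings: list[str] = []
    candidate = url.strip()

    if candidate.lower().startswith("data:"):
        # A data: URL is not a location at all: the browser renders the
        # document embedded in the address, so no server was contacted and
        # no certificate or padlock can vouch for it.
        warnings.append("data: URL: the page is embedded in the address itself, "
                        "no web server is involved")
        header, _, payload = candidate.partition(",")
        if header.lower().startswith("data:text/html"):
            warnings.append("data:text/html: the address carries an HTML document, "
                            "which is what a fake login form needs")
        # Widening the address bar reveals the padding; here we just measure it.
        longest_gap = max((len(run) for run in re.findall(r"\s+", payload)), default=0)
        if longest_gap >= PADDING_THRESHOLD:
            warnings.append(f"{longest_gap} whitespace characters hide whatever "
                            "follows them past the visible part of the address bar")
        return warnings

    parts = urlsplit(candidate)
    if parts.scheme != "https":
        warnings.append(f"scheme is {parts.scheme or 'none'!r}, not https: "
                        "expect no green https:// or padlock")
    host = (parts.hostname or "").lower()
    if host not in trusted_hosts:
        warnings.append(f"host {host!r} is not a trusted login host")
    return warnings


if __name__ == "__main__":
    # Constructed samples: a genuine-looking address and a data: URL whose
    # payload is a harmless placeholder standing in for a cloned login form.
    samples = {
        "genuine": "https://accounts.google.com/ServiceLogin?service=mail",
        "padded data url": ("data:text/html,https://accounts.google.com/ServiceLogin"
                            + " " * 200 + "<html>PLACEHOLDER</html>"),
        "lookalike host": "https://accounts-google.example/ServiceLogin",
    }
    for label, sample in samples.items():
        print(f"{label}: {assess_login_url(sample) or ['no red flags']}")
```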

What if my account has already been hacked?

It would be best to change your password straightaway. Also you can check your login history to find logins from unknown sources.

Mr. Maunder also recommends using a security researcher who can check if your email has been part of data leaks, but adds: “There is no sure way to check if your account has been compromised.”

When I contacted Google for a comment, they pointed to their “Prevent & report phishing attacks” page.

Google’s statement:

“We advise people to be careful anytime you receive a message from a site asking for personal information. If you get this type of message, don’t provide the information requested without confirming that the site is legitimate. If possible, open the site in another window instead of clicking the link in your email. You can report suspicious messages directly to us. Google will never send unsolicited messages asking for your password or other personal information.”

House Passes Long-Sought Email Privacy Bill


Courtesy of:

Krebs on Security, February 7, 2017


On Monday of last week, the U.S. House of Representatives approved a bill that would update the nation’s email surveillance laws so that federal investigators are required to obtain a court-ordered warrant for access to older stored emails. Under the current law, U.S. authorities can legally obtain stored emails older than 180 days using only a subpoena issued by a prosecutor or FBI agent, without the approval of a judge.

The House passed the Email Privacy Act (HR 387) by a voice vote. The bill amends the Electronic Communications Privacy Act (ECPA), a 1986 statute that was originally designed to protect Americans from Big Brother and from government overreach. Unfortunately, the law is now so outdated that it actually provides legal cover for the very sort of overreach it was designed to prevent.

Online messaging was something of a novelty when lawmakers were crafting ECPA, which gave email moving over the network essentially the same protection as a phone call or postal letter. In short, it required the government to obtain a court-approved warrant to gain access to that information.

But the U.S. Justice Department wanted different treatment for stored electronic communications. Congress struck a compromise, decreeing that after 180 days email would no longer be protected by the warrant standard and instead would be available to the government with an administrative subpoena and without requiring the approval of a judge.

HR 387’s sponsor Kevin Yoder (R-Kan.) explained in a speech on the House floor Monday that back when the bill was passed, hardly anybody stored their personal correspondence “in the cloud.” He said the thinking at the time was that “if an individual was leaving an email on a third-party server it was akin to that person leaving their paper mail in a garbage can at the end of their driveway.”

“Thus, that individual had no reasonable expectation of privacy in regards to that email under the Fourth Amendment,” Yoder said.

Lee Tien, a senior staff attorney with the Electronic Frontier Foundation (EFF), said a simple subpoena also can get law enforcement the following information about communications records (in addition to the content of emails stored at a service provider for more than 180 days):



  • local and long distance telephone connection records, or records of session times and durations;
  • length of service (including start date) and types of service utilized;
  • telephone or instrument number or other subscriber number or identity, including any temporarily assigned network address; and
  • means and source of payment for such service (including any credit card or bank account number), of a subscriber to or customer of such service when the governmental entity uses an administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury or trial subpoena.

The Email Privacy Act does not force investigators to jump through any additional hoops for accessing so-called “metadata” messaging information about stored communications, such as the Internet address or email address of a message sender. Under ECPA, the “transactional” data associated with communications — such as dialing information showing what numbers you are calling — was treated as less sensitive. ECPA allows the government to use something less than a warrant to obtain this routing and signaling information.

The rules are slightly different in California, thanks to the passage of CalECPA, a law that went into effect in 2016. CalECPA not only requires California government entities to obtain a search warrant before obtaining or accessing electronic information, it also requires a warrant for metadata.

Activists who’ve championed ECPA reform for years are cheering the House vote, but some are concerned that the bill may once again get hung up in the Senate. Last year, the House passed the bill in a unanimous 419-0 vote, but the measure stalled in the Senate.

The EFF’s Tien said he’s worried that the bill heading to the Senate may not have the support of the Trump administration, which could hinder its chances in a Republican-controlled chamber.

“The Senate is a very different story, and it was a different story last year when Democrats had more votes,” Tien said.

Whether the bill even gets considered by the Senate at all is bound to be an issue again this year.

“I feel a little wounded because it’s been a hard fight,” Tien said. “It hasn’t been an easy fight to get this far.”

The U.S. government is not in the habit of publishing data about subpoenas it has requested and received, but several companies that are frequently on the receiving end of such requests do release aggregate numbers. For example, Apple, Facebook, Google, Microsoft and Twitter all publish transparency reports. They’re worth a read.

For a primer on protecting your communications from prying eyes and some tools to help preserve your privacy, check out the EFF’s Surveillance Self-Defense guide.

Protect Your Phone from Secret Spyware


Reprinted from ITG’s January issue of Tech News

By Kim Komando, © 2017 Tulsa World syndicated under contract with NewsEdge.

For millions of Americans, the smartphone has become one of the most important tools in their lives. Your phone tracks your movements, absorbs emails and text messages and notifies you of every birthday and appointment. Every second, information floods your smartphone. Unless you switch them off, your apps are working round the clock, obeying your every setting and preference.

All day long your phone is churning private data through its circuitry, and if criminals can break into your phone, they can steal all kinds of things, from banking details to compromising photos and video. These thieves don’t have to steal your actual phone. They may not even be located in the same country.

How do they do it? Spyware, which is kind of like a computer virus, except instead of messing up your hard drive, it enables strangers to snoop on you. Skilled hackers can install spyware on your phone without you even realizing it.

Once it’s on your phone, spyware can record everything you do, from sending text messages to shooting video of your family reunion. Hackers may break into private accounts, commandeer email and even blackmail their victims.

Keep in mind, “spyware” is a vague and multi-faceted term, and it’s not always malevolent. Some parents install a kind of spyware on their kids’ smartphones in order to keep track of their activities. Managers sometimes keep tabs on their employees by watching what they do on their company computers. I don’t endorse this behavior, and I think there are much healthier ways of watching kids and employees, but this kind of spyware isn’t intended to ruin your life.

Don’t click strange links. The easiest way to avoid contracting spyware is this: Don’t click strange links. If you receive an email from a suspicious stranger, don’t open it. If you receive an email or text from someone you do know but the message seems peculiar, contact your friend by phone or social media to see whether the message was intended.

This might sound obvious, but sometimes our curiosity gets the better of us. When a link appears, some of us struggle to avoid clicking it, just because we want to know where it leads. Other times, an authentic-looking email is actually a phishing scam in disguise. If you’re the least bit doubtful, don’t click.

Lock your phone. Some types of phones are more susceptible to spyware than others. (More about this below). But owners can dramatically reduce their chances of infection by locking their phones. A simple PIN will deter most hackers.

Also avoid lending your phone to strangers. Yes, some people honestly forget their chargers at home and urgently need to call their spouses. But a clever con artist only needs your unlocked phone for a minute to cause a lot of damage. In this case, being a Good Samaritan is risky business.

Androids and spyware. The bad news is this: Android phones are particularly vulnerable to spyware. It’s simple to install a spying app on any Android gadget, but only once you get past the lock screen.

To protect yourself, make sure you have the lock screen turned on and no one knows the PIN, password or pattern. You can make it even harder by blocking the installation of third-party apps. To do this, go to Settings; Security and uncheck the Unknown Sources option. It won’t stop a really knowledgeable snoop, but it could stump less-savvy ones.

iPhones and spyware. Apple users can get pretty smarmy about their products. If you own an iPhone, you probably already know that your phone is far safer from malware than Android gadgets. A recent “Forbes” study showed that nearly 97 percent of all known malware threats only affect Android devices.

That’s good news for Mac addicts, but it can also make owners overconfident. Last August, Apple had to release an extremely critical iOS update to patch a security threat. Before the update, an attacker could take over and fully control an iPhone remotely just by clicking the right link.

Investigators learned that this kind of attack was called Trident, and the spyware was called Pegasus. The latest iOS was partly designed to prevent these exploits from damaging your iPhone. This is just one reason you should keep your iPhone up to date.

To get the latest version of iOS, go to Settings; General; Software Update. Your device will then automatically check for the latest version of the Apple operating system.

Secondhand smartphones. Beware the secondhand smartphone. Sometimes they’re handy, because a jail-broken phone is cheap and disposable and may work with many service providers. But they may also come with spyware already installed.

Buying a secondhand phone is a common practice, especially if you’re traveling in a foreign country or you’re between contracts and just need something for the short-term. If you have any suspicions about your phone, your best tactic is to reset factory settings. It’s inconvenient, but it might save you a lot of heartache down the line.

Ransomware is Real. Is Your Business Safe? ITG Can be Your Dedicated Crisis Management Team.


ITG has a solution that will provide client companies with the security to recover from a ransomware attack.

Reprinted from ITG’s January issue of Tech News

ITG provides an enterprise-grade File Sync & Share (FSS) solution built for the needs of today’s business users. It provides the security, mobility and control your organization needs to feel confident when accessing, sharing and/or collaborating with files and data among team members, both internal and external to the organization. Most importantly, our solution provides you the opportunity to restore your files to the most recent good version if your business is faced with an actual ransomware attack, which could take place at any time and with no notice.

With ITG as your service provider, you can reap the benefits of a proven FSS solution built on three pillars of unprecedented strength:

Mobility & Accessibility
Fully exploit the power of your smart devices, transforming tablets and smartphones into reliable alternatives to carrying a laptop. You will have anywhere, anytime access to the most up-to-the-minute business content, which empowers good decisions.

Business Collaboration
Our FSS solution is flexible and open and designed for businesses of all sizes, where control and management of cloud services is now critical to business operations:

  • You can provide secure access for employees, clients and other third party resources to work together on projects.
  • Take collaboration to a whole new level with real-time access and editing capabilities.

Enterprise Grade Security
Critical business content needs to be secure at all times.

  • ITG’s FSS solution is an enterprise-grade cloud-based service with 99.9% uptime and stringent security certifications, including HIPAA, SSAE-16 and SOC1 Type II compliance.
  • We adhere to all local regulations for data.

If you have been hit by ransomware, here is what to do:
In the event a computer is infected with a ransomware trojan such as CryptoLocker, we recommend you immediately disconnect the affected computer(s) from your network and attempt to remove the malware from the affected computer(s). The safest remediation may be to re-format the affected computer to ensure all remnants of the CryptoLocker trojan have been removed.

If you currently use ITG’s FSS solution and your workplace files and folders were affected by CryptoLocker, our data-retention and versioning control will allow you to revert your projects, folder, and files to a previous time before they became infected.

For more information on how to protect your business against the real threat of Ransomware, contact ITG to schedule a demo today!

Visit our website, www.itgcorporporation.com, or contact us at 518.479.3881 or info@itgcorporation.com.

Ransomware: A cyber threat every organization must fight


Use These Five Backup and Recovery Best Practices to Protect Against Ransomware

Reprinted from ITG’s January issue of Tech News

Analysts: Robert Rhame, Roberta J. Witty; June 8, 2016

Ransomware is on the rise, and its perpetrators are effectively evading countermeasures. I&O and business continuity management leaders should plan for the inevitable ransomware incident, whether limited or widespread.

Key Challenges

  • Incumbent antivirus prevention techniques cannot be relied upon to detect and stop all ransomware.
  • A single infected client can encrypt every file share it has access to, potentially including cloud storage locations.
  • Once files are encrypted, organizations have two choices: restore from a backup or pay up.
  • Ransomware is generating huge revenue for criminals and it should be expected that these attacks will intensify in volume and sophistication.


  1. Ensure that your organization has a single dedicated crisis management team.
  2. Implement an enterprise endpoint backup product to protect user data on laptops and workstations.
  3. Build a list of storage locations that users can connect to that are inherently vulnerable, such as file shares.
  4. Evaluate the potential business impact of data being encrypted due to a ransomware attack, and adjust recovery point objectives (RPOs) to more frequently back up these computer systems.
  5. Align with the information security, IT disaster recovery and network teams to develop a unified incident response that focuses on resiliency, not only prevention.


Users are only a click away from a drive-by download of malware from a compromised web page, or [the] launch of a trojan attachment from a ransomware spam campaign. The rapid-release nature of the malware underground means that antivirus vendors are playing a game of catch-up. The ransomware authors only have to be successful in bypassing defenses once, and they change their tactics constantly in order to do so. Organizations must assume accidents will happen, and that their data will be held for ransom.

Ransomware is a form of malware where files are encrypted and then a bitcoin ransom is demanded in return for the decryption key. There are two types of attack mechanisms for ransomware:

  1. In the more common scenario, an end user is duped into clicking an attachment or visits the wrong web page resulting in his/her laptop or workstation and all connected file shares being encrypted.
  2. The less common scenario to date is a targeted approach where hackers get inside the organization and then use encryption of data as a tool to force payment.

So far, most ransomware authors prefer to cash out, so they immediately and prominently inform the victim that files have been encrypted. Some might use threats or scare tactics—such as setting a deadline after which the data will be permanently lost—encouraging a sense of urgency and keeping the victim off balance. Some ransomware may even use tactics to try to avoid detection long enough that backup retention expires before demanding a ransom.

Your first impulse might be to increase backup retention, but, on reflection, it is hard to imagine having to restore a backup that is older than 90 or 120 days. Instead of making these kinds of blanket changes, it is important for organizations to first understand what type of data storage is typically affected by a ransomware attack.

Typical Data Storage Affected

In most cases, the initial ransomware attack occurs on a user’s laptop or workstation. Therefore, locally stored data in files and folders, file shares, cloud storage via gateways, as well as any mapped network drives, is inherently vulnerable.

Data Affected Because of Replication

Enterprise file synchronization and sharing (EFSS) in and of itself is not vulnerable since an agent handles the communication with the on-site or in-the-cloud synch and share server. In this case, there is no mount point for the ransomware to traverse; however, the replication mechanism will replicate changes made locally as part of the functionality, thereby replicating the encrypted files (and, possibly in the future, also malware) to the shared directories. EFSS typically has versioning capabilities, but not bulk restore. A laptop restored using endpoint backup will replicate the last good versions as a new file change, but there may be scenarios where cleaning up the versions to a known clean state will be desired.
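Two points above combine into one recovery task: EFSS replicates the encrypted files as new versions and offers versioning but no bulk restore, and an attacker who waits long enough can let version retention expire first. The following Python rollback planner is an added example, not ITG’s or Gartner’s code; the version history, the incident time and the retention windows are constructed values, and the server is assumed to keep the current copy of every file while ageing out older versions.

```python
"""Plan a bulk rollback of a versioned sync-and-share store to its last clean state."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Version:
    version_id: str
    modified: datetime  # when the sync agent wrote this version to the server


def prune_expired(history, now, retention_days):
    """Drop versions older than the retention window, as the server itself would.

    Assumption: the current copy of a file is always kept; only older
    versions age out.  Returns a new dict with each file's versions sorted
    oldest to newest.
    """
    cutoff = now - timedelta(days=retention_days)
    pruned = {}
    for path, versions in history.items():
        ordered = sorted(versions, key=lambda v: v.modified)
        pruned[path] = [v for v in ordered[:-1] if v.modified >= cutoff] + ordered[-1:]
    return pruned


def plan_rollback(history, incident_start, now, retention_days):
    """Decide, per file, which version to restore.

    Returns (restore, unrecoverable, untouched): restore maps each affected
    path to the newest version written before the incident; unrecoverable
    lists affected files whose clean versions have already expired; untouched
    lists files the replicator never overwrote after the incident began.
    """
    restore, unrecoverable, untouched = {}, [], []
    for path, ordered in prune_expired(history, now, retention_days).items():
        if not ordered:
            continue
        if ordered[-1].modified < incident_start:
            untouched.append(path)
            continue
        clean = [v for v in ordered if v.modified < incident_start]
        if clean:
            restore[path] = clean[-1].version_id
        else:
            unrecoverable.append(path)
    return restore, unrecoverable, untouched


def sample_scenario():
    """Constructed scenario (not real data): three files, an encryption run
    whose first bad copy reaches the server on day 44, noticed on day 46."""
    day0 = datetime(2017, 1, 1)
    history = {
        "reports/q1.xlsx": [Version("q1-v1", day0 + timedelta(days=1)),
                            Version("q1-v2", day0 + timedelta(days=30)),
                            Version("q1-v3", day0 + timedelta(days=45))],
        "notes.txt": [Version("notes-v1", day0 + timedelta(days=2))],
        "legacy/contract.pdf": [Version("contract-v1", day0 + timedelta(days=1)),
                                Version("contract-v2", day0 + timedelta(days=45))],
    }
    return history, day0 + timedelta(days=44), day0 + timedelta(days=46)


if __name__ == "__main__":
    history, incident, now = sample_scenario()
    # With 30 days of retention the contract's only clean version has already
    # aged out; with 90 days every affected file can be rolled back.
    for retention in (30, 90):
        restore, lost, untouched = plan_rollback(history, incident, now, retention)
        print(f"retention {retention}d: restore={restore} "
              f"unrecoverable={lost} untouched={untouched}")
```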

Not Vulnerable Today

SharePoint or any web application where end users’ access is through an authenticated web browser session is not vulnerable to a ransomware attack yet. As the countermeasures evolve, ransomware attackers might begin including a remote access trojan (RAT) in the malware in order to manually remote control the infected host and overcome limitations of an automated attack. A similar tactic was used with banking trojans when countermeasures began to reduce effectiveness of the automated approach. This is a very manual process for the attackers, requires a connection to the infected host and does not scale.

Follow the five backup and recovery best practices documented in this research to ensure that you are as protected as possible from ransomware attacks.


Step 1: Form a Single Crisis Management Team

An effective response to the ransomware threat must be a holistic and multilevel one — reducing the likelihood of a successful attack to the bare minimum, while simultaneously ensuring the ability to recover from an unprevented attack. IT operations and IT disaster recovery (IT DR) must work with their counterparts in information security to develop an integrated response and recovery approach, including a framework for responding to all new threats and a continuously updated risk assessment of the IT infrastructure vulnerable to a ransomware attack.

Step 2: Implement Endpoint Backup

Without a backup, years of locally stored files and folders on a laptop/workstation would be lost; that is, unless the organization wants to pay to release them, fueling the ransomware economy. Even without ransomware, complications and costs from potential disclosure resulting from loss, theft and hard drive crashes can quickly help build a compelling case for deploying laptop and workstation backup. Therefore, implementing endpoint backup solutions will ensure you have a safe copy of your data that can be restored once faced with the threat.

Depending on the endpoint backup product’s capabilities, backup schedules can be configured to run at intervals of several times an hour, several times a day, or during idle laptop/workstation cycles. The decision must be made as to what timeframe is an acceptable loss for the organization based on recovery requirements.

Endpoint backup can provide two key functions:

  1. Laptop or workstation restore — after the ransomware infection has been remediated, all files up to the last backup can be restored.
  2. EFSS upstream replication — once the restore is completed, the administrator can reconnect the user to his/her synch and share application. The restored files will synchronize from the local EFSS folder to the user’s directories, thereby replacing the encrypted files.

Endpoint backup solutions can be configured to back up mapped drives (such as home folders or file shares) to accelerate returning a single employee back to production, but they do not replace a centralized solution in the case of an overall storage failure or wider infection.

Justification for the investment in endpoint backup can be calculated using the following metrics: productivity loss per employee for all involved; salaries of each employee involved; time involved to recreate content; and the number of estimated ransomware incidents, accidental deletions, hard drive crashes or laptop losses/thefts.

Refer to “How to Address Three Key Challenges When Considering Endpoint Backup” to learn more about this cost calculation algorithm.

Step 3: Identify Network Storage Locations and Servers Vulnerable to Ransomware Encryption

  1. Enumerate Obviously Vulnerable Storage Locations

The most important task is to revisit RPOs for potentially vulnerable storage locations. Following the laptop or workstation infection, the ransomware traverses all mount points configured in Windows Explorer in an attempt to encrypt everything it finds. A first assessment can be done by talking to the Active Directory and/or PC deployment group to find out what the standard Group Policy Mapped Drives are for each new laptop or workstation image. This task provides an inventory of servers for further investigation and audit for overly permissive inherited permissions.

  2. Don’t Forget the Not-So-Obvious Vulnerable Storage Locations

A single mapped drive could cause unexpected servers to be affected. It is common for database and application administrators to map drives to work with full system privileges at the file system level in order to perform installs, maintenance, upgrades or troubleshooting of the software/applications that they are working on. If an administrator has a drive mapped “persistently” (the box “reconnect at logon” is checked) and his/her workstation gets infected, then data on any mapped drive will also be encrypted. If cross-zone drive mapping is allowed, you must communicate to all privileged users that they should not use persistent mapping, and then disconnect these drives rather than leaving them open for their entire user session.

Step 4: Develop Appropriate RPOs and Backup Cadences for Network Storage and Servers

The next step is to re-examine your organization’s RPOs for appropriateness to the business function. It is likely that file shares are only backed up nightly; therefore, if they are actively used as an ad hoc collaboration system, then a loss could hurt the organization worse than expected because of the greater potential for losing new and modified data. There are two steps to this task:

  1. First, determine how much data loss the organization will accept. While never a comfortable exercise, the reality is that the less data loss the organization is willing to tolerate, the more resources the solution is likely to require.
  2. Second, set the RPOs for each server deemed to be at greater risk to ransomware, and according to organizational requirements based on a data loss time frame that is acceptable to the organization.

The primary goal is to leverage newer backup methodologies to achieve more frequent recovery points. This may mean acquiring new technology, or simply fully deploying capabilities of the existing storage and backup solutions already in place. The goal here is backing up more often.

If available, leverage fast-scan capabilities to back up only changed files or changed block tracking for storage arrays and/or virtual machines (VMs) in order to schedule more frequent backups. This will allow for more frequent backups while requiring fewer resources, thus offering greater protection.

It is advisable to implement less predictable backup times with at least one RPO during the day, when new infections are most likely to occur. Rudimentary time-based encryption/decryption cycles have been observed in some ransomware attacks, most likely to mask the ransomware’s presence for as long as possible.

For selected workloads, tactically implement new technologies that can step backward to recovery points, such as continuous data protection (CDP), hyperconverged integrated systems (HCIS), hypervisor-based replication products, or DR replication that includes change journaling.

There have been a few reports that perpetrators are encrypting backed-up data before triggering the ransomware attack to encrypt production data. The result of this added step in the attack process could mean that the most current backups won’t be of value, and restore will have to be done from older or offline versions.

As an overall defense, Gartner’s best practice for backup is to have at least two copies of your backed-up data geographically dispersed to mitigate against a broad range of natural and man-made disasters. Ideally, at least one copy of the backed-up data is offline and off-site to reduce the impact of accidental or malicious destruction.

Step 5: Create Reporting Notifications for Change Volume Anomalies

For future ransomware attacks, there might not be a ransom demand immediately; therefore, it is imperative that the activity be noticed quickly. Combined with running select backups during the day, reporting on storage anomalies can help identify that an attack has occurred or is actively underway. Implementing such reports includes three tasks:

  1. Create a report in your enterprise backup application that will trigger an alert when a high number of changes occurring on servers results in a sudden and marked increase in storage.
  2. Create reports based on capacity thresholds for devices that use deduplication, such as backup target appliances and HCIS, since unexpected encryption will result in 100% change rate and a large increase in storage consumption.
  3. Examine the reporting capabilities available in your endpoint backup application and EFSS, and implement a storage anomaly report.
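The change-volume report in task 1 and the deduplication-threshold report in task 2 can be expressed as one anomaly check over per-job backup statistics. The following is an added example, not part of the original research: it assumes the backup application can export, per run, the number of files changed, the bytes stored on the target and the dedup ratio achieved (the `BackupRun` shape, the sample runs and the thresholds are constructed here for illustration).

```python
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class BackupRun:
    """One backup job's statistics; a constructed shape, not a real vendor export."""
    server: str
    files_changed: int
    files_total: int
    bytes_stored: int   # bytes that landed on the backup target after dedup
    dedup_ratio: float  # logical bytes / stored bytes, as the appliance reports it


def change_rate(run: BackupRun) -> float:
    return run.files_changed / run.files_total if run.files_total else 0.0


def anomaly_reasons(history, current, rate_factor=5.0, min_rate=0.25, dedup_floor=1.5):
    """Explain why `current` looks like mass encryption relative to recent `history`.
    Empty list = normal change pattern. Thresholds are illustrative assumptions."""
    if len(history) < 3:
        return ["insufficient history to baseline"]
    reasons = []
    typical_rate = max(median(change_rate(r) for r in history), 0.01)
    typical_bytes = max(median(r.bytes_stored for r in history), 1)
    typical_dedup = median(r.dedup_ratio for r in history)
    rate = change_rate(current)
    # Task 1 above: many changed files together with a marked jump in stored volume.
    if rate >= min_rate and rate > rate_factor * typical_rate:
        reasons.append(f"file change rate {rate:.0%} vs typical {typical_rate:.0%}")
    if current.bytes_stored > rate_factor * typical_bytes:
        reasons.append(f"stored {current.bytes_stored} bytes vs typical {typical_bytes}")
    # Task 2 above: ciphertext is incompressible and matches no existing blocks, so the
    # dedup ratio collapses toward 1.0 even on a target that normally achieves 10:1.
    if current.dedup_ratio < dedup_floor <= typical_dedup:
        reasons.append(f"dedup ratio {current.dedup_ratio:.2f} vs typical {typical_dedup:.2f}")
    return reasons


# Constructed week of nightly runs for one file server: roughly 1-2% of files change
# each day and ordinary office documents dedup at about 10:1.
GB = 1024 ** 3
HISTORY = [BackupRun("FS01", c, 200_000, b * GB, d) for c, b, d in
           [(2_100, 3, 9.8), (2_600, 4, 10.3), (1_900, 3, 9.5), (3_200, 5, 10.9),
            (2_400, 4, 9.9), (2_000, 3, 10.1), (2_700, 4, 10.4)]]
NORMAL_RUN = BackupRun("FS01", 2_900, 200_000, 4 * GB, 10.0)
# Every file rewritten as ciphertext: near-100% change rate and no dedup savings.
ENCRYPTED_RUN = BackupRun("FS01", 197_500, 200_000, 410 * GB, 1.02)

if __name__ == "__main__":
    for name, run in (("normal", NORMAL_RUN), ("encrypted", ENCRYPTED_RUN)):
        print(name, anomaly_reasons(HISTORY, run) or ["no anomaly"])
```

Because the dedup signal fires independently of the file-count signal, it still catches the slower, time-based encryption cycles mentioned under Step 4, where the daily change rate may stay modest.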

Additional research contribution and review by Pushan Rinnen and Dave Russell.

Yahoo data breach: What you can do

Last night, Yahoo announced that yet another data breach has happened involving more than one billion of its user accounts.

As breaches seem to be happening more and more these days, we can be forgiven for allowing data breach news to fall on deaf ears, but we need to get this in perspective …

This data breach supposedly happened in 2013 when, according to Internet Live Stats, internet users worldwide amounted to just over 2.7 billion. Yahoo states that over one billion user accounts were compromised; that’s over a third of the total internet users at the time.

For perspective, just imagine that, as you’re walking down the street, every third person you see has had their details stolen, and those details are now accessible on the internet.

So what can you do about the breach? NOTHING! Sorry, but it’s true, there is nothing you can do about that particular data breach but you can try and limit any further damage as a result of your data going missing.

Whenever headlines like this make the news, normally the first thing you read is “change your passwords”. It’s becoming the “go to” statement, but it’s a very valid point and one that should be your default first move for any account that’s involved in a data breach.


When your data is stolen, purchased, hacked or traded, your details may be used to gain access to other accounts or logins. Changing those compromised passwords and any other account that may be using the same passwords could limit access for the cybercriminals.

If you haven’t already, you also need to think about any secret questions and answers that were used on the account. Be overcautious about emails or communications arriving out of the blue, especially any that require you to validate details or hand over further information (and always take a few minutes to make separate enquiries before giving up more private data).

Now might also be a good time to get a password manager, if you’re not already using one. There are many options – both free and paid for – that allow you to generate unique passwords for every site you visit, as well as store all your existing ones and evaluate your current passwords to see how good they are.

Lastly, consider two-factor or two-step verification for accounts that allow it. A really good site to see if your service uses or allows 2FA is Two Factor Auth. 2FA offers you an extra level of protection above your username and password; it’s very easy to use and will stop others accessing your details without your permission.

ITG’s End-Point Management provides BI solutions to move your company into 2017


When an organization grows, so do its IT assets, expanding beyond a couple of servers, workstations, and network devices, otherwise known as endpoints. What once only required simple IT management — putting PC names, printers, network subnets, antivirus definition dates, and installed applications into a few spreadsheets — soon becomes overwhelming. Your organization needs a solution that automatically tracks all of its endpoints.

ITG has an endpoint management solution that will provide you with intelligent solutions allowing you to define business-specific server requirements, help you meet security compliance regulations and manage mobile devices. Let us help you leverage all that endpoint management can provide in analyzing data to move your company soundly forward into the new year.

Visit our website, www.itgcorporporation.com, or contact us at 518.479.3881 or info@itgcorporation.com