Tuesday 3rd June 2014

The National Crime Agency is warning users they have 'two weeks' to protect themselves against a powerful cyber-attack (read the full article here):

Two pieces of malware, known as Gameover Zeus and CryptoLocker, are at the centre of the alert.

The Challenge:

The malware typically infects computers via attachments or links in emails. If a user opens the attachment or clicks the link, Gameover Zeus silently monitors activity with the intent of capturing private information, including online banking credentials; CryptoLocker, which is delivered by the same botnet, encrypts the victim's files and demands payment for the key.

The emails can look very genuine and could appear to come from your bank, building society, or official government departments and may purport to carry invoices or voice messages.

These emails are sent by the computers of other, already infected victims: each compromised machine becomes part of the botnet and is used to spam the next round of victims, without its owner's knowledge.

US-CERT has issued an alert (TA14-150A) describing the threat and the behaviour of this malware. The alert also links to a technical analysis of the malware and its Command and Control activity - click here to read the full alert.

We want to help both internet users and businesses be aware of this and provide some pointers on how to take action to protect themselves.

Here are our 10 steps to addressing the problem:

1 - User Awareness

Beware unexpected email, in particular mail that claims to come from high street banks, building societies and government departments.

Do not click on any links or open attachments unless you are certain they are authentic. Genuine banks, building societies and government organisations will never ask you for credentials by email; treat any unexpected attachment, however plausible the sender, as suspect.

If in doubt forward the email to your support manager or designated security contact.  You can also report incidents via the UK's Action Fraud website by clicking here.

2 - Check technology settings

Ensure that all Windows updates are installed and that automatic updates are switched on.

If you think a computer has been compromised, disconnect it from the internet (wired or wireless) and seek guidance from IT. If home based, disconnect from the web and conduct an anti-virus scan.

If your organization employs Proofpoint technologies make sure you have enabled Phishing Protection. Click here to find out more

Don't let the browser or online services store your banking passwords, and ensure that all data is backed up to storage that is not permanently connected to the machine: CryptoLocker encrypts files on mapped network drives and attached USB disks as well as the local disk, so a backup that is always online can be encrypted along with the originals.

You can visit Getsafeonline here for more protection measure tips.

In the next two weeks, we advise:

3 - Enable the advanced features on your intrusion detection system (IDS) - click here to find out more.

4 - Check Firewall rules and explore the capabilities of Next Generation Firewalls by clicking here.

5 - Enable or deploy non-signature based malware detection (Lastline) - click here to find out more about Lastline.

6 - Review and update your response policies and processes.  Look at your incident response plan; review your back up strategy; familiarize yourself with your disaster recovery plan and business continuity plan.

A good starting point for guidance is the '10 Steps to Cyber Security' published by CESG in conjunction with BIS, CPNI and the Cabinet Office, which can be found here.

7 - For removal of the problem on corporate networks; isolate affected ports for remediation using Network Access Control - click here to find out more.

Also you may wish to look into:

Blocking the problem at its source with DNS protection. Intelligence on the Command and Control (C&C) domains and botnets has been gathered, and this information enables enterprise DDI solutions to 'blackhole' traffic to the known malicious domains. Whilst this will not stop the initial infection, it makes it harder for an infected machine to fetch additional payloads (such as CryptoLocker) or to report stolen data, provided the machine resolves names through your resolvers. Note the limits: Gameover Zeus relies primarily on peer-to-peer C&C and falls back to generated domains only when its peers are unreachable, so DNS blocking is a supporting control, not a complete one. For VitalQIP users, see here.

For Infoblox users, find out more about our 30 day free DNS Firewall trial here.

Increasingly malware is using DNS services as a channel for C&C to avoid detection. What was part of core network services is now the front line in the battle against malicious network activity - you can find out more here.

8 - Leverage your Security Information and Event Management (SIEM) correlation reporting with a threat intelligence feed to monitor and analyse your network and systems, so that hosts resolving or contacting known C&C infrastructure are surfaced as potential breaches. For further information on threat intelligence correlation click here.
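As an added illustration of steps 7 and 8 together (this is example code written for this page, not a VitalQIP, Infoblox or Accumuli product feature), the script below takes a small C&C indicator feed, correlates it against DNS query-log lines to find internal hosts that tried to resolve those domains, and renders the same feed as a BIND Response Policy Zone (RPZ) that answers NXDOMAIN for them. The indicator domains and the log lines are constructed for the example using reserved .example names; the log format follows BIND 9 query logging, and the zone origin rpz.local is an assumption.

```python
"""Correlate DNS query logs with a C&C indicator feed and emit an RPZ zone.

Example code for this page (not vendor code). Indicators and log lines
below are constructed; the names are reserved .example names, not real
Gameover Zeus infrastructure.
"""
import re
from collections import defaultdict
from typing import Iterable, Optional

# Constructed indicator feed, as a threat-intelligence feed would supply it.
CNC_INDICATORS = [
    "cc1.badbot.example",
    "updates.badbot.example",
    "dropzone.example",
]

# Constructed query-log lines in the style of BIND 9's "queries" category.
# 10.1.2.45 resolves three indicators; 10.1.2.77 queries a look-alike name
# that must NOT match (suffix matching has to respect the label boundary).
SAMPLE_QUERY_LOG = """\
03-Jun-2014 09:12:01.001 queries: info: client 10.1.2.30#52311: query: www.bbc.co.uk IN A + (10.1.0.2)
03-Jun-2014 09:12:03.414 queries: info: client 10.1.2.45#61002: query: cc1.badbot.example IN A + (10.1.0.2)
03-Jun-2014 09:12:03.690 queries: info: client 10.1.2.45#61003: query: updates.badbot.example IN A + (10.1.0.2)
03-Jun-2014 09:12:09.120 queries: info: client 10.1.2.45#61004: query: x7.dropzone.example IN A + (10.1.0.2)
03-Jun-2014 09:12:10.555 queries: info: client 10.1.2.30#52312: query: mail.example.org IN MX + (10.1.0.2)
03-Jun-2014 09:13:00.002 queries: info: client 10.1.2.77#40011: query: notdropzone.example IN A + (10.1.0.2)
"""

# Matches both the classic "client IP#port: query:" form and the newer
# "client @0x... IP#port (name): query:" form of BIND's query log.
QUERY_RE = re.compile(
    r"client (?:@\S+ )?(?P<src>\d{1,3}(?:\.\d{1,3}){3})#\d+"
    r"(?: \([^)]*\))?: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalise(name: str) -> str:
    """Lower-case a DNS name and drop the trailing dot so comparisons are stable."""
    return name.rstrip(".").lower()


def matches_indicator(qname: str, indicators: Iterable[str]) -> Optional[str]:
    """Return the indicator that qname equals or is a subdomain of, else None.

    The '.' prefix in the endswith() check is what stops notdropzone.example
    from matching dropzone.example."""
    q = normalise(qname)
    for ind in indicators:
        i = normalise(ind)
        if q == i or q.endswith("." + i):
            return i
    return None


def find_callbacks(log_text: str, indicators: Iterable[str]) -> dict:
    """Map each client IP that resolved an indicator to the sorted indicators it hit.

    Lines that do not parse as queries (startup messages, malformed text) are skipped."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        ind = matches_indicator(m.group("qname"), indicators)
        if ind:
            hits[m.group("src")].add(ind)
    return {src: sorted(inds) for src, inds in hits.items()}


def build_rpz_zone(indicators: Iterable[str], origin: str = "rpz.local",
                   serial: int = 2014060301) -> str:
    """Render an RPZ zone in which each indicator and all its subdomains get NXDOMAIN.

    In RPZ, a record of 'CNAME .' means 'answer NXDOMAIN'. The wildcard row
    covers subdomains, so hosts under a blocked base name are caught too.
    Load it in named.conf with:  response-policy { zone "rpz.local"; };"""
    lines = [
        f"$ORIGIN {origin}.",
        "$TTL 300",
        f"@ IN SOA ns.{origin}. hostmaster.{origin}. {serial} 3600 900 604800 300",
        f"@ IN NS ns.{origin}.",
    ]
    for ind in sorted({normalise(i) for i in indicators}):
        lines.append(f"{ind} CNAME .")
        lines.append(f"*.{ind} CNAME .")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for src, inds in find_callbacks(SAMPLE_QUERY_LOG, CNC_INDICATORS).items():
        print(f"ALERT {src} resolved C&C indicators: {', '.join(inds)}")
    print(build_rpz_zone(CNC_INDICATORS))
```

Run against a real resolver's query log, the first output is the list of internal hosts to isolate under step 7; the zone file is what a DNS firewall such as RPZ loads so that those names stop resolving for everyone else. Keep the feed's serial incrementing on each refresh, or secondary resolvers will not pick up the new zone.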

9 - Consider outsourcing 24/7 monitoring and management of your security solutions and SIEM alerting. For more information on Accumuli's Managed Services click here.

10 - Call us if you have any further concerns or queries on +44 (0)1256 303 700
