Session 1: You can take the sting out of ransomware
Presenter: Michael Corby, CGI Technologies, CISSP (apparently one of the creators of the CISSP cert and a founding member of (ISC)2)
Points of interest:
"Stop wagging your finger", start solving the problem - "decriminalize behaviors"
This was extremely relevant and unfortunately too true in many institutions and businesses. The point here was that many of our users are more fearful of reporting an incident than of the incident itself (the "I'll get fired if I report this" mentality). It is essential to give every user the tools and the motivation so that they feel it is better to report a security incident than to hide one. You risk company assets (such as the network) if employees fear what will happen when they report a problem. Telling them that visiting a malware site is a "fireable" offense will not help when someone gets malware on their computer and ignores it for fear of being fired.
If updates and upgrades are not going to happen soon, then it is time to change the way you are spending your money. Lost time due to malware IS lost money. Not investing in the proper upgrades and updates will bankrupt a business. If there is a policy in place that requires an update to be vetted before it is rolled out, why is that policy there, and is it worth being hit by WannaCry ransomware because you were still testing the update? I bring this up as an example because that is exactly what happened at my institution. The change procedure did not allow user-initiated upgrades, and the upgrade that would have protected desktops from the WannaCry ransomware was never rolled out because it hadn't been properly vetted yet. Needless to say, the day after the outbreak the update was rolled out to all devices. The moral is to put maintenance and testing in the project plan to begin with.
Ransomware is like rain
The point was made that ransomware is like rain. There are three possible ways to avoid getting wet: stop the rain, go somewhere else, or use an umbrella. Of the three, the most cost-effective and the one most likely to succeed is the last. This amounts to protecting yourself by putting appropriate measures in place (such as backups) so that when you get "wet", or hit by ransomware, you have a way to recover.
Assuming you have followed the advice above, your recovery process should be as follows. First and foremost, take immediate action by disconnecting and isolating the infected device. There should be a response procedure that includes a dedicated response team. The next steps are a little fuzzier, because they depend on what direction you wish to take. You may wish to contact law enforcement either before going any further (in case they wish to perform forensics on the system) or once you are back up and running, depending on the cost of downtime and whether you can substitute another machine for the infected one.
Either once the law enforcement agency has given you the go-ahead to restore, or if you have another device to restore to, restore from a clean backup. Whatever you do, DO NOT pay the ransom, for a number of reasons. Primarily, you are not guaranteed that your data will be decrypted; you are dealing with extortionists. The FBI suggests not paying the ransom. If you do pay the ransom and do get a working decryption key, you do not know that there is not a backdoor on your system that can be used to extort money from you again. If you do contact law enforcement, know that you may lose control of the situation. They will most likely confiscate your physical device, which may mean losing any of your data on that device.
Some preventative measures that can help
I might add that the original of the cartoon at the beginning of this article was used by this presenter.
Takeaway: I thought this was an excellent presentation, especially the ransomware = rain comparison.
Session 2 – All locked up and nowhere to go – Kaspersky
I didn't take notes on this one, for two reasons:
The white paper by the same name is an excellent start on this topic.
Session 3 – Cryptography (ASIA)
RSA-based electro-optical secure cryptosystem
Takeaway: Not only is cryptography changing in leaps and bounds, it can be really cool as well!
Session 4 – How to teach your organization to think strategically about security
I thought this session was going to be different, but boring different – I was wrong. The speaker was from the Gartner Group. She was excellent. She spoke at length about the various types of creative problem solving that help us "think outside the box", so to speak.
She used this graphic in her introduction slide:
The types are the Socratic Method, the Debate Method, and using Bloom's Taxonomy.
Debate method: formulate a hypothesis, hear opposing views, rebut opposing views, repeat...
I found it interesting that she was basically encouraging leaders to lead by being nurturers, not bosses. Many institutions have an atmosphere where the head of a group is a boss who does not encourage his/her team to make strategic planning decisions using such methods, but rather hands down what will be and commands. The speaker also encouraged businesses to adopt the policy of the 5/7 whys. In this case, when one is told "We don't do it that way", the response is always "Why?" This is repeated many times until the person who was originally so adamant begins to question why they are.
Takeaway: There are leaders and there are bosses. Leaders help their teams think about solutions and then make decisions; bosses make decisions and tell their teams to carry them out.
And that was just the first day of a two-day conference (the second day was not nearly as good).