<?xml version="1.0" encoding="utf-8"?><rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title>Ivanti Blog: Posts by </title><description /><language>en</language><atom:link rel="self" href="https://www.ivanti.com/blog/authors/phil-richards/rss" /><link>https://www.ivanti.com/blog/authors/phil-richards</link><item><guid isPermaLink="false">4ceaf306-c83c-4022-b4d3-a9c30b1ec4c3</guid><link>https://www.ivanti.com/blog/why-we-re-embracing-password-3-0-and-you-should-too</link><atom:author><atom:name>Phil Richards</atom:name><atom:uri>https://www.ivanti.com/blog/authors/phil-richards</atom:uri></atom:author><category>Security</category><title>Why We’re Embracing Password 3.0…And You Should Too</title><description>&lt;p&gt;Password 1.0 was your cat’s name and your birth year and you used it across every endpoint for a decade. We see you, Sprinkles1979.&lt;/p&gt;


&lt;p&gt;Password 2.0 was SSO and MFA and WTF because literally everyone used &lt;em&gt;Facebook&lt;/em&gt; for authentication. We all saw how well &lt;em&gt;that&lt;/em&gt; went.&lt;/p&gt;


&lt;p&gt;&lt;strong&gt;It’s time for Password 3.0&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;We’ve always operated at the leading edge of innovation, and this is no exception. While the industry gets bogged down in sending texts to confirm authorization, we’re moving forward.&lt;/p&gt;


&lt;p&gt;To be precise, we’re moving back to move forward.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;em&gt;Passwords are back.&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;


&lt;p&gt;And we’re going to give you what you’ve always wanted:&lt;/p&gt;

&lt;p&gt;When you forget your password, we’ll tell you which letter it started with, whether or not it’s capitalized, and whether this is the version that requires a special character.&lt;/p&gt;


&lt;p&gt;We know you have different versions for different websites and it’s SO frustrating when you can’t remember which one you used, and then you have to start all over again.&lt;/p&gt;


&lt;p&gt;We call it the Authentication Framework, or AF for short.&lt;/p&gt;

&lt;p&gt;So instead of “Your password is incorrect,” you’ll see &lt;em&gt;exactly&lt;/em&gt; what you need to do to get it right without locking yourself out.&lt;/p&gt;


&lt;p&gt;Because when we’re locked out, we can’t do what we do best.&lt;/p&gt;


&lt;p&gt;The new Authentication Framework launches today. Join us on social to tell us you’re ready to LOVE passwords with hashtag #PasswordsForever.&lt;/p&gt;


&lt;p&gt;.&lt;/p&gt;



&lt;p&gt;.&lt;/p&gt;



&lt;p&gt;.&lt;/p&gt;



&lt;p&gt;.&lt;/p&gt;


&lt;p&gt;….or maybe you could use the hashtag #AF. Not for Authentication Framework, but for April Fool’s.&lt;/p&gt;


&lt;p&gt;&lt;em&gt;Phew.&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;We’re sweating just TYPING the previous paragraphs. Can you imagine the chaos and hacking?!&lt;/p&gt;


&lt;p&gt;It wouldn’t even be hacking. It would be gifting. You would be gifting your valuable information to anyone who was even mildly curious.&lt;/p&gt;


&lt;p&gt;Plus, you’d still have to deal with remembering, protecting and resetting passwords and jumping through complex authentication hoops.&lt;/p&gt;


&lt;p&gt;Of course, Facebook SSO – and a lot of SSO and MFA solutions – leave a lot to be desired. We’re not settling. At Ivanti, we are delivering a truly &lt;a href="https://www.ivanti.com/company/press-releases/2021/mobile-devices-have-become-the-focal-point-of-ciso-cybersecurity-strategies"&gt;passwordless future&lt;/a&gt; to ensure that the right people have access to the right information at the right time (and &lt;em&gt;no one else does&lt;/em&gt;).&lt;/p&gt;


&lt;p&gt;Our zero trust framework elevates passwordless authentication with &lt;a href="https://www.ivanti.com/blog/imagine-a-passwordless-world-is-it-possible"&gt;zero sign-on and FIDO2&lt;/a&gt; for more secure access with fewer hoops. This framework automatically validates every user, device, app and network, and checks for threats, before greenlighting access — all without requiring a password.&lt;/p&gt;


&lt;p&gt;The goal: #killthepassword.&lt;/p&gt;


&lt;p&gt;Learn more about the passwordless future now.&lt;/p&gt;


&lt;p&gt;Sorry, Sprinkles. We’ll find another way to remember you.&lt;/p&gt;
</description><pubDate>Thu, 01 Apr 2021 14:00:00 Z</pubDate></item><item><guid isPermaLink="false">2dfbaebf-029d-4066-ad7e-d55a2617c28f</guid><link>https://www.ivanti.com/blog/statement-on-qualys-data-breach</link><atom:author><atom:name>Phil Richards</atom:name><atom:uri>https://www.ivanti.com/blog/authors/phil-richards</atom:uri></atom:author><category>Security</category><title>Statement on Qualys Data Breach</title><description>&lt;p&gt;&lt;em&gt;This week Ivanti became aware of a breach impacting Qualys customers. At this time, we are not aware of any impact to Ivanti’s customers or systems due to the &lt;/em&gt;&lt;a href="https://blog.qualys.com/vulnerabilities-threat-research/2021/04/02/qualys-update-on-accellion-fta-security-incident" target="_blank" rel="noopener"&gt;&lt;em&gt;Qualys data breach&lt;/em&gt;&lt;/a&gt;&lt;em&gt;. A previously disclosed vulnerability in Accellion’s File Transfer Appliance has been identified as the vector for the Qualys data breach. We do not use Accellion’s File Transfer Appliance anywhere within Ivanti’s operations. While we do leverage some of Qualys’ capabilities in our FedRAMP environments, there is no indication that the Qualys data breach has impacted our FedRAMP operations or that there was any exposure of client data. We have escalated our monitoring of FedRAMP platforms to ensure the security of all our customers’ data and operations.&lt;/em&gt;&lt;/p&gt;


&lt;p&gt;&lt;em&gt;Should you have further questions or concerns on this matter, please contact your sales representative. We will continue to monitor and communicate any updates that may affect our customers.&lt;/em&gt;&lt;/p&gt;
</description><pubDate>Fri, 05 Mar 2021 23:03:20 Z</pubDate></item><item><guid isPermaLink="false">bc413967-d0cf-4991-a57b-94ef1e3eb7dd</guid><link>https://www.ivanti.com/blog/official-statement-on-solarwinds-and-fireeye-security-incidents</link><atom:author><atom:name>Phil Richards</atom:name><atom:uri>https://www.ivanti.com/blog/authors/phil-richards</atom:uri></atom:author><category>Security</category><title>Official Statement on SolarWinds and FireEye Security Incidents</title><description>&lt;p&gt;Ivanti SolarWinds Security Advisory&lt;/p&gt;

&lt;p&gt;At this time Ivanti, including the &lt;u&gt;&lt;a href="https://www.ivanti.com/company/press-releases/2020/ivanti-acquires-mobileiron-and-pulse-secure" target="_blank" title="https://www.ivanti.com/company/press-releases/2020/ivanti-acquires-mobileiron-and-pulse-secure"&gt;recently acquired&lt;/a&gt;&lt;/u&gt; MobileIron and Pulse Secure, has no known negative impact, compromise, or breach from the recent SolarWinds or FireEye incidents.&lt;/p&gt;

&lt;p&gt;Beginning December 13&lt;sup&gt;th&lt;/sup&gt;, Ivanti’s Information Technology and Security Teams have been actively engaged in ensuring that any SolarWinds products are either shut down &lt;u&gt;&lt;a href="https://cyber.dhs.gov/ed/21-01/" target="_blank" title="https://cyber.dhs.gov/ed/21-01/" rel="noopener"&gt;as recommended&lt;/a&gt;&lt;/u&gt; by the US Department of Homeland Security, or not impacted by these recent critical attacks. Teams continue to monitor environments for Indicators of Compromise (IOCs) and remain abreast of new developments via several intelligence sources. As additional information becomes known, we continue to update our alerts and monitoring, including checking historic logs against any updated IOCs.&lt;/p&gt;

&lt;p&gt;For more information regarding Ivanti’s Security and Compliance programs, see &lt;u&gt;&lt;a href="https://www.ivanti.com/resources/security-compliance" target="_blank" title="https://www.ivanti.com/resources/security-compliance"&gt;https://www.ivanti.com/resources/security-compliance&lt;/a&gt;&lt;/u&gt;.&lt;/p&gt;

&lt;p&gt;Regards,&lt;/p&gt;

&lt;p&gt;Ivanti Information Security Team&lt;/p&gt;

</description><pubDate>Wed, 16 Dec 2020 21:26:05 Z</pubDate></item><item><guid isPermaLink="false">1e023448-b42d-40e5-a965-84aaee864d94</guid><link>https://www.ivanti.com/blog/threat-thursday-haunted-breaches</link><atom:author><atom:name>Phil Richards</atom:name><atom:uri>https://www.ivanti.com/blog/authors/phil-richards</atom:uri></atom:author><category>Security</category><title>Threat Thursday: Haunted by Breaches</title><description>&lt;p&gt;October is National Cybersecurity Awareness Month, a global initiative to promote better security hygiene and raise awareness on the growing problem that is cyber threats. We at Ivanti are proud to support this mission with dedicated IT security events and content.&lt;/p&gt;

&lt;p&gt;Ivanti, along with our partners, held the first-ever &lt;a href="https://www.ivanti.com/webinars" target="_blank"&gt;Cybersecurity Virtual Event&lt;/a&gt; on October 23. Click the link to view seven on-demand sessions from Forrester, CrowdStrike, Morphisec, Kenna Security, Lynx and Ivanti. These are free insights designed to help you better your security posture, understand your level of risk, and work more efficiently.&lt;/p&gt;

&lt;p&gt;I was happy to participate in a panel with fellow CISOs from Sirius Computer Systems and LifeScan, along with the CEO of Secuvant. We shared our knowledge on the current state of IT security, what the future will hold for global IT teams, and the areas you should start investing in to prepare for the next wave of cyberattacks.&lt;/p&gt;

&lt;p&gt;Now onto the real meat of this post. Let’s start with the breaches and threats we're tracking this October.&lt;/p&gt;

&lt;h2&gt;A Hotel Breach that Could Haunt You&lt;/h2&gt;

&lt;p&gt;I couldn’t make it through this post without dropping a Halloween-related pun. But, I might not be too far off. Best Western and other hotels are dealing with the aftermath of a data breach affecting guests at some of their properties.&lt;/p&gt;

&lt;p&gt;According to &lt;a href="https://siliconangle.com/2019/10/21/customer-data-best-western-hotels-exposed-massive-data-breach/" target="_blank" rel="noopener"&gt;siliconangle.com&lt;/a&gt;, hackers exposed a database containing names, DOBs, addresses, phone numbers and more, owned by Best Western International Inc. Among the victims are high ranking U.S. military officials. Researchers point to misconfigured security settings and a complete lack of data security related to the cloud-hosted database.&lt;/p&gt;

&lt;h2&gt;Gamers Beware&lt;/h2&gt;

&lt;p&gt;Remember Collection #1 and Collection #2? These two data dumps made headlines early in 2019. The mastermind behind those breaches is &lt;a href="https://www.forbes.com/sites/daveywinder/2019/09/30/data-breach-warning-for-200-million-android-and-ios-gamers/#28e8e051db35" target="_blank" rel="noopener"&gt;claiming responsibility&lt;/a&gt; for hacking into more than 200 million Zynga accounts belonging to Android and iOS users.&lt;/p&gt;

&lt;p&gt;This again appears to be the work of Gnosticplayers, the same hacker who, according to ZDNet, is shopping the personal data of 932 million users from more than 30 companies.&lt;/p&gt;

&lt;p&gt;Now, Forbes.com reports that Gnosticplayers claims to have accessed the Words With Friends database, stealing names, email addresses, login IDs, hashed (SHA1 with salt) passwords, reset tokens, phone numbers, account IDs and Facebook IDs.&lt;/p&gt;

&lt;p&gt;The breach affects those who registered accounts before September 3, 2019. Forbes reports that players of Draw Something and OMGPOP may also be victims of this breach.&lt;/p&gt;

&lt;h2&gt;Breaches and Brand Loyalty&lt;/h2&gt;

&lt;p&gt;So how likely are you to keep playing Words With Friends or stay at a Best Western International property? The data says these breaches don’t really mean much to the long-term financial health of the organizations who fall victim to these attacks.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.businesswire.com/news/home/20191022005072/en/" target="_blank" rel="noopener"&gt;The Ping Identity 2019 Consumer Survey: Trust and Accountability in the Era of Breaches and Data Misuse&lt;/a&gt;, paints this picture:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;81% of respondents say they would stop engaging with a brand online after a data breach&lt;/li&gt;
	&lt;li&gt;63% expect companies to protect their data&lt;/li&gt;
	&lt;li&gt;27% say a data breach would deter them from using that brand’s products&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Ok, pretty standard stuff. But according to &lt;a href="https://hbr.org/2015/03/why-data-breaches-dont-hurt-stock-prices" target="_blank" rel="noopener"&gt;statistics published in the Harvard Business Review&lt;/a&gt;, major retailers and consumer organizations don’t feel the fallout.&lt;/p&gt;

&lt;p&gt;Take the Home Depot data breach for example: 65 million credit and debit accounts breached. Home Depot stock slipped slightly after the news, but investors saw earnings increase by 21% in Q3 of 2014.&lt;/p&gt;

&lt;p&gt;Target’s 2013 data breach hit right around the holidays. Their stock dipped by 10%, but then went on to experience the highest percentage regain in five years.&lt;/p&gt;

&lt;p&gt;While we aren’t thrilled when these companies are hacked, or are careless with our data, consumers apparently aren’t fazed enough to take their dollars elsewhere.&lt;/p&gt;

&lt;h2&gt;My Way or the Huawei&lt;/h2&gt;

&lt;p&gt;In another case of users going to &lt;a href="https://arstechnica.com/gadgets/2019/10/the-internets-horrifying-new-method-for-installing-google-apps-on-huawei-phones/" target="_blank" rel="noopener"&gt;great lengths&lt;/a&gt; to get what they want, it appears that owners of Huawei’s new handset are giving up access to their devices to a random Chinese website just so they can download some popular Google apps.&lt;/p&gt;

&lt;p&gt;American companies are currently prohibited from doing business with Huawei – all part of a continued trade war between the White House and the Chinese Government. That means that apps usually preloaded on Android phones aren’t on newer Huawei devices.&lt;/p&gt;

&lt;p&gt;According to an article on &lt;a href="https://arstechnica.com/gadgets/2019/10/the-internets-horrifying-new-method-for-installing-google-apps-on-huawei-phones/" target="_blank" rel="noopener"&gt;Ars Technica&lt;/a&gt;, some Huawei Mate 30 Pro users are using workarounds to get apps like Play Store, Google Maps, Gmail, Chrome, YouTube and more. Some are even granting a Chinese website unrestricted remote access to their devices in exchange for the system-level permissions needed to install the apps. But little is known about the website in question, the owners of the site, or what their future plans might be for all these devices they now have an established backdoor into.&lt;/p&gt;

&lt;h2&gt;My Phone is Broken, So I Need a Day Off&lt;/h2&gt;

&lt;p&gt;Sticking with mobile trends, a new survey reveals just how big a problem mobile productivity issues are to the bottom line of your business.&lt;/p&gt;

&lt;p&gt;The details are published in &lt;a href="https://www.computerworld.com/article/3442750/survey-half-of-us-workers-face-one-or-more-serious-mobile-issues-monthly.html" target="_blank" rel="noopener"&gt;ComputerWorld&lt;/a&gt;. Here are a few stats:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;37% of users who had mobile issues reported taking at least one day off due to the stress of not being able to do their job, up from 16% last year&lt;/li&gt;
	&lt;li&gt;63% of those surveyed said it took between 30 and 180 minutes to resolve their mobile issue&lt;/li&gt;
	&lt;li&gt;96% of IT workers surveyed say they have MDM/EMM tools in place&lt;/li&gt;
	&lt;li&gt;But only 2% of those say they have all the analytics needed to effectively manage those devices&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Think about that. 180 minutes. Three hours of time wasted. With 51% of workers reporting one or more serious mobile issues monthly, that’s a lot of lost productivity.&lt;/p&gt;

&lt;p&gt;Also, did you see the first point of that survey? Mobile issues are apparently so frustrating and stressful to workers, that they’re taking time off to recover. Wild!&lt;/p&gt;

&lt;p&gt;All this adds up for employers. My takeaway is to step up your MDM/EMM and offer more support to users dealing with issues on their devices. You might save the company some serious time and money.&lt;/p&gt;

&lt;p&gt;Be sure to register for our monthly &lt;a href="https://www.ivanti.com/resources/patch-tuesday" target="_blank"&gt;Threat Thursday webinar series&lt;/a&gt;, where I and Director of Product Management for Security, Chris Goettl, go in-depth into the threats impacting global IT teams and offer our recommendations to stay protected.&lt;/p&gt;</description><pubDate>Thu, 24 Oct 2019 22:19:52 Z</pubDate></item><item><guid isPermaLink="false">d7237bc7-5461-471f-90b6-e764f7ef0bd9</guid><link>https://www.ivanti.com/blog/6-tips-to-help-curb-school-cyber-attacks</link><atom:author><atom:name>Phil Richards</atom:name><atom:uri>https://www.ivanti.com/blog/authors/phil-richards</atom:uri></atom:author><category>Security</category><title>6 Tips to Help Curb University Cyber Attacks</title><description>&lt;p&gt;&lt;span&gt;&lt;em&gt;This post originally appeared on the &lt;a href="https://www.ivanti.com/en-gb/blog/6-tips-to-help-curb-school-cyber-attacks" target="_blank" rel="noopener"&gt;Ivanti UK blog&lt;/a&gt;.&lt;/em&gt;&lt;/span&gt;&lt;/p&gt;

&lt;p&gt;Universities have become popular hacking targets, joining the ranks of other top targets like finance (Capital One, Equifax), retail (Target), manufacturing and transportation.&lt;/p&gt;

&lt;p&gt;Hackers are demanding ransomware payments, crippling entire education computer operations and capturing extensive personal data, violating the privacy of students and staff.&lt;/p&gt;

&lt;p&gt;The issue of education sector cyberattacks moved further up in the international consciousness recently when Louisiana Gov. John Bel Edwards declared a state of emergency in response to three school districts crippled by malware attacks, which shut down phone systems and locked data.&lt;/p&gt;

&lt;p&gt;The motivation for these attacks ranges from ransoming the normal workflow of a university to selling hijacked student identities. Regardless of the motivation, like other public sectors, education is now, more than ever, on cybercriminals’ radar and will continue to be one of the popular targets.&lt;/p&gt;

&lt;h2&gt;Stepping Up Cyber Attack Defences&lt;/h2&gt;

&lt;p&gt;Just keeping up with the myriad attack variants and new threats coming every day burdens universities that are already struggling to keep pace with rapidly changing technology advancements, let alone cybercriminals. In crafting a more effective defence, educational institutions have a dual challenge: executing all the risk mitigation defences that any organisation must have in today’s cyber environment and then layering on the unique aspect of student populations with their own set of user expectations.&lt;/p&gt;

&lt;p&gt;Here are practices that can help reduce risk yet maintain a productive user experience for students and staff alike.&lt;/p&gt;

&lt;h3&gt;1. Tighten up on administrative privileges.&lt;/h3&gt;

&lt;p&gt;Cybercriminals love penetrating networks in which administrator privileges are used everywhere. Effective malware and ransomware defence demands that privileges be granted only to staff who truly require them to do their job.&lt;/p&gt;

&lt;p&gt;A university, for example, can remove full admin rights and then selectively elevate just the privileges a user needs to do their job. Ideally, an educational institution would implement technology that not only centrally manages credentials and grants granular rights, but enables staff to self-serve access as needed, based on their work function.&lt;/p&gt;

&lt;h3&gt;2. Educate employees on constant vigilance.&lt;/h3&gt;

&lt;p&gt;Some of the most costly ransomware attacks are caused by simple acts of opening an email or clicking on a website. Cybercriminals are adept at employing social engineering tools that look non-threatening and encourage students and/or staff to click through links in fraudulent emails. Even tech-savvy users can fall prey; no one is exempt from too quickly opening a potentially dangerous email.&lt;/p&gt;

&lt;p&gt;Unfortunately, basic education will not suffice to fight cybercriminals. IT staff need to put a continuing education program in place that accomplishes two objectives: keep staff and students up to date on new cyber attack trends and introduce new employees to the university’s approach to fighting cyber attacks. In addition to education, all staff and students can take phishing tests, or drills in which they click on links and receive feedback as to whether they just clicked through to a potential malware occurrence.&lt;/p&gt;

&lt;h3&gt;3. Engage students to become part of the cyber defence team.&lt;/h3&gt;

&lt;p&gt;The current generation of students is the most mobile-device friendly ever. Whether using a phone, iPad or traditional laptop, worrying about the university’s security is rarely top of mind for them. Just as IT can help train and encourage staff to be more cyber-diligent, IT can work with teachers and administrators to help students understand data breaches can affect them personally and can cause great harm to their peers and their university.&lt;/p&gt;

&lt;p&gt;Secondly, administrators are already using social media platforms like Facebook and Twitter to regularly communicate about university news and events. Reminders about tactics like pop-ups linking to dangerous websites, or opening texts that are not from recognised senders, can be posted for students. This gives universities two key communication channels for furthering threat prevention.&lt;/p&gt;

&lt;h3&gt;4. Stay current on all application updates.&lt;/h3&gt;

&lt;p&gt;Executing critical patches and updates is essential to prevent new attacks. It should be a top priority of IT staff and cover third party applications as well as operating systems. Microsoft regularly publishes patch updates. IT needs to flag the ones of critical nature and ensure they are accomplished.&lt;/p&gt;

&lt;h3&gt;5. Be diligent about third-party vendor risk.&lt;/h3&gt;

&lt;p&gt;If your vendors and sub-contractors have less than optimum security protocols in place, they expose the university itself, and the student population to considerable risk. Third-party risk assessments must be done for suppliers that have access to university and student data to make certain their operations meet the standards of good threat prevention.&lt;/p&gt;

&lt;h3&gt;6. Consider specific cyber insurance.&lt;/h3&gt;

&lt;p&gt;Educational organisations are increasingly adding cyber-attack coverage to their insurance policies, driven by the trend toward ransomware. Administrators and finance staff need to examine the costs of this type of coverage, weighing it against the cost of restoring operations from a system lockdown and/or privacy breach, and determine what is the appropriate level.&lt;/p&gt;

&lt;p&gt;Keeping the issue of cyber-attacks in front of all parties – admin, IT, staff and students – is an essential step in helping to prevent costly disruption to university operations and strengthen defences against a data privacy breach.&lt;/p&gt;

&lt;p&gt;Combining better engagement with improved security practices will help to minimise a university’s threat landscape. Being aware of third-party suppliers’ approach to data security is an important part of a complete data protection strategy. Within the university’s infrastructure, consistent, up-to-date patching and tighter access controls are a relatively economical means of adding more layers of data protection, compared to the millions of dollars of potential recovery costs after an attack.&lt;/p&gt;

</description><pubDate>Wed, 02 Oct 2019 20:43:00 Z</pubDate></item><item><guid isPermaLink="false">e472bae3-f5c3-4250-a6d7-2db05a34c645</guid><link>https://www.ivanti.com/blog/threat-thursday-breaches-attacks-and-exploits</link><atom:author><atom:name>Phil Richards</atom:name><atom:uri>https://www.ivanti.com/blog/authors/phil-richards</atom:uri></atom:author><category>Security</category><title>Threat Thursday: Breaches, Attacks, and Exploits</title><description>&lt;p&gt;If you’ve ever worn a hospital gown, endured an unwanted trip to the dentist, or made an unwise investment, then you’ll commiserate with this month’s Threat Thursday update.&lt;/p&gt;

&lt;p&gt;What is &lt;a href="https://www.ivanti.com/webinars/2019/september-threat-thursday" target="_blank"&gt;Threat Thursday&lt;/a&gt;, you ask? The last Thursday of every month, my colleague Chris Goettl and I get together for 45 minutes of pure, unfiltered security chit-chat. We talk about active cyberattacks and data breaches, how to best defend yourself, security strategy, and more. It’s all lighthearted, loosely formatted, and a lot of fun.&lt;/p&gt;

&lt;p&gt;But don’t get us wrong. We understand IT security is a serious business – that’s why we spend most of the time ensuring you have the right measures in place to stay protected and take plenty of time to answer any questions you might have.&lt;/p&gt;

&lt;p&gt;Here’s what we’ve got on tap for Thursday, September 26:&lt;/p&gt;

&lt;h3&gt;It’s Drafty Down There: Healthcare Exposures&lt;/h3&gt;

&lt;p&gt;In August, patient data had more exposure than a hospital gown. &lt;a href="https://www.modernhealthcare.com/cybersecurity/august-reported-healthcare-breaches-exposed-700000-peoples-data" target="_blank" rel="noopener"&gt;More than 700,000 records were leaked in 44 separate data breaches&lt;/a&gt;. It wasn’t a backdoor attack (sorry, another gown joke); instead, threat actors successfully used phishing attacks to target vendors serving healthcare systems, and healthcare systems directly.&lt;/p&gt;

&lt;p&gt;Why healthcare? Medical records are among the most valuable PHI and PII available on the dark web. According to &lt;a href="https://www.experian.com/blogs/ask-experian/heres-how-much-your-personal-information-is-selling-for-on-the-dark-web/" target="_blank" rel="noopener"&gt;Experian&lt;/a&gt;, individual medical records can be worth up to $1,000 depending on the information they contain. In contrast, the average credit card record usually fetches anywhere from $1 to $10.&lt;/p&gt;

&lt;h3&gt;It’s About to Get Expensive&lt;/h3&gt;

&lt;p&gt;Recovering from these breaches is insanely expensive. According to figures from &lt;a href="https://healthitsecurity.com/news/healthcare-data-breach-costs-remain-highest-among-industries" target="_blank" rel="noopener"&gt;IBM and Ponemon&lt;/a&gt;, it costs providers $408 per medical record to recover from a data breach. That’s the highest among verticals and nearly double what it costs for organizations doing business in the financial industry – the next closest group on the list.&lt;/p&gt;

&lt;p&gt;Furthermore, organizations can cost themselves more money with misplaced security initiatives. According to IBM and the Ponemon Institute, in their &lt;a href="https://securityintelligence.com/posts/whats-new-in-the-2019-cost-of-a-data-breach-report/" target="_blank" rel="noopener"&gt;2019 Cost of a Data Breach report&lt;/a&gt;, third-party breaches, compliance failures, and extensive cloud migration each add at least $300,000 on to the average cost of a data breach, which in the US is roughly $3.92 million.&lt;/p&gt;

&lt;h3&gt;Our Expert Security Recommendations&lt;/h3&gt;

&lt;p&gt;Chris and I suggest doing the following to combat these attacks:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Phishing training – or, if you’re already doing this, perhaps educating your users on how hackers are gaining access to these records&lt;/li&gt;
	&lt;li&gt;Vendor risk management – remember, these attacks normally begin at the vendor level&lt;/li&gt;
	&lt;li&gt;Privilege management – what level of access do your vendors and users have to your systems?&lt;/li&gt;
	&lt;li&gt;Email security – we’ve seen a lot of these attacks in the form of an email that looks like it’s from a manager or a boss&lt;/li&gt;
	&lt;li&gt;Two-factor authentication – a second layer of defense is a must&lt;/li&gt;
	&lt;li&gt;Incident response planning – referencing the IBM/Ponemon chart, there’s a lot to be said about how this one initiative can offset the total cost of a data breach&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Perhaps the one silver lining to these data breaches is the actual data from the fallout. Risk managers can now more accurately predict what an attack could cost their organization. Something to keep in mind considering that all organizations can expect to suffer a data breach once every ten years.&lt;/p&gt;

&lt;h3&gt;What’s Worse Than a Root Canal&lt;/h3&gt;

&lt;p&gt;What’s the best time to go to the dentist? Tooth-hurty. Ok, sorry about that, but I couldn’t resist. What’s worse than that joke? Perhaps a root canal. What’s worse is having the root canal AND learning that you’re the victim of a data breach.&lt;/p&gt;

&lt;p&gt;We briefly touched on this in the last &lt;a href="https://www.ivanti.com/webinars/2019/september-threat-thursday" target="_blank"&gt;Threat Thursday&lt;/a&gt;, but we’re continuing to see &lt;a href="https://krebsonsecurity.com/2019/08/ransomware-bites-dental-data-backup-firm/" target="_blank" rel="noopener"&gt;ransomware attacks targeting dental service providers&lt;/a&gt;. This is boutique ransomware, too. Highly customized, not some simple kit you can buy on the dark net.&lt;/p&gt;

&lt;p&gt;We know that at least 400 dentist offices nationwide were locked out of their systems and prompted to pay up or risk losing all their data. It’s pretty smart, considering that individual attacks on dental offices would take a lot of work. So why not go after the same software used in hundreds of dental offices, on thousands of devices?&lt;/p&gt;

&lt;p&gt;Here’s our advice:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Don’t pay the ransom – seriously, there’s no guarantee the threat actors are going to free your data&lt;/li&gt;
	&lt;li&gt;Backup and recovery&lt;/li&gt;
	&lt;li&gt;Patch vulnerabilities&lt;/li&gt;
	&lt;li&gt;Restrict admin privileges&lt;/li&gt;
	&lt;li&gt;Vendor risk management&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;What’s on Our Radar&lt;/h3&gt;

&lt;p&gt;There are some other newsmakers out there. Check out some of the stories we’re following as we head into October:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;a href="https://techcrunch.com/2019/09/24/microsoft-emergency-patch-windows/" target="_blank" rel="noopener"&gt;Microsoft urges Windows users to install emergency security patch&lt;/a&gt; – TechCrunch&lt;/li&gt;
	&lt;li&gt;&lt;a href="https://www.express.co.uk/entertainment/gaming/1175468/WoW-Classic-DOWN-Blizzard-WoW-Classic-DDoS-attack-servers-status" target="_blank" rel="noopener"&gt;World of Warcraft DDoS attacks&lt;/a&gt; – The Express&lt;/li&gt;
	&lt;li&gt;&lt;a href="https://www.reuters.com/article/us-usa-cyber-election-exclusive/exclusive-us-officials-fear-ransomware-attack-against-2020-election-idUSKCN1VG222" target="_blank" rel="noopener"&gt;Fear of election hacking in 2020&lt;/a&gt; – Reuters&lt;/li&gt;
	&lt;li&gt;&lt;a href="https://www.miamiherald.com/news/nation-world/world/americas/article235137087.html" target="_blank" rel="noopener"&gt;Nearly every single Ecuadorian had their data hacked&lt;/a&gt; – Miami Herald&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Never a slow day in security. Be sure to join us on this week’s &lt;a href="https://www.ivanti.com/resources/patch-tuesday" target="_blank"&gt;Threat Thursday&lt;/a&gt; webinar and &lt;a href="https://www.ivanti.com/resources/patch-tuesday" target="_blank"&gt;register for future live episodes.&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Also, get more insights from me, Chris and our colleagues at Forrester, Crowdstrike, Kenna Security and Morphisec. Register for the FREE, &lt;a href="https://www.ivanti.com/" target="_blank"&gt;Cybersecurity Virtual Event&lt;/a&gt; on October 23, 2019.&lt;/p&gt;</description><pubDate>Thu, 26 Sep 2019 18:24:38 Z</pubDate></item><item><guid isPermaLink="false">621d26ea-9f19-4da6-b718-bd15e102d6c8</guid><link>https://www.ivanti.com/blog/ransomware-in-the-public-sector</link><atom:author><atom:name>Phil Richards</atom:name><atom:uri>https://www.ivanti.com/blog/authors/phil-richards</atom:uri></atom:author><category>Security</category><title>Threat Thursday: Ransomware in the Public Sector</title><description>&lt;p&gt;Welcome to our new Threat Thursday blog series! Once a month, my colleague, Director of Product Management&amp;nbsp;&lt;a href="https://www.ivanti.com/blog/authors/chris-goettl" target="_blank"&gt;Chris Goettl&lt;/a&gt;&amp;nbsp;and I&amp;nbsp;will share information about some of the largest security threats and recent attacks we’re seeing hit worldwide. This month, ransomware in the public sector is stealing the stage.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;As I look out my office window, I see a construction crew ripping up the blacktop parking lot. Apparently, there are foundational issues which need to be addressed and the only solution is to rip it all out and start over. This may be a very apt metaphor for what is happening in cybersecurity over the past several weeks. It seems criminals have identified a new set of targets, which represent some of society’s core institutions. I’m referring specifically to the recent flurry of ransomware attacks on federal, state, local and education government entities.&lt;/p&gt;

&lt;h3&gt;&lt;a href="https://www.ivanti.com/blog/cyber-attacks-lead-to-statewide-emergency" target="_blank"&gt;Louisiana State of Emergency&lt;/a&gt;&lt;/h3&gt;

&lt;p&gt;School’s out…forever? That’s what it may have seemed like when outbound communications were cut off in four Louisiana school districts, causing the governor to declare a state of emergency and call out the National Guard. This is the first time in Louisiana’s history that a cyber-attack is being treated like a natural disaster. If you are interested in learning more about this attack, watch my webinar that is available on &lt;a href="https://www.ivanti.com/webinars/2019/live-updates-on-the-cybersecurity-state-of-emergency?from=blog" target="_blank"&gt;demand&lt;/a&gt; here.&lt;/p&gt;

&lt;h3&gt;&lt;a href="https://www.zdnet.com/article/at-least-20-texas-local-governments-hit-in-coordinated-ransomware-attack/" target="_blank" rel="noopener"&gt;23 local Texas Government Agencies Suffer Ransomware Attack&lt;/a&gt;&lt;/h3&gt;

&lt;p&gt;Somebody messed with Texas and it may take a while to recover. Twenty-three local government agencies were hit in a coordinated ransomware attack and all systems were taken offline. According to a source from ZDNet, the attack came from the well-known Sodinokibi (REvil) ransomware strain. I’ll be discussing this attack more in detail in an &lt;a href="https://www.ivanti.com/webinars/2019/september-threat-thursday" target="_blank"&gt;upcoming &lt;/a&gt;&lt;a href="https://www.ivanti.com/webinars"&gt;webinar&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;While these two notable attacks seem a bit suspicious, it’s even more revealing when you look at a list of other attacks on state and local government in the past year, curated mostly by &lt;a href="https://www.msspalert.com/news/attack-list-cities-government-agencies" target="_blank" rel="noopener"&gt;MSSP Alert&lt;/a&gt;:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;August 19, 2019: 22 local Texas government agencies suffer ransomware attack.&lt;/li&gt;
	&lt;li&gt;July 25, 2019: State of Louisiana declares State of Emergency&lt;/li&gt;
	&lt;li&gt;July 25, 2019: City Power, the electric utility for Johannesburg, South Africa,&amp;nbsp;&lt;a href="https://www.msspalert.com/news/city-power-johannesburg-south-africa" target="_blank" rel="noopener"&gt;discloses ransomware attack&lt;/a&gt;.&lt;/li&gt;
	&lt;li&gt;June 26, 2019:&amp;nbsp;&lt;a href="https://www.msspalert.com/news/lake-city-florida-pays-hackers" target="_blank" rel="noopener"&gt;Lake City, Florida agrees to pay ransomware&lt;/a&gt;.&lt;/li&gt;
	&lt;li&gt;June 20, 2019:&amp;nbsp;&lt;a href="https://www.msspalert.com/news/riviera-beach-florida-malware-attack" target="_blank" rel="noopener"&gt;Riviera Beach, Florida, discloses ransomware attack and payment&lt;/a&gt;.&lt;/li&gt;
	&lt;li&gt;May 7, 2019:&amp;nbsp;&lt;a href="https://www.msspalert.com/news/ransomware-attack-hits-baltimore-city-servers" target="_blank" rel="noopener"&gt;City of Baltimore&lt;/a&gt;&amp;nbsp;hit with ransomware attack.&lt;/li&gt;
	&lt;li&gt;April 2019:&amp;nbsp;&lt;a href="https://www.msspalert.com/news/cleveland-airport-attack-update" target="_blank" rel="noopener"&gt;Cleveland Hopkins International Airport&lt;/a&gt;&amp;nbsp;suffered a ransomware attack.&lt;/li&gt;
	&lt;li&gt;April 2019:&amp;nbsp;&lt;a href="https://www.msspalert.com/news/augusta-maine-malware-attack" target="_blank" rel="noopener"&gt;Augusta, Maine&lt;/a&gt;, suffered a highly targeted malware attack that froze the city’s entire network and forced the city center to close.&lt;/li&gt;
	&lt;li&gt;April 2019: Hackers stole roughly $498,000 from the&amp;nbsp;&lt;a href="https://www.msspalert.com/news/hackers-steal-498000-from-tallahassee-florida" target="_blank" rel="noopener"&gt;city of Tallahassee&lt;/a&gt;.&lt;/li&gt;
	&lt;li&gt;March 2019:&amp;nbsp;&lt;a href="https://www.msspalert.com/news/albany-ny-malware" target="_blank" rel="noopener"&gt;Albany, New York&lt;/a&gt;, suffered a ransomware attack.&lt;/li&gt;
	&lt;li&gt;March 2019:&amp;nbsp;&lt;a href="https://www.msspalert.com/news/georgia-county-pays-400000" target="_blank" rel="noopener"&gt;Jackson County, Georgia&lt;/a&gt;&amp;nbsp;officials paid cybercriminals $400,000 after a cyberattack shut down the county’s computer systems.&lt;/li&gt;
	&lt;li&gt;March 2018:&amp;nbsp;&lt;a href="https://www.msspalert.com/news/atlanta-ransomware-update-city-refuses-cyber-kidnappers-demands-still-assessing-damage" target="_blank" rel="noopener"&gt;Atlanta, Georgia&lt;/a&gt;&amp;nbsp;suffered a major ransomware attack.&lt;/li&gt;
	&lt;li&gt;February 2018:&amp;nbsp;&lt;a href="https://www.msspalert.com/news/colorado-dot-suffers-samsam-ransomware-attack-shuts-down-2k-computers" target="_blank" rel="noopener"&gt;Colorado Department of Transportation&lt;/a&gt;&amp;nbsp;(CDOT) employee computers temporarily were shut down due to a SamSam ransomware virus cyberattack.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;What’s particularly interesting to me, is what these new attacks have in common:&lt;/p&gt;

&lt;h3&gt;Higher ransoms&lt;/h3&gt;

&lt;p&gt;These aren’t opportunistic attacks from years gone by. Criminals are demanding higher ransoms of these government entities. They are targeting victims specifically, striking with greater precision and timing, and demanding large sums as ransom. The Louisiana school district attack is a great example.&amp;nbsp; The timing of that attack (mid-August) was designed to inflict the most panic as it occurred just weeks before schools open for the fall.&amp;nbsp;&lt;/p&gt;

&lt;h3&gt;Ransoms being paid&lt;/h3&gt;

&lt;p&gt;While not the case in Louisiana, a few government groups around the country have paid ransoms, some in excess of $500,000, to get their files back. The restoration rate is about 25% among those who pay ransoms. Often, these ransoms are funded by cyber insurance.&amp;nbsp;&lt;/p&gt;

&lt;h3&gt;What does this mean?&lt;/h3&gt;

&lt;p&gt;By paying ransoms, government entities are guaranteeing that more criminals will attack government groups. In July, the US Conference of Mayors unanimously adopted a resolution to not pay ransoms associated with cyber-attacks. The &lt;a href="http://legacy.usmayors.org/resolutions/87th_Conference/proposedcommittee-preview.asp?committee=Criminal%20and%20Social%20Justice" target="_blank" rel="noopener"&gt;resolution&lt;/a&gt; reads, “Paying ransomware attackers encourages continued attacks on other government systems, as perpetrators financially benefit.”&amp;nbsp;&lt;/p&gt;

&lt;p&gt;As you can imagine, it’s very tempting to “just pay the ransom” -- organizations hope to restore operations in a matter of hours, rather than days or weeks. The challenge with ransomware is that even with file backups, it still takes a very long time to complete all restorations. The massive restoration work is also a reason why government entities might call in the National Guard. Troops from the National Guard are usually part-time. On the cyber defense side, these troops are often security engineers or analysts in the private sector, with great skills that help with ransomware cleanup and file restoration.&lt;/p&gt;

&lt;h3&gt;What else is there?&lt;/h3&gt;

&lt;p&gt;Ransomware is highly customizable. Nation states can build specific ransomware as a method to infect and shut down enemies. We saw this with the Not Petya attack in 2018 against Ukraine. There is discussion that ransomware attacks could be used to disrupt free and fair elections by infecting voter ballot systems. A nation’s ability to withstand ransomware attacks must be considered a national defense initiative. If we are seeing state, local and education entities that are vulnerable to ransomware attacks, those might be the metaphorical cracks in the blacktop that indicate foundational issues deep below the surface.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Here are a few other major ransomware attacks we’ve seen this month:&lt;/strong&gt;&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;a href="https://healthitsecurity.com/news/hackers-demand-1m-in-grays-harbor-ransomware-attack" target="_blank" rel="noopener"&gt;Ransomware attack demands $1M from Grays Harbor&lt;/a&gt;

	&lt;ul&gt;
		&lt;li&gt;The cyberattack infected the computer systems with ransomware nearly two months ago, when an employee clicked on a bad link in a phishing email. The attack also happened when Grays Harbor IT staff was limited – on the weekend. Grays Harbor does have cyber insurance with a $1 million cap, and officials have not determined whether the missing records are permanently gone.&amp;nbsp;&lt;/li&gt;
	&lt;/ul&gt;
	&lt;/li&gt;
	&lt;li&gt;&lt;a href="https://futurism.com/the-byte/ransomware-crypto-fortnite-players" target="_blank" rel="noopener"&gt;Fortnite Players Hit with Ransomware&lt;/a&gt;
	&lt;ul&gt;
		&lt;li&gt;The ransomware threatens to delete Fortnite players’ files on their computers unless they pay the hijackers in cryptocurrency. The ransomware, Syrk, is disguised as software that can help players cheat at Fortnite.&lt;/li&gt;
	&lt;/ul&gt;
	&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;But ransomware isn’t the only type of security threat in play this month. Here are a few other breaches and attacks you may also have seen in the news&lt;/strong&gt;:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;a href="https://www.cnn.com/2019/07/29/business/capital-one-data-breach/index.html" target="_blank" rel="noopener"&gt;Capital One Data Breach&lt;/a&gt;

	&lt;ul&gt;
		&lt;li&gt;The personal information of more than 100 million individuals in the United States and approximately 6 million in Canada was compromised. Paige A. Thompson, 33, a former software engineer, stole the data by using scanning software that allowed her to identify customers who had misconfigured their firewalls. She also used stolen computer power to mine cryptocurrency (cryptojacking).&amp;nbsp; Capital One has confirmed that 140,000 social security numbers and 80,0000 bank account numbers were obtained in the breach.&lt;/li&gt;
	&lt;/ul&gt;
	&lt;/li&gt;
	&lt;li&gt;&lt;a href="https://techcrunch.com/2019/08/20/moviepass-thousands-data-exposed-leak/" target="_blank" rel="noopener"&gt;MoviePass exposed thousands of customer card numbers&lt;/a&gt;
	&lt;ul&gt;
		&lt;li&gt;MoviePass has exposed thousands of customer card numbers and personal credit cards because a critical server was not protected with a password. The breach was discovered by Mossab Hussein, a security researcher at SpiderSilk, a cybersecurity firm in Dubai.&lt;/li&gt;
	&lt;/ul&gt;
	&lt;/li&gt;
	&lt;li&gt;&lt;a href="https://www.digitaltrends.com/mobile/bluetooth-security-flaw-knob-attack/" target="_blank" rel="noopener"&gt;Major new security flaw in Bluetooth&lt;/a&gt;
	&lt;ul&gt;
		&lt;li&gt;The vulnerability allows an attacker to interfere when two devices try to connect, essentially letting a hacker “break” Bluetooth security. The exploit has been named KNOB – Key Negotiation of Bluetooth – since it can occur when two devices are “negotiating” a secure connection. The best thing to do here is to patch! Make sure your software and firmware are up to date, as that will protect you from hacks.&lt;/li&gt;
	&lt;/ul&gt;
	&lt;/li&gt;
	&lt;li&gt;&lt;a href="https://www.zdnet.com/article/hackers-mount-attacks-on-webmin-servers-pulse-secure-and-fortinet-vpns/" target="_blank" rel="noopener"&gt;Fortinet Zero Day&lt;/a&gt;
	&lt;ul&gt;
		&lt;li&gt;Not surprising, but hackers are now exploiting vulnerabilities that were made public earlier this year. Attacks have targeted VPN products like Fortinet’s FortiGate. Fortinet released a patch to fix this vulnerability back in May, but if users didn’t take advantage, they could be at risk.&lt;/li&gt;
	&lt;/ul&gt;
	&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;strong&gt;Disclaimer: &lt;/strong&gt;Due to the length of time where breaches go undiscovered (often months or years), even after forensic analysis, approximately 55% of organizations are never able to definitively uncover the cause of a breach. These assumptions are based in part on similar incidents in other organizations and industry best practices for preventing these types of attacks.&amp;nbsp;Ivanti assumes no liability or responsibility for any errors or omissions in the content of this webinar [or blog posting].&amp;nbsp;The information contained herein is provided on an “as is” basis with no guarantees of accuracy, completeness, timeliness or usefulness and without any warranties or conditions of any kind, express or implied.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.ivanti.com/resources/library?eol=rl" target="_blank"&gt;&lt;img alt="Free Whitepaper: What to do BEFORE all hell breaks loose" src="https://static.ivanti.com/sites/marketing/media/images/blog/2019/07/hell.breaks.loose.1.png"&gt;&lt;/a&gt;&lt;/p&gt;
</description><pubDate>Thu, 29 Aug 2019 17:10:04 Z</pubDate></item><item><guid isPermaLink="false">78537de5-242e-4f82-9880-2af51b2c889a</guid><link>https://www.ivanti.com/blog/cyber-attacks-lead-to-statewide-emergency</link><atom:author><atom:name>Phil Richards</atom:name><atom:uri>https://www.ivanti.com/blog/authors/phil-richards</atom:uri></atom:author><category>Ivanti News</category><category>Security</category><title>Cyber Attacks Cause Statewide Emergency in Louisiana: Ivanti CISO Phil Richards Responds</title><description>&lt;p&gt;As the state of Louisiana grapples with the fallout from a coordinated &lt;a href="https://statescoop.com/louisiana-declares-emergency-over-cyberattacks-targeting-schools/" target="_blank" rel="noopener"&gt;cyber attack against three school districts&lt;/a&gt;, we're given an opportunity to review practices to prepare for, prevent, and mitigate this type of cyber attack.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Louisiana Governor&amp;nbsp;John Edwards said:&amp;nbsp;“The state was made aware of a malware attack on a few north Louisiana school systems and we have been coordinating a response ever since.”&amp;nbsp;&lt;/p&gt;

&lt;p&gt;The cyber attacks targeted schools in Morehouse, Ouachita, and Sabine parishes.&amp;nbsp;Details of the type of attacks have not been made public.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Governor Edwards declared a statewide emergency in order to access additional staff and resources from the Louisiana National Guard, Louisiana State Police, and the State’s Office of Technology Services.&amp;nbsp;This is the first time in Louisiana’s history that a cyber attack is being treated like a natural disaster.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;For state governments, IT infrastructure has become so important that the National Governor’s Association now advises states to develop response plans that place cyber attacks on the same level of urgency as natural disasters or acts of terrorism.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;So, let’s take a look at how to identify, prepare for, and respond to cyber attacks.&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;What can we do&amp;nbsp;to prepare for and prevent cyber&amp;nbsp;attacks?&amp;nbsp;&lt;/h2&gt;

&lt;h3&gt;1. Patching&lt;/h3&gt;

&lt;p&gt;For most organizations, &lt;a href="https://www.ivanti.com/products/security-controls" target="_blank"&gt;patching&lt;/a&gt; should be the first line of defense against cyber attacks.&amp;nbsp;Ensuring that operating systems and third-party applications are up to date will limit or even prevent cyber attacks. Special effort should be made to ensure that all critical patches and updates for applications such as Adobe Flash, Java, Web browsers, and Microsoft applications are kept current.&lt;/p&gt;

&lt;p&gt;Patches should be prioritized based on criticality and policy&amp;nbsp;and applied so that they don’t disrupt users or operations.&lt;/p&gt;

&lt;p&gt;Many organizations fear that comprehensive, timely, and consistent patching is too complex, or that it may break critical systems. However, using the latest patch management tools to scan for missing patches and deploy them to workstations or servers is a straightforward task in even&amp;nbsp;the most complicated environments.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.ivanti.com/resources/library?eol=rl" target="_blank"&gt;&lt;img alt="Free Whitepaper: What to do BEFORE all hell breaks loose" src="https://static.ivanti.com/sites/marketing/media/images/blog/2019/07/hell.breaks.loose.1.png"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h3&gt;2. User Education on Phishing/Spam Emails&lt;/h3&gt;

&lt;p&gt;Most ransomware is spread using phishing or spam emails. As an example, users in the US House of Representatives fell victim to a &lt;a href="https://www.computerworld.com/article/3068623/ransomware-attacks-on-house-of-representatives-gets-yahoo-mail-blocked.html" target="_blank" rel="noopener"&gt;ransomware campaign&lt;/a&gt; reportedly designed to trick users into opening an attachment sent to their Yahoo Mail accounts.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Training users to be savvy email consumers and careful web clickers is an important part of combating cyber crime.&amp;nbsp;Criminals use many professional marketing and social engineering tools to improve their abilities, to trick users into opening fraudulent emails, and to increase their chances of success. It is likely that even the most educated user will be tricked.&amp;nbsp;Education isn’t enough.&amp;nbsp;Users need to receive periodic drills of phishing email campaigns&amp;nbsp;that provide immediate feedback when they click on a link.&amp;nbsp;When users see themselves getting “caught” is when they begin to change their behavior.&amp;nbsp;&lt;/p&gt;

&lt;h3&gt;3. Privilege Management&lt;/h3&gt;

&lt;p&gt;Minimizing privileges is an important tactic to mitigate the damage caused by many types of malware, including ransomware. For example, the &lt;a href="https://www.ivanti.com/blog/petya-weaponized-malware-ransomware-new-ddos-attack" target="_blank"&gt;Petya ransomware&lt;/a&gt; requires administrator privileges to run, and will do nothing if the user does not grant those privileges. Removing administrator rights is easy, but balancing privileged access, user productivity, and enterprise security is not.&lt;/p&gt;

&lt;p&gt;Effective access control protects organizations against &lt;a href="https://www.ivanti.com/blog/9-types-of-phishing-and-ransomware-attacks-and-how-to-identify-them" target="_blank"&gt;malware and ransomware&lt;/a&gt;.&amp;nbsp;Access control that focuses primarily or exclusively on &lt;em&gt;privileged&lt;/em&gt; user access rights will likely prove less than effective.&amp;nbsp;Generalized access control can be highly beneficial for protecting files located on shared drives. Users have legitimate needs to access and modify files on shared drives. After all, those files are document files created by legitimate users. As a result of this generalized access, a ransomware attack that successfully infects the system of a user with legitimate access rights can encrypt and hold hostage all the files on all connected, shared drives and folders.&lt;/p&gt;

&lt;h3&gt;Check out &lt;a href="https://www.ivanti.com/network-security" target="_blank"&gt;Ivanti's Security Solutions&lt;/a&gt;&lt;/h3&gt;

&lt;p&gt;In short, the recommendations of patching, user education, and privilege management are critical practices to implement when&amp;nbsp;preparing&amp;nbsp;for and preventing attacks.&amp;nbsp;Doing these things across a large organization may be somewhat trickier than the words imply.&amp;nbsp;For example, patching a phone system means that phones might not be available, vendors may not support patched components, and products might fail.&amp;nbsp;When implementing patch management, end-user training and/or privilege management programs, the use of best-in-class software solutions may be needed to make these implementations practical and comprehensive.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Ivanti has some great tools to help in the areas of patch and privilege management, and we will discuss these tools and how they address these problems in a follow-up&amp;nbsp;post.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.ivanti.com/resources/library?eol=rl" target="_blank"&gt;&lt;img alt="Free Whitepaper: What to do BEFORE all hell breaks loose" src="https://static.ivanti.com/sites/marketing/media/images/blog/2019/07/hell.breaks.loose.2.png"&gt;&lt;/a&gt;&lt;/p&gt;
</description><pubDate>Fri, 26 Jul 2019 22:01:33 Z</pubDate></item><item><guid isPermaLink="false">5b0c65dd-bff6-416b-9d9b-6be9a891218d</guid><link>https://www.ivanti.com/blog/why-asset-management-is-the-most-important-security-control</link><atom:author><atom:name>Phil Richards</atom:name><atom:uri>https://www.ivanti.com/blog/authors/phil-richards</atom:uri></atom:author><category>Security</category><category>Service Management</category><title>Why Asset Management Is the Most Important Security Control</title><description>&lt;p&gt;The &lt;a href="https://www.cisecurity.org/controls/cis-controls-list" target="_blank" rel="noopener"&gt;first five controls in the CIS Top 20&lt;/a&gt; identify &lt;em&gt;two&lt;/em&gt;&amp;nbsp;controls relating to &lt;a href="https://www.ivanti.com/products/it-asset-management" target="_blank"&gt;asset management&lt;/a&gt;.&amp;nbsp;Numbers one and two&amp;nbsp;talk about managing hardware and software assets.&amp;nbsp;The question comes up pretty frequently: Why would managing assets be the single most important thing a company can do to improve security?&amp;nbsp;It seems counterintuitive, like perhaps antivirus software or strong passwords would be more important.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Well, first off,&amp;nbsp;it's important to remember that this list is based on the experience and opinion of industry experts.&amp;nbsp;That means it is opinion-based, so their conclusions might not be yours, but there is a strong case to be made for asset management being the most important security control you can implement at your workplace.&amp;nbsp;To help explain this, I want to share an experience.&lt;/p&gt;

&lt;h2&gt;The Necessity of ITAM&lt;/h2&gt;

&lt;p&gt;When I was working as CISO for a financial services company, we were being interviewed by the FFIEC (think bank examiners).&amp;nbsp;They started the discussion with a simple question:&amp;nbsp;“Are you patching your servers and workstations?”&lt;/p&gt;

&lt;p&gt;I was able to answer that with a single word:&amp;nbsp;“Yes.”&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Their next question took several hours to fully answer.&amp;nbsp;They asked, “How do you know?”&amp;nbsp;&lt;/p&gt;

&lt;p&gt;The meaning and depth of that question dawned on me over the next few hours, and prompted even more questions:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;How do I know that I am patching all the servers and workstations?&lt;/li&gt;
	&lt;li&gt;How do I know I haven’t missed any laptops that move around?&amp;nbsp;&lt;/li&gt;
	&lt;li&gt;How do I know that I am patching all the software products on these systems?&lt;/li&gt;
	&lt;li&gt;How do I know I’m capturing the virtual systems that are coming up and going down several times during the week?&lt;/li&gt;
	&lt;li&gt;How am I capturing software and hardware assets in the cloud?&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;In order to answer these questions, I needed an accurate inventory of my software and hardware assets.&amp;nbsp;Not only that, but because these assets move, change, and get deleted frequently, I needed to have a process for collecting new information in the environment.&amp;nbsp;Long gone are the days when I could ask purchasing for a list of servers, workstations, and software products in order to track my inventory.&amp;nbsp;&lt;/p&gt;

&lt;h2&gt;Components of Effective ITAM&lt;/h2&gt;

&lt;p&gt;Effective asset management today requires multiple components.&amp;nbsp;&lt;/p&gt;

&lt;h3&gt;Discovery&lt;/h3&gt;

&lt;p&gt;The first is a discovery process.&amp;nbsp;Discovery is the act&amp;nbsp;of collecting new software and hardware in your environment in real-time.&amp;nbsp;This requires you to be actively monitoring the environment for the addition of new assets through a variety of techniques, from network to business application intelligence.&amp;nbsp;Several asset discovery modules perform a ping scan to discover new assets.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;While this is a good step, in today’s network, this will often not yield the true asset inventory by itself.&amp;nbsp;Many server and workstation configurations do not respond to ping, so if that is the only way your asset management system is discovering new systems, it might not be adequate or accurate.&amp;nbsp;Modern network-based asset discovery includes multiple active and passive scan and discovery modules including ping, tcp syn scans, arp, dhcp, wifi and other techniques that will help discover the most bashful systems on your network.&amp;nbsp;&lt;/p&gt;

&lt;h3&gt;Inventory&lt;/h3&gt;

&lt;p&gt;After discovery comes inventory.&amp;nbsp;This can be more challenging than it seems at first.&amp;nbsp;Systems move around or&amp;nbsp;they might change network configuration, software is added and removed, and management responsibility changes.&amp;nbsp;All this needs to be accounted for, and the change process needs to be as automated as possible. Managing a dynamic software, hardware, and virtualized asset inventory requires automation, a great storage design and workflow that maps to your organization’s requirements.&amp;nbsp;Without these components, the best asset inventory in the world will quickly become stagnant and useless.&lt;/p&gt;

&lt;h2&gt;Managing Software Assets&lt;/h2&gt;

&lt;p&gt;Managing software assets can be even more challenging than managing hardware assets.&amp;nbsp;Long gone are the days when your company ran exclusively on Microsoft operating systems and applications.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;Most environments are a hodge-podge of operating systems from Microsoft, Apple and various flavors of Linux, with applications from dozens of vendors, open source, and a huge variety of license configurations.&amp;nbsp;Licenses might be managed by several different groups and departments, as well as some being centrally managed.&amp;nbsp;Legacy systems might have older software that cannot be upgraded.&amp;nbsp;Some software is free, so there is no financial&amp;nbsp;record of it.&amp;nbsp;You need a way to corral all these different licenses and automatically capture what new software appears on the endpoints, and accurately interpret the license terms so you know if the company is in or out of compliance.&lt;/p&gt;

&lt;h2&gt;How Ivanti Can Help&lt;/h2&gt;

&lt;p&gt;If this all sounds like a daunting task, that’s because it is!&amp;nbsp;It is also the linchpin of all other security components in your environment.&amp;nbsp;You cannot know about the effectiveness of patching, log management, risk management, antivirus, license violations and physical theft without these inventories.&amp;nbsp;Fortunately, Ivanti offers software that takes on these very tall hurdles.&amp;nbsp;&lt;/p&gt;

&lt;p&gt;At Ivanti, the powerful combination of &lt;a href="https://www.ivanti.com/products/ivanti-neurons-itsm" target="_blank"&gt;Ivanti Service Manager (ISM)&lt;/a&gt;, &lt;a href="https://www.ivanti.com/products/it-asset-management" target="_blank"&gt;Asset Manager&lt;/a&gt;, and &lt;a href="https://www.ivanti.com/products/discovery" target="_blank"&gt;Ivanti License Optimizer (ILO)&lt;/a&gt; can put a very effective process around the exercise of inventory, discovery, storage, management and workflow of your hardware and software assets.&amp;nbsp;Talk to a sales professional today about how Ivanti can help make short work of the most important component of your security framework!&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.ivanti.com/ivanti-neurons" target="_blank"&gt;&lt;img alt="Compliance Tips and Best Practices graphic" src="https://static.ivanti.com/sites/marketing/media/images/blog/2019/04/ivanti-compliance-cta-bnr-728x90.png"&gt;&lt;/a&gt;&lt;/p&gt;</description><pubDate>Tue, 09 Apr 2019 17:45:32 Z</pubDate></item><item><guid isPermaLink="false">de9fb277-01d3-4dd2-84ec-cf6dd137ea03</guid><link>https://www.ivanti.com/blog/are-we-secure-critical-insights-from-ivanti-ciso-phil-richards</link><atom:author><atom:name>Phil Richards</atom:name><atom:uri>https://www.ivanti.com/blog/authors/phil-richards</atom:uri></atom:author><category>Security</category><title>"Are We Secure?" Critical Insights From Ivanti CISO Phil Richards</title><description>&lt;p&gt;The question “Are we secure?” strikes fear and dread into the heart of every CISO, whose initial gut reaction is to respond, “Well, that’s a complicated question.” The reason it’s complicated is because security is never really “done.”&lt;/p&gt;

&lt;p&gt;Unlike practitioners in many other professions, a Security Officer doesn’t really know what “done” is. If you talk to a baker and ask, “Is the cake done?”, the answer is fairly straightforward—either the cake is ready to ship out or it isn’t.&lt;/p&gt;

&lt;p&gt;For software developers, the answer is a little more complicated, because you have to define what “done” means, but there can still be a bar or level that defines “done.” For security, even if you define or establish a bar that indicates security is “done,” that bar continues to move because the bad guys are always coming up with new ways to get in, and each new way must be responded to. For most security officers, “done” borders on a false sense of safety, which is dangerous.&lt;/p&gt;

&lt;h2&gt;How Do You Respond?&lt;/h2&gt;

&lt;p&gt;So, with all that, how do you respond to the executive who asks, “Are we secure?” without appearing like you’ve never thought about it?&lt;/p&gt;

&lt;p&gt;Most senior executives are aware that security is a process and adherence to a set of standards. Many executives are also aware that these standards change over time, with constant adjusting, addressing issues, and chasing down incidents. Because of that, most times it’s okay to respond with something more complex than a yes or no answer.&lt;/p&gt;

&lt;p&gt;When I’m asked such a question, I like to speak to the improvements. For me, the big three indicators of a security program’s overall health boil down to risk management, incident management, and vulnerability management.&lt;/p&gt;

&lt;h2&gt;Risk Management:&lt;/h2&gt;

&lt;ol&gt;
	&lt;li&gt;Has the organization adequately identified the key cyber-security risks?&lt;/li&gt;
	&lt;li&gt;Is the organization actively managing these risks?&lt;/li&gt;
	&lt;li&gt;Is there an active pipeline of risk mitigation plans/activities that will be completed over the next 6 to 18 months to improve the overall risk management profile?&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;For me, these questions—when answered in the affirmative—define a risk program that’s under control.&lt;/p&gt;

&lt;h2&gt;Incident Management:&lt;/h2&gt;

&lt;ol&gt;
	&lt;li&gt;Do we have an incident response (IR) team that includes all major departments within the organization?&lt;/li&gt;
	&lt;li&gt;Do we have an incident response plan that is understood and works?&lt;/li&gt;
	&lt;li&gt;Does the IR team practice incident response?&lt;/li&gt;
	&lt;li&gt;Does the IR team have experience handling real-world incidents? Can that team be trusted if/when a major incident occurs?&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;These are the key indicators of an effective incident response program that can enable action when the time comes.&lt;/p&gt;

&lt;h2&gt;Vulnerability Management:&lt;/h2&gt;

&lt;ol&gt;
	&lt;li&gt;Do we have an accurate hardware and software inventory?&lt;/li&gt;
	&lt;li&gt;Do we perform vulnerability scans/assessments across our server and workstation domains?&lt;/li&gt;
	&lt;li&gt;Do we actively patch servers and workstations?&lt;/li&gt;
	&lt;li&gt;Do we actively adjust configurations to account for drift?&lt;/li&gt;
	&lt;li&gt;Do we have service-level requirements for addressing vulnerability scan deficiencies?&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;These are the keys to a functional vulnerability management program.&lt;/p&gt;

&lt;h2&gt;Progression, Not Perfection&lt;/h2&gt;

&lt;p&gt;You’ll note that these programs do not indicate perfection within the organization. Rather, they indicate that the organization is on a trajectory of continuous improvement. There is and always will be risk, but these metrics focus on how the organization is oriented. To the question, “Are we secure?” these metrics also permit you to say, “We are better than we’ve been before and we have the right processes in place so that we will continue to improve over time,” which I think is a much more satisfying response.&lt;/p&gt;

&lt;p&gt;Ivanti offers &lt;a href="https://www.ivanti.com/network-security" target="_blank"&gt;proven endpoint security solutions&lt;/a&gt; that provide the foundational, layered protection from malware and other threats that global experts agree creates the highest barriers to real-world attacks. Invest some time to learn more about them. You can also request a &lt;a href="https://www.ivanti.com/lp/security/demos/endpoint-security-solutions" target="_blank"&gt;free demo&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Phil Richards is Ivanti’s Chief Security Officer, with 20 years of hands-on experience as CSO, senior program manager, director of release engineering, and director of architecture. He graduated from Brigham Young University in Information Management and holds an MBA in Finance from the University of Utah. &lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://www.ivanti.com/resources/library?eol=rl" target="_blank"&gt;&lt;img alt="National Cybersecurity Month: How to be Prepared" src="https://static.ivanti.com/sites/marketing/media/images/blog/2018/10/sm-copy-of-cybersec-month_ppc-bnr-1200x628.jpg"&gt;&lt;/a&gt;&lt;/p&gt;
</description><pubDate>Wed, 03 Oct 2018 21:30:47 Z</pubDate></item><item><guid isPermaLink="false">1c300f1d-4a8e-480e-be26-da26b4dc4319</guid><link>https://www.ivanti.com/blog/global-ransomware-attack-based-on-a-petya-variant-threatens-repeat-of-wannacry</link><atom:author><atom:name>Phil Richards</atom:name><atom:uri>https://www.ivanti.com/blog/authors/phil-richards</atom:uri></atom:author><category>Security</category><title>Global Ransomware Attack Based on a Petya Variant Threatens Repeat of WannaCry</title><description>&lt;h6&gt;UPDATE:&amp;nbsp;June 27, 2017&amp;nbsp;&lt;span class="s1"&gt;—&lt;/span&gt;&amp;nbsp;Chris Goettl&lt;/h6&gt;
&lt;p&gt;&lt;strong&gt;Petya Ransomware Attack: What Should Companies Be Doing Right Now?&lt;/strong&gt;&lt;/p&gt;
&lt;p class="p1"&gt;&lt;span class="s1"&gt;Several critical vulnerabilities with known exploits or proof-of-concept code should be the focus of everyone’s attention. The SMB exploits (EternalBlue and its siblings) resolved in Microsoft’s March Patch Tuesday update are just the start.&amp;nbsp;Reportedly these are the same vulnerabilities the latest Petya variant uses.&amp;nbsp;And we shouldn’t rely on a kill switch to save the day.&amp;nbsp; &lt;/span&gt;&lt;/p&gt;
&lt;p class="p1"&gt;&lt;span class="s1"&gt;In addition, two more updates for known vulnerabilities, released on June Patch Tuesday, warrant attention.&amp;nbsp; &lt;/span&gt;&lt;/p&gt;
&lt;ul class="ul1"&gt;
&lt;li class="li1"&gt;&lt;span class="s2"&gt;&lt;a href="https://msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8543" target="_blank" rel="noopener"&gt;&lt;span class="s3"&gt;CVE-2017-8543&lt;/span&gt;&lt;/a&gt;&lt;/span&gt;&lt;span class="s1"&gt; – A vulnerability in Windows Search could allow an attacker to take complete control of the system.&amp;nbsp;It could also be exploited over the network without authentication through SMB. It was flagged as “Exploited” when Microsoft released the update on June Patch Tuesday.&amp;nbsp; &lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;ul class="ul1"&gt;
&lt;li class="li1"&gt;&lt;span class="s2"&gt;&lt;a href="https://msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464" target="_blank" rel="noopener"&gt;&lt;span class="s3"&gt;CVE-2017-8464&lt;/span&gt;&lt;/a&gt;&lt;/span&gt;&lt;span class="s1"&gt; –&lt;/span&gt;&lt;span class="s4"&gt;&amp;nbsp; &lt;/span&gt;&lt;span class="s1"&gt;A vulnerability in Microsoft Windows could allow remote code execution if an LNK file is processed. An attacker could craft a shortcut icon that provides the same rights as the local user. It’s a perfect USB drop scenario. &lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p class="p1"&gt;&lt;span class="s1"&gt;Microsoft went a step further, given recent attacks, and &lt;a href="https://support.microsoft.com/en-us/topic/microsoft-security-advisory-4025685-guidance-for-older-platforms-june-13-2017-05151e8a-bd7f-f769-43df-38d2c24f96cd" target="_blank" rel="noopener"&gt;&lt;span class="s5"&gt;released updates for XP, Vista, and 2003&lt;/span&gt;&lt;/a&gt;. The updates go as far back as MS08-067, which plugged the vulnerability Conficker used to infect more than 15 million machines back in 2008.&lt;/span&gt;&lt;/p&gt;
&lt;p class="p1"&gt;&lt;span class="s1"&gt;Make sure you have the latest cumulative security updates for Windows 7 and Server 2008 R2 up through Windows 10 and Server 2016 in place. This covers the Eternal family of vulnerabilities and the two latest known exploited vulnerabilities. Any of the cumulative updates from March through June will suffice for the EternalBlue exploit, but June provides the best coverage, including the newly exploited vulnerabilities.&lt;/span&gt;&lt;/p&gt;
&lt;ul class="ul1"&gt;
&lt;li class="li1"&gt;&lt;b&gt;Windows 7\Server 2008 R2&lt;/b&gt;&lt;br&gt;
March: KB4012215&lt;br&gt;
April: KB4015549&lt;br&gt;
May: KB4019264&lt;br&gt;
June: KB4022719&lt;/li&gt;
&lt;li class="li1"&gt;&lt;b&gt;Windows Server 2012&lt;/b&gt;&lt;br&gt;
March: KB4012217&lt;br&gt;
April: KB4015551&lt;br&gt;
May: KB4019216&lt;br&gt;
June: KB4022724&lt;/li&gt;
&lt;li class="li1"&gt;&lt;b&gt;Windows 8.1\Server 2012 R2&lt;/b&gt;&lt;br&gt;
March: KB4012216&lt;br&gt;
April: KB4015550&lt;br&gt;
May: KB4019215&lt;br&gt;
June: KB4022726&lt;/li&gt;
&lt;li class="li1"&gt;&lt;b&gt;Windows 10\Server 2016&lt;/b&gt;&lt;br&gt;
March: KB4012606 (1507), KB4013198 (1511), KB4013429 (1607)&lt;br&gt;
April: KB4015221 (1507), KB4015219 (1511), KB4015217 (1607), KB4015583 (1703)&lt;br&gt;
May: KB4019474 (1507), KB4019473 (1511), KB4019472 (1607), KB4016871 (1703)&lt;br&gt;
June: KB4022727 (1507), KB4022714 (1511), KB4022715 (1607), KB4022725 (1703)&lt;/li&gt;
&lt;/ul&gt;

&lt;p class="p1"&gt;&lt;span class="s1"&gt;If you are using the Security Only bundle instead of the Monthly Cumulative Rollup, you need the Security Only bundle from March to resolve the original SMBv1 vulnerabilities. You also need the June Security Only bundle to resolve the two latest exploits, including the new SMB vulnerability.&amp;nbsp;By OS you should have the following KBs applied:&lt;/span&gt;&lt;/p&gt;
&lt;ul class="ul1"&gt;
&lt;li class="li1"&gt;&lt;b&gt;Windows 7\Server 2008 R2&lt;/b&gt;&lt;br&gt;
March: KB4012212&lt;br&gt;
June: KB4022722&lt;/li&gt;
&lt;li class="li1"&gt;&lt;b&gt;Windows Server 2012&lt;/b&gt;&lt;br&gt;
March: KB4012214&lt;br&gt;
June: KB4022718&lt;/li&gt;
&lt;li class="li1"&gt;&lt;b&gt;Windows 8.1\Server 2012 R2&lt;/b&gt;&lt;br&gt;
March: KB4012213&lt;br&gt;
June: KB4022717&lt;/li&gt;
&lt;/ul&gt;
&lt;p class="p1"&gt;&lt;span class="s1"&gt;For those of you still running Windows XP, Vista, 8, or Server 2003, we recommend you have all the Bulletins and KBs described in the Microsoft advisory linked above in place on your systems. All are publicly downloadable, even those released after end of life for each operating system.&lt;/span&gt;&lt;/p&gt;
&lt;p class="p3"&gt;&lt;span class="s1"&gt;Finally, if you haven’t yet, here are some additional security controls you should implement to defend against attacks like this:&lt;/span&gt;&lt;/p&gt;
&lt;ul class="ul1"&gt;
&lt;li class="li1"&gt;&lt;span class="s1"&gt;&lt;b&gt;Application control&lt;/b&gt; – Whitelisting can help you defend against untrusted payloads and is one of the most effective security measures against ransomware. Patching plugs the holes attackers use to get onto a system, but in the case of zero days and fileless attacks, whitelisting can block the payload trying to execute (in this case, the ransomware and its propagation to other systems).&lt;/span&gt;&lt;/li&gt;
&lt;li class="li1"&gt;&lt;span class="s1"&gt;&lt;b&gt;Threat protection&lt;/b&gt; – Antivirus (AV) can’t be considered a first line of defense. In most cases, the latest attack could hit several systems before AV catches up to defend against it. Attacks like WannaCry and Petya can spread so quickly that AV can’t stop them before the damage is done. That said, AV is still a necessary layer of defense that can limit propagation and stop attacks in their tracks.&lt;/span&gt;&lt;/li&gt;
&lt;li class="li1"&gt;&lt;span class="s1"&gt;&lt;b&gt;HIPS (host intrusion prevention system)&lt;/b&gt; – HIPS or IPS systems are often more difficult to tune, which makes them harder to implement, but they are a great line of defense against attacks such as this. The SMB exploits follow reference implementations that a HIPS system could identify, report on, and shut down before the attack hits the system.&lt;/span&gt;&lt;/li&gt;
&lt;li class="li1"&gt;&lt;span class="s1"&gt;&lt;b&gt;User education\training&lt;/b&gt; – With WannaCry and Petya, exploiting SMB was likely not the first entry point into environments. The initial entry was more likely user-targeted attacks (phishing, drive-by downloads, watering hole attacks, etc.), or possibly systems attackers already controlled through command-and-control (CnC) infections they put in place earlier. From there the malware used the SMB vulnerabilities to spread rapidly. Any one entry point is enough if you have not patched those vulnerabilities, so user awareness is important.&lt;/span&gt;&lt;/li&gt;
&lt;li class="li1"&gt;&lt;span class="s1"&gt;&lt;b&gt;Backup and restore&lt;/b&gt; – With ransomware so commonplace, it’s even more important to have backup software at critical endpoints. With WannaCry, and so far with Petya, the number of ransoms paid was very small. Having a recent backup allows companies to re-provision and restore user data quickly to get back up and running.&lt;/span&gt;&lt;/li&gt;
&lt;li class="li1"&gt;&lt;span class="s1"&gt;&lt;b&gt;Provisioning&lt;/b&gt; – Having a Unified Endpoint Management (UEM) solution seems like an operational issue: it enables the team to manage systems in a heterogeneous environment. But there are response capabilities in that UEM platform that are essential to combat cyber threats today. Any credible security practitioner will say that paying the ransom is a bad idea, and that having good backups, re-provisioning the system, and restoring the data is the more efficient way to recover from a ransomware attack.&lt;/span&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;hr&gt;
&lt;h6&gt;UPDATE: June 27, 2017&amp;nbsp;&lt;span class="s1"&gt;—&lt;/span&gt;&amp;nbsp;CISO Phil Richards&lt;/h6&gt;
&lt;p&gt;&lt;strong&gt;Petwrap, Based on Petya Variant&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;New ransomware is attacking global computing systems worldwide as of June 26, 2017. The ransomware, called Petwrap, is based on an older Petya variant, originating from the GoldenEye malware in December 2016. The new ransomware variant also includes the SMB exploit known as EternalBlue that was created by the United States National Security Administration, and leaked by the Shadow Brokers hacker group in April 2017.&lt;/p&gt;
&lt;p&gt;This malware appears to have been targeted at Ukrainian infrastructure groups such as government workstations, power companies, banks, ATMs, state-run television stations, postal services, airports, and aircraft manufacturers. Since the initial infection it has spread to other markets and beyond Ukraine’s borders. The actual malware is ransomware, requesting a ransom equivalent to $300 USD in bitcoin.&lt;/p&gt;
&lt;p&gt;The Petya component includes many features that enable the malware to remain viable on infected systems, including attacking the Master Boot Record. The EternalBlue component enables it to proliferate through an organization that doesn’t have the correct patches or antivirus/antimalware software. This is a great example of two malware components coming together to generate more pernicious and resilient malware.&lt;/p&gt;
&lt;p&gt;&lt;a href="https://www.ivanti.com/resources/library" target="_blank" rel="noopener"&gt;&lt;img class="alignnone wp-image-16563 size-full" src="https://static.ivanti.com/sites/marketing/media/images/blog/2016/07/cta-blogbanner-security.jpg" alt="ransomware attack"&gt;&lt;/a&gt;&lt;/p&gt;</description><pubDate>Tue, 27 Jun 2017 17:17:09 Z</pubDate></item><item><guid isPermaLink="false">8fb53354-81e0-45b3-a7df-7d944f91c166</guid><link>https://www.ivanti.com/blog/ransomware-pay-ransom</link><atom:author><atom:name>Phil Richards</atom:name><atom:uri>https://www.ivanti.com/blog/authors/phil-richards</atom:uri></atom:author><category>Security</category><title>Ransomware: Should You Pay the Ransom?</title><description>&lt;p&gt;Security professionals dread the day when they get the call that ransomware has infiltrated their network and has already started encrypting files, drives and network shares. After the initial shock has worn off and the ransomware is no longer encrypting new files, the decision quickly turns to whether to pay the ransom in order to (maybe) recover the files.&lt;/p&gt;
&lt;ul&gt;
&lt;li class="p1"&gt;&lt;strong&gt;Related:&amp;nbsp;&lt;/strong&gt;&lt;strong&gt;&lt;a href="https://www.ivanti.com/blog/breaking-large-scale-cyber-attack" target="_blank" rel="noopener noreferrer"&gt;Breaking: WannaCry Ransomware Exploding Across the Globe&lt;/a&gt;&lt;/strong&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Noticeably absent from this article is the actual answer to that question. That is because there are lots of issues and questions that go into this decision.&amp;nbsp;I want to highlight some of the issues you will face and help work through the answers.&lt;/p&gt;
&lt;h6&gt;1. Can you live without the files?&lt;/h6&gt;
&lt;p&gt;Files encrypted by ransomware are locked and cannot be viewed or accessed by anyone in the organization. It is important to catalog the extent of the loss.&amp;nbsp;Files can be grouped based on how critical they are to the organization.&lt;/p&gt;
&lt;h6&gt;2. Do you have backups, and if so, how recent?&lt;/h6&gt;
&lt;p&gt;The existence of backups for encrypted files gives you &lt;em&gt;options.&lt;/em&gt; You might have the ability to recover encrypted files through your own backups. Whether backups exist varies by company and by the type of system that has been compromised.&lt;/p&gt;
&lt;h6&gt;3. Recovery&lt;/h6&gt;
&lt;p&gt;If you have backups of the encrypted files, how quickly can you recover from backup? Companies have varying strategies for backup/storage and retrieval. Recovery can take multiple days. When that happens, paying the ransom may be a viable alternative to restore files more quickly.&lt;/p&gt;
&lt;h6&gt;4. Do you have an obligation to outside parties?&lt;/h6&gt;
&lt;p&gt;File availability requirements may impact your decision-making.&amp;nbsp;If you need to have files available quickly, that may tilt the balance in favor of paying the ransom for the &lt;em&gt;possibility&lt;/em&gt;&amp;nbsp;of recovering them quickly. Obligations may be to customers, suppliers, regulatory organizations, legal entities and many others.&lt;/p&gt;
&lt;h6&gt;5. Is it possible to decrypt the files without paying the ransom?&lt;/h6&gt;
&lt;p&gt;Some ransomware is not well written. If you are lucky enough to have been infected with a variant that uses weak encryption, it may be possible to recover your files with a decryptor tool. A good resource for identifying and remediating some types of ransomware can be found in this list of &lt;a href="https://www.thewindowsclub.com/list-ransomware-decryptor-tools" target="_blank" rel="noopener noreferrer"&gt;decryptor tools&lt;/a&gt;.&lt;/p&gt;
&lt;h6&gt;6. Assess the likelihood of getting the encryption key after paying the ransom&lt;/h6&gt;
&lt;p&gt;Not all ransomware organizations are trustworthy (big surprise). Some will take your money and not provide you with the decryption keys.&lt;/p&gt;
&lt;p&gt;On May 20, 2016, &lt;a href="https://www.csoonline.com/article/556275/kansas-heart-hospital-hit-with-ransomware-paid-but-attackers-demanded-2nd-ransom.html" target="_blank" rel="noopener noreferrer"&gt;Kansas Heart Hospital paid a ransomware&lt;/a&gt; organization an undisclosed amount, only to have the organization extort them for a second time for additional money. The hospital refused to pay the second ransom, stating:&amp;nbsp;“The policy of the Kansas Heart Hospital in conjunction with our consultants, felt no longer was this a wise maneuver or strategy.”&lt;/p&gt;
&lt;h6&gt;7. Other risk factors&lt;/h6&gt;
&lt;p&gt;You need to consider reputation, regulatory and financial risk when deciding whether to pay or not pay the extortionists. Make sure you’re considering all angles.&lt;/p&gt;
&lt;p&gt;The recommendation from the FBI and several non-government organizations is to never pay a ransom. Some reasons to not pay the ransom include:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;There is a possibility that you will not get the files recovered after you pay.&lt;/li&gt;
&lt;li&gt;It encourages bad actors to continue developing ransomware.&lt;/li&gt;
&lt;li&gt;You fuel a perception that you are weak by giving in to the bandits.&lt;/li&gt;
&lt;li&gt;You fuel a perception that you are inept if you don’t know how to prevent/resolve security breaches.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;In the real world there are other issues that need to be evaluated when deciding whether to pay the bad guys:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Locked files are critical to your business or represent a significant investment.&lt;/li&gt;
&lt;li&gt;Operations are compromised because of the locked files.&lt;/li&gt;
&lt;li&gt;There is no backup, so the files would be lost forever.&lt;/li&gt;
&lt;li&gt;Restoration of the files will take a significant amount of time and will impact business.&lt;/li&gt;
&lt;li&gt;You need to disclose the lost files to customers.&lt;/li&gt;
&lt;li&gt;There are regulatory consequences for the lost files.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;So while it is easy to say, “Never pay the ransom,” sometimes there are practical considerations that need to be evaluated. Clearly, this is a situation that is best avoided altogether.&lt;/p&gt;
&lt;p&gt;Ivanti&amp;nbsp;ensures your user environment is stable and secure,&amp;nbsp;helping you to reduce risk and extend protection and control.&lt;/p&gt;
&lt;p&gt;&lt;a href="https://www.ivanti.com/resources/library" target="_blank" rel="noopener"&gt;&lt;img class="alignnone wp-image-16563 size-full" src="https://static.ivanti.com/sites/marketing/media/images/blog/2016/07/cta-blogbanner-security.jpg" alt="Layered Security is the Whole Endpoint full report"&gt;&lt;/a&gt;&lt;/p&gt;</description><pubDate>Wed, 17 May 2017 01:28:57 Z</pubDate></item><item><guid isPermaLink="false">5408f4b3-5a9d-4a46-bfb2-e6d4ae66190c</guid><link>https://www.ivanti.com/blog/why-we-partner-hint-so-you-can-benefit</link><atom:author><atom:name>Phil Richards</atom:name><atom:uri>https://www.ivanti.com/blog/authors/phil-richards</atom:uri></atom:author><category>Security</category><title>Why We Partner (Hint: So You Can Benefit)</title><description>&lt;p&gt;Endpoint protection has evolved substantially over the past few years. At one time an endpoint protection platform was defined as antivirus software and a centralized console for keeping AV rules and definitions up to date. Now, even the oldest antivirus companies recognize that traditional antivirus systems are not very effective at protecting endpoints. The industry has evolved to incorporate many other aspects of endpoint protection.&lt;/p&gt;
&lt;p&gt;That said, Gartner still takes a particularly narrow view of endpoint protection, defining the landscape as anti-malware, personal firewall, and port and &lt;a href="https://www.ivanti.com/products/device-control"&gt;device control&lt;/a&gt;. That stands in opposition to the definition of malware defense the Center for Internet Security provides (abbreviated below):&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Critical Security Control (CSC) 8: Malware Defenses&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;8.1. Automated continuous monitoring&lt;/li&gt;
&lt;li&gt;8.2. Centralized infrastructure&lt;/li&gt;
&lt;li&gt;8.3. Limit use of external media&lt;/li&gt;
&lt;li&gt;8.4. Enable anti-exploitation features&lt;/li&gt;
&lt;li&gt;8.5. Enable behavior-based malware detection&lt;/li&gt;
&lt;li&gt;8.6. Enable DNS query logging&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Currently, Ivanti outsources 8.1 and 8.5 in the above malware defenses list to trusted partners Invincea and Kaspersky Lab. Both provide traditional signature-based antivirus defense and newer behavior-based and adaptive anti-malware technologies—a combo that offers extensive protection traditional AV software can’t hope to replicate. And we couple these solutions with a rich, robust, and thorough endpoint protection solution that exceeds the capabilities of any other solution in the industry.&lt;/p&gt;
&lt;p&gt;Gartner’s narrow view of malware defense limits what providers develop for their customers (so they can check those boxes Gartner defines and qualify for inclusion). We have chosen to integrate more capabilities and augment with partner technology to provide complete coverage.&lt;/p&gt;
&lt;p&gt;One of the potential outcomes of meeting Gartner’s narrow definition of endpoint protection is to undervalue innovation in the category. At Ivanti, we have chosen not to do that.&lt;/p&gt;
&lt;p&gt;&lt;a href="https://www.ivanti.com/resources/library" target="_blank" rel="noopener"&gt;&lt;img class="alignnone wp-image-15110 size-full" src="https://static.ivanti.com/sites/marketing/media/images/blog/2017/03/cta-blogbanner-security.jpg" alt="Layered security is the whole endpoint"&gt;&lt;/a&gt;&lt;/p&gt;</description><pubDate>Wed, 22 Feb 2017 18:20:25 Z</pubDate></item></channel></rss>