Wednesday 28 February 2018

Invasion of the Cryptominers


That's it, we're done! The 2018 malware awareness module is on its way to subscribers, infecting customers with ... our passion for the topic.

There are 28 different types of awareness and training material, in three parallel streams as always:


Stream A: security awareness materials for staff/all employees

1. Train-the-trainer guide on malware
MS Word document, 4 pages
START HERE! Creative ideas to boost your security awareness program

2. Awareness seminar on malware
MS PowerPoint presentation, 15 slides with speaker notes
Outlines today's malware threats, plus pragmatic advice on how to reduce the risk

3. Awareness posters on malware
3 high-resolution JPG images
Eye-catching images

4. Awareness briefing on malware 2018
8 pages + cover
Written to accompany the seminar, or to circulate on its own merits

5. Malware hit parade
1 page
Outlines 5 types of malware and 5 notable malware incidents

6. Malware scam busters
6 x 2 pages each
Double-sided leaflets covering computer viruses, cryptominers, spyware, APTs, bank Trojans & ransomware, with news

7. Ransomware advisory
1 page
What to do if your computer/device is being held to ransom

8. Computer virus leaflet
2 pages
Simple double-sided informative leaflet

9. Case study on malware
2 pages
Draws on a genuine malware incident, reported in the news

10. Wordsearch puzzle on malware
With solution
The grid hides well over 100 malware terms: how many can you find?

11. FAQ on malware
1 page
A simple one-sided Q&A format

12. Awareness challenge on malware
1 page
A creative, fun challenge to get people thinking and interacting on malware

13. Awareness survey on malware
1 page
Measure awareness and gather feedback

14. Awareness test on malware
1 page
Are your awareness materials and activities getting the key points across?

15. Hyperlinked information security glossary
316 pages (!)
New terms include false flag, Coinhive, cryptominer, cryptojacking, Hiddad, Kedi and Xafecopy; malware entries are shown in red throughout the glossary


Stream B: security awareness materials for managers

16. Diagrams for malware
20 MS Visio drawings (!)
Visual representations of various aspects of the malware threat

17. Management seminar on malware
18 slides with speaker notes
Discusses the evolving malware threat

18. Board agenda on malware
1 page
Get senior management talking about the strategic aspects of malware

19. Elevator pitch on malware
1 page, ~80 words
If you had a fleeting chance to discuss malware with management, what would you say? This document is a prompt

20. Model policy on malware
5 pages
Generic policy template, needs customization to suit your requirements

21. Exec briefing on malware
1 page
Looks at the strategic, governance and management aspects

22. Management briefing on malware
3 pages + cover
Quite succinct, explains cryptomining malware and other topical concerns

23. Job description for a malware analyst
1 page
Outlines this specialist rôle and the skills/competences typically required

24. Management briefing on malware metrics
5 pages
A discussion paper suggesting several ways to measure malware risks and controls


Stream C: security awareness materials for professionals

25. Newsletter on malware
4 pages
Uses recent news clippings and topical quotations for an update on malware

26. Professional seminar on malware
19 slides with speaker notes
A slightly more technical take on malware

27. Professional briefing on malware
4 pages + cover
A relatively short and sweet update this year, an overview for perspective

28. Internal Controls Questionnaire on malware
9 pages
Evaluate the organization's malware-related information risks and controls


I'm particularly pleased with the poster image above, designed to accompany the staff seminar:
Malware The Movie Part XIV:
Invasion of the Cryptominers
While the surface was strangely calm,
far underground the crypt took shape

I had in mind those lurid cult classics such as Invasion of the Body Snatchers, Friday the Thirteenth or the sinister Hammer horrors with Christopher Lee & co. Our graphics whizz married the concept of a horror movie poster with an image representing digital currency and Bitcoin, bringing it bang up to date. Nice work!

It's "part XIV" because there are (at least!) 13 other recognized types or families of malware already, conveniently averaging about one per year that we've been churning out the 'malawareness' content. 

I wonder what horrors will feature in the module this time next year? Will it creep you out if I suggest that, whatever it might turn out to be, it is probably already in the wild, right now?

Don't forget to check under the keyboard tonight, and keep a firm grip on the mouse.  Sleep tight.

Tuesday 27 February 2018

The bigger picture

The awareness module now nearing completion discusses the cryptomining malware that has come to prominence since the materials were last updated a year ago.  

It is hard to get terribly worked up about the theft of CPU cycles and joules while we're still battling ransomware, spyware and APTs ... but scratch a little deeper to discover that cryptominers are more symptom than cause, the tip of a very chilly iceberg.

Q: How do systems get infected with cryptominers?  

A: Through the usual malware infection mechanisms i.e. security vulnerabilities in the IT systems and the people who use them.

Q: How do the crooks benefit?

A: Victims generate money for them, plainly ... but they also expose themselves and their systems to further compromise and exploitation.  Ahhhh.

There are shades of the 'fraud recovery' frauds which trick the victims of 419 advance fee frauds into also paying out for mythical 'compensation' and 'lawyers' fees'. You'd have thought being suckered once was enough to put people on their guard but it seems not: victims have marked themselves out as vulnerable. "I'm down, kick me again".

I'll leave it there for today as we need to finish the module.  Maybe tomorrow I'll have time to blog about the similarities between today's Bitcoin boom and the pyramid or Ponzi schemes of yore.

Sunday 25 February 2018

Malware update 2019?

The 2018 malware update awareness module is a Work In Progress. We've all but completed the awareness materials for the general staff audience, and today we'll crack on through the management and professional streams.

Every year I wonder what we are going to say in the malware module, given that we've covered this topic so many times before. I worry that we might not find anything new to add, forcing us to re-hash the same old stuff in the hope of making it interesting enough to resonate with the audiences. 

Yet again I needn't have worried. The malware threat is constantly mutating, much like a biological virus in fact. As fast as we discover and get to grips with each form, novel attacks and new challenges arise. There's no shortage of new things to say.

Cryptomining malware emerged from its lair in the middle of last year. As it happens, it's one of the more benign forms that merely consumes resources, reduces performance and increases costs, as opposed to devastating and in some circumstances life-threatening forms ... and yet it is virulent (it spreads widely and rapidly) and weakens the host (aside from running the cryptomining software, what else might be going on in the background?).

Perhaps next March when we refresh the malware module yet again, we'll pick up on the biological similarities by bringing up MRSA "superbugs" that have the healthcare and pharmaceutical industries and authorities worried. What will we do if/when our antivirus controls fail us? What is the cybersecurity equivalent of 'deep cleaning the ward' using bleach, with palliative care for patients whose infections we simply cannot treat? If it came down to it, how would we fully isolate and treat an organization whose malware infection seriously threatens the rest of us? Who has the ability, and the authority, to turn off life-support or flip the kill-switch?

It would be good to have kick-started the thinking and planning early, before we find ourselves wallowing around in brown stuff. Security awareness isn't purely about learning from the past, or even the present.

Either way, I'm confident that in a year's time there will be something new and pressing to raise!

Thursday 22 February 2018

Responsible disclosure

Today I've been scouring the web for news on cryptominer incidents to incorporate into next month's awareness materials on malware.

As well as the usual doom-n-gloom reports from assorted antivirus companies bigging-up the cryptominer threat, I came across an interesting letter from a US hospital, formally notifying patients about an incident.

The infection was identified back in September 2017, and eradicated within 4 days of detection.

Although the malware infection was a relatively benign cryptominer, the hospital sent a formal notification letter to patients at the end of January 2018 since the infected system held their medical data. 

Full marks to the hospital management for 'fessing up to the incident and publicly disclosing it, and for apparently handling the incident in a professional and reasonably efficient manner (although arguably 4 months is an age in Internet time).

They have offered free credit monitoring services, more appropriate in case of identity fraud ... which is a possibility if the malware gained privileged access to the system. I wonder, though, whether this letter was simply part of their pre-prepared generic response to a cyber-incident, perhaps a defensive move prompted by their lawyers just in case personal/medical information was disclosed inappropriately.

Anyway, there we go: a relevant little news clip to share and explain through the awareness program, for people to discuss and contemplate. We can use it in the awareness slide decks, briefing papers and maybe as a case study. There are aspects of interest to the general staff audience, to management, and to the professionals/specialists, so we get three times the value from one story. Cool!


Tuesday 20 February 2018

Awareness in small doses

Last month I blogged about consciously adopting a different style of awareness writing, with succinct tips-n-tricks supplementing, perhaps even replacing, conventional descriptive paragraphs.

At the risk of becoming recursive, one of the tips included in March's malware awareness module will be for customers to solicit tips from their colleagues who have suffered malware incidents recently.  

The idea is for the security awareness people to:
  • Find out what happened, to whom, when and how;
  • Speak, discreetly, to the people involved or implicated in the incidents;
  • Explore the consequences, both for the business and for them personally;
  • Tease out the tips - lessons worth sharing with others;
  • Share them.
Such an approach would work extremely well in some organizational cultures, but in others people can be reluctant to admit to and open up about their issues. Although it is feasible to draw out and express the key learning points anonymously, without identifying those directly involved, the process loses a lot of its awareness impact.

Think about it: if someone stands up before an audience, admits to failings that caused or failed to prevent a malware incident, and is clearly affected by the whole episode, isn't that a powerful, moving message in itself, regardless of the content?

So, taking my own medicine, the Hinson tip cut-to-the-chase version of this blog piece is:

Find out about malware incidents from those involved,
and share the lessons as part of your awareness program. 

While it's not the full story, that is hopefully just enough to catch your eye and stick in your memory.

Saturday 17 February 2018

The I part of CIA

Integrity is a universal requirement, especially if you interpret the term widely to include aspects such as:
  • Completeness of information;
  • Accuracy of information;
  • Veracity, authenticity and assurance levels in general e.g. testing and measuring to determine how complete and accurate a data set is, or is not (an important control, often neglected);
  • Timeliness (or currency or ‘up-to-date-ness’) of information (with the implication of controls to handle identifying and dealing appropriately with outdated info – a control missing from ISO/IEC 27001 Annex A, I think);
  • Database integrity plus aspects such as contextual appropriateness plus internal and external consistency (and, again, a raft of associated controls at all levels of the system, not just Codd’s rules within the DBMS);
  • Honesty, justified credibility, trust, trustworthiness, ‘true grit’, resilience, dependability and so forth, particularly in the humans and systems performing critical activities (another wide-ranging issue with several related controls);
  • Responsibility and accountability, including custodianship, delegation, expectations, obligations, commitments and all that …
  • … leading into ethics, professional standards of good conduct, ‘rules’, compliance and more.
The full breadth of meanings and the implications of “integrity” are the key reason I believe it deserves its place at information risk and security’s high table, along with confidentiality and availability. However, for some people in the field (perhaps a greater proportion of non-native English speakers?), it evidently has a much more restricted meaning, hence the reason for the note to this definition of information security:
"3.28
information security
preservation of confidentiality (3.10), integrity (3.36) and availability (3.7) of information
Note 1 to entry: In addition, other properties, such as authenticity (3.6), accountability, non-repudiation (3.48), and reliability (3.55) can also be involved."

Those additional properties, and more, are to me all part of “integrity” (plus availability in the case of “reliability”).

By the way, Donn Parker has argued for years (decades!) that the CIA triad is deficient. Aside from the vagueness of “integrity” which is at least partially addressed by that note, Donn points out that there are other, materially different properties or requirements or features of information that are also an integral part of the domain, such as ownership and control – and I must say I think he’s got a point. A significant part of privacy, for example, is the concept that we data subjects own and hence have a right to control or choose how our personal information is used, disclosed, stored, maintained and disposed of, regardless of who actually has possession of it at any moment, and regardless of the fact that we may have chosen to disclose it to them, or failed to prevent them accessing it (e.g. by standing naked at a window!). That, for me, goes beyond CIA, although some would say it falls under responsibility, accountability and trust which is part of integrity, and of course there is a confidentiality angle. Regardless of the official/academic definitions, it’s an intriguing perspective.