[BreachExchange] Nayana ransom payment a wake-up call for cyber hygiene

Audrey McNeil audrey at riskbasedsecurity.com
Fri Jun 23 14:36:26 EDT 2017


http://www.computerweekly.com/blog/Eyes-on-APAC/Naraya-ransom-payment-a-wake-up-call-for-cyber-hygiene

When one is confronted by a criminal or terrorist demanding a ransom in
exchange for a loved one who has been held hostage, the general rule of
thumb is not to pay up, and to go to the police.

That’s the sensible thing to do, lest you create more incentives for
kidnappings and inadvertently finance terrorist and criminal groups. Why
then, should individuals and organisations who have been hit by ransomware
pay the perpetrators behind those attacks?

Yet, Nayana – a South Korean web hosting company – did just that, dishing
out $1m worth of bitcoin to restore the websites and data of its customers
that had been held ransom by the Erebus ransomware.

Sure, the business damage (think customer lawsuits) to Nayana of not doing
so would have been huge, but so would the damage caused by the negative press
on the company’s poor cyber hygiene that opened the doors for hackers. Even
if the customers got their data back, will they still continue hosting
their websites with the company?

Nayana’s website was believed to be powered by older versions of Apache and
the Linux kernel with known vulnerabilities that were possibly exploited by
Erebus.

Why weren’t the vulnerabilities patched? Was Nayana using a community
version of a Linux distro or an enterprise version supported by a vendor?
These are questions that every organisation like Nayana needs to ask
itself, not just in the aftermath of a cyber-attack but also in making
technology decisions.

Cases like Nayana serve as a timely reminder – and a wake-up call for that
matter – on the importance of maintaining a good security posture, like how
you would exercise some common sense when you’re in a seedy neighbourhood.

In the digital world, things will only get worse with the proliferation of
internet of things (IoT) devices.

Many IoT devices are susceptible to ransomware and it is likely that
attacks targeting these devices will happen more frequently, says Mark
Hearn, director of IoT security at Irdeto.

“When you throw in the potential target of connected cars, where
high-profile hacks of a number of vehicles have been reported (impacting
manufacturers like Tesla, Mitsubishi and others), it’s clear that action is
imperative.

“Payment of these ransoms will only serve to encourage the attackers. Not
only should companies avoid paying, they must take cyber security more
seriously. Many of these attacks, including the WannaCry ransomware attacks
that wreaked so much havoc last month, could have easily been avoided if
organisations implemented a defence-in-depth approach to cyber security.

“This approach involves many layers of security being implemented
throughout the infrastructure, rather than simply protecting systems from
the outside-in, in addition to a security-in-depth strategy for endpoint
devices, incorporating run-time integrity verification of the device,” he
says.