Australian organisations suffer ransomware because they make basic mistakes

Decade-old attack vectors still work. Fundamental cybersecurity lessons aren't being learned. That has to change.

It's a surprising answer, and scary. We know that ransomware attacks are on the rise, "by an order of magnitude" in the last 12 months, according to Scott Brown, senior tech with CERT Australia (CERT-AU). So what's the most common attack vector?

"Number one is still macros in [Microsoft] Word and Excel documents attached to emails," Brown told the Australian Cyber Security Centre (ACSC) Conference in Canberra on Wednesday.

"Just in the last month, and I'm sure most of you have seen this, there has been a bit of a change up to ZIPs and RARs that include JavaScript, and they kick it off that way. We do see some being dropped by exploit kits. I guess I would argue over here [in Australia] we don't seem to see the same percentage of exploit kit stuff that some of the other countries see."

In Canada, roughly 50 percent of the ransomware is delivered via an exploit kit, Brown said, but in Australia around 95 percent still arrives via email. And the volume of those emails has "skyrocketed" in the last two or three months.

Now CERT-AU deals primarily with large or more critical organisations, not every nickel and dime small business -- but still, Australia, what the actual?

Pwned. By MS Office macros. Arriving by email. In 2016.

Set aside for the moment my own biased view, which wonders why anyone is even using that quaint technology at all. What kind of self-respecting email anti-malware system wouldn't be flagging and quarantining macro-laden documents coming from outside the organisation? Such technology has existed for more than a decade, and it's free.

The same goes for ZIP and RAR files. Back in 2011, Alex Kirk from Sourcefire's Vulnerability Research Team (VRT) showed that 11 percent of RAR files contained malware.

"I've always told friends, 'don't ever touch a RAR file, it's just full of malware'," he told this writer at the time.

Not much has changed in ransomware, Brown said. Sure, there are a few more variants, and a lot more volume, but the defences are the same.

Brown even showed the same defend-against-malware slide as last year: restrict the file types that are allowed in through your gateways; restrict admin privileges; and set up application whitelisting, not just for EXEs, but also for DLLs, scripts, and macros.

Oh, and keep current backups of everything, and test that they work, so if you do get hit with ransomware you can just wipe the infected machines and start again.
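The gateway check the column asks for, quarantining macro-laden Office documents and script-bearing archives arriving from outside, can be prototyped with nothing but the Python standard library. This is an added example, not code from the article, CERT-AU or any vendor; the attachment samples, extension list and quarantine reasons are constructed for illustration.

```python
import io, os, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}  # constructed, deliberately short list
VBA_PARTS = {"word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin"}  # only present with VBA

def classify_attachment(name, data):
    """Return a quarantine reason for an inbound attachment, or None if no rule matched."""
    ext = os.path.splitext(name)[1].lower()
    if ext in SCRIPT_EXTS:
        return f"script attachment ({ext})"
    if ext == ".rar":  # stdlib has no RAR parser; hold these unopened rather than pass them
        return "RAR archive (not inspectable here)"
    if data[:2] != b"PK":  # neither a plain zip nor a zip-based (OOXML) Office file
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
    except zipfile.BadZipFile:
        return "malformed zip container"
    if VBA_PARTS & set(members):
        return "Office document with VBA project"
    scripts = [m for m in members if os.path.splitext(m)[1].lower() in SCRIPT_EXTS]
    return f"archive containing script: {scripts[0]}" if scripts else None

def scan_email(raw):
    """Walk a raw RFC 822 message; return [(filename, reason)] for every flagged part."""
    findings = []
    for part in message_from_bytes(raw, policy=policy.default).walk():
        fname = part.get_filename()
        if fname and (reason := classify_attachment(fname, part.get_payload(decode=True) or b"")):
            findings.append((fname, reason))
    return findings

def _zip(files):  # build an in-memory zip from {member path: content}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, body in files.items():
            zf.writestr(path, body)
    return buf.getvalue()

def build_sample():
    """Constructed message: a .zip holding a .js, a .docm with a VBA part, and a macro-free .docx."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "sender@example.com", "staff@example.org", "Invoice"
    msg.set_content("See attached.")
    for fname, blob in [("invoice.zip", _zip({"invoice.js": "// constructed placeholder"})),
                        ("report.docm", _zip({"word/document.xml": "<d/>", "word/vbaProject.bin": b"\0" * 8})),
                        ("clean.docx", _zip({"word/document.xml": "<d/>"}))]:
        msg.add_attachment(blob, maintype="application", subtype="octet-stream", filename=fname)
    return msg.as_bytes()
```

Legacy binary .doc and .xls files are OLE2 containers rather than zips, so this prototype does not inspect them; a production gateway would parse those (or block them by policy) rather than let them through unexamined.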

Ransomware wasn't the only indicator that organisations haven't been learning their lessons.

When it comes to targeted intrusions investigated by CERT-AU, the attackers had been in the victim's network for "something between six and 12 months. That's been true for every targeted incident we've worked to date," Brown said.

That figure is consistent with the global figures that have been reported in Verizon's annual Data Breach Investigations Report (DBIR) every year it's been produced. Intruders are detected in weeks to months, not hours to days.

Investigations have always been made more difficult because most organisations don't keep logs going back that far. But investigations are even more difficult when email is outsourced to cloud providers, where organisations may not even have access to any logs that do exist.

Of course the same problems exist elsewhere on the planet.

Marty Edwards, director of the US Department of Homeland Security's Industrial Control Systems CERT (ICS-CERT), showed a slide listing the lessons learned from the more general data breaches investigated by US-CERT.

Those lessons were: lack of network segmentation; general user accounts being targeted instead of admins; lack of two-factor authentication; lack of logging and netflow capture; poor server discipline, that is, not hardened, or running unnecessary applications, or outdated operating systems; and poor workforce education.

"Sound familiar?" the slide asked.

Quite.

When it comes to ICS security, well, that's running 10 years behind general information security, Edwards said. And medical device security is running 10 years behind that.

I won't list any more of the "familiar" messages I've seen at the conference so far. The real message is clear.

Organisations are still not learning their basic cybersecurity lessons. That must change.