Webinar presenter Stacey Wright answered a number of your questions after her presentation, "101 Introduction to How Cybercrime and Cyber Defenses Actually Work?" Here are some of her responses.
Audience Question: When an organization which has been compromised has a company come in to help remediate the compromise, how sure are they really that afterward one hundred percent of the attacker's presence has been removed?
Stacey Wright: It's difficult to know one hundred percent. What I strongly recommend is making sure that the organization you bring in is an expert in doing this. There are a lot of companies out there who are very good at remediating a compromise and you want to make sure that the company you're dealing with has that level of expertise. There's always a possibility that there's a new technique that nobody has ever seen or heard of that could leave the attackers in your system, though it's rare. Deal with a company that does this full-time.
Audience Question: Is it possible to create a computer vulnerability when opening a Word document if you don't open any macros? Are there ways to prevent creating that vulnerability, like copying and pasting to a different document?
Stacey: To copy and paste into another document, you're going to have to open the document in the first place. And just changing the name, doing a 'file save as…', is not going to get rid of the vulnerability. There are ways to put vulnerabilities in Office documents that don't involve macros; they are not as commonly used, but they do exist.
If you're worried about an Office document or PDF file, I suggest opening it with your IT department on a secure system that is not connected to your network, so that if something goes wrong it can be checked and fixed easily.
If you're in an IT department, there are usually sandboxes. A sandbox is an area where you can play with stuff like this and double-check for malware.
We also run a service called the Malicious Code Analysis Program (MCAP) that lets you upload a file and check for malware. You can submit it to MCAP to do that – that's for MS-ISAC members.
Audience Question: What do I do if I click on something and something begins loading on my system? How do I avoid becoming a victim of malware, or is it too late at that point?
Stacey: Your system is compromised. Most of the time this is happening in the background and you won't see it happening. My best advice is to immediately pull your computer off the network. Pull the cable, turn off Wi-Fi, shut it down, so you won't infect the rest of the network. Then you can work on bringing it back up in safe mode, so it won't connect to anything else and the malware will stay local to your computer.
This is also why, when talking about backups, IT doesn't want you to save anything to your desktop or local file shares, but instead to the network, so it can be backed up and recovered if something goes wrong.
Audience Question: Can ISAC be joined if outside the US?
Stacey: Some ISACs can; the MS-ISAC is specific to state, local, tribal and territorial governments. That means in the US or one of the territories. There are quite a few ISACs out there, like the Aviation and the Automobile ISAC – those are international ISACs. There is also a push to create ISAOs – Information Sharing Analysis Organizations – some of these are sector-based and allow international members to join.
Audience Question: Has anyone done personality testing on these hackers?
Stacey: There are efforts to do personality testing; there are even behavioral science efforts to try and figure out what type of people write the malware and track them down, like they do with serial killers. I personally don't know the results, but it is a growing field.
Audience Question: If I'm a manager or an executive and I have the responsibility for the cybersecurity of my organization, but I am not a technical person, what are the most important things I should be doing to understand my role more, the field more, and how to support the team better?
Stacey: I would suggest attending webinars like this. Ask questions. IT guys may not be good at explaining things in non-technical terms, but I have worked with a lot of people from a lot of different organizations who find that if they just keep on asking questions and paying attention, they've already learned so much just by being around and listening to those conversations, going on Wikipedia, and looking up terms that they don't know. There are a couple of resources, and there are paid classes, that I can provide you with if you'll email me.
Audience Question: Is there software that we can run on a computer that will identify all these types of vulnerabilities?
Stacey: Most of them involve something called a vulnerability assessment or pen-testing. These are not typically software programs; you're hiring a company or a person to do the activity. The DHS offers a couple of them for free. They are a little bit harder to get into because they are free, so there are long waiting lists for them. Some of these are the Cyber Resilience Review and CSET.
Audience Question: Should agencies' key executives become more aware of spear-phishing? How do we help our key leaders become more aware and help them stay safe?
Stacey: I see nation-states – China and Russia – target key leaders because they have access to lots of information. Key leaders are targets. The BEC scam, an email from an executive leader to issue this wire transfer or send employee tax information, is much more likely to be followed than an email from a random other person. The best technique I have seen is showing them case studies where it has gone horribly wrong, where an executive account has been used and it resulted in millions of dollars wire-transferred out of the country.
Audience Question: I would imagine that anytime an agency has an executive or PR person in front of the media, whenever there's a controversy or incident, those would also be heightened situations for the IT department to become more sensitive and aware and try to protect those individuals from spear-phishing. Is this correct?
Stacey: Yes. Especially if the incident attracts hacktivists' attention. Those are more likely to result in spear-phishing. Heightened awareness from anyone within the organization can help.
Audience Question: We run drills for mass casualty events like mall shootings. How should an agency practice for a cyber-attack? What does that look like?
Stacey: Through tabletop exercises; there are a lot out there. You can participate in them along with other agencies and organizations. The goal is to talk through an incident and how you would respond, just like any exercise that you would do, but with cyber scenarios. One we've published is where you have an active shooter incident and the shooter is also targeting your computer equipment. It's not just a malware issue but a physical problem, which can be catastrophic long-term.
Audience Question: If you're saying that employees are vulnerable to keylogging at work when they might be going through a particularly nasty divorce or dispute, what additional steps should we take as an agency or first-line manager to help protect our staff?
Stacey: Talk to your staff; let them know what a keylogger looks like physically. Make sure that person has anti-virus products on their phone, tablets, computers, all their devices. Let IT know that they need to be more proactive when phishing emails come through targeting this person. Give that person extra training on how to recognize things that may contain malware.
A recording of Stacey Wright's webinar, "101 Introduction to How Cybercrime and Cyber Defenses Actually Work?", is available to view.