Aphelion Ltd

Aphelion Blog

Website URL: http://www.aphelion-group.com

How to Guard Your Company Against Cryptojacking and Ransomware

Published in Security

The bull market for bitcoin is catching a lot of attention, not least among criminals. This is why the cost of ransomware attacks was expected to grow 1,500 percent between 2015 and 2017, to a predicted $5 billion. Some expect costs to rise to $11.5 billion in 2019.

Others saw a drop in ransomware toward the end of 2017 as cryptojacking continued to grow in popularity: attackers steal CPU cycles through compromised websites or through malware installed on victims' machines.

One locks down your systems, the other slows them down. Both feed hackers’ appetite for cryptocurrency. Here’s how to stop them.

Companies are stocking up on cryptocurrencies to pay off hackers

The ransomware epidemic has gotten so bad that companies are proactively buying bitcoin just in case they have to pay up to get their systems back.

A recent Qualtrics survey of 510 IT decision-makers found that 53 percent had purchased cryptocurrency like bitcoin as a precaution against ransomware attacks. More than half (51 percent) said their organization had stockpiled $100,000 or more in cryptocurrency, with 12 percent purchasing $1,000,000 or more.

The average ransom payment is $1,077, but the cost can quickly skyrocket when multiplied by the number of locked machines. Nearly 73 percent of the respondents work at organizations with more than 1,000 employees. You do the math.

When Hancock Health Hospital’s systems were held ransom in January, one hospital executive noted that “the amount of the ransom was reasonable in respect to the cost of continuing down time and not being able to care for patients.”

Hancock Health was forced to pay up since its backups were compromised, but paying the ransom also seemed like the best choice. The cost was competitive compared to the effort required to get systems back up and running on its own. That made it a lucrative payday for hackers and a tough decision for the organization.

Do this so you don’t have to stock up on cryptocurrency

While not recommended, ultimately, paying a ransom is an executive and board decision. But instead of purchasing cryptocurrency in advance, efforts should focus on prevention.

Don’t ignore the basics:

  • Back up your critical data at an interval that makes sense. For some businesses, backing up once a day is fine. Others might need to back up every hour.
  • Segment your backups from the rest of your network so they aren’t infected along with other devices. Hancock Health learned this the hard way.
  • Use tools to spot ransomware, like file-integrity monitoring services or security information and event management (SIEM) services.
  • Educate your employees on how to spot and report phishing emails before they click any suspicious links.
  • Test your disaster recovery plan and process to make sure it will hold up under a real-world attack.
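Here is what the file-integrity check from the list above can look like in practice. This is an added example written for this post, not a product and not code from the original article: it baselines a directory and raises an alert when many files change at once and the new content has the high byte entropy of encrypted data, which is what an encryption run leaves behind whether the ransomware rewrites files in place or renames them with a new extension. The directory, thresholds and sample files are constructed for illustration.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter

HIGH_ENTROPY = 7.5     # bits per byte; encrypted data sits near 8, plain text well below 6 (assumption)
BURST_THRESHOLD = 5    # files changed in one scan interval before we call it a burst (assumption)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; a cheap tell for freshly encrypted content."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def snapshot(root: str) -> dict:
    """Baseline: relative path -> (sha256 hex digest, entropy) for every file under root."""
    state = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                data = fh.read()
            state[os.path.relpath(full, root)] = (hashlib.sha256(data).hexdigest(),
                                                 shannon_entropy(data))
    return state


def diff_snapshots(before: dict, after: dict) -> dict:
    """Classify what changed between two baselines."""
    modified = [p for p in before if p in after and after[p][0] != before[p][0]]
    removed = [p for p in before if p not in after]
    added = [p for p in after if p not in before]
    encrypted_looking = [p for p in modified + added if after[p][1] >= HIGH_ENTROPY]
    return {"modified": modified, "removed": removed, "added": added,
            "high_entropy": encrypted_looking}


def ransomware_alert(before: dict, after: dict) -> bool:
    """True when many files churned at once and the new content looks encrypted.
    Covers in-place encryption (modified) and rename-to-.locked (removed + added)."""
    d = diff_snapshots(before, after)
    churn = len(d["modified"]) + len(d["removed"])
    return churn >= BURST_THRESHOLD and len(d["high_entropy"]) >= BURST_THRESHOLD


def demo() -> dict:
    """Constructed scenario: a benign edit, then a simulated encryption run."""
    with tempfile.TemporaryDirectory() as root:
        for i in range(8):
            with open(os.path.join(root, f"report{i}.txt"), "w") as fh:
                fh.write("Quarterly figures, nothing unusual here.\n" * 20)
        base = snapshot(root)

        # Benign: one user appends a line to one document
        with open(os.path.join(root, "report0.txt"), "a") as fh:
            fh.write("One more line from a normal user.\n")
        benign = ransomware_alert(base, snapshot(root))

        # Stand-in for a ransomware run: every file replaced by random bytes under a new name
        for i in range(8):
            os.remove(os.path.join(root, f"report{i}.txt"))
            with open(os.path.join(root, f"report{i}.txt.locked"), "wb") as fh:
                fh.write(os.urandom(4096))
        malicious = ransomware_alert(base, snapshot(root))
    return {"benign": benign, "malicious": malicious}


if __name__ == "__main__":
    print(demo())
```

Run it on a schedule against a file share and feed the alert into the SIEM mentioned above. The entropy threshold keeps a mass edit of ordinary documents from alerting, and the burst threshold keeps a single user saving an encrypted archive from alerting. It will not stop an encryption run already under way, so its real value is as an early trigger for isolating the host and starting a restore.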

If you take steps ahead of time to prevent and quickly mitigate ransomware, there’s no reason to stockpile cryptocurrency.

But you do have to watch out for the newest scheme, which has grown more prevalent in the last year: cryptojacking.

What is cryptojacking?

Cryptojacking is secretly hijacking processing power to mine cryptocurrencies.

It can be done through compromised websites or through malware that can spread across a network and create a botnet dedicated to mining. It’s a more subtle and lucrative way to steal than locking down an organization’s devices.

Adylkuzz, a cousin of the ransomware WannaCry that spread through the same EternalBlue SMB exploit, ran quietly last spring and could have produced more than a million dollars for its creators.

Last fall, a snippet of JavaScript on Showtime's website used visitors' computers to mine the cryptocurrency Monero. Reports say that up to 60 percent of visitors' CPU capacity was conscripted into the mining operation.

More recently, more than 4,200 websites, many of them government sites around the world, were reported to be mining Monero after a third-party accessibility script they all loaded was modified to include a miner: one compromised supplier, thousands of affected sites. The attacks are stealing processing power from prominent companies too.
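The common thread in the Showtime and government-site cases is a script loaded from somewhere the site owner does not control. The browser-side control for that is Subresource Integrity (SRI): publish the hash of the script you reviewed, and the browser refuses to run anything served later that does not match. The following is an added example for this post, not code from the original article or from any of the sites involved, showing how the hash is computed and checked; the script bodies are constructed.

```python
import base64
import hashlib


def sri_digest(content: bytes, algo: str = "sha384") -> str:
    """Value for the integrity attribute: '<algo>-<base64 of the raw digest>'."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes) -> str:
    """The tag a site should publish for a third-party script it has reviewed."""
    return (f'<script src="{src}" integrity="{sri_digest(content)}" '
            f'crossorigin="anonymous"></script>')


def browser_would_execute(served: bytes, integrity: str) -> bool:
    """Mimic the browser: recompute the digest over what was actually served."""
    algo, _, _ = integrity.partition("-")
    return sri_digest(served, algo) == integrity


# Constructed script bodies: what the site reviewed, and a later tampered copy
REVIEWED = b"window.addEventListener('load', function () { readPageAloud(); });"
TAMPERED = REVIEWED + b"\nstartMiner({ coin: 'monero', threads: 4 });"   # illustrative injected call


if __name__ == "__main__":
    tag = script_tag("https://cdn.example/reader.js", REVIEWED)
    print(tag)
    print("reviewed copy runs:", browser_would_execute(REVIEWED, sri_digest(REVIEWED)))
    print("tampered copy runs:", browser_would_execute(TAMPERED, sri_digest(REVIEWED)))
```

The trade-off is that SRI pins one exact version: a legitimate vendor update changes the hash and the script stops loading until you review the new version and update the tag, which is exactly the review step that was missing. SRI also needs the third party to serve the script with CORS headers, and it does nothing if the miner is served from your own origin.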

Large botnets, once feared for their ability to level massive DDoS attacks, are now raking in cash. The Smominru botnet, for example, has infected 520,000 machines and has already mined $2.3 million in Monero.

How to guard against cryptojacking

While cryptojacking may seem less impactful than ransomware, which shuts companies out of their systems entirely, it does take resources away from systems critical for the business. It is also evidence of something worse: a miner running on a host means an attacker already has code execution there, so treat it as a compromise to investigate, not a performance nuisance.

Guarding against cryptojacking, like guarding against ransomware, comes down to the basics:

  • Install security patches.
  • Set strong passwords, and don’t reuse them.
  • Train employees in security awareness.
  • Harden systems.
  • Set strong egress filtering to block outbound connections to command and control servers, and monitor for those connections to alert on attacks.
  • Segment networks to protect against propagation of malware.
  • Maintain clean backups for quick and easy restoration.
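The egress-filtering and monitoring bullets translate into something concrete: miners have to phone home to a pool, and that traffic has a shape. The following is an added example written for this post, not from the original article or any product, that scores outbound connections from a simplified log for the Stratum mining protocol's JSON-RPC methods, pool-style ports and hostnames, and destinations missing from an egress allowlist. The log format, hostnames and addresses are constructed; the protocol indicators are the real ones.

```python
import json
import re
from dataclasses import dataclass

# Ports public Monero/Bitcoin pools commonly listen on (illustrative, not exhaustive)
POOL_PORTS = {3333, 3334, 4444, 5555, 7777, 8888, 14444, 14433, 45700}
# Naming patterns seen in pool hostnames
POOL_NAME_RE = re.compile(r"(pool|xmr|monero|nicehash|hashvault|supportxmr)", re.I)
# Stratum JSON-RPC methods: 'mining.*' for Bitcoin-style pools, 'login'/'submit' for Monero-style
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit",
                   "login", "submit", "keepalived"}

# Constructed log format: <ts> <src> <dst>:<port> sni="<tls name or empty>" payload=<first json or ->
LINE_RE = re.compile(r'(\S+) (\S+) (\S+):(\d+) sni="([^"]*)" payload=(.*)$')


@dataclass
class Verdict:
    src: str
    dst: str
    score: int
    reasons: list


def parse_line(line: str) -> dict:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ts, src, dst, port, sni, payload = m.groups()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "sni": sni, "payload": payload}


def score_connection(rec: dict, allowed_dsts: set) -> Verdict:
    """Weigh independent indicators so a single weak one never alerts on its own."""
    score, reasons = 0, []
    if rec["port"] in POOL_PORTS:
        score += 2
        reasons.append(f"pool-style port {rec['port']}")
    if POOL_NAME_RE.search(rec["sni"]):
        score += 2
        reasons.append(f"pool-like name {rec['sni']}")
    dest_name = rec["sni"] or rec["dst"]
    if dest_name not in allowed_dsts:          # what egress filtering should have blocked
        score += 1
        reasons.append(f"{dest_name} not on egress allowlist")
    try:
        msg = json.loads(rec["payload"])
        if msg.get("method") in STRATUM_METHODS:
            score += 4
            reasons.append(f"Stratum method {msg['method']}")
        params = msg.get("params")
        if isinstance(params, dict) and "agent" in params:
            score += 1
            reasons.append(f"miner agent {params['agent']}")
    except (json.JSONDecodeError, AttributeError):
        pass                                    # not JSON, or JSON that is not an object
    return Verdict(rec["src"], f"{rec['dst']}:{rec['port']}", score, reasons)


def find_miners(lines, allowed_dsts, threshold=4) -> list:
    verdicts = (score_connection(parse_line(line), allowed_dsts) for line in lines)
    return [v for v in verdicts if v.score >= threshold]


# Constructed sample: two hosts beaconing to pools among ordinary traffic
SAMPLE_LOG = [
    '2018-03-01T09:00:01Z 10.1.4.22 198.51.100.10:443 sni="updates.example-vendor.com" payload=-',
    '2018-03-01T09:00:05Z 10.1.4.22 203.0.113.7:14444 sni="pool.xmr.example" '
    'payload={"id":1,"method":"login","params":{"login":"wallet","pass":"x","agent":"XMRig/2.5"}}',
    '2018-03-01T09:00:09Z 10.1.7.9 192.0.2.55:3333 sni="" '
    'payload={"id":1,"method":"mining.subscribe","params":["cpuminer/2.5"]}',
    '2018-03-01T09:00:12Z 10.1.2.3 198.51.100.10:443 sni="mail.example-corp.com" payload=-',
]
ALLOWED_DESTINATIONS = {"updates.example-vendor.com", "mail.example-corp.com"}


if __name__ == "__main__":
    for v in find_miners(SAMPLE_LOG, ALLOWED_DESTINATIONS):
        print(v.src, "->", v.dst, v.score, v.reasons)
```

Weighting the indicators means a lone port match (developers do run things on 3333) never alerts by itself, while a Stratum 'login' or 'mining.subscribe' almost always does. In a real deployment the payload field would come from a proxy or IDS with TLS visibility, or the check would fall back to DNS logs when only the hostname is available.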

As long as there’s money to be made, criminals will do their best to exploit every vulnerability. With bitcoin and other cryptocurrencies so highly valued, this will be an attack we’ll see for a while. Prepare accordingly.

Cryptocurrencies and criminals

It’s pretty obvious why criminals like cryptocurrencies. They can be moved pseudonymously with no bank in the loop, they’re increasingly easy to use, and they’re surging in value; what’s not to like?

Your organization is often what’s standing between criminals and the payments they seek. With a focus on cybersecurity basics, you can avoid becoming the next victim and funding further exploits.

Learn more about how to make your business more resilient against cyberthreats.


How Will GDPR Affect Your Business?

Published in Business

The General Data Protection Regulation (GDPR) is likely to impact smaller companies: a recent study shows that 82% [1] of SMEs are unaware of the new legislation and could be hit with large fines when it starts being enforced next year.

The GDPR will replace all the existing data protection laws across Europe and shape the way in which companies handle, protect and profit from data. All businesses and not-for-profit organizations that process personal data concerning employees, customers or prospects who are in the EU and/or are EU citizens fall within its scope, wherever in the world the company is based and even if the data is processed outside the EU.

In other words, European data protection law will now apply worldwide, and businesses have until 25 May 2018 to prepare. IT consultants from Aphelion's Availability Services can help you make a smooth transition into GDPR compliance. With Aphelion at your side, you can reduce potential risks with a comprehensive GDPR approach and avoid fines, which can reach 2 or 4 percent of global annual turnover depending on the tier of infringement.

So what exactly is the GDPR?

Through the GDPR, the EU recognises:

  1. The right to private life as a universal human right and
  2. The right to have one’s personal data safeguarded as a distinct, stand-alone universal human right.

It is by attaching rights to an individual’s data separately to the right attached to an individual, that the EU can demand EU-grade data protection standards on businesses in other countries. The onus is on businesses to determine if they are in scope. Consider three simple questions:

  1. Is your organization based in the EU?
  2. Does your organization handle data concerning EU-based individuals?
  3. Does your organization do any kind of business with organizations to which 1 or 2 apply?

If you answered yes to any of the three questions, it is most likely that your organization is in scope of the GDPR. Unless you are confident your existing data handling procedures are already compliant with the regulation, this means action needs to be taken now to prepare for the May 2018 deadline.

There has been a lot of noise in the IT press about swingeing fines and GDPR is frequently portrayed as the new corporate bogeyman. It has to be said these fears are not without foundation: a two-tier sanctions regime will apply and breaches of the law could lead to fines of up to €20 million or 4% of global annual turnover for the preceding financial year, whichever is the greater, being levied by data watchdogs [2].

However, scaremongering is not a constructive approach. The good news is that correct implementation of the GDPR will not only ensure compliance and mitigate the risk of fines but, more importantly, will give compliant businesses a competitive advantage. That’s why Aphelion advocates that organizations consider GDPR a central plank of business strategy that has high visibility with the Board.

Our Resilience consultants have drawn up a 12-step plan to guide you through the process.

  1. Brief senior management
    Ensure the board is aware of the changes to data protection law and how this affects the business.
  2. Kick-off a GDPR programme
    This should be led by C-level executives (or heads of department in smaller organizations) and include the CEO, CIO, CSO and CCO or whoever is responsible for Compliance. The importance of having IT and Legal people speaking the same language and briefing the Executive cannot be stressed enough.
  3. Consider whether your organization needs to appoint a DPO
    The GDPR requires public authorities, and other organizations whose core activities require regular and systematic monitoring of data subjects on a large scale or involve processing special categories of data on a large scale, to appoint a Data Protection Officer (DPO) who will guide the implementation of GDPR requirements and monitor compliance. The DPO should be the head of the data privacy governance structure, liaise with the supervisory authority (the national data protection authority) and report directly to leadership. The ideal candidate will be IT conversant and have good business acumen whilst also being proficient on all GDPR matters. Recruiting a DPO may prove time-consuming, so we advise customers to make this a priority.
  4. Update data governance policies and procedures to ensure they reflect the GDPR requirements.
  5. Analyse the GDPR and understand the legal implications for your business
    Identify the risks associated with your business model and address them by means of adequate data governance. Where appropriate, streamline processes. Pay attention to processes that use personal data for profiling. Marketing, HR and Sales will probably need to adjust their ways of working to ensure compliance.
  6. Review your Record Management Strategy
    Identify where personal data is being collected or acquired, the purpose for which it is being processed, and whether this data is shared with any other organization. If this information is not currently available, a detailed investigation will be required so that all personal data and its flow within the organization is accurately mapped.
  7. Run an awareness campaign in your company
    Unless your business is a one-man band, you need to ensure that all personnel are aware and engaged in the quest for GDPR compliance.
  8. Challenge the basis under which personal data is stored, collected and processed
    Review the more prescriptive GDPR definition of consent and determine if a new request for consent is necessary.
  9. Implement any necessary technical adjustments to ensure GDPR data rights are fulfilled
    These are the right to be informed, to rectification, to erasure, to restrict processing, to object and rights in relation to automated decision-making and profiling and the new right to data portability.
  10. Review the current mechanisms for international data transfers
    Be aware that the adequacy of Privacy Shield (which replaced Safe Harbour) is currently a subject of concern.
  11. Examine your supply chain
    Ensure your efforts to comply are not undermined by engaging in business with non-compliant providers or business partners.
  12. Embed privacy in your operation
    This is the only sustainable way to ensure compliance on an ongoing basis. GDPR is here and will be for the foreseeable future, even after Brexit.

Aphelion can support you on your GDPR journey

Our consultants can help you initiate a GDPR compliance programme, develop the business case and establish a plan of action to gain competitive advantage by achieving cyber resiliency and regulatory compliance. To find out more, please contact us.

[1] Survey of 821 IT and business professionals responsible for data privacy across the US, Canada, Asia Pacific (Australia, Hong Kong, Singapore, India), UK, Germany, Sweden, Belgium, The Netherlands, France, Italy, Spain and Poland, conducted by Dimensional Research on behalf of Dell

[2] UK firms could face £122bn in data breach fines in 2018

Phone in the Right Hand? You're a Hacker!

Published in Security

Hackers are finding it too easy to circumvent traditional cyber defences, forcing businesses to rethink their security strategies. Many firms are now harnessing big data and adopting cutting edge verification checks. In fact, some can even identify you by how quickly you type your computer keys, or how you hold your mobile phone.

In these days of regular space travel, nanotechnology and quantum computers it is easy to believe we live in an age plucked from the pages of a science-fiction novel. But there are some aspects of this shiny, computer-powered era that look more feudal than futuristic.

Consider the way many organisations protect themselves and their staff from cyber-attacks.

Many approach cyber-security like a medieval king would have tackled domestic security - by building a castle to protect themselves, says Dr Robert Blumofe, a senior manager at cloud services firm Akamai.


The high walls, moat and drawbridge are the security tools, anti-virus and firewalls they use to repel the barbarians at the gates trying to breach their cyber defences.

"But now," Dr Blumofe says, "that castle metaphor is really starting to break down."

Outer defences

The first issue is mobility. Digital fortifications worked well when all staff sat at desks, used desktop computers and were concentrated in a few buildings. But now many work from home, airports or coffee shops and use their laptops, tablets and phones on the go, to work at all times of day.

The second problem, Dr Blumofe says, is that many firms wrongly assume that those inside their castle walls can be trusted and are "safe".

This leaves many firms dangerously exposed, agrees John Maynard, European head of cyber-security for Cisco. "Typically once attackers have penetrated a trusted network they find it is easy to move laterally and easy to get to the crown jewels. That's because all the defences point outward. Once on the inside there is usually little to stop attackers going where they want to."

Tumbling walls

In a bid to get beyond this outdated thinking many organisations have torn down the old castle walls in favour of a model known as the "Beyond Corp" approach.

[Image: China map. Caption: China was implicated in the Aurora attacks on Google and lots of other big companies]

It was pioneered by Google in response to a series of cyber-attacks in 2009, called Aurora, orchestrated by China-backed hackers. The attackers went after Google as well as Adobe, Yahoo, Morgan Stanley, Dow Chemical and many other large firms.

According to Mr Maynard, Beyond Corp assumes every device or person trying to connect to a network is hostile until they are proven otherwise. It obtains this proof by analysing external devices, how they are being used and what information they are submitting.

This encompasses obvious things such as login names and passwords, as well as where someone logs in from; but it also relies on far more subtle indicators: how quickly you type, or whether you hold the device in your right or left hand. How an individual uses a device acts as a second layer of identity, a different kind of fingerprint.

Gathering, storing and analysing all that data on those individual quirks of usage was the type of big data problem only a tech-savvy company such as Google could tackle at the time of the Aurora attacks. However, as familiarity with big data sets has spread, many more big firms are adopting the Beyond Corp approach when organising their digital defences.

One big advantage is that Beyond Corp turns a firm's network into an active element of defence, says Mr Maynard from Cisco. "In the castle and moat approach the network was passive... But beyond Corp involves continuous monitoring where you are constantly using the network as a sensor or a way to get telemetry about what's going on."

The analysis done when users join a network makes it much easier to spot when attackers are trying to get access. That's because the authentication step will flag any anomalies meaning security staff will find out quickly that something suspicious is going on. Anything other than normal login behaviour will stand out.
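To make the description above concrete, here is an added example, written for this post and not Google's BeyondCorp code or Cisco's, of an access decision that combines device posture, request context and one behavioural signal, the rhythm of a user's keystrokes, into allow, step-up or deny. The enrolment data, thresholds and sample sessions are all constructed assumptions.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Device:
    managed: bool           # enrolled in the fleet inventory
    disk_encrypted: bool
    patch_age_days: int


@dataclass
class Session:
    user: str
    device: Device
    country: str
    key_intervals_ms: list  # gaps between successive keystrokes observed this session


@dataclass
class UserProfile:
    usual_countries: set
    mean_ms: float
    std_ms: float

    @classmethod
    def from_enrollment(cls, countries, samples):
        """Build a typing-rhythm profile from several enrolment sessions."""
        flat = [gap for session in samples for gap in session]
        return cls(set(countries), mean(flat), pstdev(flat) or 1.0)


def typing_zscore(profile: UserProfile, intervals) -> float:
    """How far this session's mean keystroke gap sits from the user's own baseline."""
    if len(intervals) < 10:      # not enough evidence; don't penalise short sessions
        return 0.0
    return abs(mean(intervals) - profile.mean_ms) / profile.std_ms


def decide(profile: UserProfile, s: Session) -> tuple:
    """Return (decision, reasons); decisions are allow, step_up or deny."""
    d = s.device
    if not d.managed or not d.disk_encrypted:
        return "deny", ["device is not managed or not encrypted"]   # hard gate, not a score
    risk, reasons = 0, []
    if d.patch_age_days > 30:
        risk += 1
        reasons.append("device behind on patches")
    if s.country not in profile.usual_countries:
        risk += 1
        reasons.append(f"login from unusual country {s.country}")
    z = typing_zscore(profile, s.key_intervals_ms)
    if z > 3.0:
        risk += 2
        reasons.append(f"typing rhythm {z:.1f} sigma from profile")
    if risk == 0:
        return "allow", reasons
    if risk <= 2:
        return "step_up", reasons    # ask for a second factor rather than block outright
    return "deny", reasons


# Constructed enrolment data for one user (inter-keystroke gaps in milliseconds)
ALICE = UserProfile.from_enrollment(
    ["GB"],
    [[110, 130, 125, 118, 140, 122, 115, 128, 133, 120],
     [119, 127, 124, 131, 116, 138, 121, 126, 129, 117]],
)

# Constructed sessions: the usual pattern, a stranger at her keyboard, the same from abroad, a BYOD laptop
SAMPLE_SESSIONS = {
    "usual":        Session("alice", Device(True, True, 5), "GB",
                            [120, 125, 130, 118, 122, 127, 124, 121, 119, 126]),
    "odd_typing":   Session("alice", Device(True, True, 5), "GB",
                            [60, 55, 70, 65, 58, 62, 68, 59, 61, 66]),
    "odd_and_away": Session("alice", Device(True, True, 5), "BR",
                            [60, 55, 70, 65, 58, 62, 68, 59, 61, 66]),
    "unmanaged":    Session("alice", Device(False, True, 0), "GB", []),
}


def run_samples() -> dict:
    """Decision for each constructed session."""
    return {name: decide(ALICE, s)[0] for name, s in SAMPLE_SESSIONS.items()}


if __name__ == "__main__":
    for name, s in SAMPLE_SESSIONS.items():
        print(name, decide(ALICE, s))
```

Two design points: an unmanaged or unencrypted device is a hard gate, not a score, and a behavioural anomaly on its own produces a step-up prompt rather than a lockout, because typing rhythm shifts with a new keyboard or a sore wrist. The anomaly is still recorded either way, which is the telemetry Mr Maynard describes.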

Faster detection

It can also mean a "significant reduction" in time to detect threats, says Mr Maynard. "The industry average is about 100 days to spot threats. With Beyond Corp you should be down to hours not days."

In addition, Beyond Corp can "limit the blast radius" if a breach does happen. This is because it usually involves dividing up a company's internal network so users only get access to applications they are approved to use. The mass of data gathered on users, their devices and the way they act once they have connected may appear bewildering to many companies. However, advances in automation are increasingly helping them keep a handle on the millions of events that now occur on their systems.

In summary, if you expect to secure your estate by having humans watch screens, you are probably going to be too late to spot an attack. Human reactions will always be much slower than automation.

News Source: BBC

What’s the Bigger Business Risk: Cyber security threats or Cyclones?

Published in Business Continuity

What could potentially cause more damage to your business? A cyclone or a cyber attack?

If you said the latter, you’re in good company.

Even after the costliest hurricane season of all time in the U.S., 74 percent of business leaders we surveyed said they consider a data breach, hack or cyber attack a greater business risk than a natural disaster.

Now the Global Risks Report 2018 from the World Economic Forum (WEF) shows those concerns are far from unfounded. In the new report, among the “Global Risks of Highest Concern for Doing Business,” cyber attacks rank at number 8, while extreme weather events and natural catastrophes come in at 18 and 19, respectively.

In the report's separate rankings of global risks by likelihood and by impact, extreme weather events and natural disasters both outrank cyber attacks; but all three sit among the most likely and most destructive events, which should be a warning for any business still failing to take action.

If you’re not prepared, an inevitable disaster could take your organization offline for hours or days, which can sometimes damage a business or brand beyond recovery.

When business risk becomes real danger

Both natural disasters and cyber security threats can hobble businesses.

When Hurricane Irma swept across Florida, hundreds of businesses, from amusement parks to cruise lines, had to shut down operations and cancel plans. Property damage and lost economic output were estimated at $83 billion. Hurricane Harvey, which crippled Houston for weeks, was even costlier, with some estimates of the impact as high as $190 billion.

When Disney World announced it would be closing for two days during Hurricane Irma, some estimates put its losses at $90 million, not counting any damage from the storm. Six of the largest airlines lost $550 million due to closings and cancellations.

Cyber attacks are often as disruptive and expensive as natural disasters. Some estimates predicted the cost of ransomware attacks alone in 2017 would exceed $5 billion.

The NotPetya attack, which posed as ransomware but in practice wiped the machines it infected, shut down a number of businesses, and Merck was one of the hardest hit. It left production suspended and employees unable to work, costing the company $300 million in the third quarter of 2017, and it was on track to lose another $300 million in Q4.

Several years ago the hosting company Code Spaces, which had been in business for seven years, folded in just 10 days after an attacker who had gained access to its cloud management console demanded a ransom and, when refused, deleted its data and most of its backups.

Unfortunately, the WEF predicts cyber attacks and extreme weather events will only get worse.

What the WEF report says is on the horizon

The report notes that cyber attacks against businesses have almost doubled in five years, citing attacks like WannaCry and NotPetya as examples both of the scale of attacks and of the hundreds of millions of dollars that falling prey to a ransomware attack can cost a business.

With the internet of things expected to hit 20.4 billion devices in 2020, up from 8.7 billion last year, hackers have more targets, the WEF report notes. Attacks are expected to become more common, more damaging and more expensive, quickly becoming the face of the 21st-century disaster.

At the same time, the 2017 hurricane season contributed to extreme weather events that the WEF says continue a trend toward increasingly expensive recoveries. From wind and wildfires to floods and mudslides, these patterns will only grow more frequent in coming years, the WEF suggests.

Are you prepared?

In our survey of business leaders, we asked them to rank their confidence that they could overcome any disaster, with 1 being most confident. Only 10 percent said they were a 1, 2, or 3. A third of respondents placed themselves at the bottom of the scale, at 8, 9, and 10, the least confident.

The responses do show progress, however. Some 31 percent of respondents are now reconsidering their existing disaster recovery plans after the 2017 hurricane season, and 26 percent will likely implement a new plan.

Still, 40 percent said they had no plans to change how they plan for disaster recovery.

The True Cost of Security Breaches

Published in Security

What does a security breach or malicious hacker attack actually cost? For organizations that lack a fully resilient infrastructure, the true costs can include operational interruptions, loss of customer trust, lawsuits and compliance regulation fines. 

Consider the costs an organization can expect to incur from ransomware. 

In March 2018, Atlanta’s city government was hit with a ransomware attack, in which criminals demanded roughly $51,000 in bitcoin to restore the city’s systems. Atlanta didn’t pay. 

Consequently, according to Engadget, more than one-third of the city's necessary programs went offline or were partly disabled. Worse, Atlanta's city attorney office lost six of its 77 computers and 10 years of documents, and the Atlanta police department lost its dash cam recordings. Initially, the cost of recovering from the attack was estimated at $2 million; that figure soon increased by another $9.5 million.

Here are some examples of the hidden costs a security incident may bring, with tips on how to avoid them through business resilience best practices.  

Hidden security breach costs 

Emergency assistance from consulting firms. After a breach or attack for which you’re unprepared, you may need an outside consulting firm to help you bounce back. For instance, the city of Atlanta spent $600,000 with Ernst & Young for incident response consulting.  

Technology and security upgrades. A successful attack exposes weak links in your security, which you'll need to repair going forward. Equifax, which disclosed in September 2017 what is probably the costliest data breach in history, was forced to upgrade its technology and security infrastructure. Its ongoing IT and data security costs related to the breach were $45.7 million in the first quarter of 2018 alone.

For lessons learned from the Equifax breach, see our blog post “The Equifax Breach: No More Excuses.” 

Legal fees. Your organization may be vulnerable to class-action lawsuits or other legal action stemming from data privacy leaks. Following its 2015 breach, Anthem was liable for more than $33 million in attorney fees and expenses, according to Big Law Business. That’s in addition to pay outs to class-action plaintiffs, which in Anthem’s case included $7,500 each for 29 individuals and $5,000 each for 76 plaintiffs.  

Insurance deductibles. Insurance against losses from cyberattacks and breaches is a growing market. But like most insurance policies, organizations may have to pay a deductible. Equifax's deductible was $7.5 million.

Crisis communications and PR. After an attack is discovered, organizations should get the word out in a timely manner, which may mean engaging a crisis communications PR firm. Atlanta spent $50,000 hiring such a firm after its ransomware attack.   

Regulatory compliance penalties or fees. With new data privacy regulations such as Europe's GDPR, organizations can face stiff penalties if personal data isn't adequately protected. Infringement fines can go up to 20 million euros or 4 percent of global annual turnover, whichever is higher.

See “What Does the GDPR Mean for Your Business?” for more information.  

Damage to reputation and brand. This side effect of a data breach can be difficult to predict or estimate. But here’s one example: In February 2017, Verizon reduced its offer to acquire Yahoo by $350 million after Yahoo had disclosed two significant data breaches.  

But that’s not all. Other hidden costs may include:  

  • Notifying customers via email, letters, phone calls 
  • Increase in calls to help desk and customer support  
  • Cost of business disruption and revenue losses from downtime 
  • Loss of customers and inability to acquire new ones 

4 tips for avoiding attacks and breaches 

  1. Cover the basics. Egress filtering, timely security updates, multi-factor authentication (MFA) and getting users to take passwords seriously are all basic practices your organization should have in place to help prevent breaches.
  2. Continually educate users about cyber security risks. Many cyber attacks and data breaches start with phishing emails that fool someone inside the organization into clicking a link they shouldn't click.

Phishing messages are designed to look authentic, slip past spam filters and appear to come from people the victim 'knows', thanks to spoofed sender names and addresses. Social media accounts can also be mined to tailor a phishing message to the targeted employee, making it even harder to spot by eye. The most effective way to counter these types of attack is to educate users and test their awareness frequently.

  3. Make incident response plans part of your resilience program. The quicker you can identify and respond to an attack, the more likely your organization can recover and stop an attacker from reaching sensitive data. A cross-functional team of employees spanning IT security, legal, corporate communications, sales and human resources should be trained in what to do, in accordance with your incident response procedures.
  4. Segment each division of your network. In addition to training employees on how to respond after an incident, segment each division of your network. This way, if you experience a cyber-attack, you can identify the segment where it originated and isolate that single segment from the rest of the company. This limits the amount of sensitive data an attacker can reach and lets you recover quickly and continue with normal operations.

Network segmentation can be used to protect sensitive data and effectively thwart a cyber-attack. For example, a client of ours prepared their network by segmenting each division and trained their employees on the incident response procedures in the event of an attack. When the company experienced a cyber-attack it was able to quickly identify the origin of attack, shut off that single segment from the rest of the company, and recover quickly to continue operating as normal. Having a well-thought-out incident response plan that employees know how to execute properly is critical to business continuity.
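Tip 2 above describes the two tricks that make a spoofed message look like it came from a colleague: a familiar display name on an outside address, and a sender domain one character (or one Unicode lookalike) away from yours. The following is an added example for this post, not the original article's code, that checks a message's headers for both, plus a Reply-To that silently redirects answers elsewhere. The organisation's domain, the staff directory and the messages are constructed.

```python
import unicodedata
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example-corp.com"                        # assumption: the defending organisation
STAFF = {"Jane Doe": "jane.doe@example-corp.com",      # constructed directory: display name -> address
         "Omar Khan": "omar.khan@example-corp.com"}

# A few Cyrillic/Latin confusables; Unicode's confusables.txt is the full table
CONFUSABLES = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
                             "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch example-c0rp.com or exarnple-corp.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold(domain: str) -> str:
    """Lower-case, NFKC-normalise and map known confusables to ASCII."""
    return unicodedata.normalize("NFKC", domain.lower()).translate(CONFUSABLES)


def check_message(raw: str) -> list:
    """Return a list of findings; an empty list means nothing suspicious in the headers."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []

    # 1. A colleague's display name on an address that is not theirs
    if name in STAFF and addr.lower() != STAFF[name]:
        findings.append(f"display-name spoof: '{name}' from {addr}")

    # 2. A sender domain that is almost ours: a homoglyph, or one or two edits away
    if domain and domain != OUR_DOMAIN:
        folded = fold(domain)
        if folded == OUR_DOMAIN:
            findings.append(f"homoglyph domain: {domain!r}")
        elif levenshtein(folded, OUR_DOMAIN) <= 2:
            findings.append(f"lookalike domain: {domain}")

    # 3. Replies silently redirected to a third address
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(f"reply-to mismatch: {reply_to}")
    return findings


# Constructed messages
LEGIT = """From: Jane Doe <jane.doe@example-corp.com>
To: omar.khan@example-corp.com
Subject: Q3 figures

See attached.
"""

NAME_SPOOF = """From: Jane Doe <jane.doe.ceo@freemail.example>
Reply-To: jane.doe.ceo@freemail.example
To: omar.khan@example-corp.com
Subject: Urgent wire transfer

Please process today, I am in a meeting.
"""

LOOKALIKE = """From: IT Helpdesk <helpdesk@example-c0rp.com>
To: omar.khan@example-corp.com
Subject: Password expiry

Reset your password here.
"""

HOMOGLYPH = (
    "From: Omar Khan <omar.khan@ex\u0430mple-corp.com>\n"   # \u0430 is Cyrillic a, not Latin a
    "Reply-To: invoices@collector.example\n"
    "To: jane.doe@example-corp.com\n"
    "Subject: Updated bank details\n"
    "\n"
    "Please use the new account from now on.\n"
)


if __name__ == "__main__":
    for label, raw in [("legit", LEGIT), ("name spoof", NAME_SPOOF),
                       ("lookalike", LOOKALIKE), ("homoglyph", HOMOGLYPH)]:
        print(label, check_message(raw))
```

These checks belong on the mail gateway, where they can add a warning banner or quarantine the message, and they complement rather than replace SPF, DKIM and DMARC, which verify the sending domain but say nothing about a lookalike domain the attacker registered legitimately.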

Most recently, enterprises are increasingly leveraging micro-segmentation to create secure zones in data centers and cloud deployments for isolating and protecting individual workloads, and containers to isolate applications from one another and reduce the attack surface.

In addition, you can improve resiliency via snapshots of files and storage, which will help you roll back to a predetermined Recovery Point Objective (RPO)—minimizing your exposure to data loss and its associated costs.  

For additional tips on avoiding cyber-attacks and protecting your organization against data breaches, consider reading these resources:

  • Data breach responses: 4 ways the most resilient businesses handle hacks
  • Do you know which of these cyber-attacks isn't real?
  • 6 Steps to Make Customers Less Vulnerable to Ransomware
