Integrity Blog

Detecting Malware on your systems.

Detecting malware is becoming more difficult. The 2016 Verizon Data Breach Investigations Report (DBIR) details how hard it is for anti-malware tools to keep up with advances in malware evasion techniques, so you should expect that some systems within your environment will succumb to malware. The following tips will help you identify whether a system has been infected even when your anti-malware tools fail to detect the infection.

1. Check the following Windows registry keys for unknown executables.

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Typically these entries have completely random names such as IFAZZS.EXE or 9G8XRT43.BAT. They may also be close to the spelling of a valid system file, with one or two extra characters, such as serverr.exe.

You can also use the Startup tab in Windows Task Manager for a quick view; however, it only shows applications set to run under the currently logged-in user account, and a startup entry can be suppressed from appearing in Task Manager, so reviewing the registry keys directly is the most effective method.
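To turn the first check into something repeatable, the following added script (not from the original post) parses a `reg export` of the Run/RunOnce keys and labels each entry using the naming heuristics above: exact match against a baseline of expected binaries, a one-or-two-character lookalike of a baseline name, or a random-looking name, plus a flag for executables living under user-writable directories. The baseline set, the directory list and the sample export are constructed placeholders; tune them to your own build image.

```python
import re
# Placeholder baseline: the autostart binaries you expect on your own build image.
KNOWN_BINARIES = {"securityhealthsystray.exe", "onedrive.exe", "svchost.exe"}
USER_WRITABLE = re.compile(r"\\(users\\public|programdata|appdata|temp)\\", re.I)

def parse_reg(text):
    """Yield (key, value name, data) for every value in a `reg export` file."""
    key = None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif (m := re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)) and key:
            name, data = m.group(1), m.group(2)
            if data.startswith('"'):  # REG_SZ: drop quotes, unescape \\ and \"
                data = re.sub(r'\\(["\\])', r'\1', data[1:-1])
            yield key, name, data

def edit_distance(a, b):  # Levenshtein: a lookalike is a real name +/- 1-2 characters
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(command):
    """Triage label for one autostart command line (rough heuristics; tune locally)."""
    path = command[1:].split('"')[0] if command.startswith('"') else command.split(" ")[0]
    name = path.rsplit("\\", 1)[-1].lower()  # base name of the launched executable
    if name in KNOWN_BINARIES:
        return "known"
    if any(0 < edit_distance(name, k) <= 2 for k in KNOWN_BINARIES):
        return "lookalike"  # e.g. svchosst.exe masquerading as svchost.exe
    if re.search(r"[^aeiouy]{3}", name.rsplit(".", 1)[0]):
        return "random-name"  # three non-vowels in a row: IFAZZS, 9G8XRT43, ...
    return "unknown"

def triage(text):  # (key, value name, label, in user-writable dir) per non-baseline entry
    return [(k, n, classify(d), bool(USER_WRITABLE.search(d)))
            for k, n, d in parse_reg(text) if classify(d) != "known"]

SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IFAZZS"="C:\\Users\\Public\\IFAZZS.EXE"
"Updater"="C:\\ProgramData\\9G8XRT43.BAT"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"svchost"="C:\\Users\\alice\\AppData\\Roaming\\svchosst.exe"
'''  # constructed sample of a `reg export` for two of the four keys; not from a real host
```

On a real host run `reg export` for each of the four keys and open the result with `encoding="utf-16"`, since that command writes UTF-16 files.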

2. Review the system services for unknown services

Currently registered services are each listed as sub-keys of the following Windows Registry key.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

Any keys that are unfamiliar or appear to be random should be investigated to determine if they are legitimate or malicious.

3. Review system event logs

Windows Event IDs 7036 and 7040 will list any services that attempt to start. Details such as the command line used to execute the service, the user name and the source workstation may be included in these or other events from the Service Control Manager. This information can pinpoint the source of malware, including cases where the source workstation is an IP address that is not on the local network.

Finally, should you find files, URLs or other information you believe point to malware, you can use www.virustotal.com to check whether the hash, URL or IP address has been associated with malware. You can also search its database for service, file or user names, IP addresses, mutex information and other details found during malware analysis.

Fighting malware is no easy task. Hopefully you’ll find this list of detection techniques useful in identifying a system that may have been compromised by malware.

Protecting small business from cyber attacks.

You’re a small business owner. You’ve got plenty on your mind and lots to accomplish. Business is good though. The client base is growing, more employees are joining the team – 18 employees now including yourself, and you’re adding new products. You accept payment cards through a point of sale (POS) system, so compliance with the PCI Data Security Standards occasionally crosses your mind.

Your business is a prime candidate for a cyber attack!

But why? Aren’t cyber criminals targeting the medium and large businesses? Unfortunately, recent statistics have indicated that attacks against small businesses are rising. Symantec Corporation recently reported that 43% of attacks reported in 2015 were targeted at small businesses, and attacks against small businesses have been trending upwards over the past four years. This trend is due to several factors. Cyber criminals like to take the path of least resistance, and small businesses generally have fewer resources and less skilled information security staff on hand to implement and maintain a sound information security program that considers various administrative, technical, and physical security measures. Bottom line: small businesses are generally softer targets.

So what can you do to make yourself a harder target? There are many proactive steps you can take, including, but not limited to, the following:

  • Consider information security risks as a business issue, not an information technology issue, and evaluate those risks regularly
  • Implement well-designed information security and privacy policies
  • Train your employees on acceptable use of the business’s information technologies, and also train them to recognize indicators of attacks and how to report those indicators
  • Have an Incident Response Plan ready in case an incident occurs
  • Ensure system security updates and patches are applied. Unpatched systems are a causal factor in many data breaches.

Small businesses still process, store, and transmit sensitive information – in the above scenario, payment card information, customer information, and employee information – and this information is worth money to cyber criminals. Payment card information is selling on the Dark Web for ~ $6-12 per record (as compared to protected health information, which is fetching upwards of $50 per record).

But what would it cost you to remediate the effects of a data breach involving your business? The Ponemon Institute reports that the average remediation cost, across all industries, is $154 per record. Assuming that the average breach is 28,070 records, one can see how remediation costs could add up quickly. Also consider the impacts on business reputation, potential litigation, and loss of customers if a breach involving your business were to occur.

Have you heard the latest news about NIST, PCI DSS 3.2, Ransomware, and Verizon 2016 DBIR?

You’ve heard it before, perhaps in passing, perhaps as part of an audit… You need to pay more attention to rising cyber threats. Get involved in information sharing groups. Spend more time determining what could be potential risks to your organization. In addition, ensure you stay atop regulatory and industry requirements.

O.K. … Easier said than done. Even as a cybersecurity professional, this humble blog writer can find it a challenge to make time to read the latest security news and stay current on changes to regulatory and industry requirements.

So, for this posting, I thought it would be refreshing to look at some of the latest news.

Have you heard…

National Institute of Standards and Technology

The National Institute of Standards and Technology (NIST) has started the process to revise one of our favorite references, the NIST Special Publication (SP) 800-53 (revision 4) “controls catalogue.” According to multiple sources, SP 800-53 revision 5 will provide more focus on continuous monitoring and anomaly detection.

PCI DSS

On 28 April, the PCI Security Standards Council released version 3.2 of the PCI Data Security Standard. Version 3.1 will expire on 31 October 2016. Included in this new version are multiple clarifications and expanded requirements. For example, the requirement for multi-factor authentication is being expanded to address personnel with non-console administrative access to the cardholder data environment. For more about version 3.2, see the press release at:

PCI DSS 3.1 Press Release

Verizon 2016 Data Breach Investigations Report

The Verizon 2016 Data Breach Investigations Report has been released. The report presents some sobering statistics, such as 63% of confirmed data breaches involve weak, default, or stolen passwords. To access the report, visit:

Verizon 2016 DBIR

Ransomware

Ransomware continues to increase as a threat to organizations, primarily spread by criminal organizations using exploit kits. It’s easy money. CryptoLocker, CryptoWall, Locky, and TeslaCrypt are some of the ransomware names we’ve been introduced to over the past couple of years. Now, CryptXXX is gaining steam. Of note, Kaspersky Lab has published a utility that supposedly will recover files lost to CryptXXX infections. Nonetheless, it’s best to avoid ransomware altogether. Keep patches up to date, continue training employees about phishing and other social engineering tactics, and ensure you are routinely backing up critical data.
