Combating Ransomware Attacks: The Reasons for Their Rise and the Ways We Can Prevent Them

As has been widely reported, a new wave of cyberattacks has hit Europe, possibly a reprise of the widespread ransomware assault in May that affected 150 countries.

Ransomware, typically delivered via malicious email or infected third-party websites, is a family of malware that either blocks access to a PC, server, or mobile device or encrypts all the data stored on that machine. Similar to a kidnapping or hijacking with a ransom demanded in return for release, the perpetrator of a ransomware attack takes possession of valuable data or files belonging to individuals or businesses and then demands payment in the form of electronic currency called “Bitcoin” for their return.

According to a report earlier this year by NBC News writer Herb Weisbaum, citing the FBI, ransomware payments for 2016 are expected to hit a billion dollars compared to the $24 million paid in 2015. And that figure is expected to rise, with more victims and more money lost. Why the dramatic rise?

  1. Easier access to technology. Criminals have increased access to sophisticated technology to conduct these attacks. Even highly sophisticated tools developed by the NSA, and other similarly advanced tools, are now in the hands of criminals. Also, criminals are making continuous improvements to such technology, and have banded together to turn this type of crime into an organized business.
  2. Increased profitability. The business of ransomware has become highly profitable. Therefore, highly talented programmers are choosing to make this their profession—and they are making a lot of money in this way.
  3. Organizations are lagging in innovation. Arguably, the most important reason is that individuals and organizations are not paying attention to continuous improvement or innovation in the technology they use or the protection systems they have in place. Without innovation, such individuals become sitting ducks. Without innovation, regardless of how good your technology is, hackers will eventually get in. Because the probability of a higher payout with organizations is greater, criminals are targeting organizations at a higher rate. However, everyday computer users are also being targeted.

Shegoftah Nasreen Queen (SNQ), Bangla Service, Voice of America, recently interviewed Dr. Mansur Hasib, program chair, Cybersecurity Technology, The Graduate School at the University of Maryland University College, to learn more about the reasons for the rise and solutions for combating this pervasive cyber threat. Read the full interview.

The Internet of Things Is Changing the Way We Live—Should We Be Worried?

The Internet of Things (IoT) is on the rise, and so are the threats associated with the interconnectedness of our devices. Eighty-four percent of organizations that have adopted IoT report experiencing at least one IoT-related security breach—and 93 percent of executives expect IoT security breaches to occur in the future—according to a February 2017 Aruba Networks study. The study also reported that malware, spyware, and human error are the most common problems.

It’s widely accepted that the number of IoT security breaches will only grow in the near future. To quote a 2016 Forrester Research report: “When smart thermostats alone exceed one million devices, it’s not hard to imagine a vulnerability that can easily exceed the scale of other common web vulnerabilities, especially if multiple IoT solutions include the same open source component.”

IoT affects everyone, not just large corporations with industrial equipment. From smart thermostats to smart refrigerators, dishwashers, and washers and dryers, we’re all part of the landscape and vulnerable to threats.

What are we to make of the proliferation of the IoT and how concerned should we be?

For answers, read the white paper by Balakrishnan Dasarathy, UMUC collegiate professor and program chair for information assurance, The Graduate School.

UMUC’s Award-Winning Cyber Team Takes Second and Third Place Honors in Day-Long Capture the Flag Competition

UMUC Cyber Padawans

The UMUC Cyber Padawans continue their winning ways by taking second and third place honors in a day-long Capture the Flag competition held at Top Golf Loudoun in Ashburn, Virginia on April 1.

The day-long, 16-team event was sponsored by The Hackerground, a provider of penetration testing tools, and White Hat Academy, a training organization that focuses on PPC, digital marketing and SEO. It was a professional, “Jeopardy”-style competition, open to students and those working in the field. Question categories covered web application exploits, binaries and reverse engineering, password cracking, cryptography, and wireless.

Members of UMUC’s Cyber Padawans teams included: UMUC alumni Daniel Coyne, Matt Matchen, and Jake Truhlar; full-time student Abel Rezene; part-time students Casey Sampson and Josh Nelbach; and faculty member Nischit Vaidya.

The University of Maryland University College cyber security competition team is a powerful force in cyber challenges around the world. The team includes students, alumni and faculty, with members studying in a variety of cyber security and IT programs at UMUC.

To learn more about the Padawans and their accomplishments, visit the team website.

UMUC’s Mansur Hasib Gets Serious About Cyber Education

Mansur Hasib, program chair for Cybersecurity Technology, University of Maryland University College (UMUC) Graduate School, and a well-known thought leader in health care technology and cybersecurity, recently won the Cybersecurity Association of Maryland’s (CAMI) People’s Choice Award for lifetime achievement.

Before a sold-out crowd of 250 attendees at the American Visionary Art Museum in Baltimore on March 22, CAMI presented 13 awards to Maryland companies, organizations and individuals judged to have outstanding cybersecurity products, services or programs, or to have made a substantial contribution to Maryland’s cybersecurity industry.

Hasib, who holds a doctorate in cybersecurity and is a former chief information officer with 30 years of public and private sector experience in health care, biotechnology, education, and energy, has always maintained that cybersecurity has three core elements — people, policy and technology. People make the decisions on what technology to use and how to support it. People determine the strategy, they configure the technology, and they use it. Leadership is critical because we need to engage people toward a business purpose and a mission.

Hasib recently spoke to HealthManagement.org and shared his thoughts on cybersecurity governance and offered his insights into how critical cybersecurity education is to Health Information Technology students.

Read the full interview.

Bridging the Gap for Women in Cybersecurity: Five Questions for Loyce Pailen, Director of the University of Maryland University College Center for Security Studies

Women hold 56 percent of all professional jobs in the U.S. workforce, but only 25 percent of IT jobs, according to the National Center for Women and Information Technology. And among women in IT, only 11 percent work in information security, reports the Women’s Society of Cyberjutsu (WSC).

Earlier this month, on March 8, we celebrated International Women’s Day, so there is no better time to explore why this deficit exists and, perhaps, offer some solutions to help expand the pipeline of women in the cybersecurity field.

UMUC’s Cyber Connections caught up with Dr. Loyce Pailen, director of the Center for Security Studies and a cybersecurity pioneer with more than 35 years of wide-ranging experience in software development, project management, telecommunications, risk management, and network and systems security and administration. She shares her thoughts on the future of women in cybersecurity.

CC: For starters, what keeps you up at night in the cybersecurity space? What should we be focusing on?

LP: During the 2016 presidential election, there was considerable discussion regarding cybersecurity issues that related to email servers, election hacking and nation-state cyber intrusions. As a cyber-professional, I was concerned that the media and politicians tossed around cybersecurity-related stories, terminologies and notions to a general populace that did not understand cybersecurity concepts well enough to make sense of what they were hearing and make intelligent decisions.

Nonetheless, this dilemma was a call-to-action for my second issue of concern, the dearth of skilled individuals to fill current and future cybersecurity workforce needs. Experts say that more than 300,000 jobs exist today—jobs that are vacant because, nationwide, we do not have people with the cybersecurity skills to fill them.

For the future, that number of openings will increase exponentially. For example, results of the eighth Global Information Security Workforce Study (GISWS) indicated that the projected workforce shortage would reach 1.8 million professionals by 2022 (ISC2). And forget about minimum wage jobs. Even at entry level, these are high-paying cybersecurity positions in the public and private sectors.

My concern is that we are not raising our children with the cybersecurity awareness and education required for the digital age in which we live. My call to action was to author a series of fun, illustrated children’s books on cybersecurity so that youngsters—and those who like to read to them—can grow familiar with cyber terms, technologies and careers. Just think where we would be today with cybersecurity workforce needs if Harry Potter were a cybersecurity person!

CC: Tell us a little bit about your career path, as a woman in the field, and the hurdles you’ve overcome?

LP: I’ve been out of the public and private sector for several years now, so some of the hurdles that I experienced in my career path to information technology and cybersecurity have faded. Only recently, I did reflect on the obstacles as I watched the movie “Hidden Figures” about African-American women at NASA entering the field of data processing.

It recalled the days of punched cards, Fortran programming, large mainframes, and the discrimination in the male-dominated field of information technology, and once again it became familiar. But the issues were never insurmountable. Dwelling on those problems tends to stifle one’s growth and productivity.

CC: What do you think can, and should, be done to expand the cybersecurity pipeline for women and minorities?

LP: My entire career, both in information technology and in software development for a large media company’s circulation systems, has been male-dominated. My current concern after more than 30 years in the cybersecurity industry, it’s disheartening to see, is that the field’s male domination is still the same, and many of the issues that existed early on still occur.

The gender and racial imbalance was evident to me in workshop sessions I attended at a recent 2017 Black Women in Computing (BWIC) Conference at Howard University, where continuing racial concerns in the technology and cybersecurity fields dominated the conversations of up-and-coming female computer scientists.

I recently witnessed an amusing incident at the 2017 RSA Conference in San Francisco that underscored the male domination of cybersecurity. Possibly the largest conference in the cybersecurity arena with 40,000 attendees, the male domination was so overwhelming that the lines to the men’s restroom stretched down long hallways and, for once, women experienced no lines at all. I found this a refreshing turnaround from the traditional.

In its own way, the lines illustrated the male domination of the cyber field. More realistically though, I believe a quick analysis of each conference-speaker’s gender would also accentuate the imbalance.

CC: So, why do you think we are still at this juncture?

LP: Unfortunately, outside of the fact that we have not done well educating our youth, I am not sure why, because it seems that when society wants to instill something in children’s minds and produce positive habits, we find a way.

Likewise, in the 1980s my daughter was influenced by the major campaigns directed at schoolchildren to “never smoke” or to “stop smoking.” She became part of a generation that never adopted the cigarette habit and that convinced their parents to stop smoking. I was a target of her campaign and it worked.

Connected with this behavior modification concept, the “CSI Effect” from the popular television show “CSI: Crime Scene Investigation” proved to have a profound impact on careers related to forensics science. So, why can’t we lobby for and create TV shows and campaigns that would be just as effective to support existing STEM, WIT, WIC, BWIC and other such efforts?

Rather than merely being consumers of tech products, we need to instill interest in their underlying technologies. And we need to fire-up the interest in cybersecurity for girls and other minorities.

CC: What advice and encouragement would you offer women entering the cybersecurity field?

LP: My advice for anyone entering the cybersecurity field is simply to embrace the multi-disciplinary and global nature of the careers in this arena. Of course, there is a need for highly technical workers who understand concepts like secure software development, secure systems, networking and cloud computing, access control, incident handling and cyber defense.

However, cybersecurity is part of everyone’s job nowadays. Individuals in the fields of human resources, accounting and finance, law, health care, marketing, management and the like all have an obligation to understand the impact of cybersecurity on their careers.

For those girls and women inclined toward technology, do not let any imaginary barrier stop you from entering the field. For those women in non-technical fields, embrace cybersecurity and make your positions more valuable to your organization or agency. I encourage them to seek education, training and certification opportunities to “bolt-on” cybersecurity knowledge and learning that will enhance their current careers.

African Americans Need to Be Better Represented in Cybersecurity

According to a Forbes blog post from April 2016, African Americans are underrepresented in the Cybersecurity field. Data from the United States Department of Labor, which publishes the Bureau of Labor Statistics (BLS), show us that “black or African-American people make up only 3% of the information security analysts in the U.S.”

The need for cybersecurity professionals continues to increase at a rapid pace. Professionals from diverse backgrounds are vital to meeting the needs of the nation. Attracting African Americans to the science, technology, engineering, and mathematics career fields has been a challenge for decades and this holds true for cybersecurity as well.

As an African American female who obtained a Bachelor of Science in Electrical Engineering more than 30 years ago, I am acutely aware of the absence of this population in these fields.

Addressing this challenge is not simple or easy. What can be done to increase the number of African Americans entering this field? Targeted efforts must be put in place at all levels of government, the private sector, and non-profits. Both public and private K-12 schools must incorporate cybersecurity learning into the core fabric of the institution. We must start early in the education process.

In the President’s 2017 fiscal budget, $19 billion was allocated for cybersecurity (Cybersecurity National Action Plan, 2016). A portion of these funds should be used to specifically target bringing African Americans into the cybersecurity field.

As we wrap up Black History Month, I would like to propose the following call to action:

Let no group be left behind because the security of our nation depends upon us all!

Submitted by Dr. Emma Garrison-Alexander, Vice Dean, Cyber Security & Information Assurance.

Kick Off the New Year with Five Tips to Make Password Management Easier

Passwords have become a necessary nuisance in today’s digital age. We use passwords thousands of times a month—to log in to computers, email and social media accounts, and numerous other systems. The biggest headache is remembering which password corresponds to what system or device.

Passwords need a combination of upper- and lower-case letters, symbols, numbers and sometimes your left leg just to achieve the “strong” value on the password meter. That’s a lot to recall. So, rather than relying on memory, often we use the same password for multiple sites or save passwords in a convenient place, such as a sticky note under the keyboard, on our mobile devices, or in a computer file.

The challenge is that we need passwords to protect the systems we use from malicious individuals—or even just curious children. Either way, using the same password for every login location is bound to cause a problem in the event someone gains access to it.

To minimize the password-management headache, consider these five ways to help make the process easier.

1. Password Storage: We tend to store passwords on paper or on our devices, which leaves usernames and passwords vulnerable. As we learned with the iCloud hack in 2014, in which photos stolen from the accounts of celebrities were leaked to the Internet, no system is hack proof.

Your passwords and accounts have monetary value. Right now, anyone can go to certain places on the internet and buy Netflix, Hulu, Facebook and credit card account information, all for less than $30, according to Symantec, a provider of internet security products.

So how do we protect ourselves? First, let’s consider what not to do. Don’t use generic passwords, such as “Password,” that would be easy for anyone to guess. Doing so will most likely lead to a compromise of your accounts.

Using your browser’s password-save options is a convenient way to store and retrieve your information if you are confident that you have created strong passwords that would be difficult for others to detect.

Instead, you could use a password manager. Though they have their own list of vulnerabilities, password managers allow users to secure their accounts with minimal effort. Most will create complex and lengthy passwords for you and will save your information for all the accounts that you have.

For information about the pros and cons of the most popular account managers, see the SANS Institute’s Whitepaper about password management.

2. Password Complexity: It seems that systems are never satisfied with what we enter. Although most of us create passwords based on names, places, or dates, doing simple things like changing an “O” to a zero, or substituting a special character for a letter can make a password more difficult to crack, as the following example illustrates.

Betterbuys.com has a great tool that will let you see how long it will take a computer to crack your password based on current standard computer processing speeds. Give it a try.

3. Switching Passwords: For convenience, we often use the same password for all login locations. We all do it, including me once upon a time. The problem is that if one of your accounts, say Netflix, is compromised, that could lead to someone accessing another account—your email, or online banking account, perhaps.

That’s why it is important to have a different password for each of your accounts. To help with password creation, develop a strong password “core” then, for each account, add something to it that represents what the account is for. For example, if your core password is P@ssw0rD, you could add the letters FB—P@ssw0rDFB—to designate your Facebook account.

4. Length vs. Complexity: There has always been an argument about which is better—a complex password or a long password. The answer is both.

A seven-character password with just numbers will take seconds or less to break. Combining symbols and numbers in that password might take the malicious invader a minute more to work through. So, password complexity is important, but the following example from betterbuys.com shows why password length is important as well.

5. Password Selection: Splashdata and others release an annual list of the most commonly used and, therefore, most hackable passwords. For the better part of the new millennium, the following five have remained at the top of the list—123456, password, 12345678, qwerty and 12345; in fact, these were the five most commonly used passwords found among more than two million leaked passwords during 2015, according to a January 2016 Computerworld article.

View the top-25 list of the world’s worst passwords from tech and entertainment news source BGR.com. If you’re using any of them, you’re putting yourself at risk.

So how do you create a strong, complex password that is easy for you to remember but hard for others to guess?

The best way I have found is to use a quote that has substance and personal meaning, and then combine it with numbers—ones that will help you remember your password but aren’t personally associated with you or someone close to you, such as a birthdate.

For instance, whenever I ask my wife if she needs help with something she loves to quote me a line from Disney’s Hercules: “I am a big, tough girl. I tie my own sandals and everything.”

It’s easy to remember and to turn into a password. The quote has 13 words. If you take the first letter of each word you get “IAABTGITMOSAE.” Already, that is gibberish.

Now, if you take some of those letters, such as a couple of the “A’s” and replace them with a symbol, such as @, you get stronger gibberish—“I@abtgItmos@e.”

Finally, add some numbers.

Here’s my thought process for selecting one. Like lots of mothers with multiple children, my mom does a “roll call” when trying to get our attention by reciting the list of my siblings’ names until she calls the right one. She does this almost 90 percent of the time. But just ask her when the Battle of Hastings was and she will immediately tell you, “1066!”

Now I have a number. Let’s add it to our password: “I@abtg1066Itmos@e.” Now we have a 17-character password that uses upper- and lower-case letters, a set of numbers, and symbols.
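The length-versus-complexity arithmetic in tip 4, the common-password list in tip 5 and the password built above can be checked with a short script. This is an added example, not part of the original article; the guess rate, the substitution table and the function names are assumptions.

```python
import math
import string

# The five most-used passwords named in tip 5 of the article.
COMMON = ("123456", "password", "12345678", "qwerty", "12345")

# Assumed look-alike substitutions to undo before comparing with COMMON.
DELEET = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e",
                        "$": "s", "5": "s", "!": "i"})

# Assumption: offline guessing rate in guesses per second. Tune to your threat model.
GUESSES_PER_SECOND = 10 ** 10

CHAR_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation)


def pool_size(password):
    """Alphabet size an exhaustive search must cover for this password."""
    return sum(len(cls) for cls in CHAR_CLASSES
               if any(ch in cls for ch in password))


def resembles_common(password):
    """True if the password is, or contains, a common password, even after
    simple substitutions such as '@' for 'a' or '0' for 'o' are undone."""
    raw = password.lower()
    forms = (raw, raw.translate(DELEET))
    return any(common in form for form in forms for common in COMMON)


def assess(password):
    """Return length, alphabet size, keyspace and worst-case search time."""
    pool = pool_size(password)
    keyspace = pool ** len(password)
    return {
        "length": len(password),
        "pool": pool,
        "keyspace": keyspace,
        "bits": round(math.log2(keyspace), 1) if keyspace > 1 else 0.0,
        # Whole seconds to exhaust the keyspace at the assumed rate.
        "worst_case_seconds": keyspace // GUESSES_PER_SECOND,
        "resembles_common": resembles_common(password),
    }


if __name__ == "__main__":
    # First sample is constructed; the other three appear in the article.
    for pw in ("7392016", "P@ssw0rD", "P@ssw0rDFB", "I@abtg1066Itmos@e"):
        r = assess(pw)
        print(f"{pw:20} len={r['length']:2} pool={r['pool']:2} "
              f"bits={r['bits']:6} common={r['resembles_common']}")
```

On arithmetic alone `P@ssw0rD` scores a 94-symbol alphabet over 8 characters, yet it reduces to `password` from the tip 5 list once the substitutions are undone, so the keyspace figure is an upper bound that holds only for passwords not built on a common one.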

The bottom line is this: Passwords are here to stay until someone comes up with an alternative that is affordable.

Good passwords—those that are at least 10 characters long and combine letters, numbers and symbols for complexity—will make you less likely to be compromised.

Use separate passwords for different accounts. And it might be worthwhile to add a tag to your password to designate the type of account it’s attached to—FB for Facebook account, for example.

Crafting a strong, secure password is great, but you still must remember it. If this is a hard task, then use a password manager application. It is important to protect yourself in cyberspace as much as you can, and passwords are your first line of defense.

References:

Netflix Malware—Netflix malware and phishing campaigns help build emerging black market
Gibson Research Corporation—How Big Is Your Haystack?
Betterbuys.com—Estimating Password-Cracking Times
Wired—7 Password Experts on How to Lock Down Your Online Security
Krebs on Security—Password Do’s and Don’ts

About the Author

Garrett Boyd is a student at UMUC studying cybersecurity, and is part of the award-winning UMUC Cyber Padawans. He has been working in IT and cybersecurity for almost 10 years in the United States Marine Corps.