Windows systems at Maastricht University were infected with ransomware

A new ransomware attack has made the headlines: Maastricht University (UM) confirmed that malware encrypted almost all of its Windows systems on December 23.

Maastricht University (UM) announced ransomware infected almost all of its Windows systems on Monday, December 23.
Maastricht University is a large university with over 18,000 students, roughly 4,400 employees, and 70,000 alumni.
“Maastricht University (UM) has been hit by a serious cyber attack. Almost all Windows systems have been affected and it is particularly difficult to use e-mail services.” reads the notice published by the UM. “UM is currently working on a solution. Extra security measures have been taken to protect (scientific) data. UM is investigating if the cyber attackers have had access to this data.”
UM is investigating the incident and working to restore operations; it has also reported the incident to law enforcement.
The university has not revealed details of the attack, and the ransomware family involved is not yet known.
It is also unclear whether the attackers exfiltrated data from the systems before encrypting them.
In response to the attack, UM has taken its systems down as a precautionary measure.

“In order to work as safely as possible, UM has temporarily taken all of its systems offline.” reads an update published by the university. “Given the size and extent of the attack, it is not yet possible to indicate when that can be done exactly. For the same reason, it is not possible to state with absolute certainty, which systems have been affected and which have not. This requires additional investigation.”

Students and employees can contact the ICT Servicedesk by e-mail with any questions about the attack, or call 043 38 85 101 during office hours.

The KnowBe4 African Cybersecurity Awareness Report

Anna Collard, the Managing Director of KnowBe4 Africa, a specialist in cybersecurity awareness training, was in Mauritius to present The 2019 KnowBe4 African Cybersecurity Awareness Report with over 800 respondents across eight countries in Africa: South Africa, Kenya, Nigeria, Ghana, Egypt, Morocco, Mauritius and Botswana.
The survey revealed a pressing need to educate Africans about the different kinds of cyberattack. The key findings of the report are as follows:
· 53% of Africans surveyed think that trusting emails from people they know is good enough
· 64% didn’t know what ransomware is, yet they believe they can easily identify a security threat
· 28% have fallen for a phishing email and 50% have had a malware infection
· 52% don’t know what multi-factor authentication is
“The results proved that respondents’ confidence was based on the little they knew about cyber-attacks and it is where the problem lies,” said Collard.
“Africans are not prepared for these threats, making them increasingly easy preys to cybercriminals.”
According to Business Insider SA, 525 million Africans were connected to the Internet in June 2019 – representing 40% of Africa’s total population. This number is expected to grow to a billion people by 2022. As connectivity improves, users are faced with increasing cyberattacks. In fact, Africa has been among the fastest growing regions in terms of cybercrime activities.
When it comes more specifically to Mauritius, Anna Collard said: “It is one of the best prepared countries compared to other African countries with a Government prioritising the ICT sector and a vision to transform Mauritius into a Smart island by 2030.
“Mauritius is one of only a handful of countries on the continent with a legal framework in place to combat cybercrime.”
The Global Cybersecurity Index (GCI) shows that Mauritius is ranked among the top ten most committed countries globally and first in Africa.
In addition, the survey showed a slightly higher awareness from Mauritian respondents when compared to other countries. In fact, more than half of respondents in Botswana, Egypt, Kenya, Ghana, Morocco and Mauritius have enough security smarts to avoid clicking on links or opening attachments they don’t expect.
However, the top five cybercrimes (financial fraud, impersonation scams, business email compromise, extortion attacks and DDoS attacks on critical infrastructure) are expected to rise in the coming years.
“What makes Africa different to the rest of the world is that cybercriminals are shifting their attention towards the continent and other emerging economies,” said Collard.
Many criminals consider Africa a safe haven for their illegal operations, as many African governments need to attend to other pressing issues such as fighting poverty, unstable politics, violent crime and large youth unemployment and still regard cybersecurity as a luxury, not a necessity.
In many organisations, cybersecurity budgets are reported to be less than 1%, or non-existent. Africa also faces a serious shortage of skilled security professionals, as well as a lack of awareness and skills among the general user population. Many African Internet users are connecting for the first time, and with the sharp increase expected in the next few years, millions of people will be coming online without understanding the risks.
Another reason for why Africa is so attractive to cybercriminals is the lack of legislation and law enforcement. According to a report by the African Union, only about 20% of African states have basic legal frameworks to deal with cybercrime.
Kenya, South Africa and Mauritius are probably the most advanced in this regard and Nigeria is coming up fast.
“We have analysed the phish prone % (meaning user’s susceptibility to phishing) across our 25,000 plus customers and nine million end users around the world at KnowBe4 and results proved that what starts off with a 30% baseline hit rate is lowered by half to 15% in three months and down to only 2% 12 months later, showing a serious and measurable improvement and risk reduction,” added Collard.

Deliver a Deadly Counterpunch to Ransomware Attacks: 4 Steps

You can't prevent all ransomware attacks. However, it's possible to ensure that if a breach happens, it doesn't spread, affect business, and become a newsworthy event.
Wayman Cummings and Salva Sinno also contributed to this column.
Nearly 1.5 million new phishing sites are created each month. And more than 850 million ransomware infections were detected in 2018 alone. These statistics illustrate the threat that ransomware poses for every IT professional and every kind of organization.
Ransomware is a specific type of malware designed to encrypt a computer's content until the user pays for the decryption or recovery key. This halts productivity, affecting business revenue. However, security pros can take decisive action to minimize the impact of ransomware.
The first line of defense is always a good offense. To prevent an attacker from establishing a foothold in an organization's network, organizations should put the following in place:
  • Best practices such as strong patching policies, regular system backups, multifactor authentication, application whitelisting, and restrictions of local administrator rights and privileges
  • Awareness programs to educate users about phishing and other forms of social engineering
  • Security tools that provide spam filtering, link filtering, domain name system blocking/filtering, virus detection, and intrusion detection and prevention
  • A zero-trust framework to identify, authenticate, and monitor every connection, login, and use of resources
  • Least privilege policies to restrict users' permissions to install and run software applications
Minimizing ransomware's impact is about more than just defending systems against attack. It also involves taking action to minimize the impact of breaches as they happen. This is critical, since all systems can be breached by attackers who have sufficient time and resources.
That means putting in place solid incident response (IR) programs. Planning ahead builds confidence in that IR capability. To that end, enterprises should review their IR policies and engage in tabletop exercises. And they should use operational benchmarking to improve their ability to respond before an incident occurs.
Hackers continue to evolve and become more sophisticated with their attacks. So, it is likely that a ransomware attack will breach every enterprise's environment at some point. When that occurs, these four steps will minimize the impact and recover enterprise data:
Step 1: Isolation. Before doing anything else, ensure that the infected devices are removed from the network. If they have a physical network connection, unplug them from it. If they are on a wireless network, turn off the wireless hub/router, or, less disruptively, disable the affected host's own wireless adapter or quarantine it at the switch, NAC or EDR layer so that every other device is not taken offline as well. Also unplug any directly attached storage to try to save the data on those devices. The goal is to prevent the infection from spreading.
Step 2: Identify. This step is often overlooked. By spending just a few minutes figuring out what has happened (the ransom note's text, the extension appended to encrypted files, and the process that did the encrypting are the usual clues), enterprises can learn important information such as which variant of ransomware infected them, what files that strain normally encrypts, and the options for decryption. Enterprises may also learn how to defeat the ransomware without paying or restoring systems from scratch.
Step 3: Report. This is another step that many security professionals skip, whether due to embarrassment or time constraints. However, by reporting the ransomware attack, enterprises may help other organizations avoid similar situations, and they give law enforcement agencies a better understanding of the attacker. There are many ways to report a ransomware attack. One is to contact a local FBI office in the US or register a complaint with the FBI's Internet Crime Complaint Center website. The Federal Trade Commission's OnGuardOnline website and Scamwatch, an Australian Competition & Consumer Commission effort, also collect such data.
Step 4: Recover. In general, there are three options to recover from a ransomware attack:
  • Pay the ransom: This is not recommended because there is no guarantee the organization will get its data back after paying. Instead, the attacker might demand even more money before decrypting the data.
  • Remove the ransomware: Depending on the type of ransomware involved, an enterprise might be able to remove it without requiring a full rebuild. This process, however, can be very time consuming and is therefore not a preferred option.
  • Wipe and rebuild: The easiest and safest method of recovery is to wipe the infected systems and rebuild them from a known good backup. Once rebuilt, organizations need to ensure that no traces remain of the ransomware that led to the encryption. Once an organization rebuilds its environment, the real work begins. That organization must then do a full environmental review to determine exactly how the infection began and what steps it must take to reduce the potential of another breach.
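A small triage script for Step 2, added here as an example and not part of the column: given a directory tree, it collects files whose names look like ransom notes and tallies the extensions of files whose bytes are high-entropy (what encrypted content looks like), so the responder can look the strain up by its note and extension. The note-name patterns, the entropy threshold and the sample tree are assumptions; already-compressed files (zip, jpeg, modern office formats) are also high-entropy, so treat the tally as a lead, not proof.

```python
"""Step 2 (Identify) helper: find ransom notes and the extension the ransomware appends.

Added example, not code from the column. The name patterns, threshold and
sample tree below are assumptions chosen for the demonstration.
"""
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Assumed note-name patterns; most families drop a text file named along these lines.
NOTE_NAME_RE = re.compile(r"decrypt|restore|recover|readme|how_to|help|ransom", re.IGNORECASE)
# Bits per byte. Text and most plain documents sit far below this; ciphertext (and,
# caveat, already-compressed data such as zip/jpeg) sits near 8.0.
HIGH_ENTROPY = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 means uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(root: str, sample_bytes: int = 4096) -> dict:
    """Walk `root`; return likely ransom notes and a tally of encrypted-looking extensions."""
    notes, encrypted_ext = [], Counter()
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        with path.open("rb") as fh:          # only sample the head; encrypted files can be huge
            head = fh.read(sample_bytes)
        if shannon_entropy(head) >= HIGH_ENTROPY:
            encrypted_ext[path.suffix.lower() or "<none>"] += 1
        elif NOTE_NAME_RE.search(path.name):
            notes.append(str(path.relative_to(root)))
    likely = encrypted_ext.most_common(1)[0][0] if encrypted_ext else None
    return {"ransom_notes": sorted(notes),
            "encrypted_by_ext": dict(encrypted_ext),
            "likely_extension": likely}


def build_sample_tree() -> str:
    """Constructed sample tree standing in for an infected share (not real incident data)."""
    root = tempfile.mkdtemp(prefix="triage_")
    docs = Path(root) / "Documents"
    docs.mkdir()
    (docs / "HOW_TO_DECRYPT.txt").write_text("All your files have been encrypted. " * 20)
    for i in range(3):                        # random bytes stand in for encrypted payloads
        (docs / f"report{i}.xlsx.locked").write_bytes(os.urandom(4096))
    (docs / "notes.txt").write_text("meeting at 10, bring the budget\n" * 30)
    return root


if __name__ == "__main__":
    result = triage(build_sample_tree())
    print(f"likely extension: {result['likely_extension']}")
    print(f"ransom notes:     {result['ransom_notes']}")
```

Run it against a mounted copy of the affected share, never the live host, and feed the note text and the extension into whichever identification service your IR playbook names.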
It's simply not possible to keep all ransomware attacks at bay. However, it is possible to ensure that if a breach occurs, it does not spread, affect business, and become a newsworthy event.
By fending off the majority of attacks and dealing swiftly with the bad actors that get in the door — with the help of dynamic isolation, microsegmentation, and other modern cybersecurity technologies — organizations will keep their businesses on track and on target.
By: Mathew Newfield

Are You One Of Avast’s 400 Million Users? This Is Why It Collects And Sells Your Web Habits.


Avast, the multibillion-dollar Czech security company, doesn’t just make money from protecting its 400 million users’ information. It also profits in part because of sales of users’ Web browsing habits and has been doing so since at least 2013.
That’s led to some labelling its tools “spyware,” the very thing Avast is supposed to be protecting users from. Both Mozilla and Opera were concerned enough to remove some Avast tools from their add-on stores earlier this month, though the anti-virus provider says it's working with Mozilla to get its products back online.
But recently appointed chief executive Ondrej Vlcek tells Forbes there’s no privacy scandal here. All that user information that it sells cannot be traced back to individual users, he asserts.
Here’s how it works, according to Vlcek: Avast users have their Web activity harvested by the company’s browser extensions. But before it lands on Avast servers, the data is stripped of anything that might expose an individual’s identity, such as a name in the URL, as when a Facebook user is logged in. All that data is analysed by Jumpshot, a company that’s 65%-owned by Avast, before being sold on as “insights” to customers. Those customers might be investors or brand managers.
What do those customers get? Vlcek says Jumpshot, which was initially acquired in 2013, provides “insights on how cohorts of users on the internet use the web.” For instance, it could show a percentage of visitors who went from one website to another. That could be useful to anyone monitoring an advertising campaign. 
“Typical customers would be, for example, investors, who would be interested in how online companies are doing in terms of their new campaigns,” the new Avast chief explains. Say Amazon launches a new product—Jumpshot could determine how much interest it’s getting online.
Jumpshot's own website is a little more detailed, promising “incredibly detailed clickstream data from 100 million global online shoppers and 20 million global app users.” It’s possible to “track what users searched for, how they interacted with a particular brand or product, and what they bought. Look into any category, country, or domain.”
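The URL-scrubbing step Vlcek describes, as an added example (not Avast's or Jumpshot's code): the denylist of query keys, the profile-path patterns and the sample URLs are assumptions chosen for the demonstration. It also adds the check a privacy engineer would want, flagging opaque tokens that survive the scrub, since a long order or share identifier can still tie a record to one person even after the name is gone.

```python
"""Clickstream URL de-identification, added illustration of the approach
described above. Not Avast's or Jumpshot's code; the denylist, path
patterns and sample URLs are assumptions.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed: query keys that usually carry an account identity or a session.
IDENTIFYING_KEYS = {"email", "user", "username", "uid", "token", "session", "sid", "auth"}
# Assumed: path shapes that name one account rather than a page category.
PROFILE_PATH_RES = [
    re.compile(r"^/(?:profile|user|users|u|people)/[^/]+"),   # /user/jane.doe
    re.compile(r"^/[@~][^/]+"),                                # /@jane, /~jane
]
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# Long opaque tokens (order ids, share links) can still single out one person.
OPAQUE_TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{20,}")


def scrub_url(url: str) -> str:
    """Return the URL with user-naming path segments, e-mail addresses,
    identifying query values and the fragment removed."""
    parts = urlsplit(url)
    path = parts.path
    for pat in PROFILE_PATH_RES:
        # keep the category prefix (e.g. /user), replace the account segment
        path = pat.sub(lambda m: m.group(0).rsplit("/", 1)[0] + "/USER", path)
    path = EMAIL_RE.sub("EMAIL", path)
    query = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in IDENTIFYING_KEYS or EMAIL_RE.search(value):
            value = "REDACTED"
        query.append((key, value))
    return urlunsplit((parts.scheme, parts.netloc, path, urlencode(query), ""))


def residual_identifiers(url: str) -> list:
    """Check step: opaque tokens that survive scrubbing and may still link
    records to an individual; such URLs need dropping or generalising."""
    parts = urlsplit(url)
    return OPAQUE_TOKEN_RE.findall(parts.path + "?" + parts.query)


def scrub_batch(urls) -> list:
    """Scrub a batch and drop anything that still carries an opaque token."""
    kept = []
    for u in urls:
        s = scrub_url(u)
        if not residual_identifiers(s):
            kept.append(s)
    return kept


# Constructed sample clickstream (not real user data).
SAMPLE_URLS = [
    "https://www.facebook.com/profile/jane.doe?ref=home&email=jane%40example.com#top",
    "https://news.example/world/elections?page=2",
    "https://shop.example/orders/track?id=ab12cd34ef56gh78ij90kl&ship=express",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(scrub_url(u), residual_identifiers(scrub_url(u)))
```

Stripping names is necessary but not sufficient: `scrub_batch` therefore drops any record that still carries an opaque token rather than passing it on.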
That might be unnerving to privacy-predisposed folk, but Vlcek compares this kind of data trading to the kind seen in healthcare. In that market, anonymized data is used to create case studies, where by looking at data trends it could be determined who is more likely to get a disease.
As a final assurance, Vlcek told Forbes he recognizes customers use Avast to protect their information and so it can’t do anything that might “circumvent the security of privacy of the data including targeting by advertisers.”
“So we absolutely do not allow any advertisers or any third party ... to get any access through Avast or any data that would allow the third party to target that specific individual,” he adds. As for how much money this actually makes for Avast, it’s around 5% of overall revenue, says Vlcek. Given the first half of 2019 revenue stood at just under $430 million, that’s still more than $20 million.
Avast’s user data sales attracted fresh concern as recently as last week, though. Adblock Plus founder Wladimir Palant has been tracking the Avast extensions’ data collection through 2019, and he reported the data slurping to Mozilla and Opera before they removed the add-ons from their stores.
Palant now wants Google to do the same for Chrome. “Google Chrome is where the overwhelming majority of these users are,” he warned in a blog post earlier this month.


Please don’t buy this: smart doorbells

Though Black Friday and Cyber Monday are over, the two shopping holidays were just precursors to the larger Christmas season—a time of year when online packages pile high on doorsteps and front porches around the world.
According to some companies, it’s only logical to want to protect these packages from theft, and wouldn’t it just so happen that these same companies have the perfect device to do that—smart doorbells.
Equipped with cameras and constantly connected to the Internet, smart doorbells provide users with 24-hour video feeds of the view from their front doors, capturing everything that happens when a user is away at work or sleeping in bed.
Some devices, like the Eufy Video Doorbell, can allegedly differentiate between a person dropping off a package and, say, a very bold, very unchill goat marching up to the front door (it really happened). Others, like Google’s Nest Hello, proclaim to be able to “recognize packages and familiar faces.” Many more, including Arlo’s Video Doorbell and Netatmo’s Smart Video Doorbell, can deliver notifications to users whenever motion or sound are detected nearby.
The selling point for smart doorbells is simple: total vigilance in the palms of your hands. But if you look closer, it turns out a privatized neighborhood surveillance network is a bad idea.
To start, some of the more popular smart doorbell products have suffered severe cybersecurity vulnerabilities, while others lacked basic functionality upon launch. Worse, the data privacy practices at one major smart doorbell maker resulted in wanton employee access to users’ neighborhood videos. Finally, partnerships between hundreds of police departments and one smart doorbell maker have created a world in which police can make broad, multi-home requests for user videos without needing to show evidence of a crime.
The path to allegedly improved physical security shouldn’t involve faulty cybersecurity or invasions of privacy.
Here are some of the concerns that cybersecurity researchers, lawmakers, and online privacy advocates have found with smart doorbells.

Congress fires off several questions on privacy

On November 20, relying on public reports from earlier in the year, five US Senators sent a letter to Amazon CEO Jeff Bezos, demanding answers about a smart doorbell company that Bezos’ own online retail giant swallowed up for $839 million—Ring.
According to an investigation by The Intercept cited by the senators, beginning in 2016, Ring “provided its Ukraine-based research and development team virtually unfettered access to a folder on Amazon’s S3 cloud storage service that contained every video created by every Ring camera around the world.”
The Intercept’s source also said that “at the time the Ukrainian access was provided, the video files were left unencrypted, the source said, because of Ring leadership’s ‘sense that encryption would make the company less valuable,’ owing to the expense of implementing encryption and lost revenue opportunities due to restricted access.”
Not only that, but, according to the Intercept, Ring also “unnecessarily” provided company executives and engineers with access to “round-the-clock live feeds” of some customers’ cameras. For Ring employees who had this type of access, all they needed to actually view videos, The Intercept reported, was a customer’s email address.
The senators, in their letter, were incensed.
“Americans who make the choice to install Ring products in and outside their homes do so under the assumption that they are—as your website proclaims—‘making the neighborhood safer,’” the senators wrote. “As such, the American people have a right to know who else is looking at the data they provide to Ring, and if that data is secure from hackers.”
The lawmakers’ questions came hot on the heels of Senator Ed Markey’s own efforts in September into untangling Ring’s data privacy practices for children. How, for instance, does the company ensure that children’s likenesses won’t be recorded and stored indefinitely by Ring devices, the senator asked.
According to The Washington Post, when Amazon responded to Sen. Markey’s questions, the answers potentially came up short:
“When asked by Markey how the company ensured that its cameras would not record children, [Amazon Vice President of Public Policy Brian Huseman] wrote that no such oversight system existed: Its customers ‘own and control their video recordings,’ and ‘similar to any security camera, Ring has no way to know or verify that a child has come within range of a device.’”
But Sen. Markey’s original request did not just focus on data privacy protections for children. The Senator also wanted clear answers on an internal effort that Amazon had provided scant information on until this year—its partnerships with hundreds of police departments across the country.

Police partnerships

In August, The Washington Post reported that Ring had forged video-sharing relationships with more than 400 police forces in the US. Today, that number has grown to at least 677—an increase of roughly 50 percent in just four months.
The video-sharing partnerships are simple.
By partnering with Ring, local police forces gain the privilege of requesting up to 12 hours of video spanning a 45-day period from all Ring devices that are included within half a square mile of a suspected crime scene. Police officers request video directly from Ring owners, and do not need to show evidence of a crime or obtain a warrant before asking for this data.
Once the video is in their hands, police can, according to Ring, keep it for however long they wish and share it with whomever they choose. The requested videos can sometimes include video that takes place inside a customer’s home, not just outside their front door.
At first blush, this might appear like a one-sided relationship, with police officers gaining access to countless hours of local surveillance for little in return. But Ring has another incentive, far away from its much-trumpeted mission “to reduce crime in neighborhoods.” Ring’s motivations are financial.
According to Gizmodo, for police departments that partner up with Ring to gain access to customer video, Ring gains near-unprecedented control in how those police officers talk about the company’s products. The company, Gizmodo reported, “pre-writes almost all of the messages shared by police across social media, and attempts to legally obligate police to give the company final say on all statements about its products, even those shared with the press.”
Less than one week after Gizmodo’s report, Motherboard obtained documents that included standardized responses for police officers to use on social media when answering questions about Ring. The responses, written by Ring, at times directly promote the company’s products.
Further, in the California city of El Monte, police officers offered Ring smart doorbells as an incentive for individuals to share information about any crimes they may have witnessed.
The partnerships have inflamed multiple privacy rights advocates.
“Law enforcement is supposed to answer to elected officials and the public, not to public relations operatives from a profit-obsessed multinational corporation that has no ties to the community they claim they’re protecting,” said Evan Greer, deputy director of Fight for the Future, when talking to Vice.
Matthew Guariglia, policy analyst with Electronic Frontier Foundation, echoed Greer’s points:
“This arrangement makes salespeople out of what should be impartial and trusted protectors of our civic society.”

Cybersecurity concerns

When smart doorbells aren’t potentially invading privacy, they might also be lacking the necessary cybersecurity defenses to work as promised.
Last month, a group of cybersecurity researchers from Bitdefender announced that they had discovered a vulnerability in Ring devices that could have let threat actors swipe a Ring user’s Wi-Fi credentials.
The vulnerability, which Ring fixed after being notified privately in the summer, lay in the setup process between a Ring doorbell and the owner’s Wi-Fi network. To set the device up, the Ring mobile app has to send the user’s Wi-Fi network name and password to the doorbell, and Bitdefender’s researchers found that this exchange took place over an unencrypted connection, where anyone in radio range could capture it.
Unfortunately, this vulnerability was not the first of its kind. In 2016, a security testing firm found a flaw in Ring devices that could likewise have allowed threat actors to steal Wi-Fi passwords.
Further, this year, another smart doorbell maker suffered so many basic functionality issues that it stopped selling its own device just 17 days after its public launch. The smart doorbell, the August View, went back on sale six months later.

Please don’t buy

We understand the appeal of these devices. For many users, a smart doorbell is the key piece of technology that, they believe, can help prevent theft in their community, or equip their children with a safe way to check on suspicious home visitors. These devices are, for many, a way to calmer peace of mind.
But the cybersecurity flaws, invasions of privacy, and attempts to make public servants into sales representatives go too far. The very devices purchased for security and safety belie their purpose.
Therefore, this holiday season, we kindly suggest that you please stay away from smart doorbells. Deadbolts will never leak your private info.

Malwarebytes teams up with security vendors and advocacy groups to launch Coalition Against Stalkerware

On November 19 2019, Malwarebytes announced its participation in a joint effort to stop invasive digital surveillance: the Coalition Against Stalkerware.
For years, Malwarebytes has detected and warned users about the potentially dangerous capabilities of stalkerware, an invasive threat that can rob individuals of their expectation of, and right to, privacy. Just like the domestic abuse it can enable, stalkerware also proliferates away from public view, leaving its victims and survivors in isolation, unheard and unhelped.
The Coalition Against Stalkerware is the next necessary step in stopping this digital threat—a collaborative approach steered by the promise of enabling the safe use of technology for everyone, everywhere. The coalition includes representatives from cybersecurity vendors, domestic violence organizations, and the digital rights space.
Our coalition’s founding members are Malwarebytes, Avira, Kaspersky, G Data, NortonLifeLock, the National Network to End Domestic Violence, the Electronic Frontier Foundation, Operation Safe Escape, WEISSER RING, and the European Network for the Work with Perpetrators of Domestic Violence. Martijn Grooten, editor of Virus Bulletin, is serving as a special advisor.
Already, the coalition has produced results.
In the past month, both Malwarebytes and Kaspersky shared research and intelligence on stalkerware with one another. This exchange has improved the detection rate for both our products, but more than that, it has improved the safety of users everywhere.
Further, coalition members have taken on the task of defining stalkerware and creating its detection criteria, crucial steps in empowering the cybersecurity industry to better understand this threat and how to fight it.
Finally, the coalition’s website includes information for domestic abuse survivors and advocates, including links to external resources, information about state laws, recent news articles, and survivors’ stories.
With this group, we are making a call to the broader cybersecurity industry: If you have ever made a promise to protect people, now is the time to uphold that promise. Stalkerware is a known, documented threat, and you can help stop it.

Join our fight. You’ll be in good company.

Our journey against invasive monitoring apps

In 2019, Malwarebytes began a recommitment to detecting and stopping apps that could invasively monitor users without their knowledge. These types of programs, which we classify as “monitor” or “spyware” in our product, can provide domestic abusers with a new avenue of control over their survivors’ lives, granting wrongful, unfettered access to text messages, phone calls, emails, GPS location data, and online browsing behavior.
In this effort, we’ve analyzed more than 2,500 samples of programs that had been flagged in research algorithms as potential monitoring/tracking apps or spyware. We grew our database of known monitoring/spying apps to include more than 100 applications that no other vendor detects and more than 10 that were, as of October 1, still on the Google Play Store.
Further, we’ve written multiple blogs for domestic abuse survivors and advocates on what to do if they have these types of apps on their phones, how to protect against them, and how organizations supporting victims of stalking can secure their data. In the summer, we also offered cybersecurity advice to domestic abuse advocates and survivors for the National Network to End Domestic Violence’s Technology Summit in San Francisco.
We are proud of our work, but we cannot ignore an important fact—it was not conducted in isolation.
Our blogs relied on the expertise of several domestic abuse advocates, along with the published work of researchers in intimate partner violence and digital rights. Our invitations to local community justice centers were as much about presenting as they were about learning. Our meetings with local law enforcement taught us about difficulties in collecting evidence of these invasive apps, and how domestic abusers can slip through the cracks of legal enforcement.
Every time we reached out, we learned more and we improved. With the Coalition Against Stalkerware, we hope to deepen these efforts.


Rising to the challenge of delivering more secure elections

As efforts to modernize and digitize outdated and aging election infrastructure take hold across the U.S., the demand for a revolutionized approach to cybersecurity has become an increasing imperative. Democratic nations rely on public trust in the integrity of their institutions, and in a republic with the guiding principles of government “of the people, by the people and for the people” there is perhaps no more important system than that of free, fair, and secure elections.
As we move deep into the digital era, societies have come to expect innovation in every aspect of their lives.  And while governments have often been slower to respond to this reality, innovations to elections systems are beginning to appear, such as mobile vote centers, digital pollbooks, QR code-based ballots, and even remote voting through mobile applications. 
Adoption of these new technologies has the potential to bring many benefits, including an improved voter experience and increased individual participation in the democratic process through enhanced access to cast a ballot. However, digitally enabled, network- and cloud-supported architectures introduce new and unique challenges, particularly in the area of cybersecurity.
Consider the realities of elections operations that create potential vulnerabilities and opportunities for exploitation:
  • Infrastructure is often stood up rapidly, on demand, and used only for very short intervals of time.
  • Supporting physical and network infrastructure is frequently leased or borrowed from various disparate entities (schools, libraries, government offices) and traffic may be routed across various untrusted networks.
  • Many poll workers and support staff are temporary contractors or volunteers (whose qualifications vary greatly by state) and may be trained insufficiently.
  • Voting machines and supporting infrastructure (routers, switches, firewalls, etc.) can spend significant amounts of time in storage and then are quickly deployed; sometimes passing through multiple hands, creating possible chain-of-custody challenges.
  • Physical safeguards of polling stations are difficult to scale and cost prohibitive.
Addressing these and other challenges begins with sound risk management strategies that align government focus, limited budgets, and time constraints with the areas of greatest positive impact.
Let’s start with some good framing questions.

What are the risks?  Vulnerabilities?  Threats?

Understanding the risks to election operations is key. Unfortunately, all too often public focus is unduly placed, or heavily weighted, on hackers, external threat actors, and hostile nation states. In reality, one of the biggest threats to an election is a lack of public confidence in the veracity of the results; in other words, perception. Basic security violations can do just as much harm as a foreign threat actor, if not more, and are far more likely to occur. To combat these threats, stay focused on building a system that reinforces security fundamentals: integrity, auditability, accountability, non-repudiation and a verifiable chain of custody.
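One way to make chain of custody verifiable rather than merely recorded, added here as an example and not from the article: a hash-chained custody ledger in which every entry authenticates the one before it, so a hand-off cannot be edited, reordered or quietly removed from the middle without verification failing. Asset tags, handler names and the key are assumptions. A single shared HMAC key gives integrity and auditability; non-repudiation would require each handler to sign entries with their own key, which is left out to keep the example to the standard library.

```python
"""Tamper-evident chain-of-custody ledger for election equipment.

Added example, not from the article. Asset tags, handlers and the key are
assumptions; one shared HMAC key is used, so this gives integrity and
auditability but not per-handler non-repudiation.
"""
import hashlib
import hmac
import json
import time

GENESIS = "0" * 64


class CustodyLedger:
    def __init__(self, key: bytes):
        self._key = key
        self.records = []

    def _mac(self, body: dict) -> str:
        # canonical JSON so the same record always authenticates the same way
        canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, canon, hashlib.sha256).hexdigest()

    def append(self, asset: str, event: str, handler: str, ts=None) -> dict:
        prev = self.records[-1]["mac"] if self.records else GENESIS
        body = {"seq": len(self.records), "asset": asset, "event": event,
                "handler": handler, "ts": int(time.time()) if ts is None else ts,
                "prev": prev}                      # links this entry to the one before
        rec = dict(body, mac=self._mac(body))
        self.records.append(rec)
        return rec

    def verify(self):
        """Return (ok, reason). Walk the chain and recompute every MAC."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "mac"}
            if body.get("seq") != i:
                return False, f"sequence gap at record {i}"
            if body.get("prev") != prev:
                return False, f"chain broken at record {i}"
            if not hmac.compare_digest(self._mac(body), rec["mac"]):
                return False, f"record {i} was modified"
            prev = rec["mac"]
        return True, "ok"

    def head(self) -> str:
        """The newest MAC. Publish it after each shift: the chain cannot prove
        its own length, so dropping the newest records still verifies."""
        return self.records[-1]["mac"] if self.records else GENESIS

    def trail(self, asset: str) -> list:
        return [f"{r['ts']} {r['event']} by {r['handler']}"
                for r in self.records if r["asset"] == asset]


def demo():
    """Build a three-event trail, then show that a silent edit is caught."""
    ledger = CustodyLedger(key=b"assumed-demo-key-held-by-the-clerk")
    ledger.append("VM-0042", "sealed-in-warehouse", "county.clerk", ts=1)
    ledger.append("VM-0042", "released-to-courier", "courier.a", ts=2)
    ledger.append("VM-0042", "received-at-precinct-12", "chief.judge", ts=3)
    clean = ledger.verify()[0]
    ledger.records[1]["handler"] = "courier.b"     # someone rewrites who carried it
    tampered = ledger.verify()
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```

Record `head()` on the paper seal log or in a second system at the end of every shift; that external anchor is what turns the chain's integrity into a check on its completeness.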

What are the regulatory mandates, and can we go further with security best practices?

The Department of Homeland Security (DHS) designates elections systems as critical infrastructure, which mandates a host of regulatory standards and guidelines that must be adhered to or at least evaluated for applicability.  It’s important to understand how the NIST guidelines and CIS v7, for example, shape the development of your controls and the entire security program, but look for opportunities to go further with industry best practices.  Not only is this good fiduciary duty; it recognizes the fact that security “compliance” should not be the end goal.
The threat landscape is continually evolving; in some cases, faster than industry standards can be updated and implemented.  Solving these challenges requires building cross-functional teams, composed of regulatory (governance, risk, compliance) experts, security architects, and network engineers, and then empowering them to work collaboratively with elections operations teams in identifying evolving risk mitigation strategies that align with standards and push for higher security levels where appropriate.

Is the architecture defensible?

Elections infrastructure should be limited in scope to systems used strictly to support elections and not interconnected with other government systems or business networks.  Physical and logical separation (segmentation) are challenging to achieve but the upfront effort will make defending the system easier in the end.  Tightening and limiting the IT footprint not only makes regulatory and security compliance more achievable; it eases control complexity, simplifies traffic and data flows, and reduces noise in the system that could complicate monitoring for abnormalities, policy violations, and malicious activity during the election event. 
Understanding expected traffic patterns, implementing controls that enforce your policies, and adding in detection and prevention capabilities ought to be fundamental.  To be defensible, all of this must be manageable from a platform that offers full visibility, in near real-time, to all network and application activity and has advanced correlation with internal network activity and advanced external threat intelligence.

Are third-party suppliers, vendors, and clouds introducing unforeseen risk?

Choose partners and suppliers wisely and approach vendor risk methodically with rigor.  A chain is only as good as its weakest link, and so it is with interconnected systems.  Vendors should demonstrate cybersecurity maturity levels across their operations consistent with the elections system itself, otherwise they will have lowered the security of the entire system.  As an example, poor human resources security (like lack of continuous background checks) might enable a hostile insider access to the election system that could be used to compromise the integrity of the entire operation.
Additionally, it’s not safe to assume that any elections systems vendor is practicing sound security principles in their operations just because the election product itself is “certified” or because it has been marketed aggressively to the industry.  Look beyond the product itself and incorporate a broader assessment of the organization.  For a vendor to be trusted, demand full transparency of their environment and be on guard for any push back or claims of “proprietary information” that create barriers to understanding how their technology operates under the hood.
At a minimum, practice sound vendor management by ensuring that a vendor’s master service agreement requires appropriate security maturity levels and includes written legal authorization to verify any and all controls.  Negotiating these terms up front can help mitigate a wide range of security challenges and prevent misalignment of expectations as the vendor’s technology is integrated into the ecosystem.


The cybersecurity community must rise to the challenge of offering solutions that meet the demands of the coming revolution and risks of disruption of traditional voting models.  The constant drum beat of data breaches serves as a warning that the task is not easy.  Local governments and communities will need to invest heavily in order to build teams that are empowered to develop a mature election cybersecurity ecosystem.  These start with some of the basics mentioned here but ultimately will require creating an organizational culture attuned to security awareness and risk mindfulness at all levels.
By Shannon Brewster

Maersk CISO Says NotPetya Devastated Several Unnamed US Firms

At least two companies may have been dealt even more damage than the shipping giant, which lost nearly its entire global IT infrastructure.
The unprecedented 2017 NotPetya malware attack on global shipping giant Maersk has been well documented, but according to the organization's top cybersecurity executive, several other companies suffered equally if not even more devastating damage but have yet to publicly reveal the incidents.
Speaking at Black Hat Europe 2019, A.P. Moller Maersk A/S Chief Information Security Officer Andrew Powell said he believes globally approximately 600 companies were damaged by NotPetya around the time of the Maersk attack. Powell said that's because the source of the attacks was traced back to an application called M.E.Doc, a financial application that the Ukrainian government essentially requires any company to use if it is doing business in the country.
According to published reports, NotPetya was the key element in a nation-state-sponsored cyberattack campaign targeting the government of Ukraine. However, the malware proved to be far more virulent than a campaign confined to that target would suggest.
"Any company doing business in Ukraine and filing a tax return [in 2017] was hit," Powell said. "Very big companies in the U.S. got hit hard, two of them harder than us." Powell declined to name the companies and did not elaborate on how he came to know about these other organizations' NotPetya incidents. All told, estimates indicate the attack and recovery effort have cost Maersk nearly $300 million to date.
Published reports indicate NotPetya wreaked havoc all over the globe in nearly all industries. In the U.S., pharmaceutical giant Merck and shipping giant FedEx both lost more than $300 million from NotPetya as a result of cleanup and lost business.
Powell, a longtime information security executive, previously worked as a vice president for Capgemini, and spent nearly 30 years with the United Kingdom Royal Air Force, including serving as its CIO.
"We weren't alone," Powell said. "Maersk is one of the few companies that has been transparent about what happened. We haven't tried to disguise it or shy away from it."
An argument could be made, however, that Maersk had little choice. The Copenhagen-based shipping company, which transports approximately 20% of all global shipments, found itself virtually paralyzed by NotPetya in a matter of minutes.
Maersk NotPetya attack: What happened
In retrospect, Powell said, Maersk wasn't well prepared to cope with an attack as sophisticated and crippling as NotPetya. In early 2017, he said, its cybersecurity maturity, like many manufacturing and logistics companies, was relatively low. Even though digital processes had become critical to Maersk's day-to-day operations, computer networks and server infrastructure weren't considered mission critical; what really mattered, according to the company, was its high-profile physical assets such as ports, ships, and shipping containers. Hence digital assets were minimally protected.
So once a Maersk user in its Odessa office was infected, it spread through the Maersk global network faster than anyone imagined possible.
"Within seven minutes," Powell said, "most of the damage was done."
And that damage was staggering. According to Powell, NotPetya destroyed 49,000 laptops and more than 1,000 applications, knocked all printing and file-sharing systems offline, ruined its enterprise service bus and VMware vCenter cloud-management servers, and rendered its DHCP and Active Directory servers useless.
What proved to be especially devastating, Powell added, was that both its primary and backup Active Directory systems were taken out, a scenario Maersk never thought possible. "[NotPetya] was designed to destroy online backups specifically, preventing recovery using online backup methods," Powell said. "We had no copies of our Active Directory. We thought we had nothing to restart the network with."
How Maersk recovered
Fortunately, a stroke of good luck came when IT leaders learned that the company's Lagos office had suffered a power outage during the NotPetya attack. Its IT systems – including its copy of the company's Active Directory – were undamaged. The Lagos AD node was physically removed, flown to Copenhagen, and used to rebuild the rest of the network. However, the AD recovery process alone took more than a week. Clearly, Powell said, it was a scenario Maersk should have planned for. "Nine days for an Active Directory recovery isn't good enough," Powell said. "You should aspire to 24 hours; if you can't, then you can't repair anything else."
Meanwhile, during that time, Maersk had no way of knowing what was in its millions of shipping containers worldwide, or how to deliver them to their destinations. The result was a massive cascade of supply chain disruptions that rippled around the world. One well-known European retailer, Powell noted as an example, depends on Maersk for nearly all its shipments. In the wake of NotPetya, the retailer risked running out of clothes to sell in its stores.
The company's physical command-and-control recovery processes were far more capable, and Powell said the company initiated those processes to quickly retain control of its kinetic assets, prioritizing management of its temperature-controlled shipments.
From an IT perspective, Powell was surprised the solution that proved to be most helpful during the recovery was WhatsApp. Employees quickly connected with each other on their personal mobile devices, and used WhatsApp groups to share information, discuss problems, develop solutions, and share with others to put them into action.
"The employees created groups around the way they operated," Powell said, adding that it proved to be a silver lining following the incident. "We used WhatsApp to help rebuild our business processes, and ultimately the attack helped us redesign our business."
Lessons learned
Powell, who joined Maersk in June 2018 following the attack, said perhaps the most important lesson learned was that organizations must direct more IT resources into system recovery, especially offline backup capabilities. "Trust me, it is the best thing to invest in," Powell said, "because high-level nation-state cyberweapons will take out everything you have online."
Maintaining and ensuring data integrity must also be a focus of cybersecurity programs. Powell also said that attackers increasingly value data over infrastructure, and while any given attack campaign may appear focused on destroying data, the reality is that adversaries increasingly realize there is more value in simultaneously stealing the data and selling it later to the highest bidder.
Powell said specific technologies that Maersk has found to benefit from employing post-attack include endpoint detection and response, privileged access management, and a threat intelligence platform. Beyond any particular product, however, Maersk seeks to make cybersecurity a core tenet of its global day-to-day operations. As part of that effort, every employee in the company is now trained on cybersecurity, including what to do during a cybersecurity crisis.
"In Danish, safety and security is the same word," Powell said. "So it makes sense to put cybersecurity into our safety mindset. And that's really paying off for us."
Powell noted that while Maersk has dramatically improved its cybersecurity posture since the NotPetya attack, it is critical to understand that Maersk or any other organization could be hit with a similarly debilitating cyberattack at any time. Not only are nation-state-level cyberweapons falling into the hands of proxy adversaries, but these adversaries are probably already inside of most organizations, he said. "We have recognized at least three [nation-states] that have used a proxy to get into our network in the past six months, and they're doing that all around the globe."
By Eric Parizo, Senior Analyst, Ovum