Stop saying yes

We learned last year that the Russian Carbanak hacking group were planning to target hospitality businesses. We learned this week that they’re succeeding, and extracting ransom (or causing disruption) at luxury hotels all over the place, including in Britain.

What incredibly sophisticated technique are they using to penetrate security? Are there basements full of hollow-eyed Russian nerds frantically typing into keyboards as they try to “penetrate the firewall”? Are they sending agents dressed as ninjas to sneak in at night and plant devices on the target network?

Of course not. This isn’t Hollywood. They’re sending out spam emails with Microsoft Office document attachments. Users at the target are opening these emails, double-clicking the attachment, and then clicking on “OK” when asked to enable macros. Then, because the targets rarely seem to have any sensible cyber-security in place, the newly-enabled macro has write access to most of the network and can merrily trundle off encrypting documents and installing backdoors.

What’s the answer? It’s not rocket science.

1. Train users not to open these emails in the first place. Have someone sensible to whom they can forward emails about which they’re uncertain.
2. Train users not to open documents in unsolicited emails. Really. Just don’t open them. If it’s actually a real invoice from a previously unknown supplier, guess what? They’ll call you soon enough when you don’t pay it.
3. TRAIN USERS NOT TO CLICK “OK”. No document you receive by email should EVER need macros, or any other enhanced rights. Just routinely click “Cancel” (or “No”) when you get a dialog box you don’t understand. Make sure IT support know you’re going to do this, so that they can intervene if there is a dialog box that actually needs you to click OK.
4. Don’t give users local admin rights. If your software requires it, send the software back and tell the vendor to join us in the 21^st century. Or, in fact, the 20^th, frankly.
5. Restrict access to your network. No-one needs write access to everything. Senior staff need very little access to anything (because they should get their information through their direct reports). Almost no-one needs “modify” rights, and those should be assigned document by document. Think about it. How often do you modify a document, as opposed to opening one, or creating one, or saving a new version? No modify right = no ransomware.
6. Upgrade to Microsoft Office 2016. I know. I don’t usually shill for Microsoft on here, but in this case it’s the first version of Office that really lets you turn off this STUPID macro-enabled document feature, and that’s worth the effort.
7. Actually spend some money on cyber-security (or better, on information assurance, which is what cyber becomes when it grows up). Try to do this before you’ve suffered a painful attack.

And breathe.