Kidnapping a Library
How Ransomware Taught the British Library to Follow Well-Known Best Practices
Brian Myers, PhD, CISSP, CCSK

Experience
20 years in software development
9 years in information security
Past Positions
- Director of InfoSec, WebMD Health Services
- Senior AppSec Architect, WorkBoard
- Senior Risk Advisor, Leviathan Security
Current Work
- Independent Information Security Consultant
- Co-organizer, OWASP AppSec Days PNW
- SafetyLight LLC

Goals
- Understand what happens in a ransomware attack
- Improve our own disaster recovery planning

Agenda
- The British Library
- The Attack
- The Consequences
- Lessons Learned

The British Library

Manuscripts and Books

History: regularly acquiring disparate collections
- 1972: British Museum books
- 1970s: Newspaper Library; Patent Office Library
- 1982: India Office Library
- 1983: National Sound Archive
- 2004: UK Web Archive; Endangered Archives
- 2000s: Digitization partnerships
- 2013: Non-print Legal Deposit Library

Many objects
Manuscripts, Books, Maps, Images, Theses, Journals, Newspapers, Stamps, Patent Records, Sound Archives, Archived UK Websites, Wax Seals from the Magna Carta, Tibetan Prayer Wheels, Chinese Oracle Bones, Anglo-Saxon Sword, Hebrew Astrolabe (14th c.), Ancient Roman Wax Tablets

How Big is the British Library?
- Printed items: 170 million
- Bookshelves: 466 miles, +6 per year
- Web pages: 1.56 petabytes
- Staff: 1700 people (librarians, researchers, IT, administrative staff)
- Annual Budget (2023): 142 million ($200m)

What Information Systems Does the Library Have?
- POS systems on site: cafe, gift shop
- Collections: digital archives, online catalog(s)
- Public-facing website: online learning materials, reader registration, digital archive access
- Internal network: firewalls, terminal servers
- Office systems: HR, payroll, email, file shares

What's the Library's Infosec Program Like?
- Firewalls (Sophos XG)
- MFA
- Incident Response Plan
- Risk Register
- CIS hardening standards
- Routine security assessments
- MDM on endpoints
- PCI encryption for credit card data
- Business Continuity Manager
- Corporate Information Governance Group (CIGG)
- Security roadmap (plans to address known risks)
- Regular risk assessment activity
- "Cyber Essentials" assessment passed in 2019
- Recently upgraded Terminal Services server

The Attack

Rhysida's Modus Operandi (Source: CISA Cybersecurity Advisory, Nov 15 2023)
GAIN ENTRY
- Leverage external-facing remote services (such as VPNs)
- Phish
- Authenticate with compromised valid credentials. (Often lack of MFA makes this easier.)
LOOK AROUND
- Evade detection by "living off the land."
- Lateral movement with built-in tools: ipconfig, RDP, PowerShell
- Steal data for double extortion
ATTACK
- Inject ransomware into running processes
- Encrypt files, adding the .rhysida extension
- Create a ransom note PDF with payment instructions
- Delete the ransomware

Timeline of the attack (Date: Event)
- Oct ?: Rhysida gets credentials for a third-party account with access to the BL network
- Oct 25 (late Tue): Attacker logs in through Terminal Services
- Oct 26, 1 AM: Automatic alert investigated; nothing found
- Oct 26, 7 AM: Further investigation; account re-enabled with new password
- Oct 26-28: Attackers explore the network: copy full sections of network drives; search across files for keywords ("passport", "confidential")
- Oct 28 (Sat), 1:30 AM: 440 GB of network traffic leaves the library network
- ?: Ransomware runs; attackers "destroy servers"
- 7:35 AM: IT outage. Ransomware confirmed.
- 9:15 AM: Incident declared

Systems Down. Business Halts.
Reader registration, online catalog, book requests, access to digital assets, deliveries from Yorkshire, environmental monitoring, phone line, network access, Wifi, website, exhibition ticket sales, gift shop sales

The Consequences

Response timeline
- Sat Oct 28, 9:15 AM: Incident declared
- 10:00 AM: Crisis Response Team convenes on WhatsApp
- Mon Oct 30: Library re-opens in "a pre-digital state"; confirmed that all onsite backups were encrypted
- Wed Nov 1: All corporate desktop/laptop use ceases
- Tue Nov 14: BL confirms that a ransomware attack has occurred
- Wed Nov 15: BL confirms personal data of users and staff was stolen; still determining the full extent of the attack
- Mon Nov 20: Rhysida puts 10% of the stolen data up for sale (20 BTC)
- Mon Nov 29: Rhysida dumps the remaining stolen data

Aftermath: What Exactly Did the Attackers Do?
THEFT
- Files from the Finance, Tech, and HR departments
- Some personal staff files
- Included contact info for some staff, partners, and customers
DESTRUCTION
- Destroyed data
- Encrypted files and backups
- "Destroyed servers"
- Aggressively deleted logs and partitions, rendering some servers inoperable and unrecoverable

Which Systems Were Most Affected?
(Diagram: Users, VPN, Data Center; most affected systems: Email, Finance, Library Management System)

Recovery Plan
March 2024
- Access to only 50% of physical collections; even staff access is limited
- Website down
- Digitization activity paused
- Digital collections still being brought back
- No access for researchers to journals, databases, theses
- "Print legal deposit" received but not processed
- Failing terms of the Sound Heritage grant because access is down
October 2024

Lessons Learned

Root Cause
- Complex network topology failed to contain/restrict attacker activity
- Older applications rely on manual ETL processes for data transfer, increasing the volume of customer and staff data in transit on the network through unsecured processes
- Legacy infrastructure is the primary contributor to the length of time that the Library will require to recover.

Lessons Learned
1. Enhance network monitoring
2. Retain on-call security expertise
3. Fully implement MFA
4. Enhance intrusion detection
5. Implement network segregation
6. Practice comprehensive business continuity plans
7. Maintain a holistic view of cyber risk.
8. Manage systems life cycles to eliminate legacy technology.
9. Prioritise remediation of issues arising from legacy technology
10. Prioritize recovery alongside security.
11. Increase cyber-risk awareness and expertise at the senior level.
12. Regularly train all staff in evolving risks.
13. Manage staff and user well-being in incident plans. Deeply upsetting to staff and users whose work is disrupted and compromised.
14. Review acceptable personal use of IT. Allowing personal use of network storage increases attack intrusiveness for staff members.
15. Collaborate with sector peers.
16. Implement government standards. Review and audit often.

Lessons mapped to NIST SP 800-53 controls (#: Item: NIST #: NIST Name)
- 1: Enhance network monitoring: SI-4: System Monitoring
- 2: Retain on-call security expertise: IR-7: Incident Response Assistance
- 3: Fully implement MFA: IA-2: Identification & Authorization
- 4: Enhance intrusion detection: SI-4: System Monitoring
- 5: Implement network segregation: AC-4: Information Flow Enforcement
- 6: Practice comprehensive business continuity plans: CP-2: Contingency Plan
- 12: Regularly train all staff in evolving risks: AT-2: Literacy Training & Awareness
- 16: Implement government standards; review and audit often: CA-7: Continuous Monitoring
- 13: Manage staff and user well-being in incident plans: IR-4: Incident Handling
- 14: Review acceptable personal use of IT: PL-4: Rules of Behavior
- 8: Manage systems life cycles to eliminate legacy technology: SA-3: System Development Lifecycle
- 9: Prioritise remediation of issues arising from legacy technology: SI-2: Flaw Remediation
- 10: Prioritize recovery alongside security: CP-10: System Recovery and Reconstitution
- 7: Maintain a holistic view of cyber risk: RA-3: Risk Assessment
- 11: Increase cyber-risk awareness and expertise at the senior level: PM-1: Program Management; PM-9: Risk Management Strategy; RA-1: Risk Assessment Policies

Remediation Actions
INFRASTRUCTURE
- Rebuild legacy servers.
- Segment the network.
- Embrace the cloud.
- Provide robust and resilient backups.
- Enhance on-premise MFA capabilities.
- Enhance privileged access management (PAM).
MANAGEMENT
- Clear policies, procedures, and SoPs
- Standardization in development
- Compliance with mandated standards
- Stronger and more embedded governance structures

New Risks Acknowledged
- Increased risk from new attackers from having publicly fallen victim
- Cultural change: risk that the desire to return to normal business quickly will compromise plans for change
- Risk of inadequate staffing for cyber-security and cloud engineering
- Lack of understanding of complicated legacy systems may inhibit the pace of recovery or lead to sub-optimal decisions. (Need informed diagnosis, visionary planning, and good management objectives.)
- Risks of failure to understand and account for risks in new (cloud-based) infrastructure

"Substantial disruption of attack creates an opportunity to implement significant structural changes in ways that would otherwise have been considered too disruptive to countenance."

Resources
- Learning Lessons From the Cyber-Attack (British Library)
- British Library Annual Report and Accounts 2023/24
- #StopRansomware Guide (CISA)
- SentinelOne's explanation of Rhysida ransomware
Brian Myers, briansafetylight.dev
29、uption of attack creates an opportunity to implement significant structural changes in ways that would otherwise have been considered too disruptive to countenance.”ResourcesLearning Lessons From the Cyber-Attack(British Library)British Library Annual Report and Accounts 2023/24#StopRansomware Guide(CISA)SentinelOnes explanation of Rhysida ransomwareBrian Myers briansafetylight.dev