Comments on the Travelex ransomware incident
- Last Updated: Friday, 10 January 2020 09:29
- Published: Thursday, 09 January 2020 08:53
As has been widely reported, the Travelex foreign exchange company has experienced a long-running business continuity incident due to cyber criminals using ransomware to obtain control over Travelex IT systems. In response to the incident Continuity Central has been gathering comments from cyber resilience providers…
James Smith, Principal Security Consultant and Head of Penetration Testing at Bridewell Consulting:
Transparency is key in maintaining customer trust, especially for firms like Travelex in the financial services industry.
Travelex has taken a long time to inform customers about what’s taken place, and placing a press statement on the website days after the event simply isn’t enough. Financial services firms like Travelex have a responsibility to their customers to keep them informed even if no data has been lost. This is especially important in light of the 2018 breach the company suffered in which the personal details of 17,000 customers were exposed.
It’s important to learn from past incidents and build those learnings into a cyber response / resilience plan. Having the right processes in place are critical in being prepared for an attack. This includes technical aspects like replicating data, off-site backups, network segregation, firmware updates and even regular penetration testing. It also covers response — not just in fixing the issue, but in informing the wider business, the media, and most importantly customers.
The first thing to learn from this is that all organizations are at risk because everyone has something of value to lose. Whether that’s access to systems, intellectual property or customer data.
The second thing to learn is that having a plan in place to mitigate risk is essential. Prevent, detect, respond. Those are three key elements to live by and should cover everything from the business impact of an attack, technical considerations on how to prevent them, as well as how you’d respond to stakeholders in the event of an attack, customers, staff, the ICO, etc.”
Whether companies should pay the ransom always sparks debate — but the negatives always outweigh the positives. If you pay, in theory, you regain access to your data and systems and business can continue. However, there’s no guarantee you’ll actually get access restored. There’s also no guarantee that the data hasn’t been stolen already, before it was encrypted. This is happening more and more in the industry and the likelihood that the data will be sold or stored by the hacker is great. Then of course there are the wider ethical considerations about paying attackers who could use the money to fund other criminal enterprises.
If organizations have the right plans in place, such as replicating their data, having off-site backups and segregated networks, for example, the likelihood of having to answer the ‘pay or not pay’ question is greatly reduced.
David Emm, Principal Security Researcher at Kaspersky:
The ongoing impact of this security breach serves as a stark reminder for businesses to adopt and maintain robust cyber security policies and procedures – given that sustained attacks of this nature seriously drain a company’s resources and profits, and the amount of work involved to get a company back up and running. Even if a company on the receiving end of a ransomware attack declines to pay a ransom, cleaning up its systems, restoring data and ensuring business continuity is an involved and costly process.
This development also poses the question: should companies ever pay a ransom to cyber criminals? Whilst the decision to pay to restore valuable data is entirely a decision for the victim, it is important to remember the following: you can never entirely trust cyber criminals to keep their end of the deal, and in paying large sums to them, you are helping to fund cyber crime and making ransomware a more lucrative business in the future.
The best way for an organization to combat cyber attacks is by putting in place an effective cyber security strategy before becoming a target. Kaspersky recommends that businesses do the following in order to avoid ransomware attacks:
- Secure the business using robust security solutions, and keep all software up to date.
- Make sure to apply security updates to your operating system and applications as soon as they are available.
- Regularly run a system scan to check for possible infection.
- Back up valuable information.
- Ensure that access to corporate systems is secure and that robust authentication mechanisms are in place, including the use of two-factor authentication.
- Educate your employees about the risks associated with opening up dangerous email attachments from unknown sources, as well as the importance of maintaining strong passwords.
ThreatConnect CEO, Adam Vincent:
Financial institutions are a lucrative target – they hold highly sensitive information and have a mandate to protect the personal information of their customers.
When faced with a ransomware attack, financial institutions have two choices – cave to demands or try and fight back.
No company is immune from the dangers of being compromised. It’s essential that any potential target understands as much as they can about the threats they face.
While financial services institutions tend to operate with security front of mind, there is still an opportunity to collaborate more within the industry and increase intelligence sharing so they understand as much as they can about the threats they are facing.
For example, what types or variants of malware have been used to steal, delete, or ransom personal identifiable information or IP specific to financial services? What ransomware has been used in attacks against other organizations within the industry? How does this ransomware work and how does it ransom the targeted data?
Ultimately, the more you know, the better and quicker you’ll be able to respond to a new threat.
Alan Stewart-Brown, VP of EMEA, Opengear
It is likely that the ransomware found a way into a vulnerable part of the network and then distributed itself across the entire network which is why Travelex needed to shut the whole thing down to prevent any further spread or damage. This is likely to have caused a long delay in fixing the problem as it is unlikely that they would have had enough skilled technical staff to quickly travel to their various remote sites or branches and to determine which specific pieces of equipment had been affected by the Ransomware and to then isolate that particular part of the network.
If Travelex had deployed Network Resilience technology such as smart out of band systems (OOB) to use at their remote sites or branches this could have allowed them to air gap the network from the outside world and remotely diagnose and determine which specific equipment had been affected and then keep that totally isolated, whilst they brought any unaffected parts of the network back online to at least get a partial network running to ensure that essential services were able to be maintained.
A recent example is the Wannacry virus with the NHS – large portions of the infrastructure was taken down to prevent spreading further, with there not being enough people to deal with the scale of the attack. Technology such as out of band could be used in this circumstance to take the network offline briefly, figure out what equipment had been affected, patch this to prevent the risk of any further issues and then bring the essential services online in an ordered fashion.