[metaslider id=2951] … Read More
Archives for April 2017
SMEs Still Too Complacent About Cyber Attack
Still not taking cyber security seriously? If you’re running a small and medium-sized enterprise, it might be tempting to think that attackers have bigger fish to fry – but you fall into this trap at your peril.
Research published today by the British Chambers of Commerce makes that point articulately – one in five businesses in the UK has been the victim of a cyber attack over the past 12 months. The BCC does say that large businesses are more likely to have come under attack than their smaller counterparts, but 18 per cent of companies with fewer than 100 employees say they have been targeted.
This is hardly the first warning entrepreneurs have had about cyber attack. But all the evidence suggests only small numbers are taking steps to protect themselves. Overall, just 24 per cent of businesses have sufficiently robust cyber security protections in place to qualify for some form of accreditation, the BCC says. Amongst the smallest firms, the figure falls to just 15 per cent.
Nor do businesses have contingency plans for taking action when an attack does occur. Almost two-thirds say they would look to their IT provider to resolve issues following a breach.
“Cyber attacks risk companies’ finances, confidence and reputation, with victims reporting not only monetary losses but costs from disruption to their business and productivity,” warns Adam Marshall, the director-general of the British Chambers of Commerce.
“Firms need to be proactive about protecting themselves from cyber-attacks. Accreditations can help businesses assess their own IT infrastructure, defend against cyber-security breaches and mitigate the damage caused by an attack. It can also increase confidence among the businesses and clients who they engage with online.”
The BCC also pointed to the General Data Protection Regulation, new European Union rules on data security that come into force during 2018 and will affect all organisations. The regulation, which gives watchdogs the right to fine companies up to 3 per cent of their annual turnover for a failure, offers another imperative for businesses to take action, Marshall points out. The GDPR applies to all organisations, whatever their size.
“Businesses should be mindful of the extension to data protection regulation coming into force next year, which will increase their responsibilities and requirements to protect personal data,” he adds. “Firms that don’t adopt the appropriate protections leave themselves open to tough penalties.”
The BCC’s warning, though aimed at companies of all sizes, follows mounting frustration about the difficulty of persuading SMEs to confront the challenges of cyber security.
While the UK government has launched a range of initiatives aimed at helping SMEs to improve their cyber-security capabilities, with one recent scheme offering up to £5,000 to spend on cyber training and advice, take-up so far has been limited. Research published by Juniper last year found that 27 per cent of smaller businesses did not believe they were big enough to be of interest to cyber attackers, despite a series of reports revealing that even the very smallest companies have already been targeted online.
Today’s Phishing Attacks
The phishing landscape has undergone a major shift that’s affecting what is being attacked, targeting email addresses rather than user names, according to a new report. This news was reported in the “2017 Phishing Trends and Intelligence Report” by Joseph Opacki and Crane Hassold, both formerly with the FBI and now with PhishLabs. Exploiting human vulnerabilities continues to be the most attractive and successful path for targeting organizations’ and individuals’ assets, the report said. “Phishing was and continues to be, by a wide margin, the most prolific method used to distribute ransomware. Fighting back against ransomware requires fighting back against phishing,” the authors said. Last year, they analyzed 1 million confirmed malicious phishing sites that resided in 170,000 unique domains. They also investigated and mitigated 7,800 phishing attacks every month by identifying the underlying infrastructure used and then shutting them down. They also analyzed thousands of unique malware samples from 100 ransomware variants in 20 banking Trojan families. Key findings of the report follow.
Phishing attacks are growing in the US, but the statistic that was surprising to us, is that Canada was one of the hardest hit with a 237% increase in 2016.
10 Cyber Security Threats to keep you awake at night
Businesses have cause to celebrate the benefits of technology – but fear it as well – as cyber-security journalist Tom Reeve explains.
From word processing, accounting packages and emails to process automation, just in time shipping and online sales and marketing, the hardware and software that drives modern businesses have enabled massive jumps in productivity while driving down costs.
However, the very internet service (check this link right here now to know more) that enables your business – your entire IT infrastructure from the boardroom to the shop floor – may be hijacked by attackers to eat your organisation from within. This goes beyond losing control of your Twitter account or the front page of your website being defaced – it is a battle for your data and your money.
You may consider cyber-security as an IT issue or something that falls under the remit of the audit committee, but IT is everywhere and organisations ignore cyber-security at their peril – just ask TalkTalk, Tesco Bank and Camelot, to name just a few.
In a series of articles I will look at who these attackers are, what they are looking for and how you and your board of directors can fight back against the hackers.
But first, let’s take a quick tour through 10 of the biggest threats facing organisations, large and small.
1. Network infiltration is the basis for many high-profile attacks, and it involves exploiting weaknesses in software, systems, hardware or staff to gain privileged access to servers and workstations. There are many ways to hack your network and cyber-security experts will tell you that it’s not a matter of if you get hacked – but when.
Once the attacker has gained entry to a trusted device on your network, then he’s spoilt for choice: steal the data on the computer, spy on the user to glean further usernames and passwords to other devices, lock the user out (see ransomware) or exploit weaknesses in the corporate network to force his way into other machines. Or he could harness the machine as part of a botnet, using it to send spam or attack computers outside your network.
Last year, it was revealed that Australian government systems, including a branch of the Defence Department, had been infiltrated repeatedly in the past five years, leading to the loss of plans for a geostationary satellite system among other things.
2. Ransomware is pretty much what it says on the tin, a new wrinkle on an attack that’s about as old as humanity itself. Ransomware is notable for being the one cyber-attack that goes out of its way to advertise itself. While other malicious software conceals itself, ransomware only hides for as long as it takes to encrypt your files. Then it launches a big banner proclaiming your new status as its victim.
Ransomware creators are noted for their excellent “customer” service. Their business model relies on teaching the victim how to do something that they probably haven’t done before: purchase bitcoins. They often include tutorials and even videos detailing each step.
Angela Sasse, professor of human-centred security at UCL, has interviewed victims about their experience of being attacked, and she says they often rave about how helpful the ransomers have been. However, this is to miss the point: by paying them, you are supporting their criminal business model and the advice from law enforcement, at least officially, is not to pay.
3. Trojan horses are a class of attack in which the harmful payload is hidden inside another ‘beneficial’ program, the most insidious examples of this being programs that claim to rid your computer of viruses or fix common configuration problems. Once downloaded, they will often ask for administrator rights on your device, be it a desktop, tablet or mobile phone.
Having enslaved your machine, a Trojan will typically open a connection to the internet and attempt to connect to a command and control server. Sometimes it will lie dormant, making it harder to detect and investigate the source of the attack. But when he’s ready, the attacker can download his choice of malware including keyloggers for sniffing passwords, botnet controllers to turn your machine into a DDoS robot and network intrusion tools to gain access to other machines.
Some Trojans have even been known to eliminate the competition by installing antivirus software and cleaning out other malware it finds on its host. Trojans are an effective and popular way to control computers, and even intelligence agencies have been known to employ them.
In the past year we have seen Trojans which bypass security on the Chrome browser, target customers of online Russian banks and even one designed to manipulate currency rates.
4. Phishing is an attack on your staff aimed at luring them into giving away passwords and other sensitive information. Dressed up as an email from a trustworthy source, it can appear to come from someone the person knows such as a friend or colleague or a bank or government agency.
Through training and vigilance, the incidence of successful phishing attacks can be reduced, but even so, the most savvy of users can fall for this attack if they aren’t paying attention.
Phishing attacks are usually sent to thousands of users at a time, but a more refined version of the attack, called spear-phishing, targets individuals. After carefully researching their victim, often using sources such as social media and publicly available corporate records, the attacker will write an email that sounds as if the the sender knows the recipient personally.
Phishing and spear-phishing were used to gain access to the email accounts of Democratic Party officials in the US ahead of the presidential election, and is also the most common type of malicious email that most people receive. Learning to spot them is one of the most effective skills you can learn for online survival.
5. Whaling is considered a variation of phishing even though it doesn’t contain any malware. Instead, it seeks to deceive the recipient into believing that it was written by a trusted figure – such as the company boss or a supplier – with instructions for wiring money.
In one well-known case, Ubiquiti, a manufacturer of network devices, was scammed out of $46.7 million ( 37 million) by “an outside entity targeting the Company’s finance department. This fraud resulted in transfers of funds aggregating $46.7 million held by a Company subsidiary incorporated in Hong Kong to other overseas accounts held by third parties,” according to an SEC filing.
And slightly closer to home, last year, two European manufacturers – Leoni AG and FACC – lost €40 million each in separate whaling attacks. In the case of FACC, the CEO and CFO were both sacked.
6. Supply chain attacks come from trusted suppliers who have privileged access to your corporate network. Organisations often trust their suppliers with sensitive information and access to their internal affairs while forgetting that suppliers don’t always have perfect control over their own IT networks.
To mitigate the risks of supply chain data leaks, it could be beneficial to use technology such as supply chain software that can restrict access to sensitive information while also tracking who is retrieving the data from the system. A little bit of carefulness and tech upgrades could help to reduce supply chain attacks while also making inventory management an easier task for the employees.
In one well-known case in 2013, Target Stores in America was compromised by an HVAC service provider which had access to the retailer’s internal networks through a purchase order management system. Attackers gained access to Target through the HVAC supplier and then waited several months, until the Black Friday shopping weekend, to launch a massive attack against thousands of point-of-sale terminals, stealing details on 110 million people.
7. Zero-day vulnerabilities are a class unto themselves. All software packages are thought to have vulnerabilities, and responsible developers patch them as quickly as they can once they become aware of them. Responsible disclosure is a process whereby security researchers inform companies of the problem and give them the opportunity to patch the problem before it is announced to the wider computing community.
However, malicious researchers, sometimes called black hats, don’t disclose vulnerabilities when they discover them because hidden vulnerabilities are valuable. Zero-days – so-called because developers have zero days to respond to them – are traded by criminal groups and even nation states for up to half a million dollars in some cases.
However, most organisations don’t need to worry about zero-days for the simple reason that they only retain their value for as long as they remain unknown. The more a zero-day is used, the more likely it is to be discovered. Organisations need only ask themselves, are we worth a zero-day attack? If not, move on – there are enough other things to worry about.
8. Vulnerable equipment and software is less about deliberate attacks and more about manufacturers’ sloppy security practices. In the rush to get a product to market, or keep costs as low as possible, security often takes a backseat.
When acquiring new hardware or software, ask yourself if you can trust the supplier. A little research on the internet can reveal whether the manufacturer has been cited in many security research reports. You may also want to hire Denver IT services or others in your location so that there’s someone to keep an eye on everything software-related.
Not only should you look for reliable equipment and software, but you should also look for an ISP who will not misuse your data. You can use a VPN on your device to secure your data as well. It’s best to go with a reputable internet service provider (like viasat satellite internet). You can also consider the add-on features provided by many ISPs, such as providing an internet connection in addition to antivirus, to protect your device from external malware.
Even brand names are not immune. It was recently revealed that Honeywell SCADA controllers – network-connected devices for controlling industrial processes – contained insecure password data and were also vulnerable to “path traversal” attacks. And CISCO regularly publishes security alerts alongside software updates, detailing vulnerabilities that it has discovered and fixed.
9. BYOD are those personal devices that staff use to connect to your network. Whether it’s a mobile phone or a tablet, every time you allow a member of staff to connect their device to your network, you are shaking hands with a computer of unspecified pedigree and unknown hygiene.
Consider why you are allowing these mobile devices to access your network, and if it is just to allow them to use the Wi-Fi, consider setting up an isolated network for this purpose.
10. Denial of service is an attack that can bring your website or cloud services grinding to a halt. A common attack method, known as distributed denial of service (DDoS), typically employs a botnet of thousands of compromised computers to flood a victim’s server with packets of useless information.
The target becomes bogged down in the sheer number of requests it is forced to handle in attacks lasting minutes or days, slowing and sometimes crashing the device.
In a new wrinkle on this tried and tested attack, attackers are using the Mirai malware to take over internet-connected CCTV cameras and digital video recorders and launching the biggest DDoS attacks ever seen. Last year, Twitter, Spotify, Netflix, Amazon and Reddit were among the many websites taken offline for several hours by an attack on the Dyn DNS service which appears to have been enabled, at least in part, by a Mirai botnet.
So there you have it – ten cyber-threats facing your organisation.
Cerber Ransomware Now Evades Machine Learning
From Dark Reading
New variant has been broken into separate harmless-looking components to fool ML-based detection systems, Trend Micro says.
Cybercriminals have repeatedly shown an ability to innovate past whatever security controls organizations and industry have been able to throw in their way. So it is little surprise that some have begun taking a crack at machine learning tools.
Researchers at security vendor Trend Micro recently discovered a new version of the Cerber ransomware sample that appears designed specifically to evade detection by machine learning algorithms.
“The Cerber changes are really interesting as they’re a direct response to changes in how some products are detecting malware,” says Mark Nunnikhoven, vice president of cloud research for Trend Micro.
The newest version separates the different stages of the malware into multiple files and dynamically injects them into a running process, he says. “This helps to conceal them from various detection methods.”
Like other ransomware threats, the new version of Cerber also is distributed via email. The email contains a link to self-extracting archive stored in a Dropbox account controlled by the attackers. The archive contains three files—one containing a Visual Basic script, the second a DLL, and the third, a binary file. The script is designed to load the DLL, which then reads the binary file and executes it. The binary file contains a new loader for Cerber and also the configuration settings for the malware.
The loader first checks to see if it is running in a sandbox or other protected environment. If it discerns that it’s not in a protected environment, it injects the entire Cerber binary into one of several running processes, Trend Micro said in an alert this week.
“In their current form, some static machine learning-tools can have a hard time seeing the various pieces of the new configuration of Cerber,” Nunnikhoven says. The malicious parts of it don’t get analyzed, so the malware doesn’t get flagged.
The reason is that static machine learning approaches look at the content of a file and evaluate the contents to see if they match malicious behaviors and attributes, he says.
But if the malicious content of the file is hidden for instance via encryption, or it is injected in real-time into a legitimate process, the content is not evaluated for suspicious behavior and attributes, he says.
“Say someone walks up to the door and they’ve got their hands behind their back. You look through the peephole and don’t see an immediate threat so you let them in,” he says. You don’t know until they are already in the house whether whatt they have in their hands is malicious or benign.
The latest innovations only make Cerber harder to detect via machine learning algorithms, he says. It can still be detected by other mechanisms. “The take-home message is that only using one technique to detect malware leaves you vulnerable if the criminals adapt to it.”
News of Cerber’s latest tricks comes even as a new report from Carbon Black shows that many organizations remain unconvinced about the benefits of applying artificial intelligence and machine learning techniques to detect and stop cyber threats.
Nearly 75% of 410 security researchers that Carbon Black surveyed for the report describe AI-driven cybersecurity tools as being flawed, while 70% are convinced cyberattackers are capable of bypassing machine learning-based systems.
Mike Viscuso, co-founder and CTO of Carbon Black, says many current machine learning-based anti-malware tools are designed to stop attacks based on an inspection of files rather than behavior. They therefore miss the growing number of attacks that involve no malware files at all, he says.
Static, analysis-based approaches relying exclusively on files have been useful in the past. AI and ML-based tools can be useful in augmenting human decision-making and in spotting non-obvious relationships in massive volumes of security data. But they are of somewhat limited use in detecting non-malware attacks, he says.
Rather than using ML tools to look at individual files, organizations should be monitoring application and service activity, communications among processes, unauthorized requests to run applications, and changes to permission and credential levels, Vicuso says.
“If security tools are looking for just malware, they are missing an entire class of attacks that rely on native operating system tools to carry out nefarious actions. Attacks are evolving. So should [be] our defenses.”
Scam of the Week: The Evil Airline Phishing Attack
Our friends at Barracuda run their Email Threat Scanner over hundreds of thousands of customer mailboxes and discovered a highly effective phishing attack that tricks a whopping 90% of the victims. You need to tell your users about this right away.
The campaign targets companies that deal with frequent shipping of goods or employee travel, for instance logistics, shipping, or manufacturing, but almost any organization has people that frequently visit customers or business partners.
The phishing attack targets these employees, and the attackers do quite a bit of research before sending the phishing emails. The messages are constructed with subject lines and bodies that include destinations, airlines, and other details that are specific to each victim, helping them appear more authentic. Here is an example subject line:
Fwd: United Airlines: Confirmation – Flight to Tokyo – $3,543.30
“After getting the employee to open the email, the second tool employed by the attacker is an advanced persistent threat embedded in an email attachment. The attachment, usually a flight confirmation or receipt, is typically formatted as a PDF or DOCX document. In this attack, the malware will be executed upon the opening of the document,” Asaf Cidon, vice president of content security services at Barracuda, said in a post explaining the attacks.”
To start with, send this to all employees, no matter if they travel or not. Feel free to copy/paste/edit:
There is a new spin on an existing phishing scam you need to be aware of. Bad guys are doing research on you personally using social media and find out where and when you (might) travel for business. Next, they craft an email especially for you with an airline reservation or receipt that looks just like the real thing, sent with a spoofed “From” email address that also looks legit.
Sometimes, they even have links in this email that go to a website that looks identical to the real airline, but is fake. They try to do two things: 1) try to steal your company username and password, and 2) try to trick you into opening the attachment which could be a PDF or DOCX. If you click on the link or open the attachment, your workstation will possibly get infected with malware that allows the bad guys to hack into our network.
Remember, if you want to check any airline reservations or flight status, open your browser and type the website name in the address bar or use a bookmark that you yourself set earlier. Do not click on links in emails to go to websites. And as always…. Think before You Click!
What To Do About It
Barracuda recommends the following. (Here at KnowBe4 we call it defense-in-depth but it is the same concept):
“Companies should use a multi-layered security approach to block this type of attack.
- The first layer is sandboxing. Effective sandboxing and advanced persistent threat prevention should be able to block malware before it ever reaches the corporate mail server.
- The second layer is anti-phishing protection. Advanced phishing engines with Link Protection look for links to websites that contain malicious code. Links to these compromised websites are blocked, even if those links are buried within the contents of a document.
- The third layer is employee training and awareness. Regular training and testing of your employees will increase their awareness and help them catch targeted attacks without compromising your internal network.”
We could not agree more.
If you want to spend less time putting out fires, get more time to be proactive, and get the things done you know need to be done, step your employees through effective security awareness training. It will help you prevent compromises like this or at least make it much harder for the bad guys to social engineer your users. More than 9,000 of your peers are using KnowBe4. Find out how affordable this is for your organization.
Contact us for more information.