Symtrex Inc.

Cyber Security Specialist

Call - 866-431-8972 | Send an Email | Request a Quote
Visit Us On FacebookVisit Us On TwitterVisit Us On Linkedin

Profile

Many businesses continue to leave their doors wide open to unsophisticated attackers, research shows

by

From Bitdefender – Flip Truta

New research reveals that cyber-attacks by unsophisticated hackers this year have successfully exploited vulnerabilities that many of the world’s famed businesses were already aware of but did nothing to fix.

Despite upcoming laws that will charge them millions in penalties if found non-compliant, many businesses worldwide continue to neglect standard security procedures.

The latest evidence comes from the 20th annual EY Global Information Security Survey (GISS), which breaks some disconcerting news regarding the willingness of big businesses to beef up security.

While the surveyed companies weren’t named in the report, the research was conducted with the aid of “1,200 C-level leaders of the world’s largest and most recognized organizations.” Here’s what EY found:

Only 56% of those surveyed are changing or planning to change their strategies due to the increased impact of cyber threats. Even though most organizations are spending more on cybersecurity, only 12% expect an increase of more than 25% this year.

Potential damage from a cyber-attack isn’t always immediately obvious, yet 64% say an attack that “did not appear to have caused any harm” would not likely persuade the powers-that-be to spend more on cybersecurity.

Many, however, recognize that lack of adequate resource allocation can increase cybersecurity risks. As many as 20% of respondents admit they do not have enough of a grasp on current information security implications and vulnerabilities to decide what needs to be done.

Cybersecurity budgets are bigger in organizations that place dedicated security officers in key lines of business, as well as in companies that report on cybersecurity to the board audit committee at least twice a year. Some companies also seek the counsel of cybersecurity lawyers from Sidley Austin (https://www.sidley.com/en/services/privacy-and-cybersecurity) or similar law firms that can offer their legal guidance and support through data security breaches of all dimensions.

However, while 50% report to the board regularly, only 24% say the go-to person with responsibility for cybersecurity sits on that board. Moreover, only 17% of respondents say boards have enough of a grasp on IT security matters to properly assess the effectiveness of preventive measures.

The report also reveals, perhaps most importantly, that common attacks described as “cyberattacks carried out by unsophisticated, individual attackers” have successfully exploited vulnerabilities that many of the surveyed organizations were aware of. According to EY analysts, this finding points to “a lack of rigor in implementing standard security procedures.”

Other findings include:

  • Malware and phishing are regarded as the most prolific threats in the past 12 months
  • Careless, unaware and/or malicious employees are seen as the most significant increasing vulnerability to organizations’ security
  • 75% rate the maturity of their vulnerability identification as “very low to moderate.”
  • 12% say they have no formal breach-detection program
  • 35% describe their data-protection policies as ad-hoc or non-existent
  • 38% either have no identity and access program or have not formally agreed on such a program.
  • 57% of respondents have an “informal” threat intelligence program or do not have one at all
  • just 12% of respondents can confidently say they can detect a sophisticated cyberattack targeting their organization

If you have questions or would like to discuss how to improve your security posture – contact us.

SyncCrypt ransomware able to sneak past most antivirus defenses

by

From SC Magazine – August 17, 2017 – Doug Olenick,

A new ransomware called SyncCrypt is using a unique method of downloading the malicious files that makes it very hard for an antivirus program to detect.

SyncCrypt was detected by Emisoft researcher xXToffeeXx, reported Bleeping Computer,  and is spread via spam emails containing an attachment with .wsf (Windows Script File) files. What is unusual about this, other than a .wsf file being used – which is rare – said Bleeping Computer founder Lawrence Abrams, is the .wsf will download an image with embedded .zip files containing the ransomware.

“This method has also made the images undetectable by almost all antivirus vendors on VirusTotal,” Abrams said.

Once the email is opened and the target decides to open the attachment, the social engineering plan being used has the document being listed as a court order, a JavaScript script activates that downloads the image. If the victim clicks on the downloaded image the cybercriminal’s sense of humor, or perhaps musical taste, appears when an image of Olafur Arnalds’ album titled “& They Have Escaped the Weight of Darkness” is shown.

However, whether or not the image is opened the .zip file is downloaded and its contents, a sync.exe, readme.html and readme.png, are extracted, Abrams said. The good news is that while image file tends to pass through most antivirus files contained inside the .zip file are more susceptible to detection. Although Bleeping Computer found that VirusTotal still detected them less than 50 percent of the time.

If properly installed the files are encrypted with a .kk extension and then the ransom note appears giving the victim 48 hours to pay about 0.1 bitcoin.

At this time there is no way to decrypt the files and the best defense is to ensure all files are properly backed up.

Two Dangerous Ransomware Are Back – Protect Your Computers

by

From the Hacker News – Swati Khandelwal

Ransomware has been around for a few years but has become an albatross around everyone’s neck—from big businesses and financial institutions to hospitals and individuals worldwide—with cyber criminals making millions of dollars.

In just past few months, we saw a scary strain of ransomware attacks including WannaCry, Petya and LeakerLocker, which made chaos worldwide by shutting down hospitals, vehicle manufacturing, telecommunications, banks and many businesses.

Before WannaCry and Petya, the infamous Mamba full-disk-encrypting ransomware and the Locky ransomware had made chaos across the world last year, and the bad news is—they are back with their new and more damaging variants than ever before.

Diablo6: New Variant of Locky Ransomware

locky-ransomware-decrypt-files

First surfaced in early 2016, Locky has been one of the largest distributed ransomware infections, infecting organisations across the globe.

By tricking victims into clicking on a malicious attachment, Locky ransomware encrypts nearly all file formats on a victim’s computer and network and unlocks them until the ransom in Bitcoins is paid to attackers.

The ransomware has made many comebacks with its variants being distributed through Necurs botnet and Dridex botnet.

Read the full story ->

To find the best endpoint security tools, focus on these features

by

Finding the best endpoint security for your enterprise is a complex, ever-changing task. Learn what features tools offer now to protect endpoints touching the enterprise systems.

By Kevin Tolly – Tolly Group

When McAfee was formed in 1987 to sell the first commercial antivirus package, it set a baseline approach that has persisted to this day: Have a list of character strings that are unique to particular viruses and then scan files (and those files in memory) for the strings. Generally, if the scanner found one of the strings (the virus’s signature), it had very probably found a virus.

As other vendors emerged, they battled over their effectiveness at various aspects of this passive scanning approach. They focused on compiling the biggest, most comprehensive database of virus and malware signatures. The best endpoint security software available simply scanned for “bad” signatures every time a file was downloaded or opened. We use custom software development services so we know we’re getting the best software that we need for our business. Vendors would boast about having better research teams to catch more viruses.

A number of additional virus-hunting techniques were introduced over the years — heuristic scanning to deal with polymorphic viruses that purposefully avoided having consistently scannable signatures, allowing the software to run but cordoning off its requests to the operating system to watch for malicious behaviors, and the introduction of reputation-based ratings to score the likelihood that a given executable could be relied on to be safe. But the basic pattern held: A monolithic software package at the endpoint watched all the new files and called out known bad actors.

Recently, though, the enhancements have begun to overtake the core static scanning components of antivirus software. “Next-gen” endpoint security tools have emerged as a new product category with specific characteristics.

Real-time a defining trait of next-generation endpoint security

Signature files are static and threats are dynamic. At a certain point, it simply became impractical (if not impossible) to update signature files incessantly and instantaneously in an attempt to contend with zero-day threats. These are by definition threats that no virus collector has yet catalogued as of the moment they are launched.

So, if anything, “real-time” is the defining characteristic of the best endpoint security offerings in the next generation of tools. For many products, this means jettisoning the endpoint-resident signature file altogether and using different means to ferret out viruses and malware.

Analysis replaces signature matching

In next-gen tools, the best endpoint security offerings replace signature matching with analysis (in real-time, of course). Different products, naturally, will analyze different aspects and attributes to determine if a piece of code represents a threat to the endpoint.

Some of the analysis techniques have evolved from traditional endpoint products. For example, reputation analysis has been in use for a number of years. This technique generally involves searching a database containing lists of known “bad actor” IP addresses and websites that have been confirmed to be sources of malware.

For some traditional vendors, moving to next-gen tools means taking various techniques that they have developed over the years within their traditional product line and integrating to provide a more effective solution.

Many security products will evaluate multiple attributes of a piece of code. Each piece of information would be used to build a risk score that, ultimately, would help the tool determine whether the code should be blocked. One next-gen vendor claims to have developed over six million possible indicators of malware and uses that information to determine whether a given piece of code is malware.

Isolation aids analysis

Another variation of analysis involves simply letting the suspect code run on your system, to analyze what it does. If it tries do something bad, like erase files or make outbound network contact without authorization, then by definition it is malware and should be contained.

This approach, known generally as sandboxing, is not new. What is new is the implementation: One vendor leverages the high-performance virtualization features built into most PC hardware these days. That vendor creates a micro VM that can be termed a one-sample sandbox. The code is run, its behavior analyzed, a threat decision is made and the VM is discarded. Every sample gets its own fresh VM within which to run and be analyzed.

Even best endpoint security tools can’t do it all

In the realm of next-gen endpoint security, niche vendors are continually coming up with new takes on the issue. There are always new features being added. But it’s also important to understand what next-gen endpoint security is not. It is not a one-size-fits-all solution to your endpoint security woes. Nor is it a “me, too” list of vendors all doing the same thing. And, importantly it is not necessarily meant to be a total replacement for traditional endpoint security. It is simply a means to obtain the best endpoint security possible which is, in turn, a key element of an overall approach to keeping your systems secure.

 

‘Insider Sabotage’ among Top 3 Threats CISOs Can’t yet Handle

by

These five steps can help your organizations limit the risks from disgruntled employees and user errors.

Although insider sabotage is among the top three security threats companies face, 35% of chief information security officers in the US still lack the best practices to handle it properly, according to a Bitdefender study.

Insider sabotage – whether by a former employee who still has network access and is bent on sabotage or a careless staff member who clicks on phishing links when using company devices, or even a contractor or associate – can be particularly devastating because it’s usually not detected until the damage is done.

As the bring-your-own-device (BYOD) to work trend becomes even more widespread, CISOs should conduct regular security trainings to make current employees vigilant toward cyber hacks and schemes. Did they receive a suspicious email? Then they shouldn’t click on any URL or download attachments. Because hackers can expertly impersonate company email addresses and templates, employees need to be trained about address typos that could signal a scam.

Increasing cloud adoption raises other concerns about cloud security for a growing number of companies that have lost proprietary data across a longer timeframe by disgruntled former or current employees, who should have to think twice about acting out against their employers.

If caught, those who deliberately harm a business may be in for some tedious prison time. A sysadmin from Baton Rouge, for example, was sentenced to 34 months in federal prison for causing substantial damage to his former employer, a Georgia-Pacific paper mill, by remotely accessing its computer systems and messing with commands. Obviously, access from all systems and networks associated with the company should have been revoked when the man was fired.

“To limit the risks of insider sabotage and user error, companies must establish strong policies and protocols, and restrict the ways employees use equipment and infrastructure or privileges inside the company network,” recommends Bogdan Botezatu, senior e-threat specialist at Bitdefender. “The IT department must create policies for proper use of the equipment, and ensure they are implemented.”

Here are five steps CISOs can take to avoid insider sabotage:

  1. Enforce a strict information security policy, and run regular training sessions with employees to prevent malware infection of company networks.
  2. Immediately revoke all access and suspend certificates for former employees to prevent them from leaving the company with backups and confidential data, or from making administrative changes before leaving the company.
  3. Keep a close eye on internal systems and processes, and set up notifications for any changes that should occur.
  4. Implement role-based access control to restrict access to unauthorized employees.
  5. Never rely solely on usernames and passwords to safeguard confidential company data. Instead, implement multiple authentication methods such as two-factor, two-person or even biometric authentication.