Threats Evolve – Your Security Should Too
Threats evolve. One of the first companies I was working for was hit by a ‘denial of service’ attack: an email was sent to a friend of mine which had a script that made sheep dance all over your screen. It was pretty amusing so she decided to send it to the distribution list in the office. Let’s just say that the system administrators were not amused, as it brought the network down completely, and took the afternoon to bring everyone back up. This was in 1995. Now security did evolve to a certain extent; this type of attack would have been caught by either your UTM, email security appliance or endpoint solution. Over the course of several years, security solutions did evolve – firewalls, endpoint, network access control and logging. In the early 2000s, the terms SIM, SEM and SIEM were the rage, and the next best thing for organizations to battle against threat actors, as it was a great solution to review all of the events from your network in one centralized location. That was also when you could back up your logs to a CD.
Fast forward to today: we have embraced BYOD, cloud technology, IoT devices, and no one actually picks up the phone any more – email or texting is the communication tool providing immediate gratification. (Anyone remember what a telex machine is?) This explosion of technology, and reliance on said technology, has completely altered the threat landscape. Organizations are subject to ransomware, trojans, APTs, insider threats and more – which ‘can’ make it through your defenses, and be hard to detect and remediate.
A recent Dark Reading article by Kelly Sheridan identifies that the current SIEM systems have flaws, and while reading this, I was not surprised. Almost any product that collects event logs identifies itself as a SIEM, and some SIEMs now promote the security analytics more than the logging portion of the product. In addition, a new acronym – SOAPA, which stands for security operations and analytics platform architecture (Network World, November 29, 2016) – was created to distinguish these products from SIEM.
Advances in SIEM are not moving at the same speed as the threats, or taking into account different threat vectors. Typically, event data is sent from the host devices, using either standard syslog or an agent, to a repository of some sort. This event data is then queried using a set of correlation rules that will then initiate an alert or a response of some sort. While most SIEMs advertise huge libraries of pre-built reporting, these need to be refined to accommodate your organization AND they need to be regularly reviewed to ensure that any new “threats” will be discovered, and alerted on or have a response of some sort created.
For some attacks the SIEM will most definitely be advantageous to the organization, and of course, if you are required to collect and monitor logs for a compliance requirement, it is a necessity. However, the threats today take into account how these platforms work. The threat actors are meticulous and look for ways to evade the traditional security platforms.
The growth in products that are deemed to include security analytics/behavioural analysis can assist organizations in determining if network activity is malicious. These products look at the typical activity of a network over time, baseline it, and, when the activity deviates from that baseline, can provide a relatively good indication that there is a potential issue at hand.
By combining behavioural analysis/security analytics, machine learning and threat intelligence, an organization gets a more comprehensive review of activity on its network. A system that is not based on rules, but rather looks holistically at all of the users, devices, applications and how they all interact, and runs that through algorithms and machine learning techniques, will provide a more accurate detection of a threat.
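The contrast drawn above between a fixed correlation rule and a per-host baseline can be made concrete with a small added example (not code from any SIEM product or from this article). The sshd-style syslog format, the host names, the threshold of 20 and the z-score limit of 3 are all assumptions, and the log lines are constructed sample data.

```python
import re
import statistics
from collections import Counter

# Matches sshd-style syslog lines: "Mar  8 09:00:00 host sshd[pid]: Failed password for ..."
FAILED = re.compile(r"^\w{3}\s+(\d+) [\d:]{8} (\S+) sshd\[\d+\]: Failed password for ")

# Constructed failed-login counts per day (days 1-7 are history, day 8 is "today").
HISTORY = {"vpn-gw": [42, 47, 40, 45, 50, 44, 46], "db01": [0, 1, 0, 2, 1, 0, 1]}
TODAY = {"vpn-gw": 45, "db01": 12}


def sample_lines(day, host, count):
    """Build `count` constructed syslog lines for failed SSH logins on `host`."""
    return [f"Mar {day:2d} 09:{i % 60:02d}:00 {host} sshd[100]: "
            "Failed password for svc from 192.0.2.9 port 40000 ssh2"
            for i in range(count)]


def build_log():
    """Assemble the whole constructed log: seven days of history plus day 8."""
    lines = []
    for host, per_day in HISTORY.items():
        for day, n in enumerate(per_day, start=1):
            lines += sample_lines(day, host, n)
        lines += sample_lines(8, host, TODAY[host])
    return lines


def daily_failures(lines):
    """Parse raw syslog text into failed-login counts keyed by (host, day)."""
    counts = Counter()
    for line in lines:
        m = FAILED.match(line)
        if m:
            counts[(m.group(2), int(m.group(1)))] += 1
    return counts


def rule_alerts(counts, day, threshold=20):
    """Static correlation rule: same fixed threshold for every host."""
    return sorted(h for (h, d), n in counts.items() if d == day and n >= threshold)


def baseline_alerts(counts, day, history_days, z_limit=3.0):
    """Behavioural check: compare each host with its own history."""
    flagged = []
    for host in sorted({h for (h, _) in counts}):
        past = [counts.get((host, d), 0) for d in history_days]
        mean = statistics.mean(past)
        # Floor the spread so a nearly flat history does not inflate the score.
        spread = max(statistics.pstdev(past), 1.0)
        if (counts.get((host, day), 0) - mean) / spread > z_limit:
            flagged.append(host)
    return flagged


if __name__ == "__main__":
    counts = daily_failures(build_log())
    # The fixed rule fires on the habitually noisy gateway and stays silent on db01.
    print("static rule:", rule_alerts(counts, day=8))
    # The baseline ignores the gateway's normal noise and flags the quiet host.
    print("baseline   :", baseline_alerts(counts, day=8, history_days=range(1, 8)))
```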
To find out more, contact us.
To find the best endpoint security tools, focus on these features
Finding the best endpoint security for your enterprise is a complex, ever-changing task. Learn what features tools offer now to protect endpoints touching the enterprise systems.
When McAfee was formed in 1987 to sell the first commercial antivirus package, it set a baseline approach that has persisted to this day: Have a list of character strings that are unique to particular viruses and then scan files (and those files in memory) for the strings. Generally, if the scanner found one of the strings (the virus’s signature), it had very probably found a virus.
As other vendors emerged, they battled over their effectiveness at various aspects of this passive scanning approach. They focused on compiling the biggest, most comprehensive database of virus and malware signatures. The best endpoint security software available simply scanned for “bad” signatures every time a file was downloaded or opened. Vendors would boast about having better research teams to catch more viruses.
A number of additional virus-hunting techniques were introduced over the years — heuristic scanning to deal with polymorphic viruses that purposefully avoided having consistently scannable signatures, allowing the software to run but cordoning off its requests to the operating system to watch for malicious behaviors, and the introduction of reputation-based ratings to score the likelihood that a given executable could be relied on to be safe. But the basic pattern held: A monolithic software package at the endpoint watched all the new files and called out known bad actors.
Recently, though, the enhancements have begun to overtake the core static scanning components of antivirus software. “Next-gen” endpoint security tools have emerged as a new product category with specific characteristics.
Real-time a defining trait of next-generation endpoint security
Signature files are static and threats are dynamic. At a certain point, it simply became impractical (if not impossible) to update signature files incessantly and instantaneously in an attempt to contend with zero-day threats. These are by definition threats that no virus collector has yet catalogued as of the moment they are launched.
So, if anything, “real-time” is the defining characteristic of the best endpoint security offerings in the next generation of tools. For many products, this means jettisoning the endpoint-resident signature file altogether and using different means to ferret out viruses and malware.
Analysis replaces signature matching
In next-gen tools, the best endpoint security offerings replace signature matching with analysis (in real-time, of course). Different products, naturally, will analyze different aspects and attributes to determine if a piece of code represents a threat to the endpoint.
Some of the analysis techniques have evolved from traditional endpoint products. For example, reputation analysis has been in use for a number of years. This technique generally involves searching a database containing lists of known “bad actor” IP addresses and websites that have been confirmed to be sources of malware.
For some traditional vendors, moving to next-gen tools means taking various techniques that they have developed over the years within their traditional product line and integrating to provide a more effective solution.
Many security products will evaluate multiple attributes of a piece of code. Each piece of information would be used to build a risk score that, ultimately, would help the tool determine whether the code should be blocked. One next-gen vendor claims to have developed over six million possible indicators of malware and uses that information to determine whether a given piece of code is malware.
Isolation aids analysis
Another variation of analysis involves simply letting the suspect code run on your system, to analyze what it does. If it tries to do something bad, like erase files or make outbound network contact without authorization, then by definition it is malware and should be contained.
This approach, known generally as sandboxing, is not new. What is new is the implementation: One vendor leverages the high-performance virtualization features built into most PC hardware these days. That vendor creates a micro VM that can be termed a one-sample sandbox. The code is run, its behavior analyzed, a threat decision is made and the VM is discarded. Every sample gets its own fresh VM within which to run and be analyzed.
Even best endpoint security tools can’t do it all
In the realm of next-gen endpoint security, niche vendors are continually coming up with new takes on the issue. There are always new features being added. But it’s also important to understand what next-gen endpoint security is not. It is not a one-size-fits-all solution to your endpoint security woes. Nor is it a “me, too” list of vendors all doing the same thing. And, importantly, it is not necessarily meant to be a total replacement for traditional endpoint security. It is simply a means to obtain the best endpoint security possible, which is, in turn, a key element of an overall approach to keeping your systems secure.
Report: 2016 saw 8.5 million mobile malware attacks, ransomware and IoT threats on the rise
Mobile malware attacks increased more than three times between 2015 and 2016, according to a new report from Kaspersky Lab. Here’s what you need to know.
From Tech Republic – Alison DeNisco
In 2016, the number of malicious installation packages hit more than 8.5 million—three times more than the year before, according to a report on mobile malware evolution from Kaspersky Lab, released on Tuesday. The firm registered nearly 40 million attacks by malicious mobile software over the course of the year as well.
Geographically speaking, the nations with the highest number of attacks were Bangladesh, Iran, Nepal, China, and Indonesia, the report stated.
The No. 1 malware threat of 2016? Trojans, which gained super-user privileges that allowed them to secretly install advertising applications and display ads on the infected device, and even buy apps on Google Play, the report found. And this trend shows no sign of slowing down.
The Trojans attacked Android devices via vulnerabilities that are patched in newer versions—however, most users do not update their phones in a timely manner, leaving them open to danger.
“Cybercriminals are taking advantage of the fact that most devices do not receive OS updates (or receive them late), and are thus vulnerable to old, well-known and readily available exploits,” the report stated.
Because this malware installs its modules in the system directory, it makes remedying the situation difficult, the report noted. “Some advertising Trojans are even able to infect the recovery image, making it impossible to solve the problem by restoring to factory settings,” it stated.
Kaspersky Lab also found installations of the modular trojan Backdoor.AndroidOS.Triada, which allowed hackers to alter text messages sent by other apps and steal money from the device owner.
Google Play remains a popular place for cybercriminals to find business: Kaspersky Lab detected about 50 new applications infected by Trojan.AndroidOS.Ztorg.am, the new modification of Trojan.AndroidOS.Ztorg.ad. And many of these apps were installed more than 100,000 times.
“Representatives of this class of malicious software have been repeatedly found in the official Google Play app store, for example, masquerading as a guide for Pokemon GO,” the report stated. “This particular app was downloaded over half a million times and was detected as Trojan.AndroidOS.Ztorg.ad.”
Ransomware attacks grew the most over 2016: Trojan-Ransom increased almost 6.5 times, now representing 4% of all malware installation packages. Kaspersky Lab detected 261,214 mobile ransomware Trojans in 2016. “This growth was caused by the active distribution of two families of mobile ransomware – Trojan-Ransom.AndroidOS.Fusob and Trojan-Ransom.AndroidOS.Congur,” according to the report. The criminals behind the Trojan usually demand between $100 and $200 to unlock a device, Kaspersky Lab noted.
Hackers also evolved their use of mobile banking Trojans over 2016, many of which learned how to bypass new Android security measures and continue stealing user information.
“This year, we will continue to closely monitor the development of mobile banking Trojans: the developers of this class of malware are the first to use new technologies and are always looking for ways to bypass security mechanisms implemented in the latest versions of mobile operating systems,” the report noted.
Internet of Things (IoT) devices are also a growing target for cybercriminals, with an “attack-the-router” Trojan Switcher targeting the Wi-Fi network that an infected device is connected to. “If the Trojan manages to guess the password to the router, it changes the DNS settings, implementing a DNS-hijacking attack,” the report stated.
The 3 big takeaways for TechRepublic readers
1. A new report from Kaspersky Lab found that the number of malicious installation packages hit more than 8.5 million in 2016, three times more than 2015.
2. Trojans were the No. 1 malware threat of 2016, due in part to cybercriminals attacking mobile devices that had not been updated.
3. Ransomware attacks and IoT attacks are increasingly common, the report found.
Stolen Health Record Databases Sell For $500,000 In The Deep Web
From Dark Reading – February 21, 2017 – Ericka Chickowski
Electronic health record databases proving to be some of the most lucrative stolen data sets in cybercrime underground.
Medical insurance identification, medical profiles, and even complete electronic health record (EHR) databases have attracted the eyes of enterprising black hats, who increasingly see EHR-related documents as some of the hottest commodities peddled in the criminal underground. A new report today shows that complete EHR databases can fetch as much as $500,000 on the Deep Web, and attackers are also making their money off of smaller caches of farmed medical identities, medical insurance ID card information, and personal medical profiles.
The data comes by way of a report from Trend Micro’s TrendLabs Forward-Looking Threat Research (FTR) Team, which took a comprehensive look at how attackers are taking advantage of healthcare organizations’ weaknesses to devastating effect. Cybercriminals always have their eyes open for new profitable revenue streams, and the poor security around increasingly data-rich EHR systems poses a huge opportunity for the bad guys.
“Monetizing raw data such as PII is nothing new in the underground. What makes EHR in the underground so different is that some of the data can be used to create a whole new list of offerings,” says Mayra Rosario Fuentes, the author of the TrendLabs report. “These wares include fraudulent documents like tax returns or fake IDs, fake driver’s licenses or birth certificates, but also stolen prescriptions with which the buyer can buy drugs. This gives them access to controlled substances such as Ambien, a popular sleep disorder medication known to be abused by many users.”
Fuentes and her FTR team combed through the Deep Web to understand pricing models used by the criminals to sell EHR data. Complete databases may be the most highly coveted items for sale, but other wares based on raw and processed stolen health data were well within the price ranges of even petty crooks.
Medical insurance IDs with valid prescriptions were selling for $0.50 US, and complete profiles of US victims including medical and health insurance data were selling for under $1. Meanwhile, fraudulent tax returns based on stolen medical records were marketed for $13.50 and fake birth certificates based on data stolen from medical records were selling for $500.
Attackers are practically printing money when it comes to this new line of stolen goods, considering how poorly healthcare organizations are protecting their key assets. According to a separate report out today featuring a survey conducted by 451 Research on behalf of Thales, 69% of US healthcare organizations report their biggest spend is on perimeter defenses.
Meanwhile, they’re leaving holes in the network big enough to drive monster trucks through them, by way of Internet of Things (IoT) medical devices and other poorly secured systems. The TrendLabs report detailed research conducted through Shodan that showed how many of these systems were left accessible to the public internet with minimal to no access controls. Not only did these systems expose the network to further lateral attacks, but in many instances they provided direct access to the EHR systems themselves, as was the case with exposed interfaces to Polycom conference systems that researchers found in one instance.
Canada will soon force companies to disclose hacking attempts, data breaches
The federal government is in the final stages of enacting legislation that will require all businesses in Canada to report any cyber security breach as soon as they become aware of it.
It’s a step meant to close what critics say has been a major gap in this country’s protection of personal and financial data.
The new laws were passed as part of the Digital Privacy Act in 2015, but have not yet come into effect due to the need for “related regulations outlining specific requirements.”
Industry stakeholders had also asked government for a “transition period” allowing them to better prepare their computer systems and internal policies to report hacking attempts and issues pertaining to computer viruses on their networks.
That pause is about to expire, according to Innovation, Science and Economic Development Canada, which wrapped up a series of public consultations in the fall.
A spokesman said a summary of those consultations was posted to the federal department’s website in October. Draft regulations, outlining exactly when and how business must report data breaches, are expected to appear in the Canada Gazette, the official publication of the federal government, in the coming weeks. Those draft regulations will be opened for another round of public consultations before they are forwarded to Parliament for approval.
In much of Europe, and an increasing number of U.S. states, any breaches of personal data or financial information at a private corporation must be immediately reported to authorities.
Outside of Alberta, which enacted its own legislation requiring the reporting of a hack or other breach of data, Canada has not had such strict reporting laws.
Until now, it was up to a company to decide whether to go public if it was hacked, allowing a vast majority of cyber intrusions to go unnoticed.
It’s been an issue the federal Office of the Privacy Commissioner has been warning about for years.
In 2007, apparel and home goods company TJX was forced to admit that its systems had been hacked. The admission followed mounting pressure from financial institutions that had been forced to deal with an increase in fraudulent charges to their customers’ accounts. While TJX announced the news in 2007, the company later revealed the breach had actually started in 2005 and that it involved more than 100 million credit card numbers, double what it initially stated.
Under the new legislation, companies will be forced to immediately report the system breach, what information was lost and how the attacker gained access. The information would have to be reported to the Office of the Privacy Commissioner of Canada, who will decide whether it needs to be released publicly. At the very least, the information collected by the commissioner’s office could be used to alert other businesses to the hackers’ tactics. It could be forwarded to financial institutions to minimize fraudulent charges or identity theft, for instance. The privacy commissioner’s office could also order the business to notify individuals who may be affected by the breach.
Companies will also need to maintain a record of all breaches involving personal information and provide a copy of those records to the privacy commissioner’s office upon request. Organizations that fail to report data breaches to the privacy commissioner’s office or keep records of prior incursions could face fines of as much as $100,000.
“Think of it like the federal government enforcing cyber hygiene on businesses in Canada,” said David Masson, country manager for Canada at cyber-security firm Darktrace. “What this does is change the way businesses actually do security issues. They are going to have to do it now. They’re going to have to have adequate safeguards in place … and actually use the tools they’ve got and know what’s going on in their networks.”
The requirements from government come as Canadian businesses are reeling from an onslaught of new attacks from hackers. A newly released study from cloud security company Scalar Decisions Inc. found the average number of cyber attacks against small and medium-sized business in Canada has risen 44 per cent since the company began tracking data in 2014. The report surveyed more than 650 information technology workers at small and medium-sized businesses across the country. Those businesses spent a total of $7.2 million in 2016 to recover from data breaches.
Of those affected by ransomware, an increasingly popular attack by hackers that locks a company’s computers until a ransom has been paid to the attacker, only 21 per cent reported the incident to authorities, according to Scalar.
“Organizations need trained personnel who understand how to react when faced with threats,” said Ryan Wilson, chief technology officer at Scalar in a statement. “The increase in incidents and decreasing confidence we are seeing coincides with the growing sophistication, severity and cost of attacks.”
Darktrace’s Masson agreed, saying that while large companies may have the talent and resources to respond to an attack on their computer networks, small and medium-sized firms may not. However, the new requirements will still mean those small and medium-sized businesses must report a data breach to the Office of the Privacy Commissioner or face a possible fine.
“The big guys know what to do and have the resources and security teams to do it with,” said Masson. “Small and medium enterprises don’t have that.”
Monique Moreau, vice-president of national affairs for the Canadian Federation of Independent Business, said a vast majority of businesses in Canada have no idea that these regulations are coming. She said she would like to see leniency from the federal government, particularly when it comes to small business owners, for first-time offences.
“Government has a role to play here. What we’re always emphasizing is education before enforcement. For a vast majority of business owners, the first time they will hear about this is when this happens to them,” said Moreau. “Do they know (about the reporting requirement)? Probably not. Are they prepared at this point? Probably, also, not.”
The CFIB, which represents 109,000 small and medium-sized businesses across the country, said it will be notifying its membership about the upcoming regulations as more specifics regarding the legislation are posted in the Canada Gazette. Moreau said the organization has 200 country managers who regularly liaise with members about various business issues and that this will become one of the new issues they will be highlighting.