Poor Cybersecurity Practices to Avoid

Poor cybersecurity practices exist at many US organizations, which are allowing hackers and other cybercriminals to gain access to corporate networks, steal data, and install malware and ransomware. Businesses can implement highly sophisticated cybersecurity defenses, but even multi-million-dollar cybersecurity protections can be easily bypassed if poor cybersecurity practices persist.

This month we have seen two reports issued that highlight one of the biggest flaws in the cybersecurity defenses of US enterprises: poor password hygiene.

The purpose of passwords is to prevent unauthorized access to sensitive data, yet time and again we have seen data breaches occur because of end users’ poor choice of passwords and bad password practices.

Earlier this month, SplashData released its annual report on the worst passwords of 2016. The report details the top 25 poorly chosen passwords. This year’s report showed that little had changed year on year. Americans are still very bad at choosing strong passwords.

Top of this year’s list of the worst passwords of 2016 were two absolute howlers: 123456 and password. Numbers three and four were no better – 12345 and 12345678. Even number 25 on the list – password1 – would likely only delay a hacker by a few seconds.

Another study also highlighted the extent to which Americans practice poor password hygiene. Pew Research asked 1,040 US adults about their password practices. 39% of respondents said they used the same passwords – or very similar passwords – for multiple online accounts, while 25% admitted to using very simple passwords because they were easier to remember. 56% of 18-29-year-old respondents said that they shared their passwords with other individuals, while 41% of all respondents said they shared passwords with family members.

The results of this survey were supported by later research conducted by Telsign, which found a very blasé attitude to online security among U.S. citizens. Although 80% of respondents admitted to being concerned about online security (and half of those claimed to have had an online account hacked in the past year), 73% of respondents’ online accounts are guarded by duplicate passwords and 54% of respondents use five or fewer passwords across their entire online life.

While the Pew Research and Telsign surveys did not specifically apply to businesses, these poor password practices are regrettably all too common in the workplace. Passwords used for corporate accounts are recycled for personal accounts, and poor password choices for company email accounts and even network access are common. Two-factor authentication is not, in itself, a solution to the problem of poor personal cybersecurity practices, yet only 38% of U.S. companies use it to protect their networks from the consequences of poor corporate cybersecurity practices.
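As an added illustration (not part of the original post), the following Python check applies the two findings above: it rejects the SplashData entries named here and their trivial variants, and flags a password that merely varies one already used for another account. The 12-character minimum and the leetspeak table are assumed policy values, not figures from the post.

```python
import re

# The five SplashData 2016 entries named above; a deployment would load a
# far larger breached-password list in exactly the same way.
WORST_PASSWORDS = {"123456", "password", "12345", "12345678", "password1"}
MIN_LENGTH = 12  # assumed policy value; the post names no specific minimum

# Common character substitutions that add no real strength (assumed table).
LEET = str.maketrans("@$0!31", "asoiel")

def normalize(password: str) -> str:
    """Reduce a password to its 'core' so trivial variants compare equal:
    case-fold, drop leading/trailing digits or symbols, undo leetspeak."""
    lowered = password.lower()
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", lowered)
    if not core:            # purely numeric/symbolic: nothing to strip
        return lowered
    return core.translate(LEET)

WORST_NORMALIZED = {normalize(p) for p in WORST_PASSWORDS}

def check_password(password: str, used_elsewhere=()) -> list:
    """Return the policy violations for a candidate password.

    used_elsewhere: the user's passwords on other accounts (as a password
    manager would know them), to catch the 'same or very similar' reuse
    that the Pew survey describes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if normalize(password) in WORST_NORMALIZED:
        problems.append("blocklisted")
    if password.isdigit():
        problems.append("digits_only")
    if any(normalize(password) == normalize(other) for other in used_elsewhere):
        problems.append("reused")
    return problems

if __name__ == "__main__":
    print(check_password("Password1!", ["password"]))  # ['too_short', 'blocklisted', 'reused']
```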


Poor Cybersecurity Practices That Leave Organizations Open to Cyberattacks

Unfortunately, poor cybersecurity practices persist in many organizations. IT departments concentrate on implementing sophisticated multi-layered defenses to protect their networks and data from hackers, yet are guilty of failing to address some of the most basic cybersecurity protections.

The failure to address the following poor cybersecurity practices at your organization will leave the door wide open, and hackers are likely to be quick to take advantage.

More than 4,100 data breaches of more than 500 records were reported by organizations in the United States in 2016*. Many of those data breaches could have been avoided if organizations had eradicated their poor cybersecurity practices.

Some of the main cybersecurity mistakes made by US companies include:

  • Not conducting a comprehensive, organization-wide risk assessment at least every 12 months
  • The failure to enforce the use of strong passwords
  • Not providing employees with a password manager to help them remember complex passwords
  • The continued use of unsupported operating systems such as Windows XP
  • Failure to apply patches and updates promptly
  • Not restricting the use of administrator accounts
  • Failure to adequately monitor devices for shadow IT
  • Failure to block macros from running automatically
  • Giving employees unnecessary access to data systems and networks
  • Not providing employees with cybersecurity awareness training
  • Not instructing employees on the safe handling of personally identifiable information
  • Failure to conduct anti-phishing simulation exercises
  • Failure to notify new employees and vendors of IT security policies and procedures before data access is provided
  • Not revising and updating IT security policies and procedures at least every six months
  • Failure to change default logins on networked devices
  • Failure to encrypt data on portable storage devices
  • Allowing employees full, unfettered access to the Internet
  • Failure to implement a spam filter to block malicious email messages
  • Failure to monitor applications with access to data
  • Failure to create appropriate access controls
  • Failure to monitor the activity of employees

*2016 Data Breach Report from Risk Based Security

Internet Filtering Laws in the UK to Give ISPs Internet Blocking Powers

Internet filtering laws in the UK could soon be updated to allow Internet Service Providers (ISPs) to legally block explicit website content.

Former UK Prime Minister David Cameron announced in 2013 that his – and his party’s – aim was to implement greater controls over the Internet and to start blocking pornography by default. In the summer of 2013, pornography filters were put in place by most Internet Service Providers in the UK. Major ISPs in the UK now require customers to opt in if they want to use their computers to view online pornography. Unless a customer requests otherwise, pornography filters are applied.

However, last year, as part of a new EU ruling covering mobile phone roaming charges, the porn filter in the UK was determined to be illegal. The EU ruled that companies are not permitted to block access to legal website content, only website content that is illegal in member states.

The UK opted out of the law after it was passed last year, allowing ISPs to continue to block Internet porn without violating the EU’s ‘Net Neutrality’ laws. However, even though the UK opted out, ISPs were only ever requested to implement porn filters. Internet filtering laws in the UK have never been introduced.

The Digital Economy Bill – which has already been passed by the House of Commons – has had a number of amendments added this week, one of which covers the use of Internet filters. If the Bill is written into law, this will be the first legislation in the UK covering the use of Internet filters.

The new clause is as follows: “A provider of an internet access service to an end-user may prevent or restrict access on the service to information, content, applications or services, for child protection or other purposes, if the action is in accordance with the terms on which the end-user uses the service.”

The UK’s House of Lords will now subject the bill, and the proposed amendments, to close scrutiny next week, examining the Bill line by line. While it is possible that some of the controversial elements of the Bill will be dropped, it is now looking likely that Internet filtering laws in the UK will be introduced.

The Bill also requires ISPs in the UK to block websites containing pornography that do not have any age verification mechanism in place. According to Lord Ashton, parliamentary under-secretary of state at the Department of Media, Culture, and Sport, ISPs will be required to block these websites, with the legislation enforced by the British Board of Film Classification.

While the UK has voted to leave the EU following the ‘Brexit’ vote, until the UK actually leaves the European Union it is required to comply with EU laws. Currently there is some confusion over whether the blocking of pornography by default in the UK contravenes EU laws.

While there is some doubt over the matter, the UK’s communications regulator – OFCOM – has not instructed ISPs to lift the block and require customers to opt in if they want to restrict access to pornography.

A spokesperson for the Department of Media, Culture, and Sport said: “We are committed to keeping children safe from harmful pornographic content on the internet and this amendment will give internet service providers reassurance the family friendly filters they currently offer are compliant with EU law.”

Web Filters in Libraries are Not Just About Internet Control

There is an important reason why the use of web filters in libraries is increasing. The cost of providing computers with Internet access to patrons is not inconsiderable, yet in order to qualify for discounts under the E-Rate program, libraries must implement a web filter to comply with CIPA regulations. Libraries must use the web filter to block obscene images (pornography), images of child abuse, and any other graphics that could cause minors to come to harm.

However, there is another reason why the use of web filters in libraries is important. This has been clearly demonstrated this week in St. Louis, MO.

Web Filters in Libraries are Not Only About Internet Control

This week, every computer in the St. Louis Public Library System was taken out of action. Visitors were still able to visit the library and use the books, but do little else. All book borrowing stopped, since it is not possible for library staff to log borrowing on the checkout system. Patrons have also been prevented from gaining access to the Internet. Even the email system has been locked and taken out of action.

What kind of computer malfunction causes the entire network of computers to stop working? The answer is ransomware.

Ransomware is malicious software that has been developed with one sole purpose: to encrypt system and data files to prevent access. Once downloaded, ransomware locks files with powerful encryption, preventing them from being accessed. The attacker then sends a ransom demand, offering the unique keys to decrypt the files in exchange for payment.

Typically, attackers demand $500 in an anonymous currency such as Bitcoin to unlock each computer that has been attacked. In the case of the St. Louis Public Library system, the ransom demand was $35,000. All 700 of the library system’s computers – across 16 locations – were attacked and encrypted.

Some ransomware variants also act as information stealers. Fortunately for the library, its inventory was unaffected and payment card information and other personal information of patrons were not stolen.

The St. Louis Public Library system will not be paying the extortionate ransom demand. It has instead opted for the only alternative in cases of ransomware infection: wiping its entire system and restoring files from backups. That is not a quick process. It will certainly take days, and could take weeks.

The ransom payment may be avoided, but removing the infection will still result in considerable costs being incurred. Then there is the impact the attack has had on patrons of the city’s libraries. The library system is primarily used by poor and disadvantaged individuals. According to library spokesperson Jen Hatton, “For many of our patrons, we’re their only access to the internet.” Hatton also said, “This is their only access to a computer. Some of them have a smartphone, but they don’t have a data plan. They come in and use the Wi-Fi.”

It is not clear how the infection occurred, although there are two main ways that ransomware is installed: malicious spam email messages and visits to malicious websites. Both of these attack vectors can be blocked if appropriate software is installed.

Web Filters in Libraries are an Important Ransomware Defense

A spam filter can be used to filter out malicious messages. Those messages carry attachments which, if opened, infect the computer or download ransomware; user interaction is required. If the messages are quarantined and not delivered to users’ inboxes, infection can be prevented.

In the case of malicious links contained in emails – an alternative to attachments – a click will direct the user to a malicious website where ransomware is downloaded. Even if a link is clicked, access to the website can be blocked with a web filter. Web filters in libraries can also be configured to stop patrons and staff from visiting malicious sites while browsing the Internet. If a website that is known to be malicious is accessed – deliberately or accidentally – the site will not be displayed and infection will be blocked. Web filters in libraries can also block the downloading of files that are commonly used to infect computers – executable or JavaScript files for example.

The use of web filters in libraries is therefore not just about limiting access to inappropriate and harmful website content. Web filters in libraries are an important cybersecurity protection that can help to ensure that, come what may, patrons will still be able to access the Internet and borrow books.

10 Tips for Preventing Malware Infections

Anyone who uses a computer is at risk of having their device infected with malware. Listed below are some useful tips for preventing malware infections.

Unfortunately, signature-based anti-malware software is far less effective at preventing infections than in years gone by. Malware developers are now using a wide range of strategies and techniques to prevent traditional anti-malware solutions from detecting and blocking infections.

Rely on anti-malware or anti-virus software alone and sooner or later you may find your device has been compromised, your keystrokes are being logged, and your – or your organization’s – data are being stolen.

However, there are some straightforward strategies that you can adopt to prevent malware infections and keep your computer, and your network, malware-free.

10 Tips for Preventing Malware Infections

Back up your data

OK, a data backup will not prevent a malware infection, but it can help you recover if your computer is infected with ransomware or if your data are corrupted as a result of an infection – or of the removal of malware. The only way to recover from some infections is to wipe your system and restore it from a previously known safe point. You must therefore have a safe point that you can use. Nightly backups should be performed; you then stand to lose at most 24 hours of data.

Keep your malware definitions up to date

Anti-malware software may not be as effective as it once was, but you do need to give it a fighting chance. If you do not keep your definitions 100% up to date you are asking for trouble. This may sound obvious, but many organizations delay updating malware definitions or forget to set software to update automatically on all devices.

Never click on links or open email attachments from unknown senders

Cybercriminals target employees because it is far easier to gain access to a corporate network if an employee bypasses their organization’s defenses and installs malware. All it takes is for one employee to install malware for attackers to gain a foothold in a network. Ensure that all employees receive anti-phishing training and have at least basic IT security skills. Most data breaches start with a phishing email.

Ensure operating systems and software are patched promptly

Operating systems, firmware, and all software must be kept up to date. As soon as patches are released, cybercriminals will be reverse engineering them to uncover the vulnerabilities. Don’t delay applying patches. Good patch management policies are essential for preventing malware infections.

Watch out for shadow IT

Downloading pirated software is an excellent way to infect computers with malware. Pirated software is often bundled with malware, spyware, and all manner of nasties. Block the running of executables and keygens if practical. Only install software from trusted sources. As an additional check, before installing software, check the software provider’s published MD5 hash against your copy. If it’s a match, install. If not, delete.
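An added example (not from the original post) of the hash check described above: it hashes a downloaded file in chunks, parses the md5sum/sha256sum-style list that vendors publish, and compares the digests in constant time. It supports the MD5 the text names, but defaults to SHA-256 because MD5 collisions are practical; the published digest must also come from the vendor over a trusted channel, not from the same mirror as the download. The file name and checksum line are constructed.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def digest_bytes(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of an in-memory buffer (handy for tests and small files)."""
    return hashlib.new(algorithm, data).hexdigest()

def file_digest(path, algorithm: str = "sha256") -> str:
    """Hash a file in 1 MiB chunks so large installers need not fit in RAM."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_checksum_file(text: str) -> dict:
    """Parse md5sum/sha256sum-style lines:
    '<hexdigest>  <filename>' or '<hexdigest> *<filename>' (binary mode)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            digest, name = parts
            entries[name.lstrip("*")] = digest.lower()
    return entries

def verify_download(path, published_hash: str, algorithm: str = "sha256") -> bool:
    """True only if the file's digest equals the published one.
    hmac.compare_digest avoids an early-exit string comparison; on a
    mismatch the rule from the text applies: delete, do not install."""
    return hmac.compare_digest(file_digest(path, algorithm),
                               published_hash.strip().lower())

# Constructed vendor checksum list (MD5, the algorithm the text names) for a
# file whose genuine contents are simply b"abc" in this example.
CONSTRUCTED_MD5SUMS = "900150983cd24fb0d6963f7d28e17f72  installer.exe\n"

def demo() -> tuple:
    """Write the genuine file and verify it, then tamper one byte and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        installer = Path(tmp) / "installer.exe"
        sums = parse_checksum_file(CONSTRUCTED_MD5SUMS)
        installer.write_bytes(b"abc")
        genuine = verify_download(installer, sums["installer.exe"], "md5")
        installer.write_bytes(b"abd")   # simulated tampered download
        tampered = verify_download(installer, sums["installer.exe"], "md5")
    return genuine, tampered

if __name__ == "__main__":
    print(demo())  # (True, False)
```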

Take care with USB drives

Not all malware comes via the web or email. USB drives can easily introduce malware. Make sure your anti-malware solution is configured to automatically scan USB drives before granting system access and never plug in a drive from an unknown source.

Perform regular malware scans

Having anti-virus and anti-malware software will not necessarily mean your system is protected. Full system scans should still be performed. Some infections can slip under the radar. A full scan should be performed at least once a month.

Keep abreast of the latest malware trends

You may have limited time, but it is important to keep abreast of the latest attack trends, cyberattacks, data breaches, and threat reports. Check the warnings from US-CERT, and monitor websites such as DarkReading, CIO, CISO, and The Register. A little research goes a very long way.

Keep mobile devices protected

Mobiles can easily be used to introduce malware onto networks to which they connect. Mobiles are often used on unprotected Wi-Fi hotspots, and the devices are increasingly being targeted by hackers. Ensure security software is installed on mobile devices and security settings on phones are active.

Use a firewall, web, and Wi-Fi filtering

A firewall is an essential tool for preventing malware infections, although businesses should consider purchasing a next generation firewall device. Next generation firewalls combine a traditional firewall with other network device filtering functionalities. Web and Wi-Fi filtering solutions are also important. By filtering the Internet, it is possible to prevent drive-by malware downloads and carefully control the risks that employees take.

Spora Ransomware: A Particularly Dangerous New Ransomware Threat

There is now a new and particularly dangerous ransomware threat to deal with. Spora ransomware could well be the new Locky.

Locky and Samas ransomware have proved to be major headaches for IT departments. Both forms of ransomware have a host of innovative features designed to avoid detection, increase infections, and inflict maximum damage, leaving businesses with little alternative but to pay the ransom demand.

However, there is now a new ransomware threat to deal with, and it could well be even bigger than Locky and Samas. Fortunately, the ransomware authors only appear to be targeting Russian users, but that is likely to change. While a Russian version has been used in attacks so far, an English language version has now been developed. Spora ransomware attacks will soon be a global problem.

A considerable amount of time and effort has gone into producing this particularly dangerous new ransomware variant and a decryptor is unlikely to be developed due to the way that the ransomware encrypts data.

In contrast to many new ransomware threats that rely on a Command and Control (C&C) server to receive instructions, Spora ransomware is capable of encrypting files even if the user is offline. Shutting down Internet access will not prevent an infection, and it is not possible to stop infection by blocking access to the C&C server.

Ransomware variants that can encrypt without C&C communication have been developed before, but those variants did not use unique decryption keys, which means one key will unlock all infections. Spora ransomware, on the other hand, requires each victim to use a unique key to unlock the encryption. A hard-coded RSA public key is used to generate a unique AES key for every user, and that process occurs locally. The AES key is then used to encrypt the private key from a public/private RSA key pair generated for each victim, without C&C communications. The RSA key also encrypts the unique AES key for each user. Without the key supplied by the attackers, it is not possible to unlock the encryption.

This complex encryption process is only part of what makes Spora ransomware unique. In contrast to many other ransomware variants, the attackers have not set a fixed ransom amount. This gives the attackers a degree of flexibility and, importantly, the process occurs automatically. Security researchers believe the degree of automation will see the ransomware offered on an affiliate model.

The flexibility allows a business to be charged a different amount from an individual. The ransom is set based on the extent of the infection and the types of files that have been encrypted. Since Spora ransomware collects data on the user, amounts can easily be adjusted when contact is made to pay the ransom.

When victims visit the attacker’s payment portal to pay the ransom, they must supply the key file that is created by the ransomware. The key file contains a range of data on the user, including details of the campaign used. The attackers can therefore carefully monitor infections and campaigns. Those campaigns that are effective and result in more payments can then be repeated. Less effective campaigns can be dropped.

Currently there are multiple payment options, including one that is quite different: victims can pay to unlock the encryption, or pay extra to prevent future attacks, essentially being granted immunity.

Emsisoft researchers who have analyzed Spora ransomware say it is far from a run-of-the-mill variant that has been quickly thrown together. It is the work of a highly professional gang. The encryption process contains no flaws – uncommon for a new ransomware variant – the design of the HTML ransom demand and the payment portal is highly professional, and the payment portal also contains a chat option to allow communication with the attackers. This degree of professionalism only comes from extensive investment and considerable work. This threat is unlikely to go away soon. In fact, it could prove to be one of the biggest threats in 2017 and beyond.

Infection currently occurs via spam email containing malicious attachments or links. Currently the attachments purport to be PDF invoices, but they are in fact HTA files containing JavaScript code. Preventing the emails from being delivered is the best form of defense. Since no decryptor is available for Spora, a backup will be required to recover from the infection, or the ransom will have to be paid.
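The following is an added example (not code from the original post or from any mail product) of the attachment gate that the library article and this one both call for: a filter that quarantines a message when an attachment carries a blocked file type such as .js or .hta, hides one behind a double extension, or claims to be a PDF while its bytes are HTML/script, which is the Spora lure described above. The message, addresses and attachment contents are constructed; the blocked-type list is an assumed policy.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# File types a mail gateway would quarantine outright (assumed policy list,
# not one the post specifies); .hta and .js cover the lure described above.
DANGEROUS_EXT = {".exe", ".scr", ".js", ".jse", ".hta", ".vbs", ".vbe",
                 ".wsf", ".wsh", ".bat", ".cmd", ".ps1", ".jar"}
# Leading bytes of document formats that attackers like to impersonate.
MAGIC = {".pdf": b"%PDF", ".zip": b"PK\x03\x04", ".docx": b"PK\x03\x04"}

def inspect_attachment(filename: str, data: bytes) -> list:
    """Return the reasons (empty list if none) why one attachment is suspect."""
    reasons = []
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    hit = DANGEROUS_EXT.intersection(suffixes)      # catches x.pdf.js too
    if hit:
        reasons.append(f"blocked file type {sorted(hit)}")
    if suffixes and suffixes[-1] in MAGIC and not data.startswith(MAGIC[suffixes[-1]]):
        reasons.append(f"content does not match claimed {suffixes[-1]} format")
    head = data[:4096].lower()
    if b"<script" in head or b"<html" in head or b"<hta:" in head:
        reasons.append("embedded HTML/script content")
    return reasons

def scan_message(raw: bytes) -> dict:
    """Map each suspect attachment's filename to its list of reasons."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        reasons = inspect_attachment(name, data)
        if reasons:
            findings[name] = reasons
    return findings

def should_quarantine(raw: bytes) -> bool:
    """Quarantine the whole message if any attachment is suspect."""
    return bool(scan_message(raw))

def build_sample_message() -> bytes:
    """Constructed sample: one genuine PDF, one 'PDF' that is really an
    HTML-application lure, and a JavaScript file behind a double extension."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "staff@example.invalid"
    msg["Subject"] = "Invoice 0117"
    msg.set_content("Please find your invoices attached.")
    msg.add_attachment(b"%PDF-1.4\n%constructed placeholder\n",
                       maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"<html><head><script>/* constructed placeholder */</script></head></html>",
                       maintype="application", subtype="pdf", filename="invoice_0117.pdf")
    msg.add_attachment(b"// constructed placeholder\n",
                       maintype="application", subtype="octet-stream", filename="details.pdf.js")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, why in scan_message(build_sample_message()).items():
        print(name, "->", "; ".join(why))
```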