Network Security

Far too often, news of data breaches is accompanied by details of the failures in network security that allowed a hacker access to confidential data. Many of these failures are avoidable with adequate precautions such as a spam email filter and a mechanism for controlling access to the Internet.

Almost as many breaches in network security can be attributed to poor employee training. Password sharing, unauthorized downloads and poor online security practices can result in hackers gaining easy access to a network and extracting confidential data at will.

It has been well chronicled that hackers will bypass organizations with strong network security and turn their attention to fish that are easier to catch. Make sure your organization does not get caught in the net – implement appropriate web filters and educate your employees on the importance of network security.

Angler Exploit Kit Strikes Again: News Websites Used to Infect Visitors With Malware

Over the past two weeks there have been three worrying instances of the Angler exploit kit being used to infect website visitors with malware and ransomware. Cybercriminals are increasingly using exploit kits to deliver their malicious payloads and all organizations need to be aware of the risk.

Why AUPs May Not Be Sufficient to Keep Networks Secure

Many companies advise employees of the types of websites that can be accessed via work networks and which are forbidden. Typically, employees are banned from visiting pornographic websites, using the Internet for the sharing of copyright-protected material, installing shareware or other unauthorized software, and using unauthorized web applications and gaming sites.

Employees are provided with a document which they are required to read and sign. They are informed of the actions that will be taken for breaching the rules: verbal and written warnings for example, and in some cases, instant dismissal. These AUPs are usually effective and employees do heed the warnings if they value their jobs.

If an employee breaches the AUPs and accesses pornography for instance, action can be taken against that individual. It is probable that no harm will have been caused and the matter can be dealt with by HR.

However, if an employee breaches AUPs and visits a website that has been compromised with malware or installs shareware that includes malicious files, taking action against the employee will not undo the damage caused.

To better protect networks, AUPs should be enforced with a software solution. By implementing a web filtering solution, HR departments can ensure that inappropriate website content is not accessed, while IT departments are spared from having to deal with the resulting malware infections.

Even if AUPs are followed to the letter, malware may still be downloaded onto the network. The risk has recently been highlighted by two security incidents discovered in the past two weeks.

Legitimate Websites Compromised with Angler Exploit Kit

Last week, news emerged that a toy manufacturer’s website had been compromised and was being used to infect visitors with malware. The website had been loaded with the Angler exploit kit and was being used to silently infect visitors’ devices with ransomware.

An exploit kit is a malicious toolkit used by hackers to probe for security vulnerabilities in website visitors’ browsers. A visitor to a website containing an exploit kit – BlackHole, Magnitude, Nuclear, Styx, or Angler for example – will have their browser checked for out of date plugins such as Adobe Reader, Silverlight, Flash, or Java. If the plugins are not up to date, security vulnerabilities can be exploited to download a payload of malware. These attacks are silent and the website visitor will be unaware that their machine has been compromised.

This week, two more websites were discovered to have been hijacked and were being used to direct visitors to the Angler exploit kit. These websites were much more likely to be visited by company employees. They were the sites of two CBS-affiliated TV stations: KMOV in St. Louis and WBTV in Charlotte, North Carolina.

These news websites would be unlikely to be banned in AUPs, and few organizations would see the risk of their employees visiting these websites.

News Websites Contained Malvertising Directing Users to the Angler Exploit Kit

While the toy manufacturer’s website was directly infecting web visitors, in the case of KMOV and WBTV the attackers were using a common technique called malvertising. The websites had not been loaded with the Angler exploit kit; instead, the attacks were taking place via third-party adverts that were being served on the sites.

The sites contain ad blocks which were used to serve advertisements via the Taggify network – a legitimate advertising network. However, a rogue advertiser had got around the controls put in place by Taggify and malicious adverts were being served.

The attackers hosted the malicious ad components – images and JavaScript – on their own servers. The malicious adverts were then served to unsuspecting website visitors. However, the rogue advertiser was also serving legitimate ads, and these were displayed to web crawlers and scanners to avoid detection. Other users were served an advert that redirected them to the Angler exploit kit. If those visitors had browsers with out of date plugins, they would be infected with whatever payload the attackers chose to deliver.

Reduce Risk of Attack with a Web Filtering Solution

These three recent cases are just the tip of the iceberg. Criminals are hijacking all manner of websites and using them to host exploit kits. Legitimate websites serving third party adverts are also being targeted with malvertising.

Enforcing AUPs with a web filtering solution can help to prevent end users from visiting websites that have been compromised with malware. A web filter – such as WebTitan – can also be used to block third party advertisements from being displayed.

Unfortunately for enterprises, it is not possible to install patches as soon as they are released. Many patches require reboots, and that is not practical. The number of patches being released to plug security holes is considerable, and it takes time to patch all devices that connect to a network. Good patch management policies can reduce the likelihood of a successful attack, but they cannot prevent all attacks from taking place. If a web filtering solution is used that can block malvertising and websites known to contain malware, end users and networks will be better protected.

Do You Block File Sharing Websites to Stop Your Employees Infecting Your Network?

There are some very good reasons why you should block file sharing websites. These websites are primarily used to share pirated software, music, films, and TV shows. It would be unlikely for the owner of the copyright to take action against an employer for failing to prevent the illegal sharing of copyrighted material, but this is an unnecessary legal risk.

However, the main risk from using these websites comes from malware. Research conducted by IDC in 2013 showed that out of 533 tests of websites and peer-to-peer file sharing networks, the downloading of pirated software resulted in spyware and tracking cookies being downloaded to users’ computers 78% of the time. More worryingly, Trojans were downloaded with pirated software 36% of the time.

A survey conducted on IT managers and CIOs at the time indicated that malware was installed 15% of the time with the software. IDC determined that overall there was a one in three chance of infecting a machine with malware by using pirated software.

Even visiting torrent sites can be harmful. This week Malwarebytes reported that visitors to The Pirate Bay were served malicious adverts. An advertiser used a pop-under to silently redirect users to a malicious site containing the Magnitude exploit kit, which was used to download Cerber ransomware onto users’ devices.

A study conducted by UC San Diego involved testing pirated software downloads using VirusTotal. VirusTotal checks files against the databases of 47 different anti-virus engines. The research team determined that 50% of pirated files were infected with malware.

Dealing with malware from pirated software was determined to take around 1.5 billion hours per year. For businesses the cost can be considerable. IDC calculated the cost to enterprises to be around $114 billion in 2013 alone. And that was just for the clean-up. The cost of data breaches caused by illegal software installations was estimated to be in the order of $350 billion.

Time to Block File Sharing Websites?

Organizations can monitor devices and check for unauthorized software installations on individual devices; however, by the time a software installation has been discovered, malware is likely to already have been installed. A recent report by Verizon suggests that on average, hackers are able to exfiltrate data within 28 minutes of gaining access to a system.

One of the easiest ways to manage risk is to block file sharing websites such as P2P and torrent sites. A web filter can be easily configured to block file sharing websites and prevent them from being accessed. Many web filters can also be configured to block specific file types from being downloaded, such as keygens and other executables.

By blocking file sharing websites organizations can ensure that copyright-violating activities are prevented and malware risk is effectively managed. Furthermore, web filters can be used to block web-borne threats such as phishing websites, compromised webpages, spam and botnets, adware, malware, ransomware, and anonymizers.
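The policy described in this section and in the earlier malvertising section (block file sharing and ad-serving categories, and refuse risky file types regardless of site) can be expressed as a small request evaluator. The code below is an added example, not WebTitan's code or any vendor's; the category database, the blocked extension list and the sample URLs are constructed for illustration, and a real filter would consult a maintained categorisation feed. It goes slightly beyond the text by also catching extensions hidden in query parameters and by letting subdomains inherit their parent domain's category.

```python
"""Minimal web-filter policy evaluator (added example, not vendor code).

CATEGORY_DB, BLOCKED_* and every URL used here are constructed for
illustration; a production filter would use a maintained category feed.
"""
import posixpath
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed category database: registrable or sub-domain -> category.
CATEGORY_DB = {
    "torrents.example": "file-sharing",
    "p2p-tracker.example": "file-sharing",
    "ads.example": "advertising",
    "compromised-toys.example": "malware",
    "news.example": "news",
}

# Categories the AUP forbids outright, including third-party ad networks.
BLOCKED_CATEGORIES = {"file-sharing", "advertising", "malware", "phishing"}

# Executable and installer types refused for download from any site.
BLOCKED_EXTENSIONS = {".exe", ".msi", ".scr", ".bat", ".cmd", ".js",
                      ".jar", ".vbs", ".ps1"}


def categorize(host):
    """Look up the host, then each parent domain, so that
    cdn.torrents.example inherits the category of torrents.example."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        category = CATEGORY_DB.get(".".join(labels[i:]))
        if category:
            return category
    return "uncategorised"


def risky_extensions(url):
    """Return blocked extensions found in the path or in any query value,
    so 'download.php?file=setup.exe' is caught as well as '/setup.exe'."""
    parts = urlsplit(url)
    candidates = [unquote(parts.path)]
    for values in parse_qs(parts.query, keep_blank_values=True).values():
        candidates.extend(unquote(v) for v in values)
    found = set()
    for candidate in candidates:
        ext = posixpath.splitext(candidate.rstrip("/"))[1].lower()
        if ext in BLOCKED_EXTENSIONS:
            found.add(ext)
    return found


def evaluate(url):
    """Return (allowed, reason) for one outbound request.

    Category is checked before file type, so a blocked site is refused
    even when the requested object looks harmless."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, "malformed-or-unsupported-url"
    category = categorize(parts.hostname)
    if category in BLOCKED_CATEGORIES:
        return False, f"category:{category}"
    exts = risky_extensions(url)
    if exts:
        return False, "filetype:" + ",".join(sorted(exts))
    return True, f"category:{category}"


if __name__ == "__main__":
    for sample in ("https://cdn.torrents.example/latest",
                   "https://news.example/story",
                   "https://news.example/download.php?file=setup.exe",
                   "https://ads.example/banner.js"):
        print(sample, evaluate(sample))
```

The decision reason is returned alongside the verdict so that the filter's log can explain every block, which is what an administrator needs when an employee reports a legitimate site as blocked.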

The failure to block file sharing websites could turn out to be costly. It is far better to block potentially dangerous websites and online activities than to have to cover the cost of removing malware infections and dealing with data breaches.

How to Address the Risk of Insider Data Breaches

Organizations are investing in technology to ensure that perimeter defenses are not breached; however, it is also important to address the risk of insider data breaches. According to a recent report from Forrester, internal incidents were responsible for more than half of data breaches suffered by firms. Cybercriminals have stepped up their efforts and are attacking organizations with increased vigor, but the report suggests more than half of data breaches are caused by employee errors, oversights, and negligence.

Employees are under increasing pressure to get more work completed in less time. This can easily lead to errors being made or shortcuts being taken. Employees may be security minded most of the time, but it is all too easy for sloppy data security practices to creep in. Even with the most robust perimeter security defenses in place, simple mistakes can lead to disaster.

Email Borne Attacks Are Still A Major Risk

During the past 12 months the volume of spam email has fallen considerably. This is partly due to law enforcement taking down major botnets and the increasing use of efficient spam filters. Even with the reduced volume, the threat from spam email is considerable. The Forrester report indicates spam email volume has dropped from almost 89% of all emails in 2014 to 68% of emails in 2015. However, over 91% of all spam emails contain a malicious link and 2.34% contain malicious email attachments.

Cybersecurity awareness training has helped to mitigate the risk of insider breaches to some degree, but breaches are still occurring. Most employees now know not to open email attachments from people they do not know, but what about attachments from people they do know?

There has been an increase in business email compromise attacks in recent months. These attacks involve the sending of spam and phishing emails from within an organization. These emails are more likely to result in malicious email attachments being opened and links being clicked than emails from strangers. All emails should be treated as suspicious and should be carefully checked, not only those from outside an organization.

Employees are aware never to run an executable file that has been sent via email and to be wary of opening zip files from strangers. The Forrester report suggests that attackers are increasingly using standard office files to infect their targets. Microsoft Office files are used in 44.7% of attacks.

Employees who install unauthorized software are also placing their companies at risk. The use of shadow IT is behind many data breaches. Cybercriminals are exploiting vulnerabilities in the software installed by end users. Many of these programs contain serious vulnerabilities.

How to Address the Risk of Insider Data Breaches

Tackling the threat from within is more complicated than securing the perimeter, as it is far harder to prevent employees from making simple mistakes. Organizations must take steps to reduce the likelihood of mistakes being made, while also ensuring that when employees do make data security mistakes, those mistakes do not prove catastrophic.

Some of the ways organizations can address the risk of insider data breaches include:

  • Conducting background checks before hiring new staff
  • Ensuring access to systems is terminated before staff are
  • Limiting network privileges
  • Blocking the copying of critical data onto portable devices
  • Providing all new staff with data security training
  • Regularly conducting refresher training sessions
  • Conducting quarterly cybersecurity fire drills to ensure training is not forgotten
  • Sending regular email bulletins to keep cybersecurity awareness training fresh in the mind
  • Sending dummy phishing emails to staff to test the effectiveness of training
  • Scanning for shadow IT installed on user devices
  • Ensuring bank transfer requests are checked by two individuals before being authorized
  • Using a web filtering service to block phishing websites and limiting access to potentially risky websites
  • Configuring a web filter to block the downloading of risky file types

It may not be possible to eliminate the risk of insider data breaches, but it is possible to effectively mitigate risk.

Samas Ransomware Used In Targeted Attacks on U.S. Businesses

2015 may have been the year of the healthcare data breach, but 2016 is fast becoming the year of ransomware with new strains such as Samas ransomware appearing at an alarming rate. Recently the Federal Bureau of Investigation reached out to U.S. businesses, seeking help to deal with the latest Samas ransomware threat.

Samas Ransomware Being Used to Encrypt Networks

Samas ransomware – also known as Samsa, Samsam, and MSIL – is different from many strains of ransomware that were used by cybercriminals last year. The new ransomware strain is being used to attack businesses rather than consumers. Last year, criminals were sending out ransomware randomly via spam email.

Ransom demands of 0.5-1 Bitcoin were the norm, with consumers often willing to pay to recover their files, accounts, photographs, and other important data. However, businesses hold far more valuable data. If criminals are able to infect enterprise computers and encrypt important business files, higher ransom demands can be sent. In many cases those demands have been paid.

In order to obtain large ransoms, cybercriminals need to infect networks rather than single computers. If an end user downloads ransomware onto their computer, and that ransomware has the capability to spread laterally and infect other systems, enterprises are more likely to pay to unlock the encryption. Even when viable backups exist, the complexity of some of the ransomware now being used makes paying the ransom an easier and lower cost option. Since some ransomware is capable of deleting backup files, the restoration of data may simply not be an option. Samas ransomware has been reported to delete Volume Shadow Copy Service (VSS) data.

Access to Systems is Gained by Cybercriminals Weeks Before Samas Ransomware is Deployed

The mode of action of Samas ransomware is different from other families of malicious file-encrypting software such as Locky, CryptoWall, and Cryptolocker.

Attackers are exploiting a vulnerability in the JBoss enterprise application platform to compromise an external web server, using a publicly available JBoss testing tool called JexBoss. Once access to a server has been gained, attackers mask communications using a Python-based SOCKS proxy. A variety of software tools are then used to harvest login credentials, which in turn are used to compromise other systems and devices within the organization’s infrastructure. Several different tactics are then used to deploy Samas ransomware on numerous machines.

Several analyses of infected systems were conducted by Dell SecureWorks, which revealed attackers had compromised systems several weeks or months before the ransomware was actually deployed. Had the system compromise been detected earlier, the ransomware infections could have been avoided. Unfortunately, the initial compromise is difficult to detect, and anti-virus products are slow to detect new threats such as Samas ransomware.
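The weeks between the initial server compromise and the ransomware deployment are the window in which this chain can be caught. As an added example (not code from the original post, from Dell SecureWorks or from any vendor), the rules below run over constructed process-creation events in a Sysmon-like JSON shape and flag two things the chain above produces: an application server process (Java, as JBoss would be) spawning a shell or a scripting interpreter, and deletion of Volume Shadow Copies via the built-in Windows tools. Host names, user names, paths and command lines in the sample are constructed, and the field names are an assumption about how the collector labels its events.

```python
"""Two process-creation detection rules for the intrusion chain described
above. Added example; SAMPLE_EVENTS is constructed, not a real log, and the
field names (host, user, parent_image, image, command_line) are assumed."""
import json
import re

# Constructed sample events, one JSON object per line, as a collector
# such as Sysmon (Event ID 1) would emit after normalisation.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"host": "web01", "user": "NT AUTHORITY\\NETWORK SERVICE",
     "parent_image": "C:\\jboss\\jdk\\bin\\java.exe",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "cmd.exe /c dir C:\\"},
    {"host": "web01", "user": "NT AUTHORITY\\NETWORK SERVICE",
     "parent_image": "C:\\jboss\\jdk\\bin\\java.exe",
     "image": "C:\\Python27\\python.exe",
     "command_line": "python.exe C:\\Windows\\Temp\\proxy.py"},
    {"host": "fs02", "user": "CORP\\svc_backup",
     "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "command_line": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "fs02", "user": "CORP\\svc_backup",
     "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "command_line": "vssadmin.exe list shadows"},
    {"host": "ws17", "user": "CORP\\jdoe",
     "parent_image": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe",
     "command_line": "notepad.exe notes.txt"},
])

# Processes that an application server has no business launching.
APP_SERVER_IMAGES = {"java.exe", "javaw.exe", "java"}
SHELLS_AND_INTERPRETERS = {"cmd.exe", "powershell.exe", "python.exe",
                           "pythonw.exe", "wscript.exe", "cscript.exe",
                           "sh", "bash"}

# Built-in tools and verbs used to remove shadow copies and backup catalogs.
BACKUP_TOOLS = {"vssadmin.exe", "wmic.exe", "wbadmin.exe"}
SHADOW_DELETE = re.compile(r"delete\s+shadows|shadowcopy\s+delete|delete\s+catalog",
                           re.IGNORECASE)


def image_name(path):
    """Lower-cased basename of a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


def rule_appserver_spawned_shell(event):
    """Java (JBoss) spawning cmd/powershell/python is a strong sign that
    the web application has been used to run attacker-chosen commands."""
    return (image_name(event["parent_image"]) in APP_SERVER_IMAGES
            and image_name(event["image"]) in SHELLS_AND_INTERPRETERS)


def rule_shadow_copy_tampering(event):
    """Listing shadows is routine; deleting them is not, and typically
    precedes encryption so that restoration is not an option."""
    return (image_name(event["image"]) in BACKUP_TOOLS
            and bool(SHADOW_DELETE.search(event["command_line"])))


RULES = {
    "appserver_spawned_shell": rule_appserver_spawned_shell,
    "shadow_copy_tampering": rule_shadow_copy_tampering,
}


def parse_events(text):
    """Parse JSON-lines input, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events):
    """Return one alert dict per (event, rule) match, in event order."""
    alerts = []
    for event in events:
        for name, rule in RULES.items():
            if rule(event):
                alerts.append({"rule": name, "host": event["host"],
                               "user": event["user"],
                               "command_line": event["command_line"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The first rule fires at the very start of the chain, when the only thing on the box is a web shell and a proxy, which is the point at which the compromise is cheap to contain; the second fires shortly before encryption and should be treated as an emergency. Backup software that legitimately manages shadow copies will need an exclusion on its own service account and binary path.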

Bitcoin Ransomware Kits Are Being Sold for As Little as $100 on the Darknet

The FBI issued warnings last year over the rise in popularity of Bitcoin ransomware, and a few days ago the law enforcement agency reached out to companies requesting assistance to help it tackle the threat from the latest ransomware variants, just days before the malicious software was used on MedStar Health System.

Over the last few weeks a number of healthcare institutions have reported being attacked with ransomware, and there is no telling how many companies have had corporate and customer data encrypted by attackers. Many do not like to advertise the fact they have been attacked.

While attacks on individuals only result in relatively small ransoms being paid, the same cannot be said for companies. Ransom demands of tens of thousands of dollars are issued, and many companies feel they have little alternative but to pay the ransom demand in order to recover their data.

Unfortunately for enterprises, the threat from Bitcoin ransomware is unlikely to go away any time soon. More cybercriminals are getting in on the act and attacks will continue as long as they prove to be profitable. The bad news is Bitcoin ransomware is very effective. Worse still, attacks require little technical skill and cost very little to pull off.

Bitcoin Ransomware Kits Mean Little Skill is Required to Pull Off a Successful Attack

According to a report in the Italian newspaper La Stampa, the cost of conducting a ransomware attack can be shockingly low and requires little in the way of skill. One reporter at the newspaper set out to discover just how easy it is to buy ransomware and conduct an attack. After visiting underground forums on the darknet, the researcher found a board where ransomware-as-a-service was being offered.

One poster on a Russian forum was not only offering ransomware for sale, but made it exceptionally easy for would-be cybercriminals to conduct campaigns. The purchaser would be supplied with the ransomware, distribution tools to send out the malicious file-encrypting software via email and advertising networks, and this Bitcoin ransomware service could be bought for as little as $100.

According to the article, the purchaser would be allowed to keep 85% of the ransoms that were collected, with the remaining 15% going to the seller of the service. There appears to be no shortage of takers. The hacker behind this campaign allegedly has between 300 and 400 active customers. This is only one seller. There are many more offering such a service. The campaigns may not be particularly sophisticated, but the reality is that they don’t actually need to be.

Some sellers even offer Bitcoin ransomware kits where purchasers only need to enter in their Bitcoin address for the payment of the ransom, the amount they wish to charge their victims for the security keys, and they can download everything they need, including instructions on how to run the campaign. These services are not being sold for big bucks. The sellers know they can earn considerable sums by taking a cut of the ransoms that are paid.

The standard rates being charged by attackers to supply security keys for single computer infections are between 0.5 and 1 Bitcoin – approximately $200-$425. All that is required for an attacker to make a profit is one or two victims to install the Bitcoin ransomware and pay for a security key. According to data released by Tripwire, half of American ransomware victims have ended up paying the ransom demand to recover their data.

Until law enforcement efforts to track down attackers and shut down underground forums improve, and victims stop paying ransoms, the attacks are likely to continue to increase.

What businesses need to do is to make sure they are better protected to prevent Bitcoin ransomware from being installed and to ensure they have viable backups in case ransomware does get installed on their networks.

Many MSPs are Missing a Secret Ingredient to Boost Profits!

There are a number of ways for managed service providers to increase cash flow and boost profits. Efficiency can be improved, staff productivity can be increased, better margins achieved, and new in-house products could be developed. Unfortunately, all of these are easier said than done.

The main ways to increase profits by a significant amount are to attract new customers and to increase the amount each existing client is spending.

If only there was a secret ingredient that MSPs are missing that could help them win more business and get each client to spend more! The good news is that for many MSPs, there is such a product.

Any MSP that has yet to include a web filtering service into their product portfolio could be missing out on substantial profits.

Web Filtering – An Easy Way for MSPs to Increase Profits

Filtering the Internet is now essential for many enterprises. In certain industries it is mandatory for companies to filter the Internet. They need to ensure sensitive data are protected and risk is effectively managed. Networks must be protected from attacks by hackers, and with an increasing number of web-borne threats, Internet usage policies alone are not sufficient to keep organizations protected. Those policies need to be enforced, and a web filter is the natural choice.

In some industries, education for example, it is mandatory for the Internet to be filtered. Minors must be prevented from accessing obscene website content or other material that could be harmful. Even when it is not mandatory to filter the Internet it is often desirable. Hotels, restaurants, transport networks, airports, cafes, and coffee shops are choosing to implement controls to ensure all users enjoy a safe browsing experience.

In business, productivity losses from Internet abuse can be considerable. If every employee wasted an hour each day on personal Internet use, the losses to a medium-sized company would be substantial. Some studies suggest even more time is wasted by employees each day on non-work related Internet activities.

Failure to filter the Internet can prove costly in many ways. For example, the accessing of adult content in the workplace can lead to the development of a hostile working environment, which affects morale, productivity, and can cause all manner of HR headaches. The use of torrent sites and the downloading of pirated films, music, TV shows, and software can cause organizations legal headaches as well as placing pressure on bandwidth.

Many websites are unsafe and accessing those sites places organizations at a greater risk of a malware infection. A single compromised computer can cause an incredible amount of damage. The latest ransomware attack on MedStar Health is a good example. A computer virus was inadvertently downloaded which resulted in the shutdown of the health system’s email for its entire workforce, as well as its electronic medical record system.

Hollywood Presbyterian Medical Center was attacked with ransomware and had to pay $17,000 to obtain security keys to unlock its data. It is not only healthcare organizations that are having to deal with ransomware. U.S. police departments have been forced to pay attackers after their computers have been locked by file-encrypting software, and many organizations have fallen victim to ransomware, keyloggers, viruses, and other malicious software. These infections are a drain on productivity and take a considerable amount of time and resources to fix.

A web filtering solution can protect against web-borne threats, can be used to tackle productivity losses, and can prevent illegal or unsuitable website content from being accessed. Web filtering is now less of an option for many businesses and more of a requirement. MSPs offering such a service will find it is an easy sell and a great way to boost profits.

What to Look for in a Web Filtering Product

In order for a third-party product to be included in an MSP’s existing portfolio it should have a number of features. MSPs therefore need to find a web filtering product that:

  • Has generous margins
  • Is easy for sales teams to sell to clients
  • Has a low management overhead
  • Is easy to install
  • Appeals to a wide range of clients
  • Can be easily incorporated into existing product offerings
  • Can be easily incorporated into back-office systems

There is a product that ticks all of these boxes, and that is WebTitan Cloud.

WebTitan Cloud and WebTitan Cloud for WiFi – Ideal Web Filtering Solutions for MSPs

WebTitan Cloud is a 100% cloud-based DNS filtering solution that has been designed to be easy to implement, maintain, manage, and sell to clients. WebTitan Cloud is a no-brainer for many organizations, allowing thousands of dollars to be saved.

WebTitan Cloud can help organizations increase productivity of the workforce, improve security posture to prevent malware infections, and highly competitive pricing means considerable savings can be made by organizations looking to switch web filtering providers.

WebTitan can be implemented without any effect on Internet speed; there is no need for any additional hardware, and no software downloads are required. Our product is easy to use, and management is straightforward and not labor-intensive.

Key Features and Benefits of WebTitan Cloud that will Appeal to MSPs

WebTitan Cloud and WebTitan Cloud for WiFi have been developed to be appealing to MSPs and their clients. To make it as easy as possible for our web filtering solutions to be incorporated into existing client packages and allow MSPs to boost profits, we offer the following:

White labelling – Allows MSPs to add their own branding and color schemes.

Hosting choices – We can host on our servers, provide private cloud hosting, or you can run our solution within your own infrastructure.

Generous margins for MSPs and highly competitive pricing – An easy way to boost profits.

Usage-based Monthly billing – Makes WebTitan Cloud more affordable for clients.

Flexible pricing – Our product can easily be included in your pricing models.

Multi-tenanted solution – Advanced customer management features make it easy to add new clients.

API-Driven – Easy integration into back-end billing and reporting systems.

Highly scalable – Our web filtering solution is suitable for businesses of all sizes.

Excellent Support – Industry leading customer service and technical support. If you have a problem, it will be rapidly resolved.

To find out more about how easy it is to incorporate WebTitan Cloud into your existing portfolio and boost profits contact our sales team today.

Olympic Vision Keylogger Used to Access Business Email Accounts

Web-borne attacks on enterprises are increasing, although it is important not to forget to protect against email attacks, as shown by a recent campaign using the Olympic Vision keylogger.

Olympic Vision Keylogger Used in Recent Business Email Compromise Attacks

The attackers behind the latest campaign are using the Olympic Vision keylogger to gain access to business email accounts. Trend Micro discovered the latest campaign and was able to trace the attacks and link them to two Nigerian cybercriminals. Trend Micro determined that the current campaign has been conducted in 18 different countries including the United States.

Business email accounts contain a wealth of data which, in the wrong hands, could result in considerable damage being caused to an enterprise. However, it is not only data stored in the email accounts that hackers want to obtain. The cybercriminal gang behind the latest attacks have a different purpose. Attacks are being conducted to gain access to business email accounts in order to use them to send emails to accounts department employees instructing them to make bank transfers to the attackers’ accounts. Large transfers are often made following a business email compromise (BEC) attack.

If hackers can gain access to the email account of a senior executive, they can use that account to send messages to members of staff in the accounts or billing departments requesting transfers be made to their bank accounts. BEC is a highly effective attack strategy. If an email is sent from a CEO to the accounts department requesting an urgent transfer be made, many employees would not think twice before making the transfer as instructed.

This social engineering technique takes advantage of the fact that many employees would not question a direct request from a CEO or senior account executive. A transfer is made and the attacker receives the funds, withdraws the money, and closes the account. This often occurs before any red flags are raised, even when the transfer is for tens or hundreds of thousands of dollars.

Sophisticated Attacks Being Conducted Using Unsophisticated Malware

The Olympic Vision keylogger is not sophisticated malware. Once installed on a device it will steal information including the computer name, Windows product keys, keystrokes, network information, clipboard text, and data saved in browsers, messaging clients, FTP clients, and email clients. It is also capable of taking screenshots.

Those data are then encrypted and are sent via email, FTP, or other means to the attacker. The Olympic Vision keylogger is capable of displaying fake error messages, and can disable computer functions to evade detection – Task Manager for example can be blocked as can registry editing tools. The Olympic Vision keylogger is capable of terminating programs that may detect it, and uses anti-emulation to prevent it running in a sandbox.

With the information collected, attackers are not only able to gain access to business email accounts; they can search for other computers, study workflows, and gather intelligence. The intel is used to construct convincing emails and ensure they are sent to individuals in the accounts department authorized to make bank transfers.

The attacks can be incredibly lucrative. The FBI reported recently that BEC attacks have been used by cybercriminals to obtain around $800 million from businesses in the past year.

How to Protect Against BEC Attacks

There are a number of strategies that can be used to prevent BEC attacks from taking place. Software solutions can be used to prevent malware such as the Olympic Vision keylogger from being installed. SpamTitan spam filtering software can be used to block emails containing malicious attachments to prevent them from being sent to end users. If malicious emails are blocked, this places less reliance on end users not to open infected email attachments. SpamTitan can also block phishing emails, which are also used to gain access to login credentials via links to malicious websites.

Staff training is also essential. End users should receive basic security training and be advised of best practices to adopt to reduce risk. With software solutions and a culture of security awareness, the majority of attacks can be prevented.

However, it is also essential to introduce policies and procedures to prevent fraudulent bank transfers being made. A wise precaution is to introduce policies that require bank transfer requests to be authorized by a supervisor. This additional control can help to ensure fraudulent transfer requests are identified.

Any atypical request for a transfer from a senior account executive, especially those that require large sums to be transferred to accounts not previously used by the company, should be verified with the person who made the request prior to the transfer being made.

Enterprise Patch Management is Still Causing Confusion

Effective enterprise patch management policies can greatly improve security posture and prevent cyberattacks; however, many enterprise IT staff are confused about patch management.

A new survey conducted by Tripwire suggests that InfoSec staff often confuse patch management with vulnerability mitigation. The complexity of enterprise patch management also leaves many security professionals unsure about when patches should be applied and the impact of applying patches.

The Complexity of Enterprise Patch Management Causes Problems for Many IT Security Professionals

The Tripwire survey was conducted on 480 IT security professionals and asked questions about enterprise patch management policies at their organizations.

The results show that IT staff are struggling to ensure that all systems are maintained in a fully patched state. 67% of respondents said that at least some of the time, they are unsure about which patches need to be applied to certain systems.

The complexity of enterprise patch management is a problem. For instance, a patch may be issued to address Adobe Flash vulnerabilities, but it comes bundled with Google Chrome updates. It addresses Flash vulnerabilities in Chrome, where Adobe Flash is embedded, but does not address standalone installations or Flash vulnerabilities in other browsers. 86% of respondents said that issues such as this mean they find it difficult to understand the impact of a patch. It is all too easy for security vulnerabilities to remain after a patch has been applied.

Patches are released that address multiple security vulnerabilities, but they do not address those vulnerabilities across all systems. The application of a patch will not necessarily remediate a security vulnerability entirely. According to Tripwire, “The relationship between patches and vulnerabilities is far more complex than most people think.”

There is also considerable confusion between patches and software upgrades. When it comes to addressing security vulnerabilities, a patch may address some, an upgrade may address others, and there is often some overlap. Because of this, organizations struggle to ensure that all software is properly patched and fully up to date.

The survey revealed that half of enterprises do not know the difference between applying patches and remediating security vulnerabilities. 7% of respondents didn’t realize there was a difference between applying a patch and resolving a security vulnerability, while 43% said their staff had trouble understanding the difference.

Patches are now being issued regularly and many enterprises find it difficult to cope with the sheer number of patches being released. Before the survey was conducted, Tripwire expected only a small number of organizations to be experiencing “patch fatigue.” However, it is clear from the results of the survey that this is a widespread problem. 50% of respondents said that patches are now being released at an unmanageable rate.

Enterprise patch management may be one of the most basic security measures, but effective patch management is anything but simple.

How to Protect Networks from Ransomware

Ransomware is not new; however, cybercriminals have been using the malicious software with increased frequency in recent months as a sure fire way of generating income. It is now essential to protect networks from ransomware due to the increased risk of attack.

What Is Ransomware?

Ransomware can be considered to be rogue security software. It uses the same encryption that companies are advised to use to protect their data from cyberattackers. It encrypts files to prevent them from being used or accessed. Encrypted files can only be unlocked with a security key. Attackers lock data and demand a ransom to provide the security key. Without the key, the files will remain locked forever. It is therefore important for organizations to take steps to protect networks from ransomware. The threat of attack is increasing and failure to take proactive steps to reduce risk could prove costly.

Why are Ransomware Infections Increasing?

Malware can be used to record keystrokes and gain login credentials to access bank accounts, or to create botnets that can be sold as a service. Corporate secrets can be sold to the highest bidder, or Social Security numbers, names, and dates of birth stolen and sold on to identity thieves. However, attacks of this nature take time and effort. Ransomware on the other hand gives criminals the opportunity to make a quick buck. Several hundred of them in fact.

If a cybercriminal can infect a single machine with ransomware and lock that device, a ransom of between $300 and $500 can be demanded. The ransom must be paid using the virtually anonymous Bitcoin currency. Bitcoin can be bought, sold, traded, and spent without having to disclose any identifying information. Cybercriminals are able to demand ransoms with reasonable certainty that they will not be caught.

Ransomware-as-a-service is being offered on underground networks, meaning cybercriminals do not need to be skilled hackers or programmers. For a payment of between 5% and 20% of the profits and a nominal download fee, criminals are able to use the malware to generate a significant income.

Ransomware is lucrative. One of the most sophisticated strains of ransomware, CryptoWall, has been estimated to have netted its developers around $325 million in profit. Considerably more in fact, since the CyberThreat Alliance figures were calculated in 2015.

It is not difficult to see the attraction of ransomware. Because of the effectiveness of ransomware campaigns, we are only likely to see even more infections in 2016. In fact, this year there have been a number of ransomware infections reported by companies who have failed to protect networks from ransomware infections, leaving them little alternative but to pay to have their data unlocked. The victims include schools, healthcare providers, and even law enforcement departments. All organizations need to protect networks from ransomware or they may be left with little choice but to pay a ransom to unlock their files.

Who Is Being Targeted with Ransomware?

In the majority of cases, individuals and businesses are not actually targeted. Ransomware is sent out randomly via spam email. Oftentimes, millions of emails are sent in a single campaign. It is a numbers game and a percentage of emails will be opened, a smaller number of machines will be infected, and organizations that have failed to protect networks from ransomware are likely to have to pay the ransom.

However, businesses are also being targeted by attackers as the money that can be demanded to unlock devices – and networks – is much higher. A business may decide to pay several thousand dollars to recover critical data. Hackers and cybercriminals know this and are targeting organizations with spear phishing emails designed to get users to visit malicious websites that download ransomware. Spam emails are also sent with the malware disguised as invoices or even image files.

How Much Are Cybercriminals Asking to Unlock Encrypted Devices?

While single users receive $500 demands, the same cannot be said of businesses. Attackers can demand whatever fee they want. In February, Hollywood Presbyterian Hospital felt that paying a $17,000 ransom was the most logical solution considering the cost of data loss, downtime, and the restoration of its systems. The effort required and the cost of rectifying an infection could exceed the ransom cost by several orders of magnitude.

Horry County school district in South Carolina paid a ransom of $8,500 to decrypt 25 servers. The FBI investigated and told the school it had no alternative but to pay the ransom if it wanted to recover its data. In 2015, the Tewksbury, Mass., Police Department was also forced to pay up after it suffered a CryptoLocker attack. While data could be restored from a backup, the most recent file was corrupted and the only viable backup was more than 18 months old. In late February 2016, the Melrose, Mass., Police Department also paid a ransom to unlock files.

Is There an Alternative to Paying A Ransomware Ransom?

Depending on the type of ransomware used by cybercriminals in their attack, it may be possible to unlock data without paying a ransom. In some cases, data may not actually be locked at all. Users may just be fooled into thinking that it is.

Scareware is used to fool users into thinking they have been attacked with ransomware when in actual fact they have not. Paying the ransom will remove the scareware from the device, but since no files have been encrypted, the malware can be removed without paying the ransom, and many security tools can do this. In fact, that is often how the attackers make their money: by selling victims a security tool to remove their own infection.

Kovter ransomware is a little different. This malware locks a computer and displays a message that cannot be removed: a lock screen shown on boot, which prevents the user from using their device. It resides in the registry, but can be removed without paying a ransom. It has commonly been used as a police scam, claiming the user had visited websites displaying child pornography, even though in all likelihood they did not. It displays an FBI or police department warning and demands that a payment be made to avoid any further action.

However, ransomware that actually encrypts files is a different beast entirely. Encryption cannot be unlocked without a security key, although it may be possible to restore files from a backup or with a system restore. Provided of course that those files have not also been encrypted. Some ransomware encrypts the files needed to restore data from a backup, or the backup files themselves.

When files have been encrypted, even the FBI has advised individuals to pay the ransom. In 2015, Joseph Bonavolonta, FBI cybercrime chief in Boston, was quoted as saying, “To be honest, we often advise people just to pay the ransom.”

The FBI says that most ransomware attackers are true to their word and supply the keys. That is not necessarily the case though. The keys may not be supplied and the individual could receive a further demand. Some ransomware that has been tweaked has been broken, making it impossible to decrypt locked files. Paying the ransom in such cases would not allow data to be recovered. There is no guarantee that payment of a ransom will result in a working key being provided. It is therefore essential to implement a number of measures to protect networks from ransomware infections.

How to Protect Networks from Ransomware?

There are a number of strategies that can be adopted to protect networks from ransomware infections and to reduce the damage caused if security defenses are breached.

Perform Regular Backups

Performing daily and weekly backups is essential. This measure will not protect networks from ransomware, but it will reduce the damage caused if an infection occurs. Backups should ensure files can be recovered; however, backups cannot always be restored, as the Tewksbury Police Department discovered. It is essential that backups are not stored on portable devices that are left connected to computers. Ransomware can encrypt portable drives and can scan and lock files on networks, not just on individual devices.
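The Tewksbury case above is the failure mode backups most often have in practice: a backup exists but cannot actually be restored. The following is an added example, not code from the original article or from any product it mentions, of a backup routine that proves restorability by extracting the archive into a scratch directory and comparing it byte for byte with the source. It assumes a POSIX shell with tar, gzip, diff and mktemp available; the sample files written by demo_backup are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original article): back up a directory tree and then
# prove the backup can be restored. A backup that fails restore_test is treated as
# no backup at all, which is what the corrupted-backup case above amounts to.
# Assumes POSIX sh plus tar, gzip, diff and mktemp.

# backup_tree SRC ARCHIVE -> archive the directory SRC into ARCHIVE (gzip'd tar)
backup_tree() {
    src="$1"; archive="$2"
    tar -C "$(dirname "$src")" -czf "$archive" "$(basename "$src")"
}

# restore_test ARCHIVE SRC -> 0 only if ARCHIVE extracts cleanly and the restored
# tree is identical to SRC. A truncated or corrupted archive fails here, as does
# an archive that silently misses files.
restore_test() {
    archive="$1"; src="$2"
    scratch=$(mktemp -d) || return 1
    rc=1
    if tar -C "$scratch" -xzf "$archive" 2>/dev/null; then
        diff -r "$src" "$scratch/$(basename "$src")" >/dev/null 2>&1 && rc=0
    fi
    rm -rf "$scratch"
    return $rc
}

# demo_backup -> 0 if a good backup passes the restore test and a corrupted
# copy of the same backup fails it; 1 otherwise
demo_backup() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/data/sub"
    # constructed sample files standing in for business data
    printf 'ledger 2016-02\n' > "$work/data/ledger.txt"
    printf 'payroll\n' > "$work/data/sub/payroll.txt"
    backup_tree "$work/data" "$work/data.tgz" || { rm -rf "$work"; return 1; }
    restore_test "$work/data.tgz" "$work/data" || { rm -rf "$work"; return 1; }
    # simulate the corrupted-backup case: keep only the first 20 bytes of the archive
    head -c 20 "$work/data.tgz" > "$work/bad.tgz"
    if restore_test "$work/bad.tgz" "$work/data"; then rm -rf "$work"; return 1; fi
    rm -rf "$work"
    return 0
}
```

Run restore_test on a schedule, not just once after the backup job is set up, and run it from a host that holds the archive on storage the workstations cannot write to; a backup drive that stays mounted, as the paragraph above notes, is within reach of the same ransomware that encrypted the originals.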

Use a Spam Filter

Ransomware is often spread via spam email. One of the best ways to protect networks from ransomware is to prevent spam email from being delivered. Using a robust spam filtering solution will ensure the majority of malicious emails are caught and quarantined to prevent them from being opened by end users.

SpamTitan blocks 99.9% of spam emails, greatly reducing the likelihood of employees infecting their computers and corporate networks with ransomware.

Train Staff How to Identify Malicious Emails

Staff training is essential and a great way of helping to protect networks from ransomware. Emails are occasionally delivered to inboxes even with a robust spam filter in place. Employees must therefore be made aware of the risk and taught best security practices to avoid compromising their network or infecting their devices. Employees should be told never to open an email attachment that has been sent from someone they do not know. They should always check the email address of the sender carefully. Unfortunately, ransomware is not only spread via spam emails and web-borne attacks are more difficult to identify.
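One concrete check that sits behind both the spam-filter and the training advice above is screening attachment names before a message reaches an inbox. The block below is an added example, not code from the original article or from SpamTitan: it reads a raw email, pulls every attachment filename from the Content-Type and Content-Disposition headers, and flags names whose final extension is one commonly used to carry malware droppers, which also catches the "invoice" and "image" disguises such as Invoice.pdf.exe or photo.jpg.scr mentioned earlier. The extension list and the two sample messages are constructed for this example; the list is an assumption, not a list taken from the article.

```shell
#!/bin/sh
# Added example (not from the original article or SpamTitan): an attachment screen
# of the kind a mail filter applies before delivery. Assumes POSIX sh, grep -E and
# sed -E. RISKY_EXTENSIONS is this example's own assumed list.

RISKY_EXTENSIONS='exe scr js jse vbs vbe bat cmd com pif hta jar wsf wsh cpl'

# attachment_names MSGFILE -> one attachment filename per line, de-duplicated.
# Handles "filename=" and "name=" on the header line or on a continuation line.
attachment_names() {
    grep -iE '(^|;)[[:space:]]*(file)?name=' "$1" \
      | sed -E 's/.*[Nn][Aa][Mm][Ee]="?([^";]+)"?.*/\1/' \
      | sort -u
}

# risky_attachments MSGFILE -> prints each attachment whose last extension is in
# RISKY_EXTENSIONS (case-insensitive). Double extensions fall out naturally because
# only the final suffix is examined.
risky_attachments() {
    attachment_names "$1" | while IFS= read -r name; do
        case "$name" in *.*) ;; *) continue ;; esac
        ext=$(printf '%s' "${name##*.}" | tr 'A-Z' 'a-z')
        for r in $RISKY_EXTENSIONS; do
            [ "$ext" = "$r" ] && { printf '%s\n' "$name"; break; }
        done
    done
}

# is_risky MSGFILE -> 0 if at least one attachment was flagged, 1 otherwise
is_risky() { [ -n "$(risky_attachments "$1")" ]; }

# write_sample_message PATH -> constructed message with a disguised executable
write_sample_message() {
cat > "$1" <<'EOF'
From: "Accounts" <accounts@example.invalid>
To: finance@example.invalid
Subject: Invoice 4471
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset=utf-8

Please find the invoice attached.
--XYZ
Content-Type: application/octet-stream; name="Invoice_4471.pdf.exe"
Content-Disposition: attachment; filename="Invoice_4471.pdf.exe"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--XYZ
Content-Type: image/jpeg; name="photo.jpg"
Content-Disposition: attachment;
 filename="photo.jpg"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--XYZ--
EOF
}

# write_clean_message PATH -> constructed message with an ordinary PDF attachment
write_clean_message() {
cat > "$1" <<'EOF'
From: "Colleague" <colleague@example.invalid>
To: finance@example.invalid
Subject: Q1 report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="ABC"

--ABC
Content-Type: text/plain; charset=utf-8

Report attached.
--ABC
Content-Type: application/pdf; name="Q1_report.pdf"
Content-Disposition: attachment; filename="Q1_report.pdf"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--ABC--
EOF
}
```

Extension screening is a coarse first gate, not a verdict: a macro-bearing document or an archive with a script inside passes it, which is why the article pairs the filter with user training and a web filter rather than relying on any one control.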

Use WebTitan to Block Malicious Websites

Cybercriminals use malicious advertising, termed malvertising, to lure individuals onto malicious websites where drive-by ransomware downloads take place. These adverts are often placed on legitimate websites via third party advertising networks. Malicious links are also posted on social media networks. Phishing emails also contain links to malicious sites that download ransomware.

One of the best ways that businesses can reduce the risk of a web-borne attack and protect networks from ransomware infections is by limiting the websites that can be accessed via their Wi-Fi and hard-wired networks. Blocking websites known to contain malware, preventing the downloading of file types commonly associated with ransomware, and blocking third party adverts from being displayed can all greatly reduce risk. To do this, a web filter is required.

WebTitan Cloud for Wi-Fi and WebTitan Gateway can be used by businesses, schools, and operators of Wi-Fi networks to reduce the risk of a ransomware attack. WebTitan blocks users from engaging in risky online behaviors and visiting malicious websites. Regardless of the level of training provided to users of computer networks, it is not possible to eliminate risk entirely. Using a web filtering solution to protect networks from ransomware, along with staff training and a spam email filter can greatly improve security posture.

The cost of these protections for businesses, educational institutions, and healthcare organizations is likely to be far lower than the cost of paying a ransom.

Numerous Data Breaches Caused by Mobile Devices, Says New Report

A new report released by the Ponemon Institute suggests data breaches caused by mobile devices are not as rare as previously thought. Last year, Verizon released a data breach report suggesting that while mobile malware is increasing, it is not yet a major threat for attacks on organizations. Attacks are conducted, but they tend to target individuals.

Are Corporate Data Breaches Caused by Mobile Devices?

Verizon determined that only 1% of data breaches use mobile devices as an attack vector. The Ponemon report suggests the figure is far higher, with 67% of respondents claiming the use of mobile devices by employees was certain or likely to have resulted in a breach of sensitive corporate data.

The Ponemon study, which was commissioned by security firm Lookout, set out to cast some light on enterprise mobile security risk. 588 IT security professionals employed by Global 2000 companies in the United States were asked about the threat from mobile devices.

The report suggests there is a disconnect between IT departments and employees when it comes to the data that can be accessed using mobile devices. Many IT departments have implemented controls to limit data access via BYOD or corporate devices. However, employees still appear to be able to access corporate data nonetheless.

The study found significant discrepancies between the data IT departments said could be accessed, and the responses provided by employees. For instance, when both groups were asked about whether confidential or classified documents could be accessed, 33% of employees said access was possible compared to just 8% of IT security professionals. 19% of IT security professionals said mobile devices could not be used to access customer data, yet 43% of employees said the data were accessible via their mobiles.

IT departments must therefore implement better controls to ensure mobile devices cannot be used to access sensitive data, or employees must be trained on the potential risks from using their mobile devices. Policies would also need to be developed to dictate what mobile devices can and cannot be used for.

The Average Infected Mobile Device Costs Organizations $9,485

The report also looked into the cost of data breaches caused by mobile devices. The average infected device was estimated to cost an organization $9,485.

According to the report, mobile malware infections are a real concern. For any given company, many of the devices in use may already be infected with malware. The study suggested that “Of the 53,844 mobile devices in the average Global 2000 enterprise, 1,700 of those devices are infected by malware at any given time.”

When asked about the protections put in place to manage data access by employees, many companies had already implemented a number of safeguards to keep corporate data secure.

47% of organizations used whitelists and blacklists, 40% used mobile device management, while 45% used identity management. However, more than 4 out of 10 respondents said that none of those security measures were used by their organizations.

With the threat from mobile malware high, organizations need to devote more time and resources to mobile device security. Fortunately, this appears to be the case. The Ponemon report indicates that mobile security budgets are increasing and will represent 37% of the IT security budget next year, a considerable improvement on the current 16%.

Mousejacking: Wireless Mice and Keyboards Found to be a Security Risk

Security vulnerabilities in wireless devices can be exploited by hackers, but what about mousejacking wireless mice and hijacking wireless keyboards? According to a team of security researchers at Bastille, an IoT security start-up, the devices can be hijacked and used by hackers to steal data or compromise a network. Furthermore, in many cases the devices can be hijacked from up to 330 feet away. That’s far enough away for a hacker to be able to sit in his or her car outside a building and force a user to download malware. All a hacker is likely to need is about $15 of very readily accessible hardware say the researchers.

Mousejacking – A New Concern for Security Professionals

Bastille’s researchers looked at wireless mice and keyboards from major device manufacturers such as Logitech, Microsoft, Lenovo, HP, and Gigabyte. Since alerting the manufacturers to the risk of mousejacking and keyboard-jacking, some have released patches to address the vulnerabilities. For others, no patches have yet been developed, leaving the devices vulnerable to attack. The problem does not appear to affect Bluetooth devices, but all other mice and keyboards that use a wireless dongle are potentially vulnerable.

With basic hardware, including a software-defined radio, a hacker could scan for the frequencies used by wireless devices and identify targets. Once a target was identified, forged packets could be transmitted to the address of the target.

While traffic sent between a wireless keyboard or mouse and the device’s dongle is encrypted, the dongle can still accept unencrypted commands, provided those keystrokes or clicks appear to come from its accompanying wireless mouse or keyboard. The researchers were able to inject keystrokes by sending unencrypted packets via the dongle that pairs with its wireless device.

Mousejacking could potentially be used to download malware onto devices, although Bastille software engineer Marc Newlin has hypothesized that the flaw could be used by a hacker to set up a wireless hotspot on the device. That hotspot could then be used to exfiltrate data, even in the absence of a network connection. A command window could also be opened on the device and a network vulnerability introduced, or a rootkit could be installed.

Logitech has already issued a patch and Lenovo has addressed the vulnerability for all new devices, but its patch cannot be applied to existing devices and must be installed at the time of manufacture. Microsoft is looking into the reported vulnerability but a patch has not yet been issued. Some Dell devices can also be patched, but not all.

While a mousejacking attack would be complicated and difficult to pull off outside of a controlled environment, a skilled hacker in close proximity to a device could potentially conduct a mousejacking attack. Since mousejacking can be used up to 330 feet away from the device, that individual would not even need to be in the building.

Linux Mint Cyberattack: ISO Infected with Malware and Forum Accounts Stolen

A hacker has compromised the official Linux Mint website and has linked the official Linux Mint ISO to a modified version hosted on a server in Bulgaria. The modified ISO contains malware that will allow the hackers to take control of the machines on which Linux Mint is installed. The Linux Mint cyberattack has impacted all individuals who downloaded the ISO on 20th February.

The ISO included an IRC backdoor that will allow attackers access to all infected systems. The Linux Mint ISO hack was achieved by modifying a PHP script on the WordPress installation used on the site.

The Linux/Tsunami-A malware connects to an IRC server and can receive instructions from the hacker behind the attack. The machine on which the malware is installed could be used as part of a DDoS attack, or the machine could have further malware downloaded to it.

The backdoor had been installed in the 64-bit version of the Linux Mint 17.3 Cinnamon edition. While the 32-bit version does not appear to show any sign of an infection, the hacker responsible appears to have been attempting to install a backdoor in that ISO as well, as that file was also stored on the attacker’s server. The hacker responsible was reportedly trying to construct a botnet, although Linux Mint project leader Clement Lefebvre has said that the intentions of the hacker are not fully understood.

The names of three individuals who are believed to be involved in the Linux Mint cyberattack have been obtained by Lefebvre’s team. They are associated with the website on which the modified ISO was hosted, although it is not clear at this stage whether an investigation into those individuals will be launched. That will depend on whether any further action is taken by the hacker, according to a blog post by Lefebvre.

Linux Mint Cyberattack Compromised 71,000 User Accounts

In addition to linking to a modified version of the ISO file, the forum database on the Linux Mint website has also been compromised. The account details of all 71,000 individuals registered on the forum have been exposed. That database has been listed for sale for a reported 0.197 Bitcoin according to ZDNet.

Fortunately, the Linux Mint cyberattack was discovered quickly and action taken to prevent further malicious copies of the ISO being downloaded. The Linux Mint website has been taken offline while the issue is fixed.

All individuals who downloaded the ISO from the official website have been advised to check whether their copy has been tampered with. This can be determined by checking the ISO’s MD5 checksum: run “md5sum yourfile.iso”, using the name of the downloaded ISO, and compare the result against the valid checksums posted on the Linux Mint website.
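The manual “md5sum yourfile.iso” check above is easy to get wrong by eye across a 32-character hash, so here is an added example, not code from the original article or from the Linux Mint project, that automates it: it looks up the entry for the downloaded file in a checksum list in the format md5sum itself produces (hash, whitespace, filename), computes the file’s hash, and reports a match, a mismatch, or a missing entry with distinct exit codes. The checksum list and ISO used in the test are constructed; the script assumes a POSIX shell with md5sum and awk.

```shell
#!/bin/sh
# Added example (not from the original article or the Linux Mint project): verify a
# downloaded ISO against a published checksum list. Assumes the list uses the text
# format "md5sum" produces, one entry per line:
#   <32 hex digits>  <filename>      (or "*<filename>" for binary-mode entries)
# and that the list was obtained from a source trusted independently of the
# download itself.

# expected_md5 LISTFILE FILENAME -> prints the recorded hash for FILENAME;
# exit 1 if the list has no entry for it
expected_md5() {
    awk -v f="$2" '
        $2 == f || $2 == ("*" f) { print $1; found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# actual_md5 FILE -> prints the MD5 of FILE as computed locally
actual_md5() { md5sum "$1" | awk '{ print $1 }'; }

# verify_iso LISTFILE ISOFILE -> 0 if the hashes match, 1 on mismatch,
# 2 if the list has no entry for this filename
verify_iso() {
    list="$1"; iso="$2"; name=$(basename "$iso")
    want=$(expected_md5 "$list" "$name") || {
        echo "no entry for $name in $list" >&2
        return 2
    }
    have=$(actual_md5 "$iso")
    if [ "$want" = "$have" ]; then
        echo "OK: $name matches the published checksum"
        return 0
    fi
    echo "MISMATCH: $name (expected $want, got $have)" >&2
    return 1
}
```

The check is only as trustworthy as the list it compares against. In this incident the website itself was compromised, so a checksum copied from the same compromised page could have been altered to match the backdoored ISO; take the list from a source the attacker could not edit, and prefer a signed checksum list verified against the project’s signing key over an unsigned MD5 list where one is published.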

All individuals who have an account on forums.linuxmint.com have had their username, email address, private messages, and encrypted copies of their password exposed. Users have been advised to change their passwords immediately.

7-Year Critical Glibc Security Vulnerability Discovered

A Google engineer has accidentally discovered a critical glibc security vulnerability that has existed since 2008. After committing several hours to hacking the vulnerability, Google engineers managed to come up with a fully working exploit that could be used to remotely control Linux devices. The glibc security vulnerability has been compared to the Shellshock security vulnerability uncovered in 2014 due to the sheer number of hardware devices and apps that could potentially be affected.

The security vulnerability came as a surprise to Google engineers who were investigating an error in an SSH application which caused a segmentation fault when trying to access a specific web address. It was only after a detailed investigation that they discovered the fault lay with glibc.

Maintainers of glibc were contacted and alerted to the security vulnerability, but as it turns out they were already aware of the issue. It had been reported in July 2015 but had not been rated as a priority. That said, when Google contacted Red Hat, they confirmed they too had discovered the flaw and were working on a patch.

Linux Devices at Risk from Critical Glibc Security Vulnerability

While Windows, OS X, and Android devices are unaffected by the glibc security vulnerability, hundreds of thousands of hardware devices could potentially be affected. The security flaw affects most distributions of Linux and thousands of applications that use GNU C Library source code. All versions of glibc above 2.9 are affected.

The code is used in Linux distributions for a wide range of hardware, including routers. The vulnerability is a buffer overflow bug in getaddrinfo(), a function that performs domain name lookups.

If hackers managed to replicate Google’s exploit they would be able to take advantage of the vulnerability and remotely execute malicious code. The security vulnerability could be exploited when unpatched devices make queries to domain names or domain name servers controlled by attackers.

Google engineers have been working with Red Hat to develop a patch to address the vulnerability, and by combining knowledge of the vulnerability they have been able to develop a fix for the flaw, and a patch has now been released. It is essential that the patch is applied as soon as possible to ensure that the vulnerability cannot be exploited.

Updating to the latest version of glibc may be a fairly straightforward process. Linux servers can be patched by downloading the update, although things may not be quite so straightforward for some applications, which will need to be recompiled with the new library code. This could potentially result in a number of devices remaining vulnerable for some time.
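A first step in the patching work described above is finding out which glibc each host is running. The block below is an added example, not code from the original article, from Google or from Red Hat: it reads the running glibc version, compares it with the affected range the article gives (2.9 onward; the check treats 2.9 itself as in range, a conservative choice on my part) and with a minimum patched version you supply. That patched-version argument is a placeholder: the article does not name the fixed release, so take it from your distribution’s advisory. It assumes a POSIX shell, getconf, and a sort that understands -V (GNU coreutils or busybox).

```shell
#!/bin/sh
# Added example (not from the original article, Google or Red Hat): classify a
# host's glibc version against the affected range given in the article and a
# vendor-supplied minimum patched version. MIN_PATCHED is a placeholder to be
# filled from your distribution's advisory.

# version_ge A B -> 0 if dotted version string A is greater than or equal to B
# (sort -V orders 2.9 before 2.22, which plain string comparison would not)
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# installed_glibc_version -> prints e.g. 2.31, parsed from getconf's "glibc 2.31"
installed_glibc_version() {
    getconf GNU_LIBC_VERSION 2>/dev/null | awk '{ print $2 }'
}

# glibc_status VERSION MIN_PATCHED -> prints one of:
#   patched     VERSION is at or above the vendor's first fixed release
#   vulnerable  VERSION is 2.9 or later but below the fixed release
#   unaffected  VERSION predates the affected range
glibc_status() {
    ver="$1"; fixed="$2"
    if version_ge "$ver" "$fixed"; then
        echo patched
    elif version_ge "$ver" "2.9"; then
        echo vulnerable
    else
        echo unaffected
    fi
}

# check_host MIN_PATCHED -> runs the classification against this host's glibc;
# exit 2 if the version cannot be determined
# usage (after sourcing this file): check_host <version from your vendor advisory>
check_host() {
    v=$(installed_glibc_version)
    [ -n "$v" ] || { echo "could not determine glibc version" >&2; return 2; }
    echo "glibc $v: $(glibc_status "$v" "$1")"
}
```

Two caveats a practitioner should keep in mind when reading the result. Enterprise distributions commonly backport the fix into a package that keeps the old upstream version number, so a "vulnerable" result from a version comparison must be confirmed against the package changelog (for example "rpm -q --changelog glibc" on RPM-based systems) before raising an alarm. In the other direction, a "patched" result only covers processes started after the update: long-running services still hold the old library in memory until restarted, and, as the paragraph above notes, statically linked or bundled copies of the library need a rebuild.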

Now that the vulnerability has been announced, hackers will be attempting to develop an exploit. Google has published a proof of concept, although obviously not full details of its weaponized exploit. The exploit is apparently not straightforward, which should buy Linux administrators a little time and allow them to check systems and ensure that affected hardware devices are patched.

Securing Wi-Fi Hotspots Can Give Your Company A Big Competitive Advantage

One of the main priorities for IT professionals in 2016 is securing Wi-Fi hotspots. The use of unsecured public Wi-Fi is notoriously risky. Cybercriminals spy on the activity taking place at WiFi hotspots, and it is at these Internet access points that many man-in-the-middle attacks take place.

The Dangers of Unsecured WiFi

Preventing employees from using personally owned and work devices on unsecured Wi-Fi networks is a major challenge, but one that must be met in order to keep work networks free from malware.

When employees use smartphones, tablets, and laptops to connect to unsecured Wi-Fi networks, there is a high risk that those devices may be compromised. Hotspots are frequently used to deliver malware to unsuspecting website visitors, and malicious software can subsequently be transferred to work networks. With personally owned devices increasingly used for private and work purposes, the risk of a work network malware infection is particularly high.

The risks associated with unsecured Internet access points are well known, yet people still tend to engage in risky behavior when accessing the Internet via these wireless networks. In a rush to take advantage of free Internet access, basic security best practices are all too often ignored. Devices are allowed to connect to Wi-Fi hotspots automatically and Wi-Fi hotspots are not checked to find out if they are genuine or have been spoofed.

Security Professionals Concerned About Employees’ Use of Unsecured WiFi Networks

A recent survey conducted by the Cloud Security Alliance indicates security professionals are very concerned about the use of unsecured WiFi networks. The Cloud Security Alliance is a collective of security professionals, businesses, and privacy and security organizations that are committed to raising awareness of cybersecurity best practices.

The organization recently conducted a survey and asked 210 security professionals their opinions on the top threats to mobile computing in 2016. 2010 member organizations were polled and more than 8 out of 10 respondents (81%) said that the threat from unsecured WiFi access points was very real, and was one of the biggest mobile security risks in 2016.

The Importance of Securing WiFi Hotspots

Many organizations that operate a network of Wi-Fi hotspots have yet to implement security measures to keep users of those networks secure. Those Wi-Fi access points are made available to customers in bars, restaurants, hotels, airport lounges, sporting venues, and on public transport such as buses and trains.

Guests are allowed to connect to those networks, yet little is done to police the activity that takes place over the network. Consequently, the door is left open for cybercriminals to conduct attacks.

Failing to provide even a basic level of security is a big mistake. If patrons suffer malware infections, data loss, identity theft, or other forms of fraud as a result of accessing the internet at a particular location, they are likely never to return.

With IT professionals now educating their staff members about the dangers of using unsecured WiFi access points, businesses that offer secure WiFi access are likely to attract far greater numbers of customers than those that do not.

There is a cost associated with securing WiFi hotspots of course. However, what must be considered is the amount of business that will be lost as a result of not securing WiFi hotspots. The cost of implementing security measures is likely to be much lower in the long run.

Securing WiFi Hotspots with WebTitan Cloud for WiFi

A business offering customers wireless Internet access used to have to purchase additional hardware or software in order to secure WiFi access points. Not only was there a cost associated with adding a security solution, implementing that solution was a complex task that required skilled staff and many man-hours.

Providing a secure browsing environment for customers would mean getting them to download software to the device used to access the Internet. That is hardly a practical solution for a bar or restaurant where quick and easy access to the internet is required by customers.

WebTitan offers a much easier solution that makes securing WiFi hotspots a quick and easy task. Since WebTitan Cloud for WiFi is a 100% cloud-based security solution, it requires no additional hardware and no software installations. Any user can connect to a WiFi network and benefit from a secure browsing environment, regardless of the device they use to connect.

Setting up a WiFi web filtering security solution is also fast and painless, and doesn’t require much in the way of technical expertise. Simply change the DNS settings and point them to WebTitan, and a secure browsing environment will be available to customers in a matter of minutes.

Websites known to contain malware can be easily blocked, users can be prevented from downloading file types frequently associated with malware, and web content can be filtered to stop users from engaging in questionable internet activity such as viewing pornography. Securing WiFi hotspots couldn’t be any easier.

If you are interested in securing WiFi hotspots run by your company, contact WebTitan today to find out just how easy and cost effective it can be to offer your clients a secure browsing environment.


US Sales +1 813 304 2544

UK/EU Sales +44 203 808 5467

IRL +353 91 54 55 00

or email us at info@webtitan.com

Explosion in Malware Makes Web Filters for WiFi Networks Essential

Organizations running WiFi networks are facing attacks from all angles. Many companies are choosing to implement web filters for WiFi networks to help mitigate risk from the growing number of malware variants that are being used to attack businesses via their WiFi networks.

A new report issued by Bilbao-based antivirus software developer Panda Security has revealed the extent of the problem. Last year, over 84 million new malware samples were identified, which equates to 27% of all malware previously identified.

The proliferation of malware has been attributed, in part, to the rise in use of antivirus software and the effectiveness of those programs. When new malware is discovered, antivirus signatures are updated and shared with all antivirus software developers. In a very short space of time, all AV engines will block that malware.

Hackers have responded by using software that modifies malware slightly, allowing hundreds or thousands of variants to be released. An increased number of malware variants is needed in order to get past antivirus software, as many AV engines are capable of detecting malware that has been modified only slightly. The more variants are used, the higher the probability of malware getting past security software.

When Panda was formed in 1990, the company was detecting approximately 100 new malware variants a day. Today 230,000 new samples are discovered every day, on average.

Trojans are the most common malware form, with the full breakdown of new malware variants detailed below:

Malware type   % of new malware discovered in 2015
Trojans        51.45%
Viruses        22.79%
Worms          13.22%
PUPs           10.71%
Spyware         1.83%

Blocking Malware with a Web Filtering Solution

Malware is installed on user devices via a variety of different vectors. Spam email is one of the most common methods of malware delivery, but fortunately, one of the most straightforward to block. A robust anti-spam solution can be used to block the vast majority (over 99.7%) of spam emails from being delivered. Training users how to recognize malware can help to ensure that any rogue emails that get past the filter will be identified and deleted before any damage is caused.

Blocking malware from being installed via malicious websites can be more difficult. Hackers use exploit kits to probe for security vulnerabilities in browsers and browser plug-ins, and deliver malware in drive-by attacks without the knowledge of website visitors. Social engineering tactics are used to fool users into downloading malware, and malicious software can be installed on legitimate websites or placed on adverts displayed by those websites.

One of the best protections to implement to ensure users’ devices are not infected with malware is a web filter. A web filter will restrict access to websites known to contain malware, as well as categories of websites where malware is most likely to be located. As well as protecting users from objectionable website content such as pornography or religious extremist material, it will also keep their devices safe and free from Trojans, viruses, worms and other malicious software. A web filtering solution can be a highly effective protection against malware as part of a multi-layered security system.

Web Filters for Wi-Fi Networks Keep Internet Users Secure

One of the ways enterprises are keeping their wireless networks secure is by using web filters for WiFi networks. WiFi networks are particularly risky and need to be secured. Due to the risk of using wireless networks, many customers avoid networks that are unsecured.

Installing software solutions on individual devices that connect to wireless networks is far from ideal. Many companies have BYOD policies that permit the use of personal devices at work, and it would not be practical to install web filtering software solutions on each and every device used to connect to the network. In a coffee shop or hotel, this would simply not be possible.

The easy solution is to use DNS-based web filtering solutions, as they do not require the installation of any software on users’ devices. All that is required to run DNS-based web filtering is a simple change to the DNS server addresses on the company’s router.

Any user with a modicum of technical knowhow would be able to bypass a DNS-based web filter and access blocked content, although with some minor configuration changes to the router, users can be prevented from using any DNS servers other than the one with the web filtering solution in place.
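To make the mechanism concrete, the following is an added example (not WebTitan or TitanHQ code) of how a DNS-based web filter decides what to answer, and of the complementary check a hotspot operator would run to confirm that clients are actually sending their queries to the filtering resolver rather than somewhere else. The sinkhole address, the resolver address, the category feed, the keyword weights and the firewall log lines are all constructed for the example; a real deployment would take the category data from the filtering service. It goes slightly beyond the text by combining category blocking with the keyword-score idea mentioned later on this page.

```python
"""Minimal DNS-policy filter plus a resolver-bypass check (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed addresses: the block page the filter answers with, and the
# filtering resolver every hotspot client is supposed to use.
SINKHOLE = "10.0.0.53"
FILTER_RESOLVER = "10.0.0.53"

# Constructed stand-in for a vendor's categorised domain feed.
CATEGORY_OF_DOMAIN = {
    "malware-host.example": "malware",
    "adult-site.example": "adult",
    "news.example": "news",
    "bank.example": "finance",
}

# Constructed keyword weights: a name whose summed score reaches the policy
# threshold is blocked even if it appears in no category list.
KEYWORD_WEIGHTS = {"crack": 3, "warez": 3, "xxx": 4, "torrent": 2}


@dataclass
class Policy:
    """Per-hotspot policy: which categories to block and the keyword threshold."""
    blocked_categories: Set[str] = field(default_factory=set)
    keyword_threshold: int = 4


def _labels(name: str):
    return name.lower().rstrip(".").split(".")


def keyword_score(name: str) -> int:
    """Sum the weights of keywords found in any label of the queried name."""
    labels = _labels(name)
    return sum(w for kw, w in KEYWORD_WEIGHTS.items() if any(kw in lab for lab in labels))


def category(name: str) -> Optional[str]:
    """Match the name, then each parent domain, against the category feed."""
    labels = _labels(name)
    for i in range(len(labels)):
        cat = CATEGORY_OF_DOMAIN.get(".".join(labels[i:]))
        if cat:
            return cat
    return None


def resolve(name: str, policy: Policy, upstream: Dict[str, str]) -> Tuple[str, str]:
    """Return (answer, reason); blocked names receive the sinkhole address."""
    cat = category(name)
    if cat in policy.blocked_categories:
        return SINKHOLE, f"category:{cat}"
    score = keyword_score(name)
    if score >= policy.keyword_threshold:
        return SINKHOLE, f"keyword:{score}"
    # 'upstream' stands in for a real recursive lookup of allowed names.
    return upstream.get(name.lower().rstrip("."), "NXDOMAIN"), "allow"


# Constructed router firewall log lines (not a real log format).
FIREWALL_LOG = """\
2016-01-20T10:01:02 ACCEPT src=192.168.50.12 dst=10.0.0.53 proto=udp dport=53
2016-01-20T10:01:05 ACCEPT src=192.168.50.12 dst=93.184.216.34 proto=tcp dport=443
2016-01-20T10:02:11 ACCEPT src=192.168.50.40 dst=203.0.113.9 proto=udp dport=53
2016-01-20T10:03:30 ACCEPT src=192.168.50.77 dst=10.0.0.53 proto=udp dport=53
"""

LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=\S+ dport=(?P<dport>\d+)")


def find_dns_bypass(log_text: str, resolver: str = FILTER_RESOLVER) -> Dict[str, Set[str]]:
    """Map each client that sent port-53 traffic to a server other than the filter."""
    offenders: Dict[str, Set[str]] = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["dport"] != "53":
            continue
        if m["dst"] != resolver:
            offenders.setdefault(m["src"], set()).add(m["dst"])
    return offenders


if __name__ == "__main__":
    hotspot = Policy(blocked_categories={"malware", "adult"})
    upstream = {"news.example": "198.51.100.7", "bank.example": "198.51.100.8"}
    for q in ["news.example", "cdn.malware-host.example", "free-xxx-warez.example"]:
        print(q, resolve(q, hotspot, upstream))
    # Clients appearing here are the ones the router rule in the text should stop.
    print(find_dns_bypass(FIREWALL_LOG))
```

The second half is the practical counterpart of the router change the paragraph mentions: if `find_dns_bypass` ever returns a non-empty result after the rule forcing all port-53 traffic to the filtering resolver is in place, the rule is not doing its job.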

TitanHQ web filters for WiFi networks

TitanHQ’s web filters for WiFi networks offer highly granular controls. WebTitan Cloud for WiFi networks can be fine-tuned to suit any organization’s needs, allowing light control of Internet use to highly restrictive Internet filtering.

No software installations are required thanks to the 100% cloud-based system, and no additional hardware is required. Only very minor changes need to be made to point DNS servers to the correct location, and after basic parameters are set, WebTitan’s web filters for WiFi networks will be up and running.

It may not be possible to eliminate the risk of a malware attack, but with WebTitan Cloud for WiFi, risk can be reduced to a low and acceptable level.

Key benefits of WebTitan web filters for WiFi networks

  • Create a family-friendly, safe and secure web browsing environment.
  • Accurately filter web content through 53 pre-set categories and up to 10 custom categories.
  • Filter by keyword and keyword score.
  • Filter content in 200 languages.
  • No hardware or software installations required
  • Suitable for static and dynamic IPs
  • No impact on broadband speed
  • Suitable for use with multiple routers
  • No limits on access points or users
  • Scalable solution for businesses large and small
  • Block access to inappropriate website content
  • Block phishing attacks and malware and ransomware downloads
  • Integrate the solution into existing billing, auto provisioning and monitoring systems through a suite of APIs
  • Manage access points through a single web-based administration panel.
  • Easy delegation of the management of access points
  • Schedule and run reports on demand with real time-views of Internet activity and extensive drill down reporting.
  • World class customer service
  • Highly competitive pricing and a fully transparent pricing policy


Find out more about the benefits of installing web filters for WiFi networks by calling TitanHQ today

Serious Netgear NMS300 ProSafe Security Vulnerabilities Discovered

Two highly serious Netgear NMS300 ProSafe security vulnerabilities have been discovered that could be exploited by hackers to gain control of servers running the software, and/or download any file on the server on which the software is running.

The Netgear NMS300 ProSafe network management system is used by many companies to configure and monitor their network devices. Netgear NMS300 ProSafe is popular with small to medium size businesses as the software is free to use on fewer than 200 devices.

Recently, Agile Information Security researcher Pedro Ribeiro discovered two critical Netgear NMS300 ProSafe security vulnerabilities.

Netgear NMS300 ProSafe Security Vulnerabilities

One of the vulnerabilities (CVE-2016-1525) allows remote code execution by an unauthenticated user via the Netgear NMS300 web interface. A hacker would be able to exploit this security flaw to upload and run Java files with full system privileges, potentially gaining full control of the server on which the software is being run.

The NMS300 system is used to manage a wide range of networked devices such as routers, switches, network-storage devices, wireless access points and firewalls. Not only could this vulnerability allow the configuration of these devices to be changed, it would also permit an attacker to install firmware updates on those devices.

The second vulnerability (CVE-2016-1524) discovered by Ribeiro is an arbitrary file download that would permit an authenticated user to download any file stored on the server that is being used to run NMS300.

These Netgear NMS300 ProSafe security vulnerabilities are particularly serious, and at the present time there is no patch available to plug the security flaws. Users can improve protection and prevent the vulnerabilities from being exploited by restricting access to the web interface with firewall rules. Ribeiro recommends never exposing Netgear NMS300 to the Internet or untrusted networks.

Both vulnerabilities affect Netgear NMS300 versions 1.5.0.11, 1.5.0.2, 1.4.0.17 and 1.1.0.13.

Irish Data Security Survey Reveals 2016 Data Security Concerns

An Irish data security survey conducted in December 2015 has revealed that a third of Irish companies have suffered a data breach in the past 12 months, highlighting the need for Irish companies to improve their security posture.

ICS Irish data security survey indicates employees are the biggest risk

150 IT security professionals took part in the Irish Computer Society survey with 33% claiming their employer had suffered a data breach in the past 12 months. In 71% of cases, the data breaches occurred as a result of the actions of staff members.

Perhaps unsurprisingly, given the number of inadvertent data breaches that had been caused by staff members, 45% of respondents cited employee negligence as the biggest single data security threat they faced. Protecting networks from errors made by employees is going to be one of the biggest security challenges faced by Irish IT professionals in 2016.

Other major security concerns highlighted by respondents included the increasing number of end user devices that are being used to store sensitive data, and the increasing threat of cyberattacks by hackers.

Improving security posture by tackling the issue of employee negligence

Employees are the weakest link in the security chain, but that is unlikely to change unless less technical members of staff are provided with training. It is essential that they are advised of the risk of cyberattacks and what they can personally do to lessen the chance of a data breach occurring. In many cases, some of the most fundamental data security measures are not so much ignored, but are just not understood by some members of staff.

It may be common knowledge for instance, that 123456 does not make a very secure password, that email attachments from strangers should not be opened, and links to funny videos of cats on social media networks might not turn out to be as innocuous as they seem.

Tackling the issue of (dare we say) employee data security stupidity is essential. It is far better to do this before a breach is suffered than afterwards. Proactive steps must be taken to improve understanding of cybersecurity risks, and what employees can do to reduce those risks.

ICS Irish data security survey respondents indicated that the best way of improving data protection knowledge is by conducting formal training sessions. 57% of respondents said this was the best approach to deal with data security knowledge gaps.

Fortunately, the level of training being provided to staff is increasing, not only for end users but also for data security staff. However, there is clearly still a long way to go. Only 56% of respondents said they had received the right level of training on how to achieve the objectives set by their organizations.

The full findings of the Irish data security survey will be made available at the Association of Data Protection Officers National Data Protection Conference, taking place on January 27/28 in Ballsbridge, Dublin.

FortiGuard SSH Backdoor Identified

A security vulnerability has been discovered with FortiGuard network firewall appliances that could potentially be exploited by hackers. Should the FortiGuard SSH backdoor be exploited, a hacker would be able to gain full administrative privileges to Fortinet security appliances.

FortiGuard SSH backdoor is an unintentional security vulnerability

The FortiGuard SSH backdoor was not installed by hackers, but is an unintentional security vulnerability in the FortiOS operating system. The FortiGuard SSH backdoor was discovered this month by a third-party security researcher. An exploit for the security vulnerability has already been published, making it imperative that all users of FortiGuard firewall appliances install the latest version of the operating system. All users must ensure that their devices are running on FortiGuard version 5.2 or above.

After the security vulnerability was announced Fortinet started an investigation to determine whether any other devices were affected. A statement released by Fortinet last week indicates that in addition to Fortinet FortiGuard, FortiAnalyzer, FortiCache, and FortiSwitch are also affected and contain the vulnerability.

In order to prevent the backdoor from being exploited users have been advised to upgrade to version 3.0.8 of FortiCache, version 3.3.3 of FortiSwitch, and versions 5.0.12 or 5.2.5 of FortiAnalyzer.

The FortiGuard SSH backdoor is a Secure Shell vulnerability. According to a Fortinet blog post, the security vulnerability has not been created by a malicious insider or outsider, but was an “unintentional consequence” of a feature of the operating system. The aim was to ensure “seamless access from an authorized FortiManager to registered FortiGate devices.” The vulnerability involves an undocumented account which has a hard-coded password.

If it is not possible for users to immediately upgrade to the latest OS, Fortinet advises using a manual workaround, which involves disabling SSH access and switching to a web-based management interface until the OS can be upgraded.

Last month a security vulnerability was discovered in the ScreenOS operating system used by Juniper Networks. In that case, the backdoor had been inserted by a malicious insider or outsider. The code would allow a hacker to gain full administrative privileges to NetScreen firewall devices and view encrypted data sent via VPN networks.

Are You Protected Against Employee Data Theft?

Many companies have responded to the threat of data theft by hackers by using encryption. If hackers do break through the security perimeter and gain access to computers or networks, customer data will not be exposed. However, the same cannot be said of employee data. A new security report suggests employee data theft is rife, and that the personal information of employees is much more likely to be stolen than customer data.

Employee data theft is a real concern – Don’t forget to encrypt ALL sensitive data!

A recent study has shown that when it comes to protecting intellectual property and the personal information of employees, mid-sized companies around the world fail to use the same stringent measures that they apply to customer data.

The Sophos/Vanson Bourne study revealed that 43% of midsized companies – those employing between 100 and 2,000 members of staff – do not regularly encrypt human resources files. Human resources files usually contain sensitive information on employees: names, addresses, contact telephone numbers, dates of birth, emergency contact information, and government IDs such as Social Security numbers. These are exactly the kind of data sought by hackers. These data can easily be used to commit identity theft.

The survey was conducted on respondents from Australia, Canada, Japan, Malaysia, and the United States indicating this is a global problem.

In the United States, where a high percentage of cyberattacks on midsized companies are taking place, 45% of companies appear not to be encrypting employee data, even though these companies face a high risk of employee data theft. Even financial data is left relatively unprotected. Almost a third of companies in the United States are not encrypting their financial data.

It is not a case of encryption not being implemented at all by midsized companies. In the United States for example, 43% of midsized companies use encryption to some degree, while 44% claim they widely encrypt data. The figures are understandably lower for small organizations, in a large part due to the cost of encryption. 38% of small businesses widely encrypted data. Half of larger organizations used encryption for most data.

Companies are not applying safeguards evenly and are leaving gaping security holes. It is not only the threat of employee data theft that is being underestimated. Many organizations are not encrypting data they send to the cloud. Only 47% claimed to encrypt “some files” sent to the cloud and just 39% encrypt all data sent to the cloud. However, 84% of respondents claimed to be worried about cloud security.

Why is encryption not being universally applied?

The survey probed respondents to find out why data encryption is not being used. Four out of ten organizations claimed this was due to budgetary constraints. Three out of ten said it was because of performance trade-offs and a similar number said it was an issue with how to actually encrypt data. Interestingly almost 20% of respondents claimed that encryption wasn’t actually effective at protecting sensitive data.

There is also a commonly held belief that encryption is complex, or cannot easily be implemented. While this was certainly the case a few years ago when full disk encryption was the only option, this is now no longer the case. Encryption technology has advanced considerably in recent years. Companies should therefore take a fresh look at encryption and take steps to prevent employee data theft and the exposure and theft of their intellectual property.

Hackers steal data for financial gain. Employee data theft should be a concern, as should the theft of intellectual property. These data have considerable value. It is not just customer data that can be used to commit fraud or be sold on the black market.

Cybersecurity Predictions for 2016

Over the past four weeks we have seen numerous cybersecurity predictions for 2016 issued by security firms. Security experts are trying to determine which part of the now incredibly broad threat landscape will be most favored by cybercriminals in 2016.

Some companies have made very specific cybersecurity predictions for 2016. They have come out with very bold claims, even predicting that the presidential elections will be disrupted by a major cyberattack. Others believe 2016 will be broadly similar to 2015, with just an increase in ransomware attacks and even more massive data breaches suffered.

What all of the cybersecurity predictions for 2016 have in common is that the next 12 months are expected to be tough for security professionals.

The number and types of devices now connecting to corporate networks is broader than ever before. People are now far more likely to own and use three or more Internet-connected devices and use them on a regular basis. Alternative payment methods are being used more frequently. There is now more than ever to attack and too many devices and systems to keep secure. Unsurprisingly, no one appears to be claiming that 2016 will be easier than last year for cybersecurity professionals.

Cybersecurity predictions for 2016

The attack surface is now incredibly broad, but where are cybercriminals most likely to strike? This is what we think. Here are cybersecurity predictions for 2016.

IoT – expect attacks on the Internet of Things

Let’s start with a bold prediction. The IoT is likely to come under attack this year. I say bold, but that is only in terms of the timescale. IoT devices will be attacked, shut down, altered, remotely controlled, and used as a launchpad for attacks on other devices. If a device is constantly connected to the Internet, it will only be a matter of time before an attack takes place.

One problem with adding IoT technology is that the manufacturers of the devices are not security experts. A washing machine that can be controlled via Wi-Fi or a smartphone app, and can be switched on remotely while you are at work, has been designed first and foremost to wash clothes. It has then had IoT functionality bolted on. It has not been designed with security at the core of the design.

Surely a washing machine is not going to be used to attack a corporation you may say. Well, a Smart heating and air conditioning system was used to attack Target and gain access to the credit card numbers of its customers. Hackers are certainly looking at IoT devices and are probing for weaknesses. Security needs to be first rate, but unfortunately in many cases it is not.

Crypto-ransomware evolution will continue – Increase in ransomware attacks to be expected

Over the past 12 months crypto-ransomware attacks have increased significantly. Cybercriminals are now developing new malware capable of locking computers with powerful encryption.

The encryption cannot be cracked. The devices can only be unlocked using a security key. That key is held by the attackers. A ransom is demanded by cybercriminals and it must be paid before the key is released. Ransoms are demanded in Bitcoin because the currency is next to impossible to trace.

Developing crypto-ransomware is a lucrative business and that is unlikely to change any time soon. At present, ransomware is sent via mass spam email and the victims are not really targeted. The aim is to infect as many devices as possible. More infections equal more ransoms.

What we are likely to see over the course of the next 12 months is an increase in the ransom amount demanded and a more targeted approach adopted. Businesses are likely to be targeted and crypto-ransomware used to hold companies ransom. Companies are likely to be able to pay more than individuals.

We also expect ransomware to make the jump over to OS X, and to a lesser extent iOS. Cybercriminals would love to start charging Mac prices!

Apple owners to come under attack

That neatly leads us on to Apple. Users of Macs and iPhones have had it too good for too long. Hackers have not been too bothered about Mac users in the past, as there are greater rewards to be had from writing malware to target the masses. Consequently, the majority of malware targets Windows-based devices. Apple’s market share has been too small to warrant the development of Apple-specific malware. That is now changing.

Apple’s market share is increasing. As more people make the switch to Apple, it will be more lucrative for criminals to develop malware to target OS X devices. Over the course of the last year we have seen new malware created specifically for Apple devices. The volume is still small in comparison to malware that infects Windows-based devices, but we can expect Apple to come under attack in 2016.

Increase in memory resident malware

Hackers are getting better at obfuscation. They are developing ever more complex ways of hiding malware to evade detection. One of the main problems faced by malware authors comes from the fact that if a file is downloaded to a computer it can be found.

However, if malicious code is injected into the memory of a computer and no files downloaded, it is very difficult to detect. Memory-resident malware is more difficult for hackers to create, but many are now developing new fileless malware in order to evade detection for longer.

Until now memory-resident malware has been short-lived. It only survives until the device is rebooted. However, we are now seeing new forms that are simply reloaded into the memory when the computer is rebooted. We can expect to see even more memory-resident malware attacks in 2016 as the use of fileless malware grows.

Major healthcare industry attacks will take place

In 2015, cybercriminals targeted the healthcare industry with increased vigor. Massive data breaches were suffered, the likes of which the industry had never before seen. Anthem was attacked last year and 78.8 million healthcare records were stolen. An attack on Premera BlueCross exposed 11 million records, and Excellus suffered a 10-million record data breach. These massive cyberattacks used to be a rarity. In fact, up until 2014 the largest U.S. healthcare data breach affected just 4.9 million individuals.

The healthcare industry has been slow to implement new technology and many security weaknesses remain. They are now being exploited with increasing regularity. Since the value of data stored by health insurers and healthcare providers is so high, and the volumes of Social Security numbers, health data, and personal information so large, successful attacks can be extremely profitable. Where there is profit, and poor security there will be cyberattacks. These massive breaches will therefore continue in 2016.

Attacks on employees to increase in 2016

Employees are the weakest link in the security chain, and hackers and cybercriminals are well aware of this. They target employees to gain access to corporate networks, with phishing one of the easiest ways to gain access to corporate data. These attacks have proved to be highly successful and have resulted in huge volumes of data being obtained by criminals. Some of the largest data breaches of the last two years, including the attacks on Sony, Target, and Anthem, started with phishing campaigns.

Employers are getting better at blocking phishing emails and employees are now being trained to identify them, but these attacks will continue and will become more targeted and sophisticated.

As more employees work from home, we expect them to be targeted there instead of work. Their home computers and personal devices will be used to gain access to corporate networks. They tend to have more security weaknesses. Those weaknesses are likely to be exploited with increasing frequency.

Do you agree with our cybersecurity predictions for 2016? What do you think the biggest threat will be over the next 12 months?