As cyber attack surface expands, consumers and companies face more risk than ever

Everyone, not just IT, must take responsibility for security and protect ‘crown jewels’


Despite a monumental effort to detect and deter cyber crimes, new cyber exposures continue to turn up in areas of the Internet most used by consumers and companies.

This has been true for a while now. The overarching trend reflects the perennial cat-and-mouse chase in which hackers and scammers study and exploit gaps in Internet-centric commerce, while security vendors react to changes in attack tactics and scramble to shore up defenses.


Still, the scale and scope at which the bad guys continue to innovate, and thus keep themselves several steps ahead, is astounding. Principals from endpoint threat intelligence vendor Webroot and security consultancy EY sat down with ThirdCertainty at the recent RSA security conference to drill down on a few troubling proof points:

Patrick Kennedy, Webroot Vice President for Enterprise Marketing & Analyst Relations

Chameleon-like malware. Malicious software has become “overwhelmingly polymorphic,” and 2015 was a record year for malware and malicious IP addresses, websites and mobile apps, Webroot Vice President Patrick Kennedy tells ThirdCertainty.

In 97 percent of the new malware that Webroot detected in 2015, that specific sample was seen on only one machine. The malware downloaded to an individual, then morphed “to something slightly different in an attempt to fool endpoint security products” and got through as a new file no one has seen before, Kennedy says. In the past, malware didn’t morph that quickly, he says.

“There would be a big infection of a particular strain of malware and, at some point, the security provider would publish a signature that catches it. That piece of malware wasn’t a problem anymore because everyone was getting infected with the same file. That’s not the case anymore and is now the exception. For every person who downloads that file now, the malware changes a bit, so it’s a unique variant of malware for each individual endpoint.”

Kennedy says the malware morphs every time it spreads—like a chameleon “that moves and changes very quickly.”
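The signature problem Kennedy describes can be shown concretely. The following is an added example written for this page, not Webroot's or the article's code: it uses a constructed stand-in payload and a toy "packer" layout (one key byte, one junk-length byte, random junk, then the XOR-encoded body) that is an assumption for the demo, not a real malware format. Every download produces a file with a never-before-seen SHA-256, so a blocklist of file hashes matches only the single sample already collected, while a detector that keys on what the variants cannot change (here, the unpacked body) matches all of them.

```python
import hashlib
import random

# Constructed stand-in for the invariant part of a malware family: the logic
# every variant must eventually execute. The bytes themselves are arbitrary.
PAYLOAD = b"invariant-malicious-core:connect-c2;drop-file;persist"


def morph(payload: bytes, rng: random.Random) -> bytes:
    """Emit a fresh variant of PAYLOAD for one download.

    Toy layout (an assumption for this demo, not a real packer):
      byte 0      per-sample XOR key
      byte 1      junk length N
      N bytes     random junk (changes the file size and hash)
      remainder   payload XOR key
    """
    key = rng.randrange(1, 256)
    junk = bytes(rng.randrange(256) for _ in range(rng.randrange(8, 64)))
    body = bytes(b ^ key for b in payload)
    return bytes([key, len(junk)]) + junk + body


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def unpack_core(sample: bytes) -> bytes:
    """Recover the invariant body using only what the stub itself carries.

    This stands in for what an endpoint product does when it emulates or
    unpacks a sample instead of hashing the file on disk.
    """
    key, junk_len = sample[0], sample[1]
    return bytes(b ^ key for b in sample[2 + junk_len:])


def detect_by_file_hash(sample: bytes, known_file_hashes: set) -> bool:
    """Classic signature: exact hash of the file as downloaded."""
    return sha256_hex(sample) in known_file_hashes


def detect_by_core_hash(sample: bytes, known_core_hashes: set) -> bool:
    """Signature on the unpacked body, which the morphing does not change."""
    return sha256_hex(unpack_core(sample)) in known_core_hashes


def run_demo(n_victims: int = 1000, seed: int = 2016) -> dict:
    """Infect n_victims endpoints, sign the first sample seen, re-scan all."""
    rng = random.Random(seed)
    first_seen = morph(PAYLOAD, rng)
    file_sigs = {sha256_hex(first_seen)}
    core_sigs = {sha256_hex(unpack_core(first_seen))}

    variants = [first_seen] + [morph(PAYLOAD, rng) for _ in range(n_victims - 1)]
    return {
        "victims": n_victims,
        "distinct_file_hashes": len({sha256_hex(v) for v in variants}),
        "caught_by_file_hash": sum(detect_by_file_hash(v, file_sigs) for v in variants),
        "caught_by_core_hash": sum(detect_by_core_hash(v, core_sigs) for v in variants),
    }


def roundtrip_ok(seed: int = 1) -> bool:
    """Sanity check: unpacking a morphed sample yields the original payload."""
    return unpack_core(morph(PAYLOAD, random.Random(seed))) == PAYLOAD


if __name__ == "__main__":
    print(run_demo())
```

With 1,000 simulated victims the file-hash blocklist catches exactly one sample (the one it was built from) while every file hash is distinct, which is the "one machine per sample" statistic in miniature. The point for defenders is not that XOR packing is hard to undo, it is that anything computed over the file as delivered is a per-victim indicator and therefore useless as a shared signature; detection has to anchor on the unpacked code, on runtime behavior, or on a real-time reputation lookup at execution time.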

Good Web servers gone bad. Webroot also reported an alarming trend among IP addresses of Web servers that previously showed no history of malicious behavior. There was a big increase in the number of such IP addresses that suddenly were compromised and engaged in malicious behavior in 2015. More than 100,000 IP addresses daily changed from a clean history to engaging in malicious behavior—compared with 85,000 each day in 2014.

Malicious Web servers can booby-trap websites with drive-by downloads and malvertising to swiftly infect and take control of the computing devices of unwitting website visitors. Or they can serve as command-and-control centers and storage facilities for all manner of cyber criminal activity.

Kennedy says there are several reasons for the rapid increase in good Web servers turning bad. “It’s simply becoming easier to take over servers and compromise machines with the broad availability of toolkits and botnets for hire,” he says. “And the technologies for detecting attacks are advancing, so it has forced bad actors to raise their games as well.”

The Webroot report’s “overall message,” Kennedy says, is that “the rate of change across the threat landscape is continuing to accelerate. What was harmless five minutes ago, a day or a week ago is not a reflection of the threat it might pose right now.”

Untrustworthy URLs. Some 30 percent of malicious URLs—specific Web pages—were hosted in the United States—a higher percentage than any other country. China is second, hosting 11 percent. “Seemingly trustworthy” URLs get compromised—often without the website owners knowing they have been compromised, Kennedy says.

Online greeting card URLs were among the most frequently compromised Web pages. Other URL categories frequently compromised included common business sites, shopping and travel sites—basically, all the sites the public views.

“As a business or an individual user, you may unsuspectingly be going to sites that look and act very benign but have been compromised and present a security risk,” Kennedy says.

In addition to legitimate websites hosting drive-by downloads or serving up malvertisements, Webroot also found that the United States “is, by far, the largest host of phishing sites, with 56 percent of sites within its borders.”

Technology companies, including Google, Apple and Facebook, were targeted by more than twice as many phishing sites as financial institutions such as PayPal, Wells Fargo and Bank of America, the report revealed. The technology companies are targeted, Webroot says, because the same login credentials are often used to access many other websites, “resulting in multiple compromised accounts with each phishing victim.”


Ransomware surges. Ransomware attacks have become more sophisticated and a growing nuisance for organizations, much more so than in the past few years, say officials of EY, the United Kingdom-based company formerly known as Ernst & Young. Ransomware is malware that makes a user’s files inaccessible by locking or encrypting them; the user is then asked to pay a ransom to regain access.

EY recently provided assistance to a global company under attack for two weeks “with a new wave of ransomware,” says Henry Burgess, EY’s U.S. advisory services director. “They’re finding the anti-virus signatures cannot be updated by the anti-virus suppliers as quickly as they need.”

During a seven-day period, the company contacted EY eight or nine times to deal with an attack that EY had to work on for about an hour each time to get under control. It was “a pretty severe attack over a long period of time and a little bit frustrating,” because the company “can’t keep up with it, and the ransomware is changing so quickly.”

Amit Jaju, EY’s executive director of cyber forensics in Mumbai, India, wrote in a company blog this year that “the initiation process of a ransomware is quite similar to that of a typical malware,” but “the impact is much more agonizing for IT security teams and businesses.”

Jaju said an estimated 30 percent of ransomware victims pay hackers to regain their data.


ThirdCertainty Editor-in-Chief Byron Acohido (right) interviews Ken Allan, EY’s global information security leader (left), and Henry Burgess, EY's U.S. advisory services director, for a podcast during the recent RSA Conference in San Francisco.

Ransomware is “an increasing threat” that’s “a form of vandalism,” and it’s very difficult to decide whether to pay a ransom, says Ken Allan, EY’s global information security leader. But ransomware is only one kind of attack, and “much more attention” needs to be paid to less obvious cyber attacks, he says.

Such attacks can last for months, and critical data can be taken out of an organization, Allan says. “That loss of data can fundamentally impact the economic value of the organization.”

Course of action. So what can companies do? There are no “silver-bullet” solutions, and a combination of technologies needs to be deployed, says Webroot’s Kennedy.

Small businesses should start by acknowledging that “security isn’t just an IT issue—it’s an every-employee issue,” he says. Businesses must invest in training and making employees understand safe and risky online behavior, he says.

EY’s Allan advises organizations to identify their most important data to protect.

“Any organization has lots of information—not all is of equal importance,” Allan says. “So understanding what we call the ‘crown jewels’—the critical assets—is a necessary first step. Then you can start to think about how to protect the assets you care about most.”

According to EY’s 2016 Global Forensic Data Analytics Survey, which surveyed 665 executives in nine industries, cyber breaches and insider threats—including malicious insiders stealing, manipulating or destroying data—are the fastest-growing risks their companies face.

Nearly 70 percent of those who responded to the survey, which was conducted between June and September 2015, said they need to do more to improve their current anti-fraud procedures.
