As cyber attack surface expands, consumers and companies face more risk than ever
Everyone, not just IT, must take responsibility for security and protect ‘crown jewels’
By Byron Acohido and Gary Stoller, ThirdCertainty
Despite a monumental effort to detect and deter cyber crimes, new cyber exposures continue to turn up in areas of the Internet most used by consumers and companies.
This has been true for a while now. The overarching trend reflects the perennial cat-and-mouse chase in which hackers and scammers study and exploit gaps in Internet-centric commerce, while security vendors react to changes in attack tactics and scramble to shore up defenses.
Still, the scale and scope at which the bad guys continue to innovate, and thus keep themselves several steps ahead, is astounding. Principals from endpoint threat intelligence vendor Webroot and security consultancy EY sat down with ThirdCertainty at the recent RSA security conference to drill down on a few troubling proof points:
Chameleon-like malware. Malicious software has become “overwhelmingly polymorphic,” and 2015 was a record year for malware and malicious IP addresses, websites and mobile apps, Webroot Vice President Patrick Kennedy tells ThirdCertainty.
In 97 percent of the new malware that Webroot detected in 2015, that specific sample was seen on only one machine. The malware downloaded to an individual, then morphed “to something slightly different in an attempt to fool endpoint security products” and got through as a new file no one has seen before, Kennedy says. In the past, malware didn’t morph that quickly, he says.
“There would be a big infection of a particular strain of malware and, at some point, the security provider would publish a signature that catches it. That piece of malware wasn’t a problem anymore because everyone was getting infected with the same file. That’s not the case anymore and is now the exception. For every person who downloads that file now, the malware changes a bit, so it’s a unique variant of malware for each individual endpoint.”
Kennedy says the malware morphs every time it spreads—like a chameleon “that moves and changes very quickly.”
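The reason per-download morphing defeats the old "publish one signature" model is that a file-hash signature matches exactly one byte sequence. The following added example (not from the article, Webroot or EY) simulates that with benign constructed bytes: a hypothetical marker string stands in for a part of the program the variants cannot change, and each "download" wraps the same core in seed-dependent junk so every copy has a new SHA-256. A blocklist built from the one sample the vendor saw catches one variant; a rule keyed on the invariant catches them all.

```python
import hashlib
import random

# Constructed stand-in for a malware body: benign bytes, not a real sample.
# STABLE_MARKER is a hypothetical string the program must keep to function
# (think a hard-coded config value); the morphing only touches bytes around it.
STABLE_MARKER = b"HYPOTHETICAL-CONFIG-MARKER-V1"
CORE = b"\x90" * 64 + STABLE_MARKER + b"\x90" * 64


def make_variant(seed: int) -> bytes:
    """Simulate per-download morphing: the identical functional core wrapped in
    seed-dependent junk bytes, so every download has a different file hash."""
    rng = random.Random(seed)
    junk = bytes(rng.randrange(256) for _ in range(32))
    return junk + CORE + junk[::-1]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_signature_hit(sample: bytes, blocklist: set) -> bool:
    """Classic file-hash signature: exact match only."""
    return sha256(sample) in blocklist


def invariant_signature_hit(sample: bytes, marker: bytes = STABLE_MARKER) -> bool:
    """Content rule keyed on an invariant the variants cannot drop (YARA-style)."""
    return marker in sample


def evaluate(n_variants: int, vendor_seen_seed: int = 0) -> dict:
    """Build a hash blocklist from the single sample the vendor saw, then score
    both detection styles against n_variants per-endpoint variants."""
    blocklist = {sha256(make_variant(vendor_seen_seed))}
    variants = [make_variant(s) for s in range(n_variants)]
    return {
        "variants": n_variants,
        "unique_hashes": len({sha256(v) for v in variants}),
        "hash_signature_hits": sum(hash_signature_hit(v, blocklist) for v in variants),
        "invariant_hits": sum(invariant_signature_hit(v) for v in variants),
    }


if __name__ == "__main__":
    # Expected shape: 50 variants, 50 unique hashes, 1 hash hit, 50 invariant hits.
    print(evaluate(50))
```

The caveat a practitioner should keep in mind: an invariant rule only holds as long as the morphing engine leaves that region alone, which is the cat-and-mouse dynamic the article describes and why Kennedy's "no silver bullet" advice below points at layering rather than any one signature scheme.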
Good Web servers gone bad. Webroot also reported an alarming trend among IP addresses of Web servers that previously showed no history of malicious behavior. There was a big increase in the number of such IP addresses that suddenly were compromised and engaged in malicious behavior in 2015. More than 100,000 IP addresses daily changed from a clean history to engaging in malicious behavior—compared with 85,000 each day in 2014.
Malicious Web servers can booby-trap websites with drive-by downloads and malvertising to swiftly infect and take control of the computing devices of unwitting website visitors. Or they can serve as command-and-control centers and storage facilities for all manner of cyber criminal activity.
Kennedy says there are several reasons for the rapid increase in good Web servers turning bad. “It’s simply becoming easier to take over servers and compromise machines with the broad availability of toolkits and botnets for hire,” he says. “And the technologies for detecting attacks are advancing, so it has forced bad actors to raise their games as well.”
The Webroot report’s “overall message,” Kennedy says, is that “the rate of change across the threat landscape is continuing to accelerate. What was harmless five minutes ago, a day or a week ago is not a reflection of the threat it might pose right now.”
Untrustworthy URLs. Some 30 percent of malicious URLs—specific Web pages—were hosted in the United States, a higher percentage than in any other country. China is second, hosting 11 percent. “Seemingly trustworthy” URLs get compromised, often without the website owners knowing it, Kennedy says.
Online greeting card URLs were among the most frequently compromised Web pages. Other URL categories frequently compromised included common business sites, shopping and travel sites—basically, all the sites the public views.
“As a business or an individual user, you may unsuspectingly be going to sites that look and act very benign but have been compromised and present a security risk,” Kennedy says.
In addition to legitimate websites hosting drive-by downloads or serving up malvertisements, Webroot also found that the United States “is, by far, the largest host of phishing sites, with 56 percent of sites within its borders.”
Technology companies, including Google, Apple and Facebook, were targeted by more than twice as many phishing sites as financial institutions such as PayPal, Wells Fargo and Bank of America, the report revealed. The technology companies are targeted, Webroot says, because the same login credentials are often used to access many other websites, “resulting in multiple compromised accounts with each phishing victim.”
Ransomware surges. Ransomware attacks have become more sophisticated and a growing nuisance for organizations, much more so than in the past few years, say officials of EY, a United Kingdom-based company that changed its name from Ernst & Young. Ransomware is highly sophisticated malware that makes a user’s files inaccessible by locking or encrypting them; the user is then asked to pay a ransom to regain access.
EY recently provided assistance to a global company under attack for two weeks “with a new wave of ransomware,” says Henry Burgess, EY’s U.S. advisory services director. “They’re finding the anti-virus signatures cannot be updated by the anti-virus suppliers as quickly as they need.”
During a seven-day period, the company contacted EY eight or nine times to deal with an attack that EY had to work on for about an hour each time to get under control. It was “a pretty severe attack over a long period of time and a little bit frustrating,” because the company “can’t keep up with it, and the ransomware is changing so quickly.”
Amit Jaju, EY’s executive director of cyber forensics in Mumbai, India, wrote in a company blog this year that “the initiation process of a ransomware is quite similar to that of a typical malware,” but “the impact is much more agonizing for IT security teams and businesses.”
Jaju said an estimated 30 percent of ransomware victims pay hackers to regain their data.
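Burgess's point that anti-virus signatures cannot be refreshed as fast as the ransomware changes is the usual argument for watching behaviour rather than file identity: whatever the variant, it must rewrite many files with encrypted (high-entropy) content in a short time. The following added example (not EY's or Webroot's code, and not from the article) runs that heuristic over constructed file-write events; the window size, burst threshold and entropy cut-off are assumptions to be tuned against a real baseline.

```python
import math
import random
from collections import Counter, defaultdict

# Constructed file-write event shape: (timestamp_s, process_name, path, bytes_written)
WINDOW_SECONDS = 30            # look-back window for burst detection (assumption)
MIN_HIGH_ENTROPY_WRITES = 5    # burst size that raises an alert (assumption)
ENTROPY_THRESHOLD = 7.0        # bits per byte; plaintext documents sit far below this


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def detect_mass_encryption(events, window=WINDOW_SECONDS,
                           min_writes=MIN_HIGH_ENTROPY_WRITES,
                           threshold=ENTROPY_THRESHOLD):
    """Alert once per process that writes >= min_writes high-entropy files
    inside a sliding window of `window` seconds."""
    recent = defaultdict(list)   # process -> timestamps of high-entropy writes in window
    alerted = set()
    alerts = []
    for ts, proc, path, data in sorted(events, key=lambda e: e[0]):
        if shannon_entropy(data) < threshold:
            continue                      # plaintext saves never count toward a burst
        recent[proc] = [t for t in recent[proc] if ts - t <= window] + [ts]
        if len(recent[proc]) >= min_writes and proc not in alerted:
            alerted.add(proc)
            alerts.append({"process": proc,
                           "writes_in_window": len(recent[proc]),
                           "at": ts,
                           "last_path": path})
    return alerts


def build_sample_events():
    """Constructed telemetry: an editor, a backup tool and a simulated encryptor.
    Deterministic seed so the demo reproduces."""
    rng = random.Random(7)
    rand_blob = lambda: bytes(rng.randrange(256) for _ in range(1024))
    events = []
    # A document editor saving plaintext: low entropy, ignored by the rule.
    for i in range(3):
        events.append((10 + i * 20, "editor", f"/home/u/notes{i}.txt",
                       b"quarterly report draft " * 40))
    # A backup tool writing two compressed archives: high entropy, but below the
    # burst size, which is the false-positive class the threshold guards against.
    for i in range(2):
        events.append((15 + i * 10, "backup-tool", f"/backup/arch{i}.tgz", rand_blob()))
    # A simulated encryptor rewriting eight documents in twelve seconds.
    for i in range(8):
        events.append((100 + i * 1.5, "unknown.exe",
                       f"/home/u/doc{i}.docx.locked", rand_blob()))
    return events


if __name__ == "__main__":
    for alert in detect_mass_encryption(build_sample_events()):
        print(alert)
```

The backup tool in the sample shows the main tuning problem: legitimate compression and encryption also produce high-entropy writes, so the burst threshold and an allow-list of known tools matter as much as the entropy cut-off. The alert is what lets a responder isolate the host early, which is cheaper than the decision the article describes next, whether to pay.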
Ransomware is “an increasing threat” that’s “a form of vandalism,” and it’s very difficult to decide whether to pay a ransom, says Ken Allan, EY’s global information security leader. But ransomware is only one kind of attack, and “much more attention” needs to be paid to less obvious cyber attacks, he says.
Such attacks can last for months, and critical data can be taken out of an organization, Allan says. “That loss of data can fundamentally impact the economic value of the organization.”
Course of action. So what can companies do? There are no “silver-bullet” solutions, and a combination of technologies needs to be deployed, says Webroot’s Kennedy.
Small businesses should start by acknowledging that “security isn’t just an IT issue—it’s an every-employee issue,” he says. Businesses must invest in training and making employees understand safe and risky online behavior, he says.
EY’s Allan advises organizations to identify their most important data to protect.
“Any organization has lots of information—not all is of equal importance,” Allan says. “So understanding what we call the ‘crown jewels’—the critical assets—is a necessary first step. Then you can start to think about how to protect the assets you care about most.”
According to EY’s 2016 Global Forensic Data Analytics Survey, which surveyed 665 executives in nine industries, cyber breaches and insider threats—including malicious insiders stealing, manipulating or destroying data—are the fastest-growing risks their companies face.
Nearly 70 percent who responded to the survey, which was conducted between June and September 2015, said they need to do more to improve their current anti-fraud procedures.