Thought leadership. Threat analysis. Cybersecurity news and alerts.
Top 3 Cyber Security Predictions in 2019
Cyber-attacks are becoming more common and have become a looming threat not just to large enterprises but also to small and medium-sized organizations.
Here are our top 3 cyber security predictions for the year 2019:
1. Cloud Attack Threat
There’s a looming threat in the cloud as this is where the data is heading.
A study conducted by LogicMonitor(PDF) predicted that majority of IT workloads will move to the cloud by 2020, with workloads running in public clouds will reach 41% in 2020, while workloads running on-premises will fall to 27% and the balance will run on private or hybrid clouds.
Another study conducted by Gartnerpredicted cloud computing to be a $300 billion business by 2021. According to Gartner, organizations increasingly adopt cloud services as these have been proven to provide speed, agility and cut cost that digital business requires.
There’s, however, a flipside to the positive contributions of cloud computing. The 2nd quarter of 2018 study conducted by Gartner revealed that organizations continue to struggle with cloud security, with an estimated $400 billion lost to cyber theft and fraud worldwide.
Expanding cloud services as part of an organization’s digital initiatives is indeed needed, but these initiatives should be matched with a sound cloud security strategy as cyber criminals know that there’s money in the cloud.
There are many attack surfaces in the cloud that attackers could easily exploit. For instance, in early 2018, RedLockreported that attackers illicitly used the cloud computing resources of Tesla to mine a cryptocurrency. According to Redlock, attackers were able to gain access to Tesla’s cloud computing resources as Tesla openly exposed its Kubernetes – an open-source platform for managing cloud workloads and services – without password protection. Tesla’s exposed Kubernetes, Redlock said, contained the credentials of Tesla’s Amazon Web Service account.
In cryptocurrency mining, those who allow their computers to be used for mining digital coins are financially compensated for the computer and electricity usage. Cryptocurrency mining is legal in most countries but legality ends when this is done without the knowledge and consent of the owner of the computing resource – a cyber crime called “cryptojacking”. Since the most popular cryptocurrency Bitcoin reached an all-time high price of nearly $20,000 in late 2017, there has been a dramatic rise of cryptojacking.
2. Botnet Threat
Connecting almost every computing devices, including servers and Internet of Things (IoT) devices such as routers and security cameras, exposes online resources such as websites to botnet attacks.
Botnet, which originates from the words “robot” and “network”, refers to a group of malware-infected computers that’s remotely controlled by an attacker or attackers to conduct malicious activities such as a distributed denial-of-service (DDoS) attack. In a DDoS attack, fake traffic originating from malware-infected devices is directed against a target website, rendering the target website inaccessible to legitimate users.
In recent years, cyber attackers have tweaked in a number of ways the source code of the infamous malicious software called “Mirai”. At its peak in 2016, the Mirai malware infected hundreds of thousands of IoT devices worldwide and turned them as a “network of robots” to conduct malicious activities, including DDoS attacks.
In October 2016, the Mirai botnet almost brought down the internet when it attacked Dyn, a domain name service (DNS) provider. As a result of the attack on Dyn, 80 popular websites, including Twitter, Amazon, Reddit, Spotify and Netflix temporarily became inaccessible to the public.
A notable Mirai variant was recently discovered by researchers at Netscout. While the original Mirai infected IoT devices and turned them as part of a botnet, the Mirai variant discovered by Netscout researchers infected enterprise Linux servers and turned these compromised servers as part of a botnet. Turning hundreds of thousands or millions of IoT devices and a handful of enterprise servers as part of a DDoS botnet could bring down the internet or render many websites inaccessible to the public.
It’s important to note that the Mirai and other Mirai variant infections are preventable. The original Mirai infected hundreds of thousands of IoT devices by simply logging to these devices using default or factory username and password combinations. A mere change of default or factory username and password renders the original Mirai useless.
The recent Mirai variant discovered by Netscout researchers, on the other hand, infiltrated servers that were unpatched and through brute-force – systematic attempt to guess the correct username and password combination. Patching, that is, the timely installation of a security update, and the use of complex passwords could render this recent Mirai variant useless.
3. Shortage of Cyber Security Skills
While it’s widely known that there’s a shortage of cyber security professionals, what isn’t known is how dire the situation is.
A study conducted by (ISC)2revealed that the shortage of cyber security professionals around the world has never been more acute, placing the shortage of cyber security professionals at 2.93 million, with roughly 500,000 of these positions located in North America, 2.15 million positions located in Asia-Pacific and the balance located in other parts of the world.
“The lack of skilled cybersecurity personnel is doing more than putting companies at risk; it’s affecting the job satisfaction of their existing staff,” the (ISC)2 report said.
Happy New Year and stay safe!
Email-Borne Threats Still Bypass Current Security System, Study Shows
Despite the advancement in current email security systems, a new study reveals that these security systems still miss a significant number of email-borne threats.
In the 3rd quarter of 2018, Mimecastretested 80 million emails that were considered “safe” by current email security systems. The Mimecast study found that out of the 80 million emails deemed to be “safe”, 42,350 emails were found to be impersonation attacks, 17,403 contained malicious software (malware) attachments, 16,581 emails contained dangerous file types and 205,363 malicious URLs were found.
Impersonation attacks refer to emails that attempt to impersonate a trusted individual or company in order to gain access to corporate finances or data.
Dangerous files, meanwhile, refer to files such as .jsp, .exe, .dll and .src – files that allow a program to run on a computer, exposing the computer to further cyber attacks. According to Mimecast, dangerous files bypassed current email security systems at an increased rate, showing a 25% increase from the last quarterly test.
How Prevalent Are Email-Borne Threats?
In the first half of 2018, over half-a-billion emails were analyzed by FireEye. It found that less than a third or 32% of email traffic was considered “clean” and delivered to an inbox. FireEye’s analysis found that 1 in every 101 emails had malicious intent.
FireEye further found that majority or 90% of the blocked emails contained no malware – 81% of which considered as phishing attacks and 19% considered as impersonation attacks.
Cyber criminals see the advantages of leveraging emails as a means to wage cyber-attacks as emails continue to be the preferred form of communication worldwide despite the growth of other technologies such as social networking, instant messaging and chat. Email also maintains its dominance as it’s an integral part of the overall internet experience. An email address is required if you want to use a social networking site or for your bank’s online service.
According to The Radicati Group(PDF), over half of the world population uses email in 2018, with the number of worldwide email users expected to top 3.8 billion in 2018 and expected to grow to over 4.2 billion by the end of 2022.
The following trends in email-borne threats were observed by FireEye and The Radicati Group:
The most common form of email-borne threat is the blended attack – a form of attack that combines an email and web access to deliver a malware to an
organization’s internal network. In blended attack, the email itself doesn’t contain a malware. The email only facilitates the delivery of the malware as it contains a link that when clicked goes directly to a malicious website and from there the malware is downloaded, then infecting the
organization’s internal network.
Impersonation Attacks Have Gone Mainstream
The cyber-attack called “business email compromise”, also known as BEC or CEO fraud, is an example of an impersonation attack.
In impersonation or BEC attack, an attacker or attackers send a bogus email purportedly from the CEO to a targeted employee, typically one who has access to company finances. Through the bogus email, the attackers request the targeted employee to make an urgent money transfer, usually to a trusted vendor’s new bank account.
Many profit and nonprofit organizations had been duped by BEC scammers in recent years. According to the Federal Bureau of Investigation (FBI), BEC scammers, between October 2013 and May 2018, defrauded different organizations worldwide of almost $12.5 million.
Email Attack Schedule
Malware-based attacks most likely occur during Mondays and Wednesdays. During Thursdays, malware-less attacks most likely happen. Impersonation attacks, meanwhile, most likely occur during Fridays.
One example of the malware-less email is the impersonation email, an email that spoofs domains or uses lookalike domains. Another example of a malware-less malicious email is the blended email, whereby the email contains a link to a malicious URL. An additional example of a malware-less malicious email is one that contains a dangerous file such as an .exe file.
One explanation why impersonation emails are sent during Fridays is that impersonation emails typically are bogus emails from an organization’s CEO. During Fridays, especially late Friday afternoon, it’s typically difficult to call or talk in person with the boss – a situation favored by scammers to buy time to trick a targeted employee.
How to Prevent Email Attacks?
Here are some security measures in order to block or detect email-borne threats:
In email-based attack, it only takes one click to infect your organization’s internal network. And your weakest link for this particular type of cyber-attack is your staff. Staff training isn’t just a one-shot deal. It needs to be continuous as well as effective.
It’s particularly important to train executives and employees dealing with finances to be vigilant against email-borne threats as they’re targeted by criminals, especially in BEC attacks. One way to train your organization's staff is by sending test emails to check their resilience against email-borne threats.
Use an Advanced Email Security Tools
Traditional email security tools only block emails that contain malware. An advanced email security tool, in addition to blocking emails laden with malware, blocks malicious emails containing spoofs domains, lookalike domains, emails containing malicious URLs and emails containing dangerous files.
Contact us today if you need assistance in protecting your organization’s network from email-borne threats.
Equifax Data Breach Was “Entirely Preventable”, Report Says
The U.S. House of Representatives Committee on Oversight has released a report that concludes that the massive Equifax data breach back in September 2017 was "entirely preventable".
On September 7, 2017, Equifax disclosed a massive data breach affecting 143 million consumers – majority of whom were from the U.S. and some from Canada and the U.K. – this number later rose to 148 million consumers.
Equifax is one of the largest consumer reporting agencies (CRAs) in the world. CRAs collect account information from various creditors, analyze this data to create credit scores and detailed reports, and then sell these to third parties. CRAs’ data collection activities make them a repository of large amount of personally identifiable information, which make them a high-value target for cyber criminals, this according to the report released by the U.S. House of Representatives Committee on Oversight(PDF).
Few weeks prior to the Equifax data breach, former Equifax Chief Executive Officer (CEO) Richard Smithsaid that Equifax was managing “almost 1,200 times” the amount of data held by the U.S. Library of Congress every day.
As a result of the massive data breach, Equifax held several of its officials accountable. Eight days after the data breach disclosure, the company’s Chief Information Officer and Chief Security Officer both took early retirements. Nineteen days after the data breach disclosure, the company’s then Chief Executive Officer Richard Smith left the company and 25 days after the breach, the company terminated its Senior Vice President and Chief Information Officer for Global Corporate Platforms.
Anatomy of the Equifax Data Breach
Based on the report released by the U.S. House of Representatives Committee on Oversight, the Equifax data breach was a result of a series of events that could have been prevented.
On March 7, 2017, Apache Software Foundation, an organization that oversees more than 350 leading open source projects, including Apache Struts, announced and patched on the same day the security vulnerability designated as CVE-2017-5638. This security vulnerability enables attackers to conduct remote code execution (RCE), a cyber attack in which the attacker takes over a computer by exploiting a vulnerability in the computer, regardless of where the computer is geographically located. A proof of conceptof CVE-2017-5638 attack scenario is publicly available on GitHub.
Apache Struts is a popular open source framework for creating web applications. Many of the world’s web applications use Apache Struts, including the web applications used by Equifax, financial institutions, government organizations and Fortune 100 companies. Equifax’s Automated Consumer Interview System (ACIS), a custom-built internet-facing consumer dispute portal, was running a version of Apache Struts containing the CVE-2017-5638 vulnerability.
According to the House Oversight Committee, 2 days after the release of the CVE-2017-5638 patch, Equifax’s Global Threat and Vulnerability Management (GTVM) team emailed over 400 Equifax employees who had Apache Struts running on their system to apply the necessary patch within 48 hours. The Equifax GTVM team also held a meeting about this vulnerability on March 16.
Despite the above-mentioned efforts, Equifax’s ACIS wasn't patched, leaving the company’s computer systems open to attacks. Just a few days after the release of the CVE-2017-5638 patch, that is, on May 13, 2017, attackers started their 76-day long cyber-attack on Equifax, the House Oversight Committee report said.
By exploiting the unpatched Apache Struts of the company’s ACIS, the report said, the attackers located a file containing unencrypted credentials, including usernames and passwords. These unencrypted credentials enabled the attackers to gain access to critical data outside Equifax’s ACIS, specifically access to the company’s 48 databases.
The report added that on these 48 databases, attackers accessed 265 times unencrypted personally identifiable information of Equifax’s consumers and said attackers transferred this data out of the company’s network. The report said Equifax wasn’t aware of this data transfer as the tool used to monitor ACIS network traffic had been inactive for 19 months as a result of an expired security certificate. It was only on July 29, 2017 that Equifax noticed the ACIS network traffic as this was the date that the company updated the expired certificate.
“Equifax failed to fully appreciate and mitigate its cybersecurity risks,” the House Oversight Committee report said. “Had the company taken action to address its observable security issues prior to this cyber attack, the data breach could have been prevented.”
Here are some of the cyber security measures that your organization can implement in order to prevent data breaches similar to the Equifax data breach:
Keep All Software Up-to-Date
Cyber attackers are quick to exploit publicly known security vulnerabilities. In the case of the Equifax data breach, attackers exploited a known security vulnerability on Apache Struts just a few days after Apache Software Foundation patched the vulnerability. It’s important to install critical patches in a timely manner so as not to leave your organization’s IT system vulnerable to cyber attacks.
Encrypt Critical Data
It’s a proactive approach to assume that one day your organization’s critical data could be accessed by an unauthorized party. It’s important to encrypt your organization’s critical data so that attackers won’t have a easy access to this high-value data. In encryption, data in plain text is converted into an unreadable form. The only way to read or unlock this encrypted data is via a decryption key – a time-consuming task on the part of the attackers. In the case of the Equifax data breach, the sensitive data of consumers wasn’t encrypted, making it easy for the attackers to locate the critical data.
Monitor Network Traffic
Monitoring your organization’s network traffic is one of the effective means of detecting intrusion. In the case of the Equifax data breach, at the time of the data breach, the company had no means to monitor its ACIS network traffic.
Look at deploying SIEM or MDRsolutions.
Network access during non-working hours and unusual volume of data transfer are signs of intrusion. A workable automated network monitoring tool is a must to protect your organization’s IT system.
What Can Organizations Learn from the Marriott Data Breach
The recent data breach disclosure by Marriott is an eye-opener to organizations, not only because of the extent of the breach – with up to half a billion guests affected, but also because of the length of time that the breach remained undetected – lasting nearly 4 years.
Marriott, currently the world's largest hotel chain, has over 6,700 properties in 129 countries and territories, including Canada. The company has attained the stature of being the world's largest hotel chain after it completed its acquisition of Starwood Hotels & Resorts Worldwide in September 2016.
Marriot, in a statement, said that from 2014 up to September 10, 2018, an “unauthorized party” accessed the Starwood guest reservation network affecting up to 500 million guests who made a reservation at Starwood properties. Out of the 500 million guests affected, the hotel chain said that data of 327 million of these guests was accessed without authority, including name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.
Financial data of an unspecified number of guests was also accessed by the unauthorized party, including payment card numbers and payment card expiration dates. While the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128), the hotel chain said it won’t discount the possibility that the unauthorized party decrypted the payment card numbers.
Marriott didn’t specify what month or exact date in 2014 that the data breach started. It can be recalled that prior to the completion of Marriott’s acquisition of Starwood, in November 2015, Starwooddisclosed its own data breach, affecting nearly 100 Starwood hotels in North America.
Sergio Rivera, President of Starwood Americas, in a statement, said that point of sale systems at certain Starwood hotels were infected with a malicious software (malware), enabling “unauthorized parties” to access payment card data of some of the hotel customers.
Lessons from Marriott Data Breach
Here are some cyber security lessons from the recent Marriott data breach:
Implement Network Segmentation
Marriott said that its own Marriott-branded hotels aren’t affected by the data breach at the Starwood guest reservation network as Marriott-branded hotels’ use a different network that wasn't breached.
Network segmentation is the practice of dividing a computer network into subnetworks, with each network having a different purpose or usage. Implementing network segmentation in your organization ensures that in case one of the networks is infected with a malware, the other subnetworks won’t be infected.
By implementing network segmentation, the data breach at the Starwood guest reservation network was contained to this network alone, preventing the spread of the intrusion to Marriott’s other properties, including Marriott-branded hotels.
Encrypt Important Data
While encryption alone isn’t enough to protect important data, encryption adds a security layer in data protection. Encryption also means that an unauthorized party has to undertake an extra step and extra time to get the decryption key to unlock the encrypted files.
In the case of the Marriott data breach, the only data that was encrypted was limited to payment card numbers. The hotel chain though doesn’t discount that the unauthorized party had gotten hold of the decryption key or keys to unlock the encrypted payment card numbers.
Encryption doesn’t have to be limited to payment card numbers. In the case of the Marriott data breach, important personally identifiable information, including passport numbers, wasn’t encrypted. What happened in the Marriott data breach was that instead of the company doing the encryption to add an additional layer of protection, the unauthorized party did the data encryption in order to avoid detection by any data-loss prevention tools.
Data decryption isn’t an easy thing to do. According to Marriott, while it discovered the data breach on September 8, 2018, it took the company until November 19, 2018 to decrypt the files encrypted by the unauthorized party.
Always Assume that an Intrusion Has Occurred
To date, the cause of the Marriott data breach is still unspecified. The hotel chain, however, identifies the culprit of the data breach as "unauthorized party", a phrase that could mean a malicious insider or a malicious outsider.
Network intrusion carried out by a malicious outsider could happen in many ways. This could happen via phishing attacks using malicious emails containing malicious links and malicious attachments or via unknown security vulnerabilities exploited by a malicious outsider.
Proactive organizations have adopted the assumption that their networks are vulnerable to intrusion. Many organizations today engage the services of “penetration testers”, also known as ethical hackers. These ethical hackers search for and exploit security vulnerabilities in web-based applications, networks and systems and report back to the organization for the organization to fix the security loopholes.
Monitoring any insider activities within the network is also important. Intrusion by a malicious insider should be assumed all the time. An insider has all the tools needed to abuse one’s access to the trove of data that your organization hold. Your organization must have an automated tool that flags unusual activities, such as abnormal working hours, abnormal access to voluminous data and most importantly unusual volume of data transfer.
Contact ustoday if you need assistance in protecting and detecting intrusions in your organization’s networks, resulting from the actions of a malicious insider or malicious outsider.
Steve E. Driz, I.S.P., ITCP