3 Most Common Web Application Security Vulnerabilities
Almost all organizations today have an online presence, mostly in the form of an official website. While these websites open a window of opportunities for organizations, these same websites are at times a bane to organizations as these are becoming attractive targets for cyber attackers.
What Are Web Application Security Vulnerabilities?
One of the ways by which cyber attackers wreak havoc on corporate websites is by exploiting the security vulnerabilities in web applications.
Web applications, also known as web apps, are software programs that run in a web browser. A web application can be as simple as a contact form on a website or as complex as a content management system like WordPress. Web application security vulnerabilities, meanwhile, are system flaws or security weaknesses in a web application.
Web applications are gateways to a trove of data that cyber attackers find attractive and easy to steal. Every time website visitors sign up for an account, enter their credentials or make a purchase via an official corporate website, all this data, including personally identifiable information, is stored on a server that sits behind that web application. Exploiting a security vulnerability in a web application allows attackers to access the data stored on that server.
Imperva, in its “State of Web Application Vulnerabilities in 2018”, reported that the overall number of new web application vulnerabilities in 2018 increased by 23%, that is, 17,308 web application vulnerabilities, compared to 2017 with only 14,082 web application vulnerabilities.
Most Common Web Application Security Vulnerabilities
Here are the 3 most common security vulnerabilities affecting web applications:
1. Injection
Based on Imperva’s data, the number one web application vulnerability in 2018 was injection, representing 19% of the web application vulnerabilities last year. In an injection attack, an attacker inserts or injects code into the original code of a web application, which alters the course of execution of the web app.
According to Imperva, the preferred method of attackers last year to inject code into web applications was remote command execution (RCE) with 1,980 vulnerabilities.
Remote command execution allows an attacker to remotely take over the server that sits behind a web application by injecting arbitrary malicious code into the web app. The Equifax data breach that exposed highly sensitive data of millions of U.S. customers, as well as thousands of U.K. and Canadian consumers, is an example of a cyberattack that used the injection method, in particular remote command execution.
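The injection mechanism described above, shown as an added example (not code from the original article): a handler that pastes user input into a command string, next to a hardened version that validates the input and never involves a shell. Nothing is executed; the helper only splits the command the way a POSIX shell would, so you can see how the attacker's input changes which programs would run. The ping-a-host handler and the sample inputs are constructed for illustration.

```python
"""Command injection: the unsafe pattern and a hardened replacement.

Added example, not from the original article. It models a web handler that
lets a user supply a hostname to ping. build_command_unsafe() is the flaw;
shell_view() shows (without running anything) what a shell would make of the
resulting string; build_argv_hardened() is the fix.
"""
import re
import shlex
import subprocess

# Constructed sample inputs: a normal hostname and one carrying a shell separator.
NORMAL_INPUT = "example.com"
HOSTILE_INPUT = "example.com; whoami"

# Only letters, digits, dots and hyphens are accepted as a hostname.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def build_command_unsafe(user_host: str) -> str:
    """Vulnerable pattern: user input interpolated into a command string that
    would be handed to a shell (os.system, subprocess with shell=True, ...)."""
    return f"ping -c 1 {user_host}"


def shell_view(command: str) -> list[list[str]]:
    """Tokenise a command string as a POSIX shell would and return one argv
    list per ';'-separated command. This is only a view of what the shell
    would execute; nothing is run."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lexer:
        if tok == ";":
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def validate_host(user_host: str) -> str:
    """Reject anything that is not a plain hostname before it reaches argv."""
    if not HOSTNAME_RE.fullmatch(user_host):
        raise ValueError(f"invalid hostname: {user_host!r}")
    return user_host


def build_argv_hardened(user_host: str) -> list[str]:
    """Fixed pattern: validated input becomes a single argv element. With no
    shell in the loop, metacharacters cannot introduce a second command."""
    return ["ping", "-c", "1", validate_host(user_host)]


def run_hardened(user_host: str) -> int:
    """Execute the hardened argv with shell=False and return the exit status."""
    return subprocess.run(build_argv_hardened(user_host), check=False).returncode


if __name__ == "__main__":
    for sample in (NORMAL_INPUT, HOSTILE_INPUT):
        cmd = build_command_unsafe(sample)
        print(f"input {sample!r} -> shell would run {len(shell_view(cmd))} command(s): {shell_view(cmd)}")
        try:
            print("hardened argv:", build_argv_hardened(sample))
        except ValueError as err:
            print("hardened handler rejected input:", err)
```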
Attackers gained access to the data of millions of Equifax’s customers by exploiting the vulnerability designated CVE-2017-5638 in the web application used by the company. At the time of the attack, Equifax was running an outdated version of Apache Struts, a popular open source framework for creating enterprise-grade web applications.
Despite the advisory from the Apache Software Foundation, the organization that oversees leading open source projects, including Apache Struts, to update the software to the latest version, Equifax failed to do so, allowing the attackers to breach the sensitive data of millions of the company’s customers.
On March 7, 2017, the Apache Software Foundation issued a patch, or security update, for the CVE-2017-5638 vulnerability. On May 13, 2017, just a few days after the CVE-2017-5638 patch was released, attackers started their 76-day-long cyberattack on Equifax, according to the findings of the U.S. House Oversight Committee.
2. Cross-Site Scripting
The second most common web application vulnerability is cross-site scripting. According to Imperva, cross-site scripting ranked as the second most common vulnerability in 2018, representing 14% of the web application vulnerabilities last year.
Cross-site scripting, also known as XSS, is a type of injection in which malicious code is inserted into a vulnerable web application. Unlike injection in general, cross-site scripting particularly targets web visitors.
In a cross-site scripting attack scenario, an attacker might, for instance, embed an HTML tag in an e-commerce website’s comments section. The embedded tag becomes a permanent fixture of the webpage, so the browser reads it together with the rest of the original code every time the page is opened, even for visitors who never scroll down to the comments section.
The injected HTML tag in the comments section could load a file hosted on another site, allowing the attacker to steal visitors’ session cookies – information that web visitors have entered into the site. With the stolen session cookies of site visitors, attackers could gain access to the visitors’ personal information and credit card data.
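The stored-XSS scenario above, as an added example that is not part of the original article: a constructed comment containing a script tag is rendered two ways. The unsafe path concatenates it into the page verbatim, so the tag becomes part of the page for every visitor; the safe path HTML-encodes it so the browser shows the characters instead of executing them, and the session cookie is issued with HttpOnly so page scripts cannot read it even if markup does slip through. The comment list, wrapper markup and cookie name are illustrative.

```python
"""Stored XSS in a comments section: raw rendering versus HTML-encoded rendering.

Added example, not the article's code. html.escape() encodes the characters
that let user text break out of an element body; the cookie flags limit what
an injected script could steal if encoding were ever missed.
"""
import html
import re

# Constructed sample comments as visitors might submit them. The second one is
# the attack described in the article: a tag that loads a file from another site.
COMMENTS = [
    "Great product, arrived on time!",
    '<script src="https://evil.example/steal.js"></script>',
    'Nice <b>bold</b> claim & a "quote"',
]

WRAPPER_OPEN, WRAPPER_CLOSE = '<li class="comment">', "</li>"
TAG_RE = re.compile(r"<\s*/?\s*[A-Za-z][^>]*>")


def render_unsafe(comment: str) -> str:
    """Vulnerable: the stored comment is concatenated into the page as-is."""
    return f"{WRAPPER_OPEN}{comment}{WRAPPER_CLOSE}"


def render_safe(comment: str) -> str:
    """Fixed: encode <, >, &, ' and " before emitting the text into HTML."""
    return f"{WRAPPER_OPEN}{html.escape(comment, quote=True)}{WRAPPER_CLOSE}"


def contains_live_tag(rendered: str) -> bool:
    """True if user-controlled markup survived inside the wrapper element,
    i.e. the browser would parse it as a tag rather than as text."""
    inner = rendered[len(WRAPPER_OPEN):-len(WRAPPER_CLOSE)]
    return TAG_RE.search(inner) is not None


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value: HttpOnly keeps the token out of document.cookie,
    Secure restricts it to HTTPS, SameSite limits cross-site sending."""
    return f"sid={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def render_comments(comments: list[str], safe: bool = True) -> str:
    """Render the whole comments block with either path, for side-by-side review."""
    renderer = render_safe if safe else render_unsafe
    return "<ul>\n" + "\n".join(renderer(c) for c in comments) + "\n</ul>"


if __name__ == "__main__":
    for c in COMMENTS:
        print("unsafe:", render_unsafe(c), "| live tag:", contains_live_tag(render_unsafe(c)))
        print("safe:  ", render_safe(c), "| live tag:", contains_live_tag(render_safe(c)))
    print("Set-Cookie:", session_cookie_header("<constructed-session-id>"))
```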
3. Vulnerabilities in Content Management Systems
Imperva’s State of Web Application Vulnerabilities in 2018 also showed that attackers are focusing their attention on vulnerabilities in content management systems, in particular WordPress.
Attackers are focusing on WordPress because this content management system powers nearly one-third of the world’s websites. Data from W3Techs showed that as of late December last year, WordPress accounted for 32.9% of the world’s websites, followed by Joomla and Drupal.
According to Imperva, the number of WordPress vulnerabilities increased in 2018 despite the slowed growth in new plugins. Imperva registered 542 WordPress vulnerabilities in 2018, the highest among the content management systems. The WordPress official website, meanwhile, reported that only 1,914 plugins, or 3% of the total 55,271, were added in 2018.
Ninety-eight percent of WordPress vulnerabilities are related to plugins, Imperva reported. Plugins expand the features and functionality of a website. WordPress plugins are, however, prone to vulnerabilities because, with this open source content management system, anyone can create a plugin and publish it without a security audit to ensure that it adheres to minimum security standards.
Web Application Attack Prevention
A web application firewall (WAF) is one of the best cybersecurity solutions that your organization can employ against web application vulnerabilities.
Trust the experienced team that protects hundreds of sites and applications. Protect your web application within 10 minutes and keep cybercriminals at bay. Get started today!
Look Back into the First Major Cyberattack: The Morris Worm
Thirty years ago, the Morris worm, dubbed as the first major cyberattack, was unleashed into the wild, crashing or slowing to a crawl 10% or 6,000 of the 60,000 computers then connected to the “Internet”.
What Is the Morris Worm?
The Morris worm is named after its creator, Robert Tappan Morris. A worm, meanwhile, is a type of malicious software (malware) that can spread itself within networks without user interaction.
Court documents showed that Morris, then a first-year graduate student in Cornell University's computer science Ph.D. program, released the worm on November 2, 1988 through a computer at the Massachusetts Institute of Technology (MIT), which Morris hacked using a Cornell University computer.
The Morris worm was released into the wild a year before the World Wide Web came into existence. The term “Internet” then referred to a U.S. computer network composed of connected computers from prestigious colleges, research centers, and governmental and military agencies.
In less than 24 hours on November 2, 1988, the Morris worm infected the computers of institutions including Harvard, Princeton, Stanford, Johns Hopkins, the National Aeronautics and Space Administration (NASA) and the Lawrence Livermore National Laboratory.
While the worm didn’t destroy or damage files, infected computers slowed to a crawl or ceased functioning and emails were delayed for days. The estimated cost of dealing with the Morris worm at each installation ranged from $200 to over $53,000.
The worm infected computers running a specific version of the Unix operating system in 4 ways:
First, via a security vulnerability in “SEND MAIL”, a computer program that transfers and receives electronic mail;
Second, via a security vulnerability in the "finger demon", a computer program that allows extraction of limited information about the users of another computer;
Third, via "trusted hosts" feature that allows a user with certain privileges on one computer to have equivalent privileges on another computer without using a password; and
Fourth, via a program that guesses passwords using various combinations of letters tried out in rapid succession, hoping that one will be an authorized user's password. When the correct password is entered, the intruder is allowed whatever level of activity that the user is authorized to perform.
Morris designed the worm to stay hidden. It was built so that it would not copy itself onto a computer that already had a copy, and so that it would be killed when a computer was shut down.
Consequences of the Morris Worm
For unleashing the worm into the wild, Morris became the first person convicted for violating the U.S. Computer Fraud and Abuse Act, which outlaws unauthorized access to protected computers. He was sentenced to 3 years of probation, 400 hours of community service, a fine of $10,050 and the costs of his supervision.
The first major cyberattack perpetrated by the Morris worm showed how vulnerable interconnected computers had become. Just days after the Morris worm attack, the U.S. Government created the country’s first computer emergency response team under the direction of the Department of Defense. Developers also began creating intrusion detection software.
On the flip side, the Morris worm inspired a new breed of malicious hackers who have plagued the digital age. In recent memory, the worm whose devastation most resembles that of the Morris worm is the WannaCry worm, commonly known as WannaCry ransomware.
In less than 24 hours on May 12, 2017, more than 300,000 computers in 150 countries were infected by WannaCry, each demanding a ransom payment. WannaCry is categorized as a worm because, like the Morris worm, it can spread itself within networks without user interaction.
WannaCry specifically exploited a security vulnerability in the Server Message Block (SMB) protocol in some versions of Microsoft Windows. The SMB protocol allows users to access files, printers and other resources on a network.
Here are some cybersecurity measures to protect your organization’s computers or networks from worms similar to WannaCry and Morris worms:
Implement Network Segmentation
In network segmentation, vital computers that house critical information and operations are separated or disconnected from computers connected to vulnerable systems like the public internet. Network segmentation ensures that when internet-facing computers are infected by a worm, these vital computers aren’t affected.
Keep All Software Up-to-Date
Make sure that software security updates are installed as promptly as possible, not months or years after their release dates.
Cyberattackers have automated the process of scanning the internet to find vulnerable computers – those that fail to install security updates. This was the case for WannaCry victims, who had failed to install the security update issued by Microsoft months before the WannaCry cyberattack.
Refrain from Using Legacy Hardware and Software
The term “legacy” refers to old and outdated computer hardware or software. Like computers that fail to install security updates in a timely manner, legacy hardware and software are targeted by cyberattackers because they no longer receive security updates from their vendors.
Some versions of Microsoft Windows (Windows XP, Windows 8 and Windows Server 2003) were targeted by WannaCry attackers because, at the time of the attack, these operating systems were no longer supported by Microsoft. A day after the WannaCry attack, however, Microsoft released security updates for Windows XP, Windows 8 and Windows Server 2003.
Protecting computers or networks from worms and other malicious software is important in order to prevent data breaches. Under Canada’s Digital Privacy Act, starting November 1 this year, private organizations are mandated to notify the Privacy Commissioner of Canada and the affected individual “as soon as feasible” in the event that a data breach poses a “real risk of significant harm” to any individual.
When you need help assessing and mitigating cybersecurity risks, contact our team of experts and minimize the likelihood of a data breach.
How to Prevent Departing Employees from Departing with Your Organization’s Data
The practice of departing employees departing with their employers’ data has recently been highlighted by the latest case to emerge from one of the biggest tech companies, Apple.
A special agent at the Federal Bureau of Investigation (FBI) recently filed a criminal complaint before the US District Court for the Northern District of California against a former Apple employee, alleging that the former employee, who worked as a hardware engineer on the company’s autonomous vehicle development team, stole trade secrets from the company.
According to the FBI special agent, because of the former employee's role on Apple’s autonomous vehicle development project, he was granted broad access to secure and confidential internal databases containing trade secrets and intellectual property for the project.
After returning from paternity leave, the employee, according to the FBI special agent, resigned, saying that he planned to move back to his home country and to work for another company also active in the field of autonomous vehicle technology.
The employee turned over all Apple-owned devices, and Apple's security team then disabled his remote network access, badge privileges, network access and other employee access.
The criminal complaint revealed that data from Apple’s security team showed that days prior to his resignation, the former Apple employee’s network activity increased exponentially compared to the prior two years of his employment. On the evening two days prior to his resignation, the employee was shown via CCTV footage entering the autonomous vehicle software and hardware labs and leaving the building less than an hour later carrying a large box.
The criminal complaint also disclosed that in an interview with an Apple security attorney and an Apple employee relations representative, the accused former employee admitted downloading data to a non-Apple device, one owned by his wife, because he had an "interest in platforms and wanted to study the data on his own." The accused also admitted to FBI agents that he took files from Apple’s autonomous vehicle development project and transferred them to a non-Apple digital device owned by his wife.
Files recovered from the non-Apple device included a 25-page document containing schematics for one of the circuit boards that form Apple's proprietary infrastructure technology for its autonomous vehicle development project.
FBI agents arrested the former Apple employee at San Jose International Airport as he was about to leave the country.
Prevalence of Departing Employees Stealing or Leaking Corporate Data
The case filed against a former Apple employee is just one of the many cases of departing employees departing with their employers’ data.
In 2014, the Federal Court of Australia found sufficient evidence that a former employee of Leica Geosystems Pty Ltd copied 190,000 files from the company’s computers the day before he resigned. The files copied by the former employee included numerous source code files representing the core of the company’s intellectual property. The Federal Court of Australia ordered the employee to pay AUD$50,000 to his former employer as a fine for his misconduct.
In 2015, an employee of BlueScope, after learning she was to be terminated, downloaded 40 gigabytes of company documents. The company filed legal actions in the Federal Court of Australia and in Singapore to stop the information from falling into the hands of its competitors. BlueScope and the former employee reached a confidential settlement. The Federal Court of Australia, meanwhile, permanently restrained BlueScope’s former employee from using the data in her possession.
A survey conducted by Biscom showed the prevalence of departing employees departing with their employers’ data. The Biscom survey showed the following alarming findings:
Data Leak Prevention
1. Limit Employee Access to Data
Only give employees access to data needed to get their jobs done. For instance, engineers don’t need access to CRM systems.
2. Encrypt Critical Corporate Data
Ensure that critical corporate data is encrypted whether it is in transit, at rest or in use. Encryption ensures that even when there is a data breach, the stolen data remains useless.
3. Establish Regular IT Audits
While automated, preventive controls are the best defense, no technology is perfect. Establishing regular IT audits performed by an independent third party will help you detect outliers and catch data leaks and internal fraud early on. Such audits generally include
4. Require Appropriate Authentication for Critical Content
Accessing critical content must require not just a username and password but also multi-factor authentication. It also helps to require prior approval, or to alert a compliance officer, whenever critical content is accessed.
5. Regularly Monitor Network Activities
An unusual volume of downloaded data and data access outside office hours are examples of network activity that should be monitored. Such activity is a red flag for unauthorized access and should be checked.
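The two signals named here, and the pattern the Apple complaint describes (network activity climbing sharply in the days before resignation), as an added detection example that is not the article's own code. It runs over a constructed file-server access log: each user's latest day of downloads is compared against the median of their own earlier days, and any download outside office hours is listed. The log field layout, the 08:00-18:59 office window, the 5x multiplier and the 100 MiB floor are assumptions chosen for illustration.

```python
"""Insider-risk red flags over a file-server access log: volume spikes and off-hours access.

Added example, not from the article. The log format (time, user, action,
bytes, path) is a constructed generic layout; the thresholds are illustrative.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

OFFICE_HOURS = range(8, 19)           # 08:00 through 18:59 is treated as normal
SPIKE_FACTOR = 5                      # latest day vs. median of the user's earlier days
MIN_SPIKE_BYTES = 100 * 1024 * 1024   # ignore spikes below 100 MiB in absolute terms

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"bytes=(?P<bytes>\d+) path=(?P<path>\S+)$"
)

# Constructed sample log: eng1 has a steady baseline of small downloads, then
# pulls two large archives late in the evening on the last day; eng2 is normal.
SAMPLE_LOG = """\
2018-04-02T10:12:01 user=eng1 action=download bytes=2400000 path=/docs/spec-a.pdf
2018-04-03T11:02:44 user=eng1 action=download bytes=1800000 path=/docs/spec-b.pdf
2018-04-04T09:45:10 user=eng1 action=download bytes=3100000 path=/docs/spec-c.pdf
2018-04-05T14:20:33 user=eng1 action=download bytes=2200000 path=/docs/spec-d.pdf
2018-04-05T15:01:07 user=eng2 action=download bytes=2600000 path=/docs/readme.md
2018-04-06T08:30:00 user=eng2 action=download bytes=2100000 path=/docs/notes.txt
2018-04-06T21:55:19 user=eng1 action=download bytes=420000000 path=/labs/board-schematics.zip
2018-04-06T22:10:02 user=eng1 action=download bytes=910000000 path=/labs/firmware-src.tar
"""


def parse_log(text: str) -> list[dict]:
    """Parse log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "action": m["action"],
            "bytes": int(m["bytes"]),
            "path": m["path"],
        })
    return events


def daily_totals(events: list[dict]) -> dict:
    """{user: {date: total bytes downloaded that day}}"""
    totals = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["action"] == "download":
            totals[e["user"]][e["ts"].date()] += e["bytes"]
    return totals


def volume_spikes(events: list[dict]) -> list[tuple]:
    """Compare each user's latest day against the median of their earlier days.
    Returns (user, date, latest_day_bytes, baseline_bytes) for each spike."""
    alerts = []
    for user, per_day in daily_totals(events).items():
        days = sorted(per_day)
        if len(days) < 2:
            continue  # no history to compare against
        latest, history = days[-1], days[:-1]
        baseline = statistics.median(per_day[d] for d in history)
        today = per_day[latest]
        if today >= MIN_SPIKE_BYTES and today > SPIKE_FACTOR * baseline:
            alerts.append((user, latest.isoformat(), today, baseline))
    return alerts


def off_hours_access(events: list[dict]) -> list[tuple]:
    """Downloads whose hour falls outside OFFICE_HOURS, as (user, timestamp, path)."""
    return [(e["user"], e["ts"].isoformat(), e["path"])
            for e in events
            if e["action"] == "download" and e["ts"].hour not in OFFICE_HOURS]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for user, day, today, base in volume_spikes(evts):
        print(f"SPIKE {user} on {day}: {today:,} bytes vs median {base:,.0f}")
    for user, ts, path in off_hours_access(evts):
        print(f"OFF-HOURS {user} at {ts}: {path}")
```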
6. Keep Critical Data Offline
Don't store information vital to your organization, especially trade secrets, on any device that connects to the internet.
7. In-Person Data Security and Privacy Training
One means, though not a cure-all, of preventing departing employees from stealing corporate data is to provide in-person data security training the moment an employee is hired.
One training session isn't enough. It's best to regularly remind employees about safeguarding the company’s data by implementing regular, formal cybersecurity awareness training. In addition to the in-person data security and privacy training, a confidentiality or non-disclosure provision has to be included in employment contracts.
8. Don’t Give Employees Administrator Privileges
Don’t give employees administrator rights for the company-supplied computers or devices. Giving them administrator privileges allows them to install malicious software (malware) that could lead to unauthorized access to information vital to your organization.
When you need help with either establishing regular IT Audits or performing data leakage assessments, help is a phone call away. Contact us today and protect your business.
What is Remote Code Execution Attack & How to Prevent this Type of Cyberattack
Microsoft recently rolled out its latest security update, fixing 50 security vulnerabilities. Out of the 50 security vulnerabilities fixed by Microsoft in its June 12th security update, 14 allow remote code execution.
What is Remote Code Execution?
Remote code execution (RCE) refers to the ability of a cyberattacker to access and make changes to a computer owned by another, without authority and regardless of where the computer is geographically located.
RCE allows an attacker to take over a computer or a server by running arbitrary malicious software (malware). "RCE (remote code execution) vulnerabilities are one of the most dangerous of their kind, as attackers may execute malicious code on the vulnerable server," Imperva said.
Remote Code Execution Example #1: Microsoft Excel Remote Code Execution Vulnerability
One example of a remote code execution vulnerability is CVE-2018-8248 – one of the security vulnerabilities fixed by Microsoft in its June 12th security update. The CVE-2018-8248 vulnerability, also known as the “Microsoft Excel Remote Code Execution Vulnerability”, allows an attacker to run malware on the vulnerable computer.
The CVE-2018-8248 attacker could take full control of the compromised computer if the owner of the compromised computer logs on to the computer with administrative user rights. In taking full control of the compromised computer, the attacker could view, change or delete data; install programs; or create new accounts with full user rights.
According to Microsoft, the delivery method for exploiting the CVE-2018-8248 vulnerability could be a malicious email with an attachment containing a specially crafted file aimed at an affected version of Microsoft Excel. Another delivery method is a web-based attack scenario, in which an attacker hosts a website, or uses a compromised website, that accepts or hosts user-provided content containing a specially crafted file designed to exploit the CVE-2018-8248 vulnerability.
In both scenarios, malicious email and web-based attack, the attacker has to convince users to click on the attachment or a link to open the specially crafted file. To date, there’s no report that the CVE-2018-8248 vulnerability has been exploited in the wild.
Remote Code Execution Example #2: Microsoft Windows SMB Vulnerability
On May 12, 2017, hundreds of thousands of computers worldwide were infected by WannaCry, a malware that encrypts computer files, locks users out and demands a ransom payment to decrypt or unlock the files.
WannaCry, as it turns out, relies on a vulnerability that allows remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block (SMB) server. SMB is a protocol used for sharing access to files, printers and other resources on a network.
Unlike other remote code execution attacks, which rely on malicious emails and web-based attacks as delivery methods, WannaCry’s delivery method was scanning the internet for vulnerable SMB ports and using one of the alleged U.S. National Security Agency (NSA) spying tools, called “EternalBlue”, which takes advantage of the vulnerability in Microsoft’s SMB. Once an attacker detects the SMB vulnerability, DoublePulsar (another alleged NSA spying tool) is used to install the WannaCry malware.
EternalBlue and DoublePulsar are 2 of the spying tools allegedly used by the NSA that were leaked in April 2017 by a group of hackers who called themselves Shadow Brokers. According to Microsoft, the security vulnerabilities exposed by Shadow Brokers were fixed by the security update released by the company in March 2017 – a month before Shadow Brokers publicly released the alleged NSA spying tools.
Researchers at Rendition reported that in late April and the first few days of May 2017 – several days after Microsoft issued a security update fixing the security vulnerabilities exposed by Shadow Brokers – more than 148,000 computers were compromised by EternalBlue and DoublePulsar.
Hundreds of thousands of computers were infected by WannaCry because many compromised machines were used as servers and because of the worm, or self-propagating, capability of this malware. As a result, computers connected to the infected servers were also infected by the WannaCry malware.
Remote Code Execution Attacks and Cryptocurrency Mining
At the height of the cryptocurrency boom in December 2017, Imperva reported that cryptocurrency mining drove almost 90% of all remote code execution attacks.
Imperva said 88% of all remote code execution attacks in December 2017 sent a request to an external source to try to download a cryptocurrency mining malware.
“These attacks try to exploit vulnerabilities in the web application source code, mainly remote code execution vulnerabilities, in order to download and run different crypto-mining malware on the infected server,” Imperva said. “The malware usually uses all CPU computing power, preventing the CPU from doing other tasks and effectively denies service to the application’s users.”
Timely patching, that is, timely installation of software updates, ranks as the top cybersecurity measure for preventing remote code execution attacks.
For instance, to prevent remote code execution via the CVE-2018-8248 vulnerability, Microsoft’s June 12, 2018 security update has to be installed. In the case of the WannaCry cyberattack, remote code execution via the Microsoft Windows SMB vulnerability could have been prevented if Microsoft’s March 2017 security update had been applied in time.
To stop attackers from infecting vulnerable servers with cryptocurrency mining malware, the initial attack must be blocked. As an initial attack, cybercriminals typically exploit remote code execution vulnerabilities to launch their malware, as the WannaCry attackers did.
If your organization is running computers or servers with software known to be vulnerable to remote code execution, the latest vendor patch mitigating that vulnerability should be applied promptly.
As a rule of thumb, to significantly minimize the risk, your company must collect, analyze and act on the most recent threat intelligence. Your IT team must be equipped with the best tools to apply patches promptly, thus mitigating the risk of a data breach. Better yet, workstation and server patching can and should be automated to prevent remote code execution and other cyberattacks.
Are You Failing to Protect Yourself Against Fraud?
Online fraud is, sadly, a common danger.
More than 15 million people fell victim to it in 2016, and the risk is still very much present. Companies across all areas of industry must take steps to protect their finances, making any changes necessary to minimize threats.
Some of these may seem simple, while others appear a tad more complicated. As specialists in cybersecurity, we’re dedicated to helping businesses like yours stay safe against ever-more sophisticated tactics.
So, what changes can you make to your everyday operations to combat online fraud?
You Ignore the Warning Signs
Seeing new customers make large purchases can be an exciting time, but you need to be aware of some common warning signs.
Orders placed late at night could be a red flag, while large orders of products that can be resold easily are another fraud giveaway to watch out for.
Another red flag? Multiple attempts to buy an expensive item (or items) with the same payment method, but with minor differences in the expiration date or name.
Purchases made by buyers who have been repeat customers for a long time should be watched if they make an unusual change in their purchases, address, contact details, and order size.
Last but not least: be wary of customers buying goods with a domestic billing address but sending the purchases to international locations. This is especially true if multiple international addresses are used.
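The warning signs listed above, turned into a rule-based order screen as an added example (not the article's own code). Each rule returns a short reason so a reviewer can see why an order was held: late-night placement, a large order in an easily resold category, a domestic billing address shipping abroad, repeated attempts on one card with the expiry date or name changing, and one card fanning shipments out to several foreign countries. The order records are constructed; the field names, the 00:00-05:59 window, the CA home country, the category list and the amount threshold are assumptions chosen for illustration.

```python
"""Rule-based screening for the order-level fraud warning signs in the article.

Added example, not from the article. Orders are plain dicts; card_hash stands
for a tokenised card reference (no real payment data). Thresholds are illustrative.
"""
from collections import defaultdict
from datetime import datetime

LATE_NIGHT_HOURS = range(0, 6)
HOME_COUNTRY = "CA"
RESALE_RISK_CATEGORIES = {"electronics", "gift_card"}
LARGE_ORDER_AMOUNT = 1500.00
ATTEMPT_WINDOW_MIN = 30   # attempts on one card this close together are one episode

# Constructed sample orders: A1 is ordinary; A2-A4 are three rapid tries on the
# same card with the expiry and name nudged each time, shipping to two countries.
ORDERS = [
    {"id": "A1", "placed": "2019-03-04T14:05:00", "amount": 89.99, "category": "books",
     "card_hash": "c1", "card_exp": "04/22", "name": "Ann Lee",
     "billing_country": "CA", "shipping_country": "CA"},
    {"id": "A2", "placed": "2019-03-04T02:17:00", "amount": 2399.00, "category": "electronics",
     "card_hash": "c2", "card_exp": "08/21", "name": "J. Smith",
     "billing_country": "CA", "shipping_country": "GB"},
    {"id": "A3", "placed": "2019-03-04T02:21:00", "amount": 2399.00, "category": "electronics",
     "card_hash": "c2", "card_exp": "08/22", "name": "J Smith",
     "billing_country": "CA", "shipping_country": "DE"},
    {"id": "A4", "placed": "2019-03-04T02:24:00", "amount": 2399.00, "category": "electronics",
     "card_hash": "c2", "card_exp": "09/22", "name": "John Smith",
     "billing_country": "CA", "shipping_country": "GB"},
]


def flag_single_order(order: dict) -> list[str]:
    """Warning signs visible from one order on its own."""
    reasons = []
    if datetime.fromisoformat(order["placed"]).hour in LATE_NIGHT_HOURS:
        reasons.append("placed late at night")
    if order["amount"] >= LARGE_ORDER_AMOUNT and order["category"] in RESALE_RISK_CATEGORIES:
        reasons.append("large order of easily resold goods")
    if order["billing_country"] == HOME_COUNTRY and order["shipping_country"] != HOME_COUNTRY:
        reasons.append("domestic billing, international shipping")
    return reasons


def flag_card_attempts(orders: list[dict]) -> dict:
    """Warning signs that only appear across attempts on the same card.
    Returns {order_id: [reasons]} for every order in a flagged group."""
    by_card = defaultdict(list)
    for o in orders:
        by_card[o["card_hash"]].append(o)
    reasons = defaultdict(list)
    for attempts in by_card.values():
        attempts.sort(key=lambda o: o["placed"])
        first = datetime.fromisoformat(attempts[0]["placed"])
        last = datetime.fromisoformat(attempts[-1]["placed"])
        within_window = (last - first).total_seconds() <= ATTEMPT_WINDOW_MIN * 60
        expiries = {o["card_exp"] for o in attempts}
        names = {o["name"].lower().replace(".", "") for o in attempts}
        if len(attempts) > 1 and within_window and (len(expiries) > 1 or len(names) > 1):
            for o in attempts:
                reasons[o["id"]].append("repeated attempts on same card with varying expiry/name")
        foreign = {o["shipping_country"] for o in attempts if o["shipping_country"] != HOME_COUNTRY}
        if len(foreign) > 1:
            for o in attempts:
                reasons[o["id"]].append("multiple international shipping addresses on one card")
    return reasons


def screen_orders(orders: list[dict]) -> dict:
    """{order_id: [reasons]} for every order that trips at least one rule."""
    cross = flag_card_attempts(orders)
    result = {}
    for o in orders:
        reasons = flag_single_order(o) + cross.get(o["id"], [])
        if reasons:
            result[o["id"]] = reasons
    return result


if __name__ == "__main__":
    for order_id, why in screen_orders(ORDERS).items():
        print(f"HOLD {order_id}: " + "; ".join(why))
```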
You Don’t Invest in the Best Security
In our experience, too many businesses – both big and small – invest too little in their cybersecurity. Even though businesses are expected to spend more than $100bn on online protection in 2020, it’s still not uncommon to see companies letting themselves down.
It’s easy to assume you can handle your business’s online security when you first enter the market. After all, download some anti-virus software, get yourself a firewall – job done, right?
Sadly, it’s not so simple. Finding the budget for high-quality security protocols can be difficult, but it’s vital – you’re reinforcing your company’s infrastructure, protecting your assets, and minimizing further expense.
In other words: take the danger of online fraud seriously. Your customers and your employees are depending on you to keep their details and their salaries safe.
You Haven’t Educated Your Team
Your workforce has to be educated on the signs of online fraud, trained in criminals’ latest tactics and the techniques available to combat them.
After all, they’re the people keeping your operations running day in, day out. They’re handling customers’ purchases, processing transactions, communicating with buyers, using your databases, downloading resources, and more.
Uninformed staff may end up making mistakes that leave your business vulnerable, facing fraudulent activity, and ultimately at risk. When they have the information and the training, they can actually be a much-needed defense against cyber criminals preying on companies like yours.
Make sure you host regular meetings to train your employees on the cyber-security threats they are likely to encounter, and the warning signs they should watch out for. This doesn’t have to be at an expert level, as you don’t want to overwhelm or confuse them, but it should be enough to give them the confidence they need to perform at their best.
Your staff should know enough to identify possible fraudulent behavior, handle customers’ personal information properly, and avoid leaving your business exposed.
You Haven’t Implemented a Reliable Password Policy
Passwords have to be strong, hard to guess, and varied. Make sure your employees and your customers have the information and advice they need to avoid weak passwords.
We all have so many passwords to remember today. Many of us run numerous different aspects of our lives online, relying on online banking, online shopping, online communications … it’s easy to be complacent.
However, complacency leads you to use the same passwords again and again. Your customers may simply create an account and make purchases with your business, but inadvertently let someone else know what their password is.
This could lead to fraudulent purchases, and the customer might blame your company for failing to offer them sufficient advice on how to best create efficient passwords.
It’s vital, then, to provide helpful information at the sign-up stage, and a dedicated page on your site. Make sure they know not to use something simple and easy to find out, such as their child’s name or their birthday. Varying letter case, adding symbols and numbers, and combining words to make longer passwords can all be a big help.
Your employees should follow the same strategy. Using the same password for their work emails or accounts as for their personal ones can increase your business’s vulnerability.
You Don’t Run Background Checks on Your Employees
Hiring employees with a history of criminal activity or suspicious behavior in previous roles (leading to dismissals) can be an easy way to expose your business to fraud.
Running background checks may seem like a hassle, but it’s well worth doing to protect your company. They should cover criminal history, education and past employment – then you will have the information to identify who you have working for you.
Trust goes a long, long way in maintaining an efficient, satisfied workforce. If you know your team is unlikely to undertake fraudulent activity and put your company’s and your customers’ data at risk, you can focus on combating external dangers instead.
Employees will generally accept that these background checks are par for the course. Though it might seem intrusive, it’s for the good of your company, your clients, and your reputation.
Online fraud is an intimidating area and makes businesses of all sizes feel vulnerable. Taking the steps explored above is an effective start to a stronger infrastructure, but you should trust the professionals to reinforce (and maintain) your business’s cybersecurity program for maximum protection against threats.
Contact us today to assess your risks and protect your business.
Top 7 Cyber Security Tools for Your Business
With so much of our information online, everyone is vulnerable to hackers and cyber-thieves. When it comes to business, a cyber invasion is a constant threat.
Short term loss could be financial, intellectual property theft, data loss, or worse.
The real threat is the long term loss of trust and reputation damage that could take years to repair. If your clients' information is exposed, it will be hard for them to consider it safe to give you their business again.
Protect your business with these 7 cyber security tools.
7 Cyber Security Tools Your Business Must Be Using
In order to protect your business' digital information, you need a variety of cyber security tools in place.
For complete peace of mind, you'll want to work with a trusted cyber security partner. In the meantime, these tools are a great place to start.
1. Malware Scanners
Malware is short for malicious software. It is designed by hackers to gain access to a computer without the owner's knowledge.
You must have specific anti-malware cyber security tools in place to detect any hacker invasion.
There are a variety of malware scanners out there, many even available for free (with limited features).
Protect your business with automatic malware scanners in place.
2. Routine Patching
Patching is the process of installing a piece of software that repairs any security flaws. Updating an app is an example of patching.
Picture your business's digital infrastructure as a house. Each time you add a new application, piece of software, etc. it's like adding a new room to the house.
Software, apps, and the like are built by humans, meaning that there is room for human error. Human error is like an unlocked door or unfinished window in one of the new rooms.
This can leave a welcome mat out to cyber attackers. That's why your security plan needs to include routine assessments and patching.
3. Two-Factor Authentication
Use two-factor authentication to add a difficult-to-hack layer of security to your login systems.
Examples include a verification code sent to a linked phone number or a piece of information only the user would know.
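The page gives a code sent to a linked phone as its example of a second factor. The added example below (written for this page, not code from the original article) goes one step beyond that to the app-based variant of the same idea, a time-based one-time password (TOTP, RFC 6238 on top of RFC 4226 HOTP), because it can be shown end to end offline: the server and the user's authenticator share a secret, both derive a six-digit code from the current 30-second time step, and the server accepts the code only within a small clock-drift window and never twice. The `TotpVerifier` class name and the replay-protection design are this example's own; the test vectors come from the RFCs.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second intervals elapsed."""
    if unix_time is None:
        unix_time = int(time.time())
    return hotp(secret, unix_time // step, digits)


def new_shared_secret(length: int = 20) -> bytes:
    """Fresh random secret generated at enrolment (160 bits, as RFC 4226 recommends)."""
    return secrets.token_bytes(length)


def provisioning_secret(secret: bytes) -> str:
    """Base32 form of the secret, the encoding authenticator apps expect in otpauth:// URIs."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


class TotpVerifier:
    """Server-side check with a clock-drift window and replay protection:
    a time step that has already been accepted is never accepted again."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_accepted_counter = -1

    def verify(self, code: str, unix_time: Optional[int] = None) -> bool:
        if not (code.isascii() and code.isdigit() and len(code) == self.digits):
            return False
        if unix_time is None:
            unix_time = int(time.time())
        base = unix_time // self.step
        for drift in range(-self.window, self.window + 1):
            counter = base + drift
            if counter <= self.last_accepted_counter:
                continue  # this step (or an older one) was already used: refuse replay
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    secret = new_shared_secret()
    print("enrol this in the authenticator app:", provisioning_secret(secret))
    code = totp(secret)
    print("current code:", code, "accepted:", TotpVerifier(secret).verify(code))
```

Two details matter for a login system: the comparison is constant-time so a timing side channel cannot narrow down the code, and the verifier remembers the last accepted time step, so a code captured in transit cannot be reused within the drift window.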
4. Restrictive Administrative Access
Add an additional security level for your most sensitive information and infrastructure by restricting who can access it.
5. Network Segmentation
Divide your computer network into sub networks to improve security and performance.
This allows you to isolate the most sensitive data to a specific network to limit access and decrease congestion.
6. Vulnerability Scanning
There's no better way to assess your security posture than a vulnerability scan.
Try our free vulnerability assessment to find weaknesses in your code and how to remedy them.
7. 24/7 Security Monitoring
Cyber security protection doesn't come in the form of a quick fix.
Continually protect your business' data with a 24/7 security monitoring system in place to catch attacks the minute they happen.
Protect Your Business for Peace of Mind
Cyber security tools are of the utmost importance for businesses and individuals alike.
Questions? Let us know if there is anything we can help you with. Our emergency response team is available 24/7 if you're currently dealing with a cyber attack. Contact us today.
New Bluetooth Malware Puts Billions of Devices at Risk
New malicious software, dubbed “BlueBorne”, puts billions of Bluetooth-enabled devices at risk.
Dr. Jaap Haartsen invented Bluetooth while working at Ericsson in the 1990s. Bluetooth was named after the 10th-century Danish king Harald Blåtand (“Bluetooth” in English), who famously united Scandinavia. Just as King Bluetooth united Scandinavia, Dr. Haartsen’s invention unites, or connects, devices.
Bluetooth is currently the most widely used protocol for short-range communications. It's used in a wide range of devices, from personal computers to smartphones, consumer electronics (smart TVs, printers), medical and health devices, home automation and autonomous cars.
Bluetooth is now licensed, managed and maintained by the Bluetooth Special Interest Group (SIG). Tech giants Google, Microsoft, Apple, Intel and IBM are some of the group members.
How BlueBorne Works
1. BlueBorne attacks devices via Bluetooth.
The security research firm Armis first identified the BlueBorne malware. Its researchers found that BlueBorne specifically exploits security flaws in Bluetooth-enabled devices running Windows, Android, iOS versions before 10 and Linux, regardless of the Bluetooth version in use.
This means that every single computer, mobile device or IoT device running on one of the above-mentioned operating systems is at risk. There are currently 2 billion Android users, 500 million Windows 10 users, 1 billion Apple users, and 8 billion IoT users.
Affected devices include all Android phones, tablets and wearables (except those using only Bluetooth Low Energy), all Windows computers since Windows Vista and all Linux devices like Samsung Gear S3, Samsung Smart TVs and Samsung Family Hub.
2. BlueBorne spreads through the air.
BlueBorne is alarming as it operates through the air. Unlike traditional cyber attacks, no action is required from the victim to enable the BlueBorne attack – no need to download a malicious file or click on a link.
Once the malware detects that Bluetooth is active on a device running Windows, Android, a pre-10 version of iOS or Linux, it attacks, even though the targeted device isn’t paired with the attacker’s device or set to discoverable mode.
“Unlike the common misconception, Bluetooth enabled devices are constantly searching for incoming connections from any devices, and not only those they have been paired with,” Armis said.
To initiate BlueBorne, the attacker must be near the targeted user, and Bluetooth must be turned on on the target user's device. Billions of devices are at risk because Bluetooth is turned on by default on many devices. Many users also prefer to leave Bluetooth on most of the time to conveniently connect keyboards, headphones and other IoT devices.
The airborne operation of BlueBorne is problematic in the following ways:
a) Highly Infectious
Spreading from one device to another through the air makes BlueBorne highly infectious since the Bluetooth process enjoys high privileges on all operating systems. Exploiting Bluetooth gives hackers full control over the device.
b) Bypasses Traditional Cyber Security Measures
As BlueBorne is spread through the air, it bypasses traditional cyber security measures. Typical security measures are defenseless against airborne attacks. BlueBorne attackers can bypass secure internal “air-gapped” networks – a security measure that isolates a computer or network and prevents it from establishing an external connection.
"These silent attacks are invisible to traditional security controls and procedures. Companies don't monitor these types of device-to-device connections in their environment, so they can't see these attacks or stop them," Yevgeny Dibrov, CEO of Armis, said in a statement. "The research illustrates the types of threats facing us in this new connected age."
3 Ways BlueBorne Attackers Could Exploit Your Device
1. Take Full Control of Your Device for Criminal Activities
BlueBorne attackers could remotely execute code on your vulnerable device, allowing the attackers to take full control over your device, access corporate networks, systems and data. With full access to your device, hackers could perform criminal activities, including ransomware and data theft.
2. Create Large Botnets Similar to the Mirai Botnet
The Mirai botnet uses compromised IoT devices to carry out crippling Distributed Denial of Service (DDoS) attacks. In 2016, crippling DDoS attacks were waged against the website of cyber security blogger Brian Krebs and a French web hosting company. BlueBorne attackers could, for instance, use your compromised device, together with other compromised devices, to execute a DDoS attack against a particular website.
3. Perform Man-in-The-Middle Attack
BlueBorne attackers could perform a man-in-the-middle attack on your device.
A man-in-the-middle attack happens when attackers redirect the communication between two users through the attackers’ computer without the knowledge of the original two users.
“An attacker who successfully exploited this vulnerability could perform a man-in-the-middle attack and force a user's computer to unknowingly route traffic through the attacker's computer,” Microsoft said in its September 12, 2017 security bulletin. “The attacker can then monitor and read the traffic before sending it on to the intended recipient.”
Microsoft calls this Bluetooth vulnerability the "Microsoft Bluetooth Driver Spoofing Vulnerability".
How to Prevent BlueBorne Attacks
1. Turn Bluetooth Off
The safest way to prevent a BlueBorne attack is to turn off the Bluetooth feature on your device. This malware can reach your device only while Bluetooth is active; if it’s turned off, the malware can’t infiltrate your device.
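On a fleet of Linux machines, "turn Bluetooth off" is something an administrator wants to verify rather than assume. The added example below (written for this page, not code from the original article or from Armis) parses the output of the standard `rfkill list` command and reports any Bluetooth radio that is neither soft-blocked nor hard-blocked; the sample output embedded in the block is constructed, and the function and variable names are this example's own.

```python
import re
import subprocess
from typing import Dict, List

# Constructed sample of `rfkill list` output from a Linux laptop with one Wi-Fi
# and one Bluetooth radio, both unblocked. rfkill_status() below reads the real thing.
SAMPLE_RFKILL_OUTPUT = (
    "0: phy0: Wireless LAN\n"
    "\tSoft blocked: no\n"
    "\tHard blocked: no\n"
    "1: hci0: Bluetooth\n"
    "\tSoft blocked: no\n"
    "\tHard blocked: no\n"
)

# A radio entry starts with "<index>: <name>: <type>".
HEADER = re.compile(r"^(\d+): (\S+): (.+)$")


def parse_rfkill(output: str) -> List[Dict[str, object]]:
    """Turn `rfkill list` text into one record per radio."""
    radios: List[Dict[str, object]] = []
    current: Dict[str, object] = {}
    for line in output.splitlines():
        match = HEADER.match(line)
        if match:
            current = {"id": int(match.group(1)), "name": match.group(2),
                       "type": match.group(3).strip(),
                       "soft_blocked": False, "hard_blocked": False}
            radios.append(current)
        elif current:
            # Indented "Soft blocked: yes/no" and "Hard blocked: yes/no" lines.
            key, _, value = line.strip().partition(":")
            if key == "Soft blocked":
                current["soft_blocked"] = value.strip() == "yes"
            elif key == "Hard blocked":
                current["hard_blocked"] = value.strip() == "yes"
    return radios


def exposed_bluetooth_radios(radios: List[Dict[str, object]]) -> List[str]:
    """Names of Bluetooth radios that are neither soft- nor hard-blocked, i.e. still on."""
    return [str(r["name"]) for r in radios
            if r["type"] == "Bluetooth" and not (r["soft_blocked"] or r["hard_blocked"])]


def rfkill_status() -> List[Dict[str, object]]:
    """Run rfkill on the local host (Linux only) and parse its output."""
    result = subprocess.run(["rfkill", "list"], capture_output=True, text=True, check=True)
    return parse_rfkill(result.stdout)


if __name__ == "__main__":
    for name in exposed_bluetooth_radios(rfkill_status()):
        print(f"Bluetooth radio {name} is on; soft-block it with: rfkill block bluetooth")
```

Run as a script it prints the exposed radios on the local host; `rfkill block bluetooth` is the corresponding soft-block, which survives until someone unblocks it and is therefore easy to check again from a configuration-management job.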
2. Update Your Operating System
It’s advisable to keep your operating system up to date. Not all operating systems, though, have received a security update that fixes the BlueBorne vulnerability.
According to Armis, it informed Google about the BlueBorne issue on April 19, 2017. Google released a public security update and security bulletin on September 4th, 2017.
Microsoft was informed by Armis about the BlueBorne issue on April 19, 2017. Microsoft released security updates on July 11, 2017.
Apple was informed about BlueBorne on August 9, 2017. Apple corrected this vulnerability with its latest iOS and tvOS.
Linux was informed by Armis on August 15 and 17, 2017 and on September 5, 2017. As of September 12, 2017, Armis said, Linux hadn't yet issued a public security update to patch the BlueBorne vulnerability.
Is Cyber Insurance for Small and Medium Businesses Worth the Cost?
More than one-third (36%) of Canadian firms don’t have cyber security insurance, according to a survey conducted by research and consultancy firm Ovum for Silicon Valley analytics firm FICO.
This number, however, is relatively high compared to the global average (40%) and the percentage of firms in the U.S. that have no cyber security insurance (50%).
Reasons Why Some Organizations Hesitate to Get Cyber Security Insurance
Here are some of the reasons why some organizations hesitate to get cyber security insurance:
1. Organizations Often Don’t Understand Cyber Risks or Their Insurance Options
In the report "Demystifying cyber insurance coverage: Clearing obstacles in a problematic but promising growth market", researchers from the Deloitte Center for Financial Services found that many organizations – including large, medium and small businesses – often aren’t aware of the cyber risks confronting them, let alone the insurance coverage options available to them.
2. Lack of Understanding as to What Type of Cyber Risk Is and Isn’t Covered under Existing Insurance Policies
For the Canadian firms that have cyber security insurance in the FICO survey, only 18% said their cyber security insurance covers all likely risks.
In the case of The Brick Warehouse LP v Chubb Insurance Company of Canada, the Court of Queen’s Bench of Alberta decided on June 29, 2017 that Brick isn’t entitled to recover its loss from insurer Chubb. The case arose from a social engineering cyber fraud scheme. In 2010, the accounting department of Brick received bogus calls and emails from an individual claiming to be a representative of Toshiba, one of Brick’s suppliers. The impostor asked a Brick employee to redirect payments supposedly owed to Toshiba to a new bank account. A total of $338,322.22 was transferred into the “new” account.
Brick filed a claim with its insurer Chubb asserting that under its cyber security insurance policy Chubb will pay for direct loss resulting from funds transfer fraud by a third party.
“Certainly, the emails with the fraudulent instructions were from a third party,” the Court of Queen’s Bench of Alberta said. “The actual transfer instructions; however, were issued by a Brick employee. There was no one forcing the employee to issue the instructions, there were no threats of violence or other harm. The employee was simply a pawn in the fraudster’s scheme. Therefore, the transfer was not done by a third party.”
According to the Deloitte report, cyber security insurance policy terms and conditions in Canada have yet to be battle-tested as case law isn’t clear. The Brick Warehouse LP v Chubb Insurance Company of Canada is the first case decided by a Canadian court with respect to cyber crime insurance coverage.
3. Concern about Cyber Security Insurance Value
The Deloitte report showed that many organizations still wonder whether the cyber security insurance coverage being offered by insurers is sufficient for the risks they face.
The Deloitte report revealed that current cyber insurance policies are often capped with relatively low limits for the risks being covered, which may be discouraging more organizations from getting cyber insurance. The report added that cyber insurance coverage for emerging cyber risks may not yet be widely available or affordable.
Twenty percent of the FICO survey respondents felt that the premiums calculated based on their business don’t accurately reflect their risk profile.
4. Lack of Standardization around Cyber Insurance Offerings
Given that the cyber insurance market is relatively new, insurance coverage terms, conditions and exclusions are still not standardized.
The 2016 SANS Institute and Advisen, Ltd. study (PDF) found that information security officers of organizations and insurance professionals don’t speak the same language when defining and quantifying cyber risks, resulting in different expectations, actions and justification for outcomes. The 2017 “Cyber Insurance Market Watch Survey” (PDF) by the Council of Insurance Agents & Brokers found that cyber insurance companies have their own policy language which makes it difficult to compare coverage and terms.
More than a quarter (26%) of the FICO survey respondents felt that the introduction of an established industry standard to benchmark cyber security risk would be beneficial.
Importance of Getting Cyber Security Insurance
"While digitisation is revolutionising business models and transforming daily lives, it is also making the global economy more vulnerable to cyber-attacks,” Lloyd's and Cyence said in the report "Counting the cost Cyber exposure decoded".
“Without cyber-risk insurance, organizations are leaving themselves in a very vulnerable position,” said Kevin Deveau, vice president and managing director of FICO Canada. “It’s important for businesses to assess the strength of their cybersecurity defences and to make sure they are covered if they are faced with a data breach.”
Legislation is expected to drive demand for cyber insurance cover, particularly surrounding data and privacy.
In Europe, the implementation of the EU’s General Data Protection Regulation (GDPR) in 2018 is expected to drive demand for cyber insurance, as the law introduces new fines for failing to adequately protect sensitive data and mandates that companies notify the authorities and the individuals affected by a data breach.
According to Lloyd's and Cyence, “Demand for cyber insurance is also anticipated to increase penetration in Europe as a result of the General Data Protection Regulation coming into force next year, with the threat of penalties for breaches driving coverage.”
In Canada, the upcoming implementation of the Digital Privacy Act is expected to drive the demand for cyber insurance. It amends Canada’s Personal Information Protection and Electronic Documents Act. The Digital Privacy Act became a law in June 2015. The law’s implementation is held in abeyance until the government issues the implementing regulations.
The 2015 law requires organizations to report any significant, potentially harmful security breach of personal information to Canada’s Privacy Commissioner and to immediately inform the affected individuals and organizations. Non-compliance with the notification requirements may lead to fines of up to $100,000 per violation.
“The ripple effect of a breach can be felt throughout the organization for a very long time, especially now that Canada’s Digital Privacy Act will require organizations to report any breaches to regulators and customers,” the vice president and managing director of FICO Canada said.
Counting the Cost of a Cyber Attack: Litigation Cost
In the last 12 months, Canada has seen high-profile data breach class action lawsuit settlements. These data breach lawsuit settlements highlight the added cost of a cyber attack: cost of defense and a judgment or settlement.
Case #1: Lozanski v. The Home Depot
The Lozanski v. The Home Depot case arose from the data breach at Home Depot of Canada between April 11, 2014 and September 13, 2014. During this period, Home Depot’s payment card system was hacked by criminal intruders using custom-built malicious software.
After detecting the data breach on September 9, 2014, Home Depot notified the Office of the Privacy Commissioner of Canada, the Office of the Information and Privacy Commissioner of Alberta, the Office of the Information and Privacy Commissioner of British Columbia and the Commission d'accès à l'information du Québec about the data breach.
On September 16, 2014, Home Depot published notices of the data breach in The Globe and Mail and in La Presse. In these notices, the company confirmed the data breach, announced that it had eliminated the malicious software responsible for it, and announced that customers affected by the data breach would get free credit monitoring and identity theft insurance.
On September 21, 2014, Home Depot emailed its more than 500,000 Canadian customers, notifying them that payment card information of some customers might have been compromised. On November 6, 2014, the company also emailed 58,605 Canadian customers, advising them that their email addresses may have been stolen in the data breach.
A class action was filed against Home Depot as a result of the data breach. On April 25, 2016, the parties signed a settlement agreement. The agreement specifies two major points: 1) Home Depot denies any wrongdoing; and 2) The class action members will release their claims against Home Depot.
On August 29, 2016, Justice Perell of the Ontario Superior Court of Justice approved the Home Depot settlement agreement, awarding the data breach victims the total amount of $400,000 and approving the counsel fee of $120,000 despite the following findings:
“The case for Home Depot being culpable was speculative at the outset and ultimately the case was proven to be very weak. The real villains in the piece were the computer hackers, who stole the data. After the data breach was discovered, there was no cover up, and Home Depot responded as a good corporate citizen to remedy the data breach. There is no reason to think that it needed or was deserving of behavior modification.”
Case #2: Drew v. Walmart Canada
Ms. Drew in the Drew v. Walmart Canada case was a client of Walmart’s online photo center website, to which she had provided her name, address, telephone number and credit card information.
On July 15, 2015 and October 30, 2015, Walmart informed Ms. Drew via email that “third parties” were able to access Walmart’s customers’ personal and financial information. As a result of the data breach, Ms. Drew initiated a class action against Walmart.
While Walmart made no admission of liability, in a settlement agreement, it agreed to the following:
Justice Perell of the Ontario Superior Court of Justice in the decision dated May 30, 2017 approved the above-mentioned costs that Walmart agreed to shoulder in the settlement agreement.
Landmark Case: Jones v. Tsige
While Jones v. Tsige can’t be categorized as a high-profile case, its ruling may have sparked other litigation over invasions of privacy. The Jones v. Tsige case, decided by the Ontario Court of Appeal in 2012, resulted in “a number of awards have been made in other cases based on common law and statutory tort claims for invasions of privacy, including situations where there was no economic harm,” lawyer Alex Cameron said in the article "Cybersecurity in Canada: Trends and Legal Risks 2017” published on the Ontario Bar Association website.
In the Jones v. Tsige case, the defendant used her workplace computer to access the private banking records of her spouse's ex-wife at least 174 times. The Ontario Court of Appeal ruled that even though the defendant didn’t publish, distribute or record the private banking records, she’s still liable for “moral” damages amounting to $10,000.
“The defendant committed the tort of intrusion upon seclusion when she repeatedly examined the plaintiff's private bank records,” Ontario Court of Appeal said. “Proof of harm to a recognized economic interest is not an element of the cause of action.”
Imran Ahmad, partner at Miller Thomson LLP, in the paper “Cybersecurity in Canada: What to Expect in 2017” (PDF) wrote, “At common law, Canadian courts, recognizing the rapid pace at which technology is evolving, have been receptive to recognizing new torts advanced resulting in cybersecurity and privacy breaches (e.g., intrusion upon seclusion, disclosure of private facts, etc.) that are being advanced by plaintiffs’ counsel.” Imran added, “We anticipate this trend to continue and to see the existing torts being further tested by the courts.”
Cases under Canada’s Digital Privacy Act
According to privacy lawyers David Fraser and David Wallace, violations under the Digital Privacy Act “once they take effect, can lead to quasi-criminal liability (it’s not a criminal offence but it’s subject to a penalty that’s similar to a criminal offence, although the court procedures are less complicated) for both organizations and for directors personally.”
The Digital Privacy Act amends Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). Under the Digital Privacy Act, Canadian organizations are required to notify individuals and organizations of all breaches of security safeguards that create a “real risk of significant harm” and to report the incident to the Office of the Privacy Commissioner of Canada.
5 Ways a Cyber Security Consultant Can Help Your Business
Businesses are constantly burdened with the risk of security breaches. Learn how working with a cyber security consultant can alleviate those headaches.
Think only large corporations get targeted? Think again.
In 43% of cyber security events, a small business was actually targeted.
In the event of a cyber attack, your small or medium-sized enterprise (SME) could experience multi-million dollar losses from financial, operational and data breaches, as well as reputation damage. The average SME -- even one with insurance -- would take quite a blow from this type of attack.
A cyber security consultant can help you both prevent attacks and better manage attacks that occur to protect you and your customers.
Let's explore how.
Supplementing In-House Capabilities
The skill and scope of cyber attacks is ever-increasing. Even organized crime is getting in on the action.
As regulators work to keep pace with burgeoning events, even a dedicated department, team or individual may struggle to keep up. They may be bogged down with operations.
A cyber security consultant stays up-to-date. They can get a panoramic view of your organization and its vulnerabilities. They can help keep your business safer.
A cyber security consultant will go in depth to identify weaknesses in your systems and processes.
Have you safely integrated cloud storage into your systems? How strong is your encryption? Can transferred data be intercepted?
And potentially the most elusive of all must be addressed. How are you protecting yourself in the event of inevitable human error?
Despite your best efforts to keep systems secure, could you see any of these scenarios happening in your organization? Someone:
A consultant can help you prevent attacks, including those that result from human error or ill-intent.
Data breaches happen. This may be the last thing you want to hear a consultant say. But we'd be dishonest if we said otherwise. And we're not telling you anything that you don't know already.
The difference between $10 thousand in losses and $200 million is largely based on how your organization has invested in the risk management of security breaches.
Through risk management you can put systems in place to spot an attack sooner and limit its scope. Without a consultant, you may not be doing all you should to mitigate damage.
Cyber security consultants help you protect your customers/clients. Without them, you don't have a business.
By taking the additional steps of bringing in cyber security consultants, you demonstrate that you care about protecting those who've helped you become what you are today.
That's good for business and your customers.
Cyber security consultants know how to handle the heat of an event. They're accessible and ready to help you execute your plan to mitigate damage, comply with regulation and keep your company safe.
Get the Right Cyber Security Consultant
A consultant will help you fill in the gaps in your own security plan and develop a plan to both prevent attacks and reduce damage. For more information on how our cyber security consultants can help your company, contact us today.
Steve E. Driz