
Security Needs More Attention

A White Paper Courtesy of Brains II Canada, Inc.

Like the vast majority of our customers, we’re focused on doing business, providing service to our customers and keeping everything moving along smoothly. At a recent Senior Leadership Meeting, a couple of my team asked questions about how they could be receiving emails from themselves that they never sent.

A quick check of the detailed email message headers indicated that they never did send the emails, but to the general eye it looked like they did. How is this possible?

We live in an electronic world where we become desensitized to the ubiquity of electronic transport. As we approach the traditional holiday season, it’s important to know that this is also the high season for electronic attack. Whether these attacks come from individuals, organizations or even foreign government agencies is less relevant to us as business operators and employees; what we must be more vigilant about is that it does happen.

How could someone else send email as you? It’s unfortunately a reality that email lists are stolen, and in fact this kind of hack occurs daily. If you’ve ever sent an email to one of the “free” email services, including those provided by Internet Service Providers, you should assume that your email address and all those that service has corresponded with have been stolen.

You already knew this. You’ve received the same emails I have. We both share that friend in Nigeria who just needs a bit of help getting his money out of the country. That this mail scam still works (it runs typically three days a week) indicates that there is still a percentage of recipients who get fooled.
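The header check described above, written out as an added example (this is not the white paper’s own code): it compares the domain in the visible From header with the envelope sender (Return-Path) and with the host that first handed the message to the company’s mail exchanger, which is where a message “from yourself” that you never sent gives itself away. All domains, addresses and both sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: From claims our own domain, but the envelope sender
# and the host that handed the mail to our MX belong to an unrelated mailer.
SPOOFED_RAW = """Return-Path: <bounce@example-mailer.invalid>
Received: from mta.example-mailer.invalid (mta.example-mailer.invalid [203.0.113.7])
\tby mx.ourcompany.example with ESMTP id abc123; Mon, 2 Dec 2013 09:12:01 -0500
From: Alice <alice@ourcompany.example>

Please open the attached file.
"""

# Constructed sample: genuine internal mail, every hop inside our own domain.
LEGIT_RAW = """Return-Path: <alice@ourcompany.example>
Received: from mail.ourcompany.example (mail.ourcompany.example [192.0.2.10])
\tby mx.ourcompany.example with ESMTP id def456; Mon, 2 Dec 2013 09:15:00 -0500
From: Alice <alice@ourcompany.example>

Noon?
"""

def domain_of(header_value: str) -> str:
    """Domain part of the address in a From/Return-Path header, lowercased."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def first_hop_host(received: str) -> str:
    """Host named in the 'from' clause of a Received header ('' if absent)."""
    m = re.match(r"from\s+(\S+)", received.strip(), re.IGNORECASE)
    return m.group(1).lower() if m else ""

def header_check(raw: str) -> dict:
    """Compare the visible From domain with the envelope sender (Return-Path)
    and with the submitting host; every mismatch is reported in 'findings'."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From", ""))
    envelope_dom = domain_of(msg.get("Return-Path", ""))
    received = msg.get_all("Received") or []
    # The last Received header is the earliest hop: the host that submitted it.
    hop = first_hop_host(received[-1]) if received else ""
    findings = []
    if envelope_dom and envelope_dom != from_dom:
        findings.append(f"envelope sender {envelope_dom} != From domain {from_dom}")
    if hop and hop != from_dom and not hop.endswith("." + from_dom):
        findings.append(f"submitted by {hop}, outside {from_dom}")
    # Mail relayed through a third-party provider trips this too, so treat a
    # hit as a triage signal to escalate, not as proof of spoofing.
    return {"from_domain": from_dom, "envelope_domain": envelope_dom,
            "first_hop": hop, "suspicious": bool(findings), "findings": findings}
```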
Email fraud needs less than ½ of 1 percent response to make it worth doing. The emails get sent through rotating senders and reflectors to the addresses that were lifted from websites and community sites. Buying an email list is easy. All it takes is some Bitcoin and about 5 minutes. That will get you millions of addresses.

It’s not just about bad email with virus attachments. It’s about malware embedded in messages. It’s malware in websites. It’s malware that you actually allow in. It’s not managing employee use of Social Media. Can you trust the websites that your employees visit? Probably not. Do you know about the Facebook Like button trap? Most businesspeople don’t.

It gets worse. While many organizations employ anti-virus technology, they fail to implement multi-dimensional security. They choose not to invest in comprehensive anti-spam, intrusion prevention, web threat detection and reputation based defence mechanisms, most often because a good reason has not been provided. We changed our implementation just after I started by replacing aged technology that was no longer providing good protection. When we bought the tech it was state of the art. Hackers and Crackers don’t sit back; they continuously and aggressively probe and find new ways around your protection. If you don’t have this level of protection, don’t raise your hand, but do feel free to give me a call and I will try to help you understand the risk / reward. By the way, Brains II Canada, Inc. doesn’t sell this gear. There’s no hidden motive for me to talk to you.

I want to leave you with some really terrifying information. I did not come up with this data myself and I will fully credit the organizations that did.

Virus Management  

If your only security stratagem is anti-virus, you’re in deep trouble. Alone, AV is about as effective as crawling under your desk or duck and cover are at surviving a nuclear bomb.

Panda Security reports that over 32% of computers in production are presently infected by viruses. Many of them have anti-virus applications installed, but the patterns are not kept up to date and / or scheduled virus scans are not run. Most current viruses are architected with a dormancy / code switch window. This means that the virus does not look like a virus and, once activated, waits to go live. If this sounds like a time bomb, you understand perfectly.

[Chart: share of infections by malware type (percent) – Trojan 76.56, Virus 8, Worm 6.44, Spyware/Adware 5.72, Other 3.28]



Panda discovered that computers in China and South Korea topped the infected list, and in the west, Canada leads with approximately 27% being infected. That tells us that Canadian business is doing a poor job at protecting itself.

There’s a common misperception that viruses are no longer a major threat vector. Panda says that they discover 74,000 new variants EVERY SINGLE DAY.

Very recently a serious data corruption virus was delivered to Canadian ISP subscribers in the guise of a What’s Up? Voicemail delivered as email. This particular virus was very difficult to eradicate once activated, in many cases requiring low level formats of the infected hard drive to not only erase data but remove all partition information.

Websites

According to White Hat Security, 86.4% of websites had at least one readily exploitable vulnerability in the last calendar year. It took 193 days on average to remediate the vulnerability following discovery, and still only 61% of sites were successfully corrected. Please note that this only refers to sites where they discovered the attack. It says nothing about the sites where the attack goes undetected.

The most common attack involves cross-site scripting. If you aren’t a web developer, this likely sounds like goop to you. Ask your web pros if your site employs Javascript. If the answer is yes, your next questions should be a) what protections do we have in place and b) when did you last check them? Sit down before you ask; I don’t want you to be hurt when you keel over after hearing the answer.

Which sites have the highest number of vulnerabilities? Those maintained by IT or about IT. Don’t think about it; it brings on migraines. The people managing your web presence MUST have an Information Security background. Government and Gaming sites fix vulnerabilities fastest. Healthcare, Education and Insurance have the worst records of effective remediation.

The problems are not restricted to compromised sites. Websense reports that the number of malicious sites increased by 600% in 2012, and 85% of the malicious sites were also embedded (unknowingly) in legitimate websites. One of our own employees visited a “safe” site (there is really no such thing) and unleashed a virus that was so new, even the security team at Symantec denoted it as brand new and issued a same day fix after we uploaded the files to them.
As we look at more social sites, there is an increasing number of providers of URL shortening. We used to think of this as being the province of but there are now hundreds of shorteners, and because they all work on a redirect basis, you have no idea what you are going to get.

The #1 web based threat is called Malicious URL. Yup, that’s its REAL NAME. And it is responsible for over 87% of web attacks. If you aren’t using URL filtering and validation, you’ve been hit already.

So where does all the bad code getting on to our networks come from? Unfortunately it comes from countries where security is not well managed and a high percentage of users become infected and then act as Bots for the distribution of malware. They are probably not bad people, but the infections route back to them.


80% of the email on the net is illegitimate. That’s down from the prior year, when it was 87%. That said, the perception that you have to click on a link or even open the email to unleash the malware to propagate it is completely wrong. You have to stop the bad email before it crosses the DMZ into your network. If you don’t, you’re going to get hit.

Where do you think most malware is hosted? Most people get this wrong. Here’s the real Top Ten list. The data comes from Kaspersky and others.

Ranking   Country                   Percentage Hosting
1         United States             25.5%
2         Russian Federation        19.6%
3         Netherlands               16.8%
4         Germany                   11.4%
5         United Kingdom             5.6%
6         Ukraine                    4.4%
7         France                     3.5%
8         China                      2.0%
9         British Virgin Islands     1.6%
10        Canada                     1.2%

Surprised? You cannot believe all the government obfuscation. BTW Canada is ranked #2 in the world as a source of SPAM email. This means that Canadian sites are either the primary source, or (the majority) have been compromised by malware to become spam reflectors.

Email and web threats average 1.72 attacks per user per week. Because you don’t see this volume of attack does not mean you are safe. More likely is you’re being hit and don’t even know it.



Social Media  

Marketing wants you to be on social media. It’s “employee-supportive” to allow employees to access Facebook, Twitter et al. from business resources. “We can live with small productivity loss in exchange for happy people.” You’ve probably figured out by now that I believe that these decisions are a security hole you could pilot an aircraft carrier through. Sideways.

Social media is the favoured home of shortened URLs. Websense has documented that over 32% of these shortened “personal” links are in fact malicious URLs.

Social media is also the largest mechanism for data loss / data theft. Unknowing or uncaring users post private business information alongside their own personal private information without thinking about or considering the risk.

Social media sites are trusted by the people that use them. They are also the largest source of what we call a “drive-by download”, where malware is downloaded without the user knowing simply by accessing a page. The other big threat is “clickjacking”, where a legitimate click also drives malware events. CSIAC has done a very good article on Social Media threats.

The other real issue with this “granted trust” is that lies are accepted. There’s no way to know that the person or organization being communicated with is actually who they say they are. If you actually read the lengthy and obtuse Terms of Service, there’s no guarantee of integrity and you’ve agreed to hold the service completely harmless of any wrongdoing simply by signing in.

I’m not saying block the use of Social Media, but if you allow it from business networks (even on personally owned devices) without a security policy that your employees have signed up for, you’ve already compromised your company’s security.

Mobility

We all love mobility. It is literally life changing. It’s also the most popular threat vector for external attackers because in general, users behave with no regard for security when working on mobile devices.

Factsmark documents that 82% of malicious applications leverage SMS messages. They also report that if an app “requests” to install another app, there is a very high probability that it is malicious.

Android is the most widely distributed mobile OS. It also hosts over 85% of the world’s mobile malware. iOS is a closed system and while it too has been hacked, the difference in vector strength between iOS and Android is enormous, to the detriment of those selecting Android for a business OS. According to Bluebox Security, a vulnerability was discovered in June of 2013 that could compromise 99% of Android devices. According to Kaspersky, 98% of mobile malware is on Android.

Application and OS Based Attacks

The number one threat vector for application based attack is via Java at 50%. Second are compromised PDFs at 28%. Most people think that the #1 vector is Windows itself but this is not true. Even the vaunted (and misrepresented) Macintosh platform has been attacked and infected.

However, if you are still running Windows XP, remember that Microsoft isn’t fixing this anymore, and of Windows based attacks, 63% target Windows XP. Windows 7 is much more secure, with a successful attack percentage of only 7% according to Kaspersky.


We’ve all heard of, and likely experienced, phishing attacks. These look like messages from legitimate hosts requesting you to sign in or otherwise provide information. They can stand out because you might receive a personalized message from an organization that you don’t do business with. Spear-phishing is different. It is completely targeted. Intelligence is gathered in advance and your firm or people within your firm are the only recipients. This dramatically increases the probability of success. Many large sitedowns are a direct result of spear-phishing. Simple rule – don’t click links in email. Ever.

Personally Identifiable Information

I’m not a privacy lawyer. Keep yourself safe. Don’t keep others’ PII except where absolutely necessary. Do not keep credit cards on file. There’s enough trouble with credit card theft without your business getting dragged into things. In 2012, the processing service provider Global Payments (you’ve shoved your card into one of their machines in the last two weeks, I promise) was hacked and card numbers belonging to cardholders from Visa, Mastercard, American Express and Discover were stolen. Adobe Systems was breached this past fall and 24M customer records were stolen. Don’t be the next one breached.

The Problem is Real

It’s common for security professionals (and I count myself in that group) to issue these kinds of missives at the start of a calendar year. I believe that this is an ongoing conversation, and the sad reality is that I see the same issues every single year.



What Can You Do

If you are a business operator, educate your employees. If you are an employee, educate yourself, and if you aren’t hearing this from your leadership, send it along because there is a problem. Ostrich-disease is rampant in this space and only through education can we help stem the tide. To a large extent, this is like the alarm business. You won’t stop a committed attacker, but if you make things very difficult, the attacker may move on to easier pickings. You don’t have to like that model, but it absolutely works. Ultimately the decision on security is yours.

Ten Tips For Better Information Security

1. Employ a Defence in Depth Strategy – Perimeter to Local
2. Educate Users
3. Migrate from Firewalls to Multi-Defence Platforms
4. Remind Users
5. Use Perimeter Based and Local AV – update daily – scan weekly
6. Test Users
7. Establish policies for Social Media use at work and get employees to sign off on them
8. Conduct Threat Tests Quarterly
9. Train IT professionals in Information Security
10. Hold Business Unit Leaders and Managers accountable for security

All the information presented in this white paper is publicly available. Readers are encouraged to make their own decisions about its impact and even its veracity. I’m convinced; you don’t have to be.

All product names mentioned are trademarks or registered trademarks of their respective companies.

About the Author

Ross Chevalier is President of Brains II Canada, Inc. He holds the CISSP designation and is the original founder of Internet Safety for Kids Canada (now rolled into KINSA – Kid’s Internet Safety Alliance). He has been a speaker on the subject of information security to thousands of participants across North America. He can be reached at 905.969.2022.


