Security Needs More Attention
A White Paper Courtesy of Brains II Canada, Inc.
Like the vast majority of our customers, we’re focused on doing business, providing service to our customers and keeping everything moving along smoothly. At a recent Senior Leadership Meeting, a couple of my team asked how they could be receiving emails from themselves that they never sent. A quick check of the detailed email message headers indicated that they never did send the emails, but to the general eye it looked like they did. How is this possible?
We live in an electronic world where we have become desensitized to the ubiquity of electronic transport. As we approach the traditional holiday season, it’s important to know that this is also the high season for electronic attack. Whether these attacks come from individuals, organizations or even foreign government agencies is less relevant to us as business operators and employees; what we must be more vigilant about is that it does happen.
How could someone else send email as you? It’s unfortunately a reality that email lists are stolen, and in fact this kind of hack occurs daily. If you’ve ever sent an email to one of the “free” email services, including those provided by Internet Service Providers, you should assume that your email address, and all those that service has corresponded with, have been stolen.
You already knew this. You’ve received the same emails I have. We both share that friend in Nigeria who just needs a bit of help getting his money out of the country. That this mail scam still works (it typically runs three days a week) indicates that there is still a percentage of recipients who get fooled. Email fraud needs less than ½ of 1 percent response to make it worth doing. The emails get sent through rotating senders and reflectors to the addresses that were lifted from websites and community sites. Buying an email list is easy. All it takes is some Bitcoin and about 5 minutes. That will get you millions of addresses.
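The “email from yourself” case above is resolved by reading the detailed headers: the visible From: line is whatever the sender typed, while the envelope sender (Return-Path), the relay chain (Received:) and the Authentication-Results stamped by your own mail gateway are much harder to fake. The following script is an added example, not code from Brains II Canada or this paper’s author; both sample messages, the hostnames (yourcompany.example, mail.bulk-sender.example) and the IP addresses in them are constructed placeholders.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample messages (not real mail). The first shows the pattern from
# the paper: From: carries the recipient's own address, but the envelope sender,
# the first-hop relay and the authentication results all point elsewhere.
SAMPLE_SPOOFED = """\
Return-Path: <bounce-4412@mail.bulk-sender.example>
Received: from mail.bulk-sender.example (mail.bulk-sender.example [203.0.113.45])
    by mx.yourcompany.example (Postfix) with ESMTP id 1A2B3C
    for <jane@yourcompany.example>; Tue, 10 Dec 2013 09:14:22 -0500
Authentication-Results: mx.yourcompany.example; spf=fail smtp.mailfrom=mail.bulk-sender.example; dkim=none
From: Jane Doe <jane@yourcompany.example>
To: Jane Doe <jane@yourcompany.example>
Subject: Re: your account
Message-ID: <9f2c7d@mail.bulk-sender.example>
Date: Tue, 10 Dec 2013 09:14:20 -0500

Please see the attached invoice.
"""

SAMPLE_LEGIT = """\
Return-Path: <jane@yourcompany.example>
Received: from mail.yourcompany.example (mail.yourcompany.example [198.51.100.10])
    by mx.yourcompany.example (Postfix) with ESMTP id 4D5E6F
    for <bob@yourcompany.example>; Tue, 10 Dec 2013 09:20:01 -0500
Authentication-Results: mx.yourcompany.example; spf=pass smtp.mailfrom=yourcompany.example; dkim=pass header.d=yourcompany.example
From: Jane Doe <jane@yourcompany.example>
To: Bob Smith <bob@yourcompany.example>
Subject: Budget numbers
Message-ID: <a1b2c3@mail.yourcompany.example>
Date: Tue, 10 Dec 2013 09:20:00 -0500

Attached as discussed.
"""


def _domain_of(address_header) -> str:
    """Lower-cased domain part of the first address found in a header value."""
    _, addr = parseaddr(str(address_header or ""))
    return addr.rpartition("@")[2].lower()


def _same_org(host: str, domain: str) -> bool:
    """True when host is the domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return bool(domain) and (host == domain or host.endswith("." + domain))


def header_findings(raw_message: str) -> list:
    """Reasons the From: header should not be trusted (empty list = nothing fired).

    An empty list is not proof the mail is genuine; it only means these three
    cheap checks found nothing.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_domain = _domain_of(msg.get("From", ""))

    # 1. The envelope sender (Return-Path) normally belongs to the From: domain.
    rp_domain = _domain_of(msg.get("Return-Path", ""))
    if rp_domain and not _same_org(rp_domain, from_domain):
        findings.append(f"envelope sender domain '{rp_domain}' differs from From: domain '{from_domain}'")

    # 2. Authentication-Results as stamped by our own receiving gateway.
    auth = str(msg.get("Authentication-Results", ""))
    for mechanism in ("spf", "dkim"):
        m = re.search(rf"\b{mechanism}=(\w+)", auth)
        if m and m.group(1).lower() != "pass":
            findings.append(f"{mechanism.upper()} result is '{m.group(1)}'")

    # 3. The earliest Received: header (last in the list) names the relay that
    #    first handed the message over; for mail we sent ourselves it should be ours.
    received = msg.get_all("Received", [])
    if received:
        m = re.match(r"from\s+(\S+)", str(received[-1]))
        if m and not _same_org(m.group(1), from_domain):
            findings.append(f"first hop '{m.group(1)}' is not a {from_domain} host")

    return findings


if __name__ == "__main__":
    for label, sample in (("spoofed", SAMPLE_SPOOFED), ("legitimate", SAMPLE_LEGIT)):
        print(label, "->", header_findings(sample) or "no findings")
```

Run it and the spoofed sample produces four findings while the legitimate one produces none. In practice the Authentication-Results header is only meaningful when it was written by your own gateway (an attacker can insert a fake one upstream), so a production filter should key on the gateway’s hostname and strip any copies that arrive from outside.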
It’s not just about bad email with virus attachments. It’s about malware embedded in messages. It’s malware in websites. It’s malware that you actually allow in. It’s about not managing employee use of Social Media. Can you trust the websites that your employees visit? Probably not. Do you know about the Facebook Like button trap? Most businesspeople don’t.
It gets worse. While many organizations employ anti-virus technology, they fail to implement multi-dimensional security. They choose not to invest in comprehensive anti-spam, intrusion prevention, web threat detection and reputation-based defence mechanisms, most often because a good reason has not been provided. We changed our implementation just after I started by replacing aged technology that was no longer providing good protection. When we bought the tech it was state of the art. Hackers and Crackers don’t sit back; they continuously and aggressively probe and find new ways around your protection. If you don’t have this level of protection, don’t raise your hand, but do feel free to give me a call and I will try to help you understand the risk / reward. By the way, Brains II Canada, Inc. doesn’t sell this gear. There’s no hidden motive for me to talk to you.
I want to leave you with some really terrifying information. I did not come up with this data myself and I will fully credit the organizations that did.
If your only security stratagem is anti-virus, you’re in deep trouble. Alone, AV is about as effective as crawling under your desk or duck and cover are at surviving a nuclear bomb. Panda Security reports that over 32% of computers in production are presently infected by viruses. Many of them have anti-virus applications installed, but the patterns are not kept up to date and / or do not have scheduled virus detections run. Most current viruses are architected with a dormancy / code switch window. This means that the virus does not look like a virus and waits once activated to go live. If this sounds like a time bomb, you understand perfectly.
Panda discovered that computers in China and South Korea topped the infected list, and in the west, Canada leads with approximately 27% being infected. That tells us that Canadian business is doing a poor job at protecting itself. There’s a common misperception that viruses are no longer a major threat vector. Panda says that they discover 74,000 new variants EVERY SINGLE DAY. Very recently a serious data corruption virus was delivered to Canadian ISP subscribers in the guise of a What’s Up? Voicemail delivered as email. This particular virus was very difficult to eradicate once activated, in many cases requiring low level formats of the infected hard drive to not only erase data but remove all partition information.
hundreds of shorteners, and because they all work on a redirect basis, you have no idea what you are going to get. The #1 web-based threat is called Malicious URL. Yup, that’s its REAL NAME. And it is responsible for over 87% of web attacks. If you aren’t using URL filtering and validation, you’ve been hit already. So where does all the bad code getting on to our networks come from? Unfortunately it comes from countries where security is not well managed and a high percentage of users become infected and then act as Bots for the distribution of malware. They are probably not bad people, but the infections route back to them.
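Because a shortener only ever answers with a redirect, the destination has to be resolved hop by hop before anyone is allowed to fetch it; that is what URL filtering and validation means in practice. The resolver below is an added example, not code from this paper or from Brains II Canada. It follows redirects one hop at a time (HEAD requests, never fetching the page body), caps the number of hops, detects loops, and checks every hop against a blocklist. The redirect table, the hostnames (short.example, badhost.example, yourcompany.example) and the blocklist are constructed placeholders so the demo runs offline; live_head shows how the same resolver is wired to a real network with the standard library.

```python
import urllib.error
import urllib.parse
import urllib.request

# Constructed redirect table standing in for the network: each entry is what a
# shortener's 301/302 Location header would say. Hostnames are placeholders.
FAKE_REDIRECTS = {
    "http://short.example/a1": "http://another-short.example/zz9",
    "http://another-short.example/zz9": "http://cdn.badhost.example/installer.exe",
    "http://short.example/b2": "http://www.yourcompany.example/newsletter",
    "http://short.example/loop": "http://short.example/loop",
}

# Constructed blocklist; a real deployment would feed this from a reputation service.
BLOCKED_DOMAINS = {"badhost.example"}


def fake_head(url: str):
    """Offline stand-in for an HTTP HEAD: return the Location header or None."""
    return FAKE_REDIRECTS.get(url)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # refuse to follow automatically; we inspect each hop ourselves


def live_head(url: str, timeout: float = 5.0):
    """Real HEAD request that returns the Location header without following it.

    Not exercised by the offline demo; pass head=live_head to use it.
    """
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        opener.open(req, timeout=timeout)
        return None  # 2xx: this is the final destination
    except urllib.error.HTTPError as err:
        if err.code in (301, 302, 303, 307, 308):
            return err.headers.get("Location")
        raise


def resolve_chain(url: str, head=fake_head, max_hops: int = 10):
    """Follow redirects one hop at a time; return (urls visited, status).

    status is "final" when a non-redirect response was reached, "loop" when a
    hop repeats, or "hop-limit" when max_hops is exhausted. Relative Location
    values are resolved against the current hop.
    """
    chain = [url]
    seen = {url}
    for _ in range(max_hops):
        nxt = head(chain[-1])
        if nxt is None:
            return chain, "final"
        nxt = urllib.parse.urljoin(chain[-1], nxt)
        if nxt in seen:
            return chain, "loop"
        chain.append(nxt)
        seen.add(nxt)
    return chain, "hop-limit"


def verdict(url: str, blocked=BLOCKED_DOMAINS, head=fake_head) -> str:
    """Classify a short link by checking every hop, not only the visible one."""
    chain, status = resolve_chain(url, head=head)
    for hop in chain:
        host = (urllib.parse.urlsplit(hop).hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in blocked):
            return f"BLOCK: {hop} is on the blocklist"
    if status != "final":
        return f"BLOCK: unresolved chain ({status})"
    return f"ALLOW: final destination {chain[-1]}"


if __name__ == "__main__":
    for link in ("http://short.example/a1", "http://short.example/b2", "http://short.example/loop"):
        print(link, "->", verdict(link))
```

The hop limit and loop check matter as much as the blocklist: a chain that never resolves is itself a reason to refuse the link rather than something to keep retrying.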
80% of the email on the net is illegitimate. That’s down from the prior year, when it was 87%. That said, the perception that you have to click on a link or even open the email to unleash the malware and propagate it is completely wrong. You have to stop the bad email before it crosses the DMZ into your network. If you don’t, you’re going to get hit.
Where do you think most malware is hosted? Most people get this wrong. Here’s the real Top Ten list. The data comes from Kaspersky and others.
Ranking   Country                   Percentage Hosting
1         United States             25.5%
2         Russian Federation        19.6%
3         Netherlands               16.8%
4         Germany                   11.4%
5         United Kingdom             5.6%
6         Ukraine                    4.4%
7         France                     3.5%
8         China                      2.0%
9         British Virgin Islands     1.6%
10        Canada                     1.2%
Surprised? You cannot believe all the government obfuscation. BTW, Canada is ranked #2 in the world as a source of SPAM email. This means that Canadian sites are either the primary source, or (the majority) have been compromised by malware to become spam reflectors. Email and web threats average 1.72 attacks per user per week. Because you don’t see this volume of attack does not mean you are safe. More likely you’re being hit and don’t even know it.
Marketing wants you to be on social media. It’s “employee-supportive” to allow employees to access Facebook, Twitter et al. from business resources. “We can live with small productivity loss in exchange for happy people.” You’ve probably figured out by now that I believe that these decisions are a security hole you could pilot an aircraft carrier through. Sideways. Social media is the favoured home of shortened URLs. Websense has documented that over 32% of these shortened “personal” links are in fact malicious URLs. Social media is also the largest mechanism for data loss / data theft. Unknowing or uncaring users post private business information, alongside their own personal private information, without thinking or considering the risk. Social media sites are trusted by the people that use them. They are also the largest source of what we call a “drive-by download”, where malware is downloaded without the user knowing simply by accessing a page. The other big threat is “clickjacking”, where a legitimate click also drives malware events. CSIAC has done a very good article on Social Media threats. The other real issue with this “granted trust” is that lies are accepted. There’s no way to know that the person or organization being communicated with is actually who they say they are. If you actually read the lengthy and obtuse Terms of Service, there’s no guarantee of integrity and you’ve agreed to hold the service completely harmless of any wrongdoing simply by signing in. I’m not saying block the use of Social Media, but if you allow it from business networks (even on personally owned devices) without a security policy that your employees have signed up for, you’ve already compromised your company’s security.
Mobility
We all love mobility. It is literally life changing. It’s also the most popular threat vector for external attackers because, in general, users behave with no regard for security when working on mobile devices. Factsmark documents that 82% of malicious applications leverage SMS messages. They also report that if an app “requests” to install another app, there is a very high probability that this is malicious. Android is the most widely distributed mobile OS. It also hosts over 85% of the world’s mobile malware. iOS is a closed system, and while it too has been hacked, the difference in vector strength between iOS and Android is enormous, to the detriment of those selecting Android for a business OS. According to Bluebox Security, a vulnerability was discovered in June of 2013 that could leave 99% of Android devices compromised. According to Kaspersky, 98% of mobile malware is on Android.
Application and OS Based Attacks
The number one threat vector for application-based attack is via Java, at 50%. Second are compromised PDFs, at 28%. Most people think that the #1 vector is Windows itself, but this is not true. Even the vaunted (and misrepresented) Macintosh platform has been attacked and infected. However, if you are still running Windows XP, remember that Microsoft isn’t fixing this anymore and, of Windows-based attacks, 63% target Windows XP. Windows 7 is much more secure, with a successful attack percentage of only 7% according to Kaspersky.
We’ve all heard of, and likely experienced, phishing attacks. These look like messages from legitimate hosts requesting you to sign in or otherwise provide information. They can stand out because you might receive a personalized message from an organization that you don’t do business with. Spear-phishing is different. It is completely targeted. Intelligence is gathered in advance, and your firm or people within your firm are the only recipients. This dramatically increases the probability of success. Many large sitedowns are a direct result of spear-phishing. Simple rule – don’t click links in email. Ever.
Personally Identifiable Information
I’m not a privacy lawyer. Keep yourself safe. Don’t keep others’ PII except where absolutely necessary. Do not keep credit cards on file. There’s enough trouble with credit card theft without your business getting dragged into things. In 2012, the processing service provider Global Payments (you’ve shoved your card into one of their machines in the last two weeks, I promise) was hacked and card numbers belonging to cardholders from Visa, Mastercard, American Express and Discover were stolen. Adobe Systems was breached this past fall and 24M customer records were stolen. Don’t be the next one breached.
The Problem is Real
It’s common for security professionals (and I count myself in that group) to issue these kinds of missives at the start of a calendar year. I believe that this is an ongoing conversation, and the sad reality is that I see the same issues every single year.
What Can You Do
If you are a business operator, educate your employees. If you are an employee, educate yourself, and if you aren’t hearing this from your leadership, send it along because there is a problem. Ostrich-disease is rampant in this space and only through education can we help stem the tide. To a large extent, this is like the alarm business. You won’t stop a committed attacker, but if you make things very difficult, the attacker may move on to easier pickings. You don’t have to like that model, but it absolutely works. Ultimately the decision on security is yours.
Ten Tips For Better Information Security
1. Employ a Defence in Depth Strategy – Perimeter to Local
2. Educate Users
3. Migrate from Firewalls to Multi-Defence Platforms
4. Remind Users
5. Use Perimeter Based and Local AV – update daily – scan weekly
6. Test Users
7. Establish policies for Social Media use at work and get employees to sign off on them
8. Conduct Threat Tests Quarterly
9. Train IT professionals in Information Security
10. Hold Business Unit Leaders and Managers accountable for security
All the information presented in this white paper is publicly available. Readers are encouraged to make their own decisions about its impact and even its veracity. I’m convinced, you don’t have to be. All product names mentioned are trademarks or registered trademarks of their respective companies.
About the Author
Ross Chevalier is President of Brains II Canada, Inc. He holds the CISSP designation and is the original founder of Internet Safety for Kids Canada (now rolled into KINSA – Kid’s Internet Safety Alliance). He has been a speaker on the subject of information security to thousands of participants across North America. He can be reached at 905.969.2022.