Month: September 2017
Businesses today need to implement layered defenses to prevent malware and ransomware from being installed on their networks. A web filtering solution should be one of those defenses. At its most basic, a web filter will block access to websites known to contain malware, exploit kits, or be used for phishing.
While web filters are commonly used as an additional security measure to block malware, one of the most important reasons for implementing a web filter is to prevent employees from accessing inappropriate or illegal website content and to prevent productivity draining online activities. In some cases, employers choose to severely restrict Internet access by only allowing employees to access to whitelisted sites – websites that need to be accessed for work purposes.
Regardless of the level of control you want to apply, it is usual for different controls to be needed for different individuals or groups of employees. For example, social media sites could be blocked for the entire organizations, but not for the marketing department, which would need to access corporate social media accounts.
While it is possible to place restrictions on different computers using a virtual local area network (VLAN), using a VLAN for content control lacks flexibility. If a device is on a VLAN that prohibits Internet access entirely, there may be instances when Internet access is temporarily required.
Integrating a Web Filter with LDAP
A better, more flexible solution is to base content filtering controls on the user, or user group. Integrating a web filter with LDAP allows filtering controls to be easily applied for different users, rather than limiting controls to a particular device.
In a call center, a telemarketer could logon using their LDAP information and have one set of filtering controls, whereas a manager could logon to the same device and have far greater permissions. The use of LDAP also allows detailed reports to be generated on which users and devices have accessed certain websites or website content. If DHCP is used on workstation and mobile devices, it may only be possible to view access logs up to a day old. Integrating a web filter with LDAP will make it much easier to generate reports when performing audits of Internet use.
Oftentimes, employees will be assigned to more than one LDAP group, so while it is possible to assign web filtering controls to specific groups, rules can be set to cater for members of more than one group, such as using the most or least restrictive content filtering settings when a user is in multiple LDAP groups. Not everyone will have a LDAP account. When guests require Internet access, a default configuration can be set. If users need to take their devices off site, content filtering by IP address or VLAN would not be possible. In such cases, a client-based solution is used to capture the LDAP session. This is important for K12 Schools that issue laptops for students to take home.
Using a web filtering solution that integrates with LDAP makes content filtering much easier to manage. WebTitan integrates with LDAP allowing you to easily apply content filtering controls by user or user group, with a range of APIs also provided to integrate with Active Directory, NetIQ and other deployment, billing and management tools.
If you want to start filtering the Internet and controlling the content that your users can access, contact TitanHQ today for further information, to schedule a product demonstration, and take advantage of our free trial.
This week, news has emerged about a serious Deloitte data breach that allegedly resulted in ‘several gigabytes’ of sensitive emails sent to and from the accountancy firm’s clients being obtained by hackers.
Deloitte is one of the big four accountancy firms and provides auditing and tax consultancy services to some of the world’s biggest companies, including many banks, pharmaceutical firms, and government agencies. Deloitte also offers cybersecurity consultancy services and is one of the most widely respected firms, and was rated as the top cybersecurity consultancy firm in the world in 2012.
According to a report in The Guardian, the Deloitte data breach was detected in March, but was only announced this week. Hackers are believed to have access to the firm’s Azure cloud account for months, with the initial breach believed to have occurred in October last year. The Azure account was used to store company emails.
Access to the cloud was gained by hacking an administrator account, which was protected with a password, although allegedly did not have two-factor authentication in place.
Deloitte has confirmed it has suffered a data breach, although few details have been released about the nature of the breach other than Deloitte saying only a small number of its clients have been impacted. Deloitte also issued a statement saying, “no disruption has occurred to client businesses, to Deloitte’s ability to continue to serve clients, or to consumers.” The Guardian reported that just six of the company’s clients had been impacted, although Deloitte has not publicly confirmed how many clients were notified of the breach.
Deloitte hired a leading cybersecurity firm to perform a forensic analysis to determine the actions taken by the attacker(s), which information was accessed, and what clients were impacted. That analysis revealed the types of information compromised included email communications including file attachments, architectural diagrams for its clients, health information, and in some cases, sensitive security and design details. Usernames, passwords, IP addresses, and personal data of the firm’s clients were also believed to have been obtained by the attacker(s).
The cloud account allegedly contained as many as 5 million emails, although Deloitte believes only a small percentage of those emails were accessed during the time the attacker(s) had access to the account. While that is the official line, some sources close to the investigation suggest the Deloitte data breach is being downplayed. Brian Krebs wrote in a blog post that he has been informed that the attackers gained access to the firm’s entire store of emails and that all administrator accounts at the company had been compromised.
That source also said Deloitte performed a company-wide reset of its email passwords on October 17, 2016, suggesting a potential breach was suspected at the time. The source, who was close to the investigation, said several gigabytes of data had been exfiltrated from the cloud account to a server in the United Kingdom.
Investigations are continuing into a massive Sonic data breach that has potentially impacted millions of its customers.
Sonic, an Oklahoma City-based restaurant chain with more than 3,600 franchise restaurants in the United States, was alerted to a potential breach by its card payment processor after a pattern of fraudulent purchases was identified and linked to the restaurant chain.
The Sonic data breach was first reported by Brian Krebs, who linked the listing of a batch of 5 million credit and debit card numbers on the cybercrime marketplace Joker’s Stash to a potential breach at Sonic.
Krebs reported that two individuals who had agreed to purchase credit card numbers from the seller both said the cards had previously been used in Sonic locations. After contacting Sonic to report the potential breach, Krebs was notified that the restaurant chain was investigating a potential breach.
Sonic has issued a statement saying it is working with law enforcement and has hired a third-party forensics firm to confirm whether its systems have been hacked, and if so, to determine the nature and scope of the breach.
At present it is unclear how many of the restaurants chain’s locations have been impacted or the number of customer’s that have had their card details stolen. While the batch of credit and debit card numbers listed for sale indicates the breach victim count could be as high as 5 million, it has yet to be established whether all of those card numbers came from the Sonic data breach. It is possible the list could be an amalgamation of data from several breaches.
The Sonic data breach has potential to be one of the largest POS data breaches to affect the hospitality industry, and is the latest in a string of cyberattacks on restaurants. Earlier this year Chipotle Mexican Grill experienced a breach that affected most of the chain’s restaurants. Arby’s and the Select restaurant chain have also announced major data breaches. Last year, a major breach of card details was reported by Wendy’s which affected more than 1,000 of its restaurants.
Restaurant chain data breaches typically involve malware installed on point-of-sale systems that collects and exfiltrates card details. The malware infections often go unnoticed for weeks or months. It is only when card processors notice trends in credit card fraud and alert specific restaurants or restaurant chains that the breach is identified. The malicious actors behind these breaches often hold on to the stolen data until a sufficiently large batch of card numbers have been obtained, before listing the data for sale on darknet marketplaces.
In this case, the card numbers from the Sonic data breach were selling for between $25 and $50 depending on the type of card. This is much higher than the usual cost of stolen card numbers, indicating the card details have come from a recent data breach with most of the cards yet to be cancelled.
Hackers can gain access to POS systems via email phishing attacks, by exploiting vulnerabilities using exploit kits, direct attacks on unpatched and out-of-date operating systems, brute force RDP attacks, or by infiltrating the systems of vendors that have legitimate access to restaurant networks. It was the latter that enabled hackers to gain access to Target’s system and steal credit card details of 40 million customers. The same was true of the Wendy’s breach. Hackers obtained the credentials of some of its service providers and were able to login and install malware.
Restaurants can reduce the risk of data breaches by complying with the Payment Card Industry’s Data Security Standard (PCI DSS), a list of 12 requirements spread across six control objectives. Those requirements include the use of spam filtering, web filtering solutions, and securing the Wi-Fi environment – the latter two can both be achieved by implementing WebTitan.
There has been a rapid evolution of ransomware over the past two years. New variants of ransomware are now being released on an almost daily basis, and the past two years have seen a massive explosion in new ransomware families. Between 2015 and 2016, Proofpoint determined there had been a 600% increase in ransomware families and Symantec identified 100 totally new ransomware families in 2016.
The development of new ransomware variants has largely been automated, allowing developers to massively increase the number of threats, making it much harder for the developers of traditional, signature-based security solutions such as antivirus and antimalware software to maintain pace.
The latest ransomware variants use a wide variety of techniques to evade detection, with advanced obfuscation methods making detection even more problematic.
Ransomware is also becoming much more sophisticated, causing even greater problems for victims. Ransomware is now able to delete Windows Shadow Volume copies, hampering recovery. Ransomware can interfere with file activity logging, making an infection difficult to detect until it is too late. Ransomware can encrypt files on removable drives – including backups – and spread laterally on a network, encrypting files on network shares and multiple end points.
Not only have the ransomware variants become more sophisticated, so too have the methods for distributing the malicious code. Highly sophisticated spam campaigns use a variety of social engineering techniques to fool end users into visiting malicious links and opening infected email attachments. Droppers with heavily obfuscated code are used to download the malicious payload and a considerable amount of effort is put into crafting highly convincing emails to maximize the probability of an end user taking the desired action.
Then, there is ransomware-as-a-service – the use of affiliates to spread ransomware in exchange for a cut of the profits. Ransomware kits are now supplied, complete with intuitive web based interfaces and instructions for crafting ransomware campaigns. Today, it is not even necessary to have any technical skill to conduct a ransomware campaign.
The profits from ransomware are also considerable. In 2016, the FBI estimated profits from ransomware would exceed $1 billion. With such high returns, it is no surprise that ransomware has become the number one malware threat for businesses.
The Evolution of Ransomware – Notorious Ransomware Variants from the Past Two Years
- Locky: Deletes volume shadow copies from the compromised system, thereby preventing the user from restoring files without paying the ransom.
- Jigsaw: An extremely aggressive ransomware variant that deletes encrypted files every hour until the ransom is paid, with total file deletion in 72 hours.
- Petya: Rather than encrypting files, Petya changes and encrypts the master boot record, preventing files from being accessed. Petya is also capable of installing other malware payloads.
- NotPetya: A wiper that appears to be ransomware, although NotPetya permanently changes the master boot record making file recovery impossible.
- CryptMix: Attackers claim they will donate the ransom payments to a children’s charity, in an effort to get victims to pay up. There is no evidence ransom payments are directed to worthy causes.
- Cerber: Now used to target users of cloud-based Office 365, who are less likely to have backed up their data. Some Cerber variants speak to their victims and tell them their files have been encrypted.
- KeRanger: One of the first ransomware strains to target Mac OS X applications.
- Gryphon: Spread via remote desktop protocol (RDP) using brute force tactics to guess weak passwords.
- TorrentLocker: A ransomware variant being used to target SMBs, spread via spam email attachments claiming to be job applications
- HDDCryptor: A ransomware variant that targets network shares, file, printers, serial ports, and external drives. HDDCryptor locks the entire hard disk
- CryptMIC: A ransomware variant that does not change file extensions, making it harder for victims to identify the threat
- ZCryptor: Ransomware with worm-like capabilities, able to rapidly spread across a network and infect multiple networked devices and external drives
- WannaCrypt: A 2017 ransomware variant with worm-like capabilities, able to spread rapidly to infect all vulnerable computers on a network.
Ransomware is most commonly spread via spam email, exploit kits and by remotely exploiting vulnerabilities. To protect against ransomware you need an advanced spam filter, a web filter such as WebTitan to block access to sites containing exploit kits, and you need to ensure software and operating systems are kept 100% up to date.
In the event that you are infected with ransomware, you must be able to recover files from a backup. Use the 321 approach to ensure you can recover files without paying the ransom – Make three backup copies, on two different media, with one copy stored securely off site. Also make sure backups are tested to ensure files can be restored in an emergency.
Cybercriminals have realized they can greatly increase the number of infections – and profits – by adopting an affiliate model – termed ransomware-as-a-service. The affiliate model works well for online retailers, who can generate sales from customers they would be unlikely to reach if they worked on their own. The same applies to ransomware developers.
Affiliates are recruited to distribute ransomware in exchange for a cut of the profits. Ransomware developers can recruit would-be cybercriminals to send out their malicious code in targeted attacks around the world, extending their reach considerably. The greater the number of affiliates, the wider ransomware can be spread and the more payments are received. The returns are substantial for relatively little effort.
In addition to developing the ransomware, kits have been created that make it simple for affiliates to launch their own campaigns. No technical skill is required, affiliates simply enter in their own parameters via an online interface and they can start conducting their own campaigns. Affiliates just need to know how to distribute the ransomware. Full instructions are usually provided.
With an army of spammers sending out the ransomware, the number of devices infected has soared. In 2017, Cerber became the most widely used ransomware variant, even surpassing Locky. The secret of the success was adopting the ransomware-as-a-service model.
For the most part, ransomware is a numbers game. The more individuals that are actively distributing ransomware, the greater the number of infections. With the threat of email and web-based attacks growing, businesses must invest in new technologies to counter the threat.
There are two key solutions that should be adopted by all businesses to improve protections against ransomware. A spam filter is a must – a fact not lost on the majority of businesses. However, even though email is the primary vector used to spread ransomware and malware, there are still businesses that have not yet purchased a spam filtering solution.
A recent survey by PhishMe indicates only 85% of businesses are using spam filtering technology to block phishing emails. That means 15% of businesses have yet to implement this most fundamental of ransomware defenses.
The second key solution is a web filter. Web filters allow employers to carefully control the websites that their employees can access, including blocking websites known to host malware. If an email makes it past a spam filter and an employee clicks on a malicious hyperlink, a web filter can prevent the malicious site from being accessed. A web filter also offers protection from malvertising – malicious adverts that direct users to phishing websites and sites hosting exploit kits.
Of course, technology can only go so far. Even layered defenses can be breached, which is why employees need to be taught how to identify potentially malicious emails. Employees should receive regular security awareness training and be encouraged to report potentially malicious emails. When those emails are reported, IT teams can add the malicious links to the web filter to prevent other individuals in the organization from visiting the malicious websites.
For further information on spam and web filtering, contact the TitanHQ today.