Our news section dedicated to cybersecurity advice is regularly updated with news about the latest online threats and most recently discovered security vulnerabilities – and advice on how to deal with them.
MSPs in particular will find our cybersecurity advice section of value, as it addresses many of the online security issues that clients may have heard about and that may have raised concerns about their own cybersecurity defenses.
MSPs can reassure clients that the risk of systems and networks being infected by an online threat – or security vulnerabilities in their software being exploited by a hacker – can be nullified with a web filtering solution from TitanHQ.
Regardless of whether you run a hotel, coffee shop or retail outlet, customers expect Internet access, but make sure you secure guest WiFi for business visitors. Providing business visitors and customers with Internet access brings many benefits, but if you do not secure guest WiFi for business visitors you will be exposing yourself – and them – to considerable risk. If you offer secure guest WiFi access, all users will be protected from malware, ransomware, and phishing when connected to the network. That can be a good selling point for businesses, and it also shows you care about your customers.
Why Is Providing Internet Access so Important?
In 2013, one study revealed that 80% of customers in retail outlets felt the provision of free WiFi access would influence their purchasing decisions. If retailers provide guest WiFi access, they are likely to encourage more potential customers into their stores and get more sales opportunities.
With more people purchasing online, businesses need to adapt. Customers want to be able to check online before making a purchase or signing up for a service, such as reading online reviews. Fail to offer Internet access and customers are more likely to leave and make a purchase at another time. Chances are that sale will be made elsewhere. Keep them in your store and allow them to access the internet and your chances of achieving a sale will be increased. Of course, if you are unable to compete with online retailers – Amazon for example – you could provide free WiFi but block access to that website.
Why is Secure Guest WiFi for Business So Important?
There are considerable benefits to be gained from offering customers free Internet access. It is what customers want, it provides businesses with an opportunity to communicate with customers, it allows businesses to collect contact details for future marketing programs, and by monitoring the use of the Internet in store, businesses can gain valuable customer insights and find out more about the interests of their customers. Businesses should note however that the General Data Protection Regulation (GDPR) requires consent to be obtained before any personal information is collected and used.
Giving customers and guests access to the Internet opens a business up to considerable risks. If those risks are not mitigated, guest WiFi access can prove incredibly costly. You may have trained your employees to be security aware and have introduced policies covering allowable Internet usage, but guests, customers and other visitors are likely to have different views about the content that can be accessed on your WiFi network.
Guests and customers could take advantage of a lack of restrictions to access inappropriate material such as pornography. Individuals could engage in morally or ethically questionable activities on a business network or even illegal activity such as copyright infringing downloads. They may also accidentally install malware or ransomware or visit phishing websites.
Secure guest WiFi for business means protecting yourself, your customers and your guest users. Securing guest WiFi for business visitors ensures they are protected when connected to your network: you will be able to block man-in-the-middle attacks and malware downloads and protect against phishing attacks. By providing secure guest Internet access, you will also reduce your legal liability.
5 Things to Consider About Secure Guest WiFi for Business Customers
If you are going to open up your network to guests, security cannot be an afterthought. Secure guest WiFi for business is a must. Before providing WiFi access, be sure to consider the points below:
Segmenting your network is important for two reasons. Secure guest WiFi for business means visitors should not be able to gain access to parts of the network used by your employees. Your business guest wireless network should be kept totally separate from the internal network used by your employees. Guest users should not be able to log on and see your network assets, confidential files and resources. Use a network firewall or create a separate VLAN for guest use, and use a software firewall to protect servers and workstations from traffic originating on the guest network. Secondly, in the event of a malware or ransomware infection, segregating your network will greatly limit the harm caused.
Always Change Default Passwords and SSIDs
This is one of the most basic security practices, yet because of that it is easy to forget. The Internet is littered with reports of data breaches that have occurred as a result of the failure to change default passwords. All network peripherals should have strong, unique passwords set.
It is also important to change your SSID for your WiFi network. The SSID should reflect the name of your business and it should be quite clear to your customers which is your network. Fail to do this and you make it too easy for malicious individuals to set up “evil twin” access points and lure guests onto those rogue access points and conduct man-in-the-middle attacks. You can post the SSID and password internally to make it easy for legitimate users to gain access to your network. Be sure to change your password regularly.
Keep your Firmware Updated!
Firmware updates are issued for a reason. They correct vulnerabilities that could easily be exploited by cybercriminals to gain access to your devices and network. If those vulnerabilities are exploited, configurations can be changed for a variety of nefarious purposes. You should have policies in place that require firmware updates to be installed promptly, with checks performed monthly to ensure that all devices have been updated and no firmware updates have been missed.
Encrypt Your Wireless Signals
You want to make it as easy as possible for your guest WiFi network to be accessed by your customers and visitors, but don’t make it too easy for hackers to spy on individuals connected to the network. Make sure you encrypt your wireless network with WPA2/WPA3 encryption.
If your router does not support WPA2 as a minimum it is time to upgrade your router’s firmware or, if that is not possible, you should buy a modern router that supports WPA3 encryption. If you fail to encrypt your WiFi, it is too easy for your bandwidth to be stolen and for data to be intercepted.
Secure Guest WiFi for Business Means Content Filtering
Secure guest WiFi for business means adding controls to limit the content that can be accessed on your WiFi network.
You should block access to adult content – which includes pornography, gambling sites, and dating sites, and also web content that is ethically or morally questionable or illegal.
A web filtering solution will also protect your customers from accidental malware and ransomware downloads and is an important anti-phishing control.
Consider using a cloud-based web filter as these require no additional hardware to be purchased. They can also be configured and maintained remotely and will not require software or firmware upgrades. In contrast to appliance-based web filters, cloud-based filters are more scalable and are more adaptable to the changing needs of your business.
Wireless Guest Network Best Practices
There are many benefits to be gained from setting up a wireless guest network, but doing so introduces risks. If those risks are not managed, guest users could gain access to network resources and view or steal sensitive information. Malware may be accidentally or deliberately installed, and vulnerabilities could be introduced that could expose the network to hackers. Fortunately, following some simple wireless guest network best practices will ensure risks are mitigated and your wireless network is made as – or more – secure than your wired network.
Separate your wireless guest network from the business network – Set up a second SSID specifically for guests to use. It should not be possible for guest users to access your internal WiFi network.
Choose the SSID wisely – Choose a name that does not advertise the fact that the network belongs to your business if you want to make it harder for hackers to attack your WiFi network.
Set a secure password for guests to use – Make sure the default password is changed to ensure only authorized guests can access the network.
If possible, ensure each guest user can be identified on the network. Use a management solution that collects guest credentials as this will allow you to monitor guest behavior and gain valuable insights into how your customers are using the network. Be aware there are restrictions under GDPR and CCPA that require you to obtain consent to collect personal data and explain why the data is being collected.
Communicate your Internet usage policies to guests – so they know what is allowed and prohibited while connected to your WiFi network.
Use the most advanced encryption available – All modern routers and access points support WPA2 encryption. Make sure this is enabled – or WPA3 if it is supported. Avoid using WPS as it is vulnerable to brute force attempts to guess the password.
Disable admin access on wireless networks – if a hacker succeeds in gaining access to your WiFi network, this will limit the harm that can be caused.
Implement a web filtering solution – A web filter should be configured to prevent users from accessing inappropriate and malicious websites while connected to the WiFi network.
WebTitan Cloud for WiFi – Secure Guest WiFi for Business Users
TitanHQ has made it easy to secure guest WiFi for business users. WebTitan Cloud for WiFi is a 100% cloud-based web filter that allows businesses to carefully control the categories of web content that can be accessed by guest users.
WebTitan Cloud for WiFi allows businesses to block access to 53 different predefined categories of web content, including pornography, gambling, dating, news, and social media websites. Within those 53 categories are more than 500 million websites in 200 languages that have been assessed for content and categorized. A cloud-based lookup also ensures accurate and flexible filtering based on page content.
Secure guest WiFi for business means effective malware, ransomware, and phishing protection. With WebTitan Cloud for WiFi deployed, access to compromised websites, phishing sites, and other malicious websites will be blocked.
Flexible policy creation means control over the filter can be delegated for different departments, and controls can be applied for different types of users. Cloud Keys can also be created to allow specific users to bypass policy rules.
A full suite of reports ensures detailed information is always available, with email notifications alerting administrators to attempted policy violations and a real-time browsing view is available.
If you want to take control of your WiFi network or are an MSP looking for an easy-to-use multi-tenant solution to allow you to provide a web filtering service to your clients, WebTitan Cloud for WiFi is a quick, easy to use, and low cost way of providing secure guest WiFi for business users.
Contact TitanHQ today for further information on WiFi guest network security and to find out how WebTitan can protect your business. Our knowledgeable sales staff will be able to advise you on the best way to improve guest WiFi security and will help you choose the best deployment option. If you want to see WebTitan in action before you make a purchase decision, our sales staff will be happy to schedule a product demonstration and help set up a free trial of the solution.
The Kaseya Connect Europe User Conference will be taking place on October 3, 2017 in Amsterdam, Netherlands with the company recently having announced its line-up of speakers and exhibiting partners for the event.
The Kaseya Connect Europe User Conferences are hugely popular. The events provide an excellent networking and learning opportunity with attendees able to see technical presentations with hands on demonstrations to improve usage of Kaseya solutions and find out more about the latest product releases.
Attendees benefit from expert advice, gain strategic insights and receive useful practical knowledge from industry experts and thought leaders. They also have the opportunity to take part in product training and other instructional sessions to help them get the most out of their business, optimize their technical operations and boost revenues.
The upcoming Kaseya Connect Europe User Conference will include a business track to help MSPs monetize their business, increase their service stack and boost revenues.
Sue Gilkes, faculty member of CompTIA and founder and managing director of Your Impact Ltd, will be providing her insights into how MSPs can grow their business and improve revenues, while Transmentum’s Adam Harris – Author of “Check-In Strategy Journal” – will be delivering a keynote speech – “7 Sales Strategies to Take Away and Implement Immediately” – a must attend session for all MSPs.
Next year, the General Data Protection Regulation (GDPR) will come into effect in May. MSPs need to start preparing to ensure the deadline for compliance is met. With the deadline just a few months away, a session will be focused on helping MSPs prepare.
TitanHQ is pleased to announce it is an Emerald Sponsor for the event and will be demonstrating its WebTitan and SpamTitan solutions for MSPs.
WebTitan is an innovative web filtering solution ideal for MSPs. The solution can easily be added to MSPs service stacks allowing them to improve the cybersecurity defenses of their clients. WebTitan is a DNS-based web filtering solution that blocks a wide range of online threats and allows users to carefully control the web content that can be accessed via their wired and wireless networks.
SpamTitan is a leading spam filtering solution that blocks more than 99.9% of spam and malicious emails to keep end users protected from phishing attacks, malware and ransomware infections.
Both solutions are provided as white-label products with a range of hosting options, including hosting within an MSP’s own environment.
Following the massive global ransomware attacks of recent months, businesses are demanding additional protections, with both solutions offering MSPs a golden opportunity to generate regular additional monthly revenue with minimal management time.
“It’s exciting to bring together hundreds of our European customers and partners for this conference, and provide them with convenient access to educational sessions, networking opportunities and insightful discussions from industry leaders,” said Sabine Link, vice president, customer success for Kaseya. “Through this event, we can deliver a unique experience for our European users that will empower them with the knowledge they need to achieve the results they desire.”
The event is free of charge for MSP executives, regardless of whether they are already Kaseya users. However, registration is required in advance of the event. If you are interested in attending the Kaseya Connect Europe User Conference in October, you can register for the conference here.
The recent ransomware attack on University College London has been discovered to have occurred as a result of an end user visiting a website hosting the Astrum exploit kit. Exploit kits are used to probe for vulnerabilities and exploit flaws to download malware.
Most ransomware attacks occur via email. Phishing emails are sent in the millions with many of those emails reaching end users’ inboxes. Ransomware is downloaded when infected email attachments are opened or malicious links are clicked. Organizations can reduce the threat of ransomware attacks by implementing an advanced spam filtering solution to prevent those malicious emails from being delivered.
However, spam filtering would not have stopped the University College London ransomware attack – one of many ransomware attacks on universities in recent months.
In order for an exploit kit to work, traffic must be sent to malicious websites hosting the kit. While spam email can be used to direct end users to exploit kits, the gang behind this attack was not using spam email.
The gang behind the Astrum exploit kit – AdGholas – has been using malvertising to direct traffic to sites hosting the EK. Malvertising is the name for malicious adverts that have been loaded onto third party ad networks. Those adverts are displayed to web users on sites that sign up with those advertising networks. Many high traffic sites display third party adverts, including some of the most popular sites on the Internet. The risk of employees visiting a website with malicious adverts is therefore considerable.
Exploit kit attacks are far less common than in 2015 and 2016. There was a major decline in the use of exploit kits such as Magnitude, Nuclear and Neutrino last year. However, this year has seen an increase in use of the Rig exploit kit to download malware, and the Astrum exploit kit is also attempting to fill the void. Trend Micro reports that the Astrum exploit kit has been updated on numerous occasions in 2017 and is very much active.
The risk of exploit kit attacks is ever present and recent ransomware and malware attacks have shown that defenses need to be augmented to block malicious file downloads.
An exploit kit can only download malware on vulnerable systems. If web browsers, plugins and software are patched promptly, even if employees visit malicious websites, ransomware and malware cannot be downloaded.
However, keeping on top of patching is a difficult task given how many updates are now being released. Along with proactive patching policies, organizations should consider implementing a web filtering solution. A web filter can be configured to block third party adverts as well as preventing employees from visiting sites known to contain exploit kits.
With exploit kit attacks rising once again, now is the time to start augmenting defenses against web-based attacks. In the case of University College London, a fast recovery was possible as data were recoverable from backups, but that may not always be the case. That has been clearly highlighted by a recent ransomware attack on the South Korean hosting firm Nayana. The firm had made backups, but they too were encrypted by ransomware. The firm ended up paying a ransom in excess of $1 million to recover its files.
Awareness of the additional security provided by HTTPS websites is increasing, but so too are HTTPS phishing websites. Cybercriminals are taking advantage of consumer trust of websites that encrypt connections with web browsers.
The risks of disclosing sensitive information such as credit card numbers on HTTP sites have been widely reported, with more sites now using the Hypertext Transfer Protocol Secure (HTTPS) to prevent man-in-the-middle attacks and improve security for website visitors. However, just because a website address starts with HTTPS does not mean that website is safe.
HTTPS phishing websites also secure the connection. Divulging login credentials or other sensitive information on those sites will place that information in the hands of criminals.
A recent report from Netcraft shows more phishing websites are now using HTTPS to communicate, with the percentage of HTTPS phishing websites jumping from 5% to 15% since the start of 2017.
Internet users are now being warned if they are visiting a website that does not encrypt connections. Google Chrome and Firefox browsers have recently started displaying warnings on sites that are not secure.
The problem is that many users automatically assume that if a website starts with HTTPS it is safe and secure when that is far from the case.
Even if a website is genuine and encrypts communications, that does not mean the website cannot be compromised. If a hacker gained access to a website with an SSL certificate, it would be possible to add pages that phish for sensitive information. The website would still display the green lock symbol and its address would still start with HTTPS.
HTTPS phishing websites may also have valid digital certificates meaning even Firefox and Google Chrome browsers will not flag the sites as potentially malicious. Those sites may also include the brand names of legitimate websites such as Facebook, Amazon, or PayPal. In the case of the latter, a recent report from the SSL Store revealed that there were 15,270 websites that contained the word PayPal which had been issued with SSL certificates.
The rise in HTTPS phishing websites shows that simply checking the protocol used by the site is no guarantee that the site is not malicious. Care must be taken when accessing any website, regardless of the protocol used by the site.
Businesses can improve protection by implementing a web filtering solution capable of reading encrypted web traffic. This will help to ensure employees are prevented from visiting malicious websites on their work computers, regardless of the protocol used by the sites.
WebTitan not only allows organizations to block websites by category, content or keyword, the web filtering solution also decrypts, reads, and then re-encrypts connections and will block phishing and other malicious websites. By inspecting HTTPS websites, WebTitan will also ensure access to any secure website is blocked if the site or webpage violates user-set rules on website content.
A Mac malware warning has been issued for any individual who recently downloaded Handbrake for Mac. A server was compromised and a remote access Trojan was bundled with the Handbrake Apple Disk Image file.
A credential-stealing Remote Access Trojan was discovered to have been bundled with the Handbrake video transcoder app for the MacOS, with Handbrake for Mac downloads between May 2 and May 6, 2017 potentially also installing the MacOS Proton RAT.
A Mac malware warning has been issued for all users who recently downloaded the app. It is strongly recommended that any individual who downloaded the app between the above dates verifies that they have not been infected. According to a statement issued by the developers of the app, individuals have a 50/50 chance of infection if they downloaded the app between the above dates.
Cybercriminals were able to compromise a server and bundle the malware with the app, with all users who used the download.handbrake.fr mirror potentially infected.
Apple has now updated OS X’s XProtect to detect and remove the infection, although individuals at risk should check to see if their device has been infected. Infection can be detected by looking for the Activity_agent process in the OS X Activity Monitor. If the process is running, the device has been infected with the Trojan.
Any user infected with the malware will need to change all passwords stored in the MacOS keychain. Any password stored in a browser will also need to be changed, as it is probable it has also been compromised.
The Trojan can be removed by opening the Terminal and entering the following commands before removing all instances of the Handbrake app:
# if ~/Library/VideoFrameworks/ contains proton.zip, remove the folder
[ -f ~/Library/VideoFrameworks/proton.zip ] && rm -rf ~/Library/VideoFrameworks
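As an added example, not part of the original warning or of the Handbrake project, the following POSIX shell script performs the two checks described above from the Terminal rather than Activity Monitor: it looks for a running activity_agent process (matched case-insensitively, since the name is written as Activity_agent above) and for proton.zip in ~/Library/VideoFrameworks/. The function names are my own, and the script only reports; removal follows the steps given in the text.

```shell
#!/bin/sh
# Added example (not from the original advisory or the Handbrake project).
# Checks a Mac for the two indicators described in the text: a running
# activity_agent process and a proton.zip inside ~/Library/VideoFrameworks/.
# It only reports; removal is left to the steps given in the text.

# Returns 0 if no activity_agent process is running, 1 if one is found.
# Matched case-insensitively because the name is also written "Activity_agent".
check_activity_agent_process() {
    if pgrep -i -x activity_agent >/dev/null 2>&1; then
        echo "FOUND: an activity_agent process is running"
        return 1
    fi
    echo "ok: no activity_agent process"
    return 0
}

# Returns 0 if the given directory holds no proton.zip, 1 if it does.
# The directory is a parameter so the check can be exercised on a test folder.
check_video_frameworks_dir() {
    dir="$1"
    if [ -f "$dir/proton.zip" ]; then
        echo "FOUND: $dir/proton.zip"
        return 1
    fi
    echo "ok: no proton.zip in $dir"
    return 0
}

# Runs both checks against the live system; returns 1 if either indicator is present.
scan_mac() {
    status=0
    check_activity_agent_process || status=1
    check_video_frameworks_dir "$HOME/Library/VideoFrameworks" || status=1
    return "$status"
}

scan_mac || echo "Indicators found: follow the removal steps above, then change keychain and browser passwords"
```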
The MacOS Proton RAT was first identified earlier this year. It is capable of logging keystrokes to steal passwords, can execute shell commands as root, steal files, take screenshots of the desktop and access the webcam. Once installed, it will run every time the user logs on.
Only Handbrake for Mac downloads were affected. Any user who recently upgraded through the Handbrake update mechanism will not be affected, as checks are performed to prevent the downloading of malicious files.
The compromised server has now been shut down to prevent any further malware downloads. At this stage it is unclear how access to the server was gained and how the Handbrake Apple Disk Image file was replaced with a malicious version.
A patch has been rushed and released to address a serious Microsoft Malware Protection Engine bug, termed ‘Crazy Bad’ by the researchers who discovered the flaw. If exploited, the vulnerability would allow threat actors to turn the malware protection software against itself.
If the Microsoft Malware Protection Engine bug is exploited, Microsoft’s malware protection engine could be used to install malware rather than remove it. Instead of searching for infected files that have been downloaded, the system would be downloading malware and infecting end users.
The Microsoft Malware Protection Engine bug affects a number of anti-malware software products including Windows Defender, Microsoft Security Essentials, Microsoft System Center Endpoint Protection, Microsoft Forefront Security for SharePoint, Microsoft Endpoint Protection, Windows Intune Endpoint Protection and Microsoft Forefront Endpoint Protection.
The remotely exploitable bug could allow a system to be completely compromised, giving attackers full access to an infected computer or server, since the software and all associated processes run at LocalSystem privilege level.
The flaw was discovered by Natalie Silvanovich and Tavis Ormandy of Google Project Zero who alerted Microsoft three days ago. Ormandy said the flaw was “The worst in recent memory.” Microsoft worked fast to patch the flaw and an update was pushed out yesterday.
While extremely serious, Microsoft does not believe any malicious actors have taken advantage of the flaw, although all unpatched systems are at risk. Threat actors could take advantage of the Microsoft Malware Protection Engine bug in a number of ways, including sending specially crafted email messages. The Project Zero researchers note that simply sending a malicious email would be enough to allow the bug to be exploited. It would not be necessary for the user to open the email or an infected email attachment. The researchers explained that “writing controlled contents to anywhere on disk (e.g. caches, temporary internet files, downloads (even unconfirmed downloads), attachments, etc) is enough to access functionality in mpengine.” Alternatively, the flaw could be exploited by visiting a malicious website if a link was sent via email or through instant messaging.
The patch for the vulnerability (CVE-2017-0290) will be installed automatically if users have auto-update turned on. System administrators who have set updates to manual should ensure the patch is applied as soon as possible to prevent the flaw from being exploited. The current, patched Malware Protection Engine is version 1.1.13704.0.
On May 25, 2018, the General Data Protection Regulation (GDPR) comes into force and GDPR compliance will be mandatory. Now is the time to get prepared. GDPR compliance is likely to require considerable effort and resources. If your organization is not prepared, you may miss the GDPR compliance deadline.
GDPR is a new regulation that will apply to all organizations based in EU member states, as well as those based in non-member states that capture, hold or process the data of EU citizens. GDPR replaces the 1995 EU Data Protection Directive and will address web-based technology that was not widely available in 1995, such as use of the cloud.
The new regulation will help to ensure the personal data of EU citizens is protected and the risk of sensitive data being exposed is minimized. The new regulation will also allow EU citizens to have much greater control over the personal data that is collected and stored by organizations, and how those data are used.
How Will GDPR Protect Consumers?
One of the main elements of GDPR is improving the rights of EU citizens with regards to the personal data that is collected, stored and used by organizations. GDPR requires organizations to obtain informed consent from consumers prior to collecting and using their data. Consumers must be told the reason why data are being collected, how data will be used, and consumers must be told that they can withdraw their consent at any time. A mechanism must be put in place that will allow an organization to delete data when it is no longer required or when consent is withdrawn.
GDPR gives consumers the right to:
Find out how their data will be used
Discover how data were obtained if informed consent was not provided
Access personal data
Find out how long data will be stored
Correct errors in stored data
Move data to a different processor
Restrict or prohibit the processing of data
Find out with whom data have been or will be shared
Have data permanently erased
Avoid being evaluated on the basis of automated processing
Organizations must also limit the data collected to the minimum necessary amount for the purpose that has been described to consumers to be performed.
While organizations that have an online presence and actively collect data will have to comply with GDPR – Amazon for example – GDPR will apply to a much broader range of companies. In fact, many companies that do not have an online presence will need to comply with GDPR. GDPR will apply to any company that collects the types of data covered by the GDPR definition of personal information. That includes organizations that store ‘personal data’ of employees in an electronic database.
What Data are Covered by GDPR?
Under GDPR, personal information includes an individual’s name and a host of other identifiers, including online identifiers such as location data, IP addresses, cookies and other “pseudonymous data”. Information such as race and ethnic origin, religious or philosophical beliefs, political opinions, sexual orientation, details of sex life, criminal convictions, trade union membership, health data, biometric data, and genetic data are all covered.
Data Security Standards Necessary for GDPR Compliance
GDPR also covers the protections that must be put in place by organizations to ensure the confidentiality, integrity, and availability of data. That includes stored data and all data that flows through systems or applications.
GDPR compliance requires organizations to conduct a risk/gap analysis to assess potential vulnerabilities in their current systems and processes.
Companies must “implement appropriate technical and organizational measures” to ensure the confidentiality, integrity and availability of data. Those measures should “ensure a level of security appropriate to the risk.”
Companies must adopt a privacy and security-by-design approach, and ensure that controls are implemented during the planning stages, development, implementation, and use of applications and systems. Regular testing and security assessments must also be performed.
Systems must also be implemented that allow data to be recovered and restored in the event of a security incident or technical problem being experienced.
Data Breach Notification Requirements of GDPR
Any organization that experiences a breach of data covered by GDPR must inform their Data Protection Authorities (DPAs) within 72 hours of the breach being discovered. Individuals impacted by a data breach must also be notified, if such a breach has potential to result in identity theft or fraud, discrimination, financial loss, reputation damage, or other significant economic or social disadvantage. Notifications will not be required if stored data are encrypted or are otherwise undecipherable and unusable.
Preparing for GDPR
Many organizations currently lack the necessary systems to ensure GDPR compliance. For instance, many do not have systems that allow them to easily identify consumer data, retrieve it, and delete it as necessary.
Privacy policies will need to be drafted and published to incorporate the new regulation and ensure GDPR compliance. Forms explaining consent to use data will need to be developed and published. Staff will need to be trained on the new rights of individuals. Policies must also be developed – or updated – covering data breach notifications in case personal information is exposed, accessed, or stolen. Additional security solutions will need to be implemented. GDPR compliance will involve considerable cost and resources and ensuring GDPR compliance will take time.
Organizations must therefore start preparing for the introduction of the new regulation. It may be a year before GDPR compliance is necessary, but given the necessary changes, organizations should start planning now. From May next year, GDPR compliance will be mandatory and there will be severe penalties for non-compliance.
What are The Penalties for Non-Compliance with GDPR?
Any organization that fails to comply with GDPR can be fined by their DPAs. DPAs will be given more powers to investigate data breaches and non-compliance. The potential fines for non-compliance with GDPR are considerable.
If an organization does not comply with the GDPR security standards, a fine of up to €10 million can be issued or 2% of global annual turnover, whichever is the greater. The failure to comply with GDPR privacy standards can attract a fine of up to €20 million or 4% of global annual turnover, whichever is the greater.
Fines will be dictated by the extent of the violation or data breach, the number of individuals impacted, and the extent to which the organization has implemented controls and standards to ensure GDPR compliance.
Individuals also have the right to seek compensation if their personal information is misused or stolen, if they have suffered harm as a result. Criminal sanctions may also be applied, such as if data is collected without consent.
Organizations are likely to suffer reputational damage in the event of a data breach, as the EU will be naming and shaming organizations that fail to implement appropriate measures to protect data and prevent data breaches. Details of organizations that have not complied with GDPR will be published and made available to the public.
How Can TitanHQ Help with GDPR Compliance?
TitanHQ offers a range of data security solutions that offer real-time protection against viruses, malware, ransomware and spyware to help organizations effectively manage risk, prevent data breaches, and ensure GDPR compliance.
TitanHQ offers award-winning security solutions to prevent web-based and email-based cyberattacks, in addition to helping organizations protect themselves from insider breaches.
SpamTitan is an advanced email security solution that protects organizations from email-based attacks such as phishing, blocking the most common method of malware and ransomware delivery. SpamTitan detects and blocks 99.97% of spam email, with a range of deployment options to suit the needs of all businesses.
WebTitan offers industry-leading protection against a wide range of web-based threats such as exploit kits, malvertising, phishing websites and drive-by malware downloads. The solution allows data protection officers to limit the types of websites that can be accessed by employees to minimize risk.
ArcTitan is an easy to use email archiving system that copies all inbound and outbound messages and stores them in an encrypted email archive, preventing loss of data and ensuring emails can be recovered and audited. The solution satisfies GDPR compliance requirements for identifying, retrieving, and deleting individuals’ personal data, when its purpose has been served or consent is withdrawn.
For more information on TitanHQ’s cybersecurity solutions and how they can help with GDPR compliance, contact the TitanHQ team today.
Do you have any machines running on unsupported operating systems? Is all of your software up to date with all of the latest patches applied? If you are not patching promptly or are still running outdated, unsupported operating systems or software, you are taking unnecessary risks and are leaving your network open to attack.
Hackers are constantly trawling the Internet looking for vulnerable systems to attack. Even if you are only running Windows XP or Vista on one networked machine, it could allow a hacker to exploit vulnerabilities and gain access to part or all of your network.
An alarming number of businesses are still running outdated software and are not patching promptly. For instance, 7.4% of businesses are still using Windows XP, even though Microsoft stopped issuing patches three years ago.
Hackers are discovering new vulnerabilities in software and operating systems faster than the software manufacturers can address those flaws. Zero-day vulnerabilities are regularly discovered and exploits developed to take advantage of the flaws and gain access to business networks. When a software developer stops issuing updates, the list of potential vulnerabilities that can be exploited grows fast.
Take Windows for example. Each set of updates released by Microsoft every Patch Tuesday contains patches to remediate several critical vulnerabilities that could be exploited to run code or access a system and gain user privileges. While exploits may not currently exist for those flaws at the time the patches are released, that is not the case for long. Hackers can look at the updates and reverse engineer patches to discover the vulnerabilities. Exploits can then be developed to attack unpatched machines.
Take the set of flaws addressed by Microsoft in its March Patch Tuesday update as an example. Microsoft silently patched a slew of flaws for which exploits had been developed. Four days later, exploit tools from The Equation Group were dumped online by Shadow Brokers. Those tools could be used to exploit the flaws addressed by Microsoft a few days previously.
The exploit tools can be used to attack unpatched machines, but the patches were only issued to address flaws in supported versions of Windows. Many of those exploit tools can be used to attack unsupported Windows versions such as XP and Vista.
One of those tools, called EternalRomance, will likely work on all previous versions of Windows back to Windows XP. EasyPi, EclipsedWing, EmeraldThread, ErraticGopher and EsteemAudit have all been confirmed to work on Windows XP.
Those are just the exploit tools from The Equation Group that were recently leaked. They represent just a small percentage of the exploits that exist for flaws in older, unpatched Windows versions. In addition to exploits for Windows flaws, there are exploits for many software programs.
There will always be zero day exploits that can be used to attack businesses, but running outdated software and unsupported operating systems makes it too easy for hackers.
Businesses of all sizes must therefore ensure that they have good patch management policies covering all software and operating systems and all devices. However, since unsupported operating systems will never be patched, continued use of those products represents a very large and unnecessary risk.
The cost of a ransomware attack is far higher than the amount demanded by cybercriminals to unlock encrypted files. The final cost of a ransomware attack is likely to be many times the cost of the ransom payment. In fact, the ransom payment – if it is made – could be one of the lower costs that must be covered.
Typically, cybercriminals charge between $400 and $1,000 per infected computer to supply the keys to decrypt data. If one member of staff is fooled into clicking on an infected email attachment or downloading ransomware by another means, fast action by the IT team can contain the infection. However, infections can quickly spread to other networked devices and entire networks can have files encrypted, crippling an organization.
Over the past 12 months, ransomware attacks have increased in number and severity. New ransomware variants are constantly being developed. There are now more than 600 separate ransomware families, each containing many different ransomware variants.
Over the past year there has also been an increase in ransomware-as-a-service (RaaS). RaaS involves developing a customizable ransomware which is rented out to affiliates. Any individual, even someone with scant technical ability, can pay for RaaS and conduct ransomware campaigns. Access to the ransomware may be as little as $50, with the affiliate then given a cut of the profits. There has been no shortage of takers.
Figures from FireEye suggest ransomware attacks increased by 35% in 2016. Figures from the FBI released in March 2016 suggested ransomware had already netted cybercriminals $209 million. Herjavec Group estimated that ransomware profits would top $1 billion in 2016; a considerable rise from the $24 million gathered during the previous calendar year. Figures from Action Fraud indicate ransom payments in the United Kingdom topped £4.5 million last year.
While ransom demands for individual infections can be well below $1,000, all too often ransomware spreads to multiple computers and consequently, the ransom increases considerably. Cybercriminals are also able to gather information about a victim and set ransoms based on ability to pay.
In June 2016, the University of Calgary paid $16,000 to recover its email system. In February last year, Hollywood Presbyterian Medical Center (HPMC) paid a ransom payment of $17,000 to unlock its system. A ransom demand in excess of $28,000 was demanded from MIRCORP following an infection in June 2016. The MUNI metro ransomware attack in San Francisco saw a ransom demand of $73,000 issued!
Figures from Malwarebytes suggest globally, almost 40% of businesses experienced a ransomware attack in the previous year. Ransomware is big business and the costs are considerable.
What is the Cost of a Ransomware Attack?
Ransomware infections can cause considerable financial damage. The cost of a ransomware attack extends far beyond the cost of a ransom payment. The Malwarebytes study suggests more than one third of businesses attacked with ransomware had lost revenue as a result, while 20% were forced to stop business completely.
The FBI and law enforcement agencies strongly advise against paying a ransom as this only encourages further criminal activity. Organizations that are unprepared or are unable to recover data from backups may have little choice but to pay the ransom to recover data essential for business.
However, the true cost of a ransomware attack is far higher than any ransom payment. The HPMC ransomware infection resulted in systems being out of action for 10 days, causing considerable disruption to hospital operations.
System downtime is one of the biggest costs. Even if backup files exist, accessing those files can take time, as can restoring systems and data. Even if a ransom is paid, downtime during recovery is considerable. One study by Intermedia suggests 32% of companies that experienced a ransomware attack suffered system downtime for at least five days.
A study by Imperva of 170 security professionals indicates downtime is the biggest cost of a ransomware attack. 59% of respondents said the inability to access computer systems was the largest cost of a ransomware attack. 29% said the cost of system downtime would be between $5,000 and $20,000 per day, while 27% estimated costs to be in excess of $20,000 per day.
One often forgotten cost of a ransomware attack is notifying affected individuals that their data may have been compromised. Healthcare organizations must also notify individuals if their protected health information (PHI) is encrypted by ransomware under HIPAA Rules.
Major attacks that potentially impact tens of thousands of patients could cost tens of thousands of dollars in mailing and printing costs alone. Credit monitoring and identity theft protection services may also be warranted for all affected individuals.
Many affected individuals may even choose to take their business elsewhere after being notified that their sensitive information may have been accessed by cybercriminals.
Following a ransomware attack, a full system analysis must be conducted to ensure no backdoors have been installed and all traces of malware have been removed. Additional protections then need to be put in place to ensure that future attacks do not occur.
The true cost of a ransomware attack is therefore considerable. The final cost of a ransomware attack could be several hundred thousand dollars or more.
It is therefore essential that businesses of all sizes have appropriate protections in place to prevent ransomware attacks and limit their severity if they do occur.
To find out more about some of the key protections that you can put in place to improve your resilience against ransomware attacks, contact the TitanHQ team today.
In all likelihood, 2016 will be forever remembered as The Year of Ransomware, in the same way that 2014 was the year of the healthcare data breach.
2016 Will be Remembered as The Year of Ransomware
Ransomware first appeared in the late 1980s, although at the time, cybercriminals did not fully embrace it. Instead, they favored viruses, worms, and other forms of malware. That’s not to say that ransomware was not used, only that there were more lucrative ways for cybercriminals to make money.
That all started to change in 2015, when the popularity of cryptomalware was fully realized. By 2016, many actors had got in on the act and the number of ransomware variants started to soar, as did attacks on healthcare providers, educational institutions, government departments, businesses, and even law enforcement agencies. In 2016, it appeared that no one was immune to attack. Many organizations were simply not prepared to deal with the threat.
Early in the year it became clear that healthcare organizations were starting to be targeted for the first time. In February, one of the most notable ransomware attacks of the year occurred. Hollywood Presbyterian Medical Center in Hollywood, CA., was attacked and its computers were taken out of action for well over a week while the medical center grappled with the infection. The decision was taken to pay the ransom demand of $17,000 to obtain the key to decrypt its data.
Not long afterwards, MedStar Health suffered a massive infection involving many of the computers used by the hospital system. In that case, the $19,000 ransom was not paid. Instead, encrypted data were recovered from backups, although the disruption caused was considerable. 10 hospitals and more than 250 outpatient centers had their computers shut down as a result of the infection and many operations and appointments had to be cancelled.
In the first quarter of 2016 alone, the FBI reported that more than $206 million in ransom payments had been made by companies and organizations in the United States. To put that figure in perspective, just $24 million had been paid in the whole of 2015 – that represents a 771% increase in ransom payments, and only three months had passed. The year of ransomware had barely even begun!
Biggest Ransomware Threats in 2016
TeslaCrypt was one of the biggest ransomware threats at the start of the year, although the emergence of Locky ransomware in February saw it become an even bigger threat. It soon became the ransomware variant of choice. Locky was used in attacks in 114 countries around the world last year, and cybercriminals continue to tweak it and release new variants. Locky has yet to be cracked by security researchers. Then came Cerber, CryptXXX, Petya (which was defeated in April), and Dogspectus for smartphones, to name just a few.
By the summer, The Guardian newspaper reported that 40% of UK businesses had been attacked with ransomware, although the majority of ransomware attacks were concentrated in the United States. By the autumn, more than 200 ransomware families had been discovered, each containing many variants.
Reports of attacks continued to flood in over the course of the year, with ransomware arguably the biggest cybersecurity threat seen in recent years.
2016 was certainly The Year of Ransomware, but 2017 doesn’t look like it will get any easier for security professionals. In fact, 2017 is likely to be even worse. Some experts have predicted that ransomware revenues will reach $5 billion in 2017.
You can find out more interesting – and horrifying – ransomware statistics by clicking the image below to view the TitanHQ ransomware infographic. The ransomware infographic also includes information on the protections that should be put in place to prevent ransomware attacks and the encryption of sensitive data.
Consumers and businesses need to take steps to protect their computers from malware infections, but should there be more malware protection at the ISP level?
Businesses and personal computer users are being infected with malware at an alarming rate, yet those infections often go unnoticed. All too often malware is silently downloaded onto computers as a result of visiting a malicious website.
Websites containing exploit kits probe for vulnerabilities in browsers and plugins. If a vulnerability is discovered it is exploited and malware is downloaded. Malware can also easily be installed as a result of receiving a spam email – if a link is clicked that directs the email recipient to a malicious website or if an infected email attachment is opened.
Cybercriminals have got much better at silently installing malware. The techniques now being used see attackers install malware without triggering any alerts from anti-virus software. In the case of exploit kits, zero-day vulnerabilities are often exploited before anti-virus vendors have discovered the flaws.
While malware infections may not be detected by end users or system administrators, that does not necessarily mean that those infections are not detected. Internet Service Providers – ISPs – are in a good position to identify malware infections from Internet traffic and an increasing number are now scanning for potential malware infections.
ISPs are able to detect computers that are being used for malicious activities such as denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks, and doing so is a relatively easy process.
Malware Protection at the ISP Level
Malware protection at the ISP level involves implementing controls to prevent malware infections and notifying consumers when malicious activity is detected.
ISPs can easily check for potential malicious activity on IP addresses, although blocking those IP addresses is not the answer. While some computers are undoubtedly knowingly used for malicious purposes, in many cases the users of the computers are unaware that their device has been compromised.
ISPs can however alert individuals to a potential malware infection when suspicious activity is identified. Warning emails can be sent to end users to advise them that their computer is potentially infected with malware. Those individuals can be sent a standard email template that contains instructions on how to check for a malware infection.
An increasing number of ISPs are now performing these checks and are notifying their customers of suspicious activity. Many ISPs in Europe provide this cybersecurity checking service and Level 3 Communications is one such ISP that is taking the lead.
The ISP is assessing Internet traffic and is identifying potentially malicious activity associated with certain IP addresses. So far, the ISP has created a database containing around 178 million IP addresses that are likely being used for malicious activity. Many of those IP addresses are static and are part of a botnet. Level 3 Communications has estimated that around 60% of those IP addresses have been added to a botnet and 22% of the suspicious IP addresses are believed to be used to send out phishing email campaigns.
The content of Internet traffic is not investigated, although the ISP has been able to determine the IP addresses being used and those which are being sent messages and Internet traffic. While the IP addresses are known, the individuals that use those IP addresses are not. In order to notify individuals of potential infections, Level 3 Communications is working with hosting providers. Once the individuals are identified they are contacted and advised of a potential malware infection.
The war on cybercrime requires a collaborative effort between law enforcement, governments, ISPs, and consumers. Only when all of those parties are involved will it be possible to curb cybercrime. Consumers can take steps to prevent infection, as can businesses, but when those measures are bypassed, ISPs can play their part.
If all ISPs were to conduct these checks and send out alerts, malware infections could be tackled and life would be made much harder for cybercriminals.
ISP Web Filtering for WiFi Networks – Protecting Consumers from Malware Infections
Notifying consumers about malware infections is one thing that should be considered, but malware protection at the ISP level should be implemented to prevent consumers and businesses from being infected in the first place.
ISPs can implement web filtering controls to block the accessing of illegal website content such as child pornography. The same technology can also be used to block websites known to contain malware. Broadband providers can implement these controls to protect consumers, and providers of public Internet can use web filtering for WiFi networks.
WiFi filters have already been implemented on the London Underground to prevent users from accessing pornography. Those controls can be extended to block websites known to be malicious. In the UK, Sky WiFi networks use filtering controls to block certain malicious and inappropriate website content from being accessed to better protect consumers. Effective malware protection at the ISP level not only keeps consumers protected, it is also a great selling point in a highly competitive market.
If you are an ISP and are not yet using filtering controls to protect your customers, speak to TitanHQ today and find out more about malware protection at the ISP level and how low-cost web filtering controls can be implemented to keep customers better protected.
The past few months have seen an increase in phishing attacks on law firms. Cybercriminals are attacking law firms to gain access to the highly confidential data held by attorneys and solicitors. Healthcare industry attacks are often conducted to obtain sensitive patient data that can be used for identity theft and tax fraud. Phishing attacks on law firms on the other hand are conducted to steal data for insider trading. Data are also stolen to allow cybercriminals to blackmail law firms.
Law firms are threatened with reputation-killing publication of highly sensitive client data if sizeable payments are not made. Since law firms hold secret documents, including potentially damaging information on their clients, it is not only the law firm that can be blackmailed. Clients are also contacted and threatened. The profits that can be made from insider trading are enormous. The data held by law firms is incredibly valuable. It is therefore no surprise that phishing attacks on law firms are increasing. Cybercriminals see law firms as perfect targets.
Last year, more than 50 law firms were targeted by Russian hackers using a spear phishing campaign. The aim of that attack was to gather information that could be used for insider trading. The group, called Oleras, attacked some of the best-known law firms operating in the United States, including Cravath Swaine & Moor LLP and Gotshal and Manges LLP.
However, while those attacks were damaging, they arguably caused less harm than the Panama Papers breach – the largest law firm data breach of the year. That attack resulted in an astonishing 2.6 terabytes of data being stolen by the attackers – documents that revealed highly sensitive banking activities of criminals, politicians, athletes and businesspeople. More than 214,000 companies had data revealed as a result of that law firm data breach.
While law firms must ensure that firewalls are in place along with a host of other cybersecurity protections to prevent their systems from being hacked, all too often data breaches start with phishing attacks on law firms. A simple email containing a link to a website is sent to attorneys’ and solicitors’ inboxes. The links are clicked and users are fooled into revealing login credentials to networks and email accounts. The credentials are captured and used to gain access to sensitive data.
Website filtering for law firms is now as essential a protection as the use of antivirus software. Antivirus software may be able to detect attempted malware installations – although it is becoming less effective in that regard – but it will do little to prevent phishing attacks.
A web filter protects law firms by preventing users from visiting malicious links in emails. A website filtering solution also prevents end users from downloading malware, or accessing websites known to carry a high risk of infection with ransomware or malware. A web filter also prevents law firm staff from accidentally visiting phishing websites when browsing the Internet. Along with a robust spam filtering solution to prevent phishing emails from being delivered, law firms can make their networks and email accounts much more secure.
Further information on recent phishing attacks on law firms, along with steps that can be taken to prevent security breaches, can be found by clicking the image below. Clicking the image will direct you to a useful phishing infographic on this website.
You have secured your servers, you have end point protection, but have you ensured your organization is protected against printer hacking? According to one hacker, as many as 300,000 organizations have left a gaping hole in their security defenses as a result of leaving their printers open to the Internet and failing to even use any form of authentication.
Your Printer Has Been Owned!
The hacker decided to draw attention to the problem, not by publishing details of the flaws, but by attacking around 150,000 companies. The attack was rather benign. The hacker did not attempt to gain access to network resources or install malware. He just sent rogue jobs to the printers.
The printouts said “Your printer has been owned.” The hacker also claimed the printers had been added to ’a flaming botnet’ as a result of the lack of security in place. Some of the messages sent are not appropriate for reproduction. A common message was ‘everyone likes a meme, fix your bull***t.’
The claims were not true, but the hacker did prove a point. Printer hacking is a very real threat and future attacks may be much more malicious in nature. If printers are left open to the Internet with no authentication required, they could be subjected to DoS attacks. Companies would be left unable to print. Printers could also be added to botnets. Those would be best-case scenarios of course. Printer hacking could cause much more serious harm.
Hackers could take advantage of flaws and run arbitrary code. Printers could be used as a launchpad to gain access to corporate networks, sabotage systems, install malware and ransomware, and steal corporate secrets and sensitive customer and patient data.
Following the printer cyberattack, the ‘victims’ took to social media to report the incidents. Some reported that corporate network printers were affected, others claimed their POS system printers had been owned. In the case of the former, the cyberattack could potentially have resulted in a network compromise. In the case of the latter, credit and debit card-stealing malware could have been installed.
The hacker in question claims he is a UK student with an interest in security research. He says he has access to RCE flaws that would enable him to take control of more than 300,000 printers. In this experiment, he took advantage of the lack of authentication controls on communications port 9100. The attacks involved the RAW protocol, Internet Printing Protocol (IPP) and the Line Printer Daemon (LPD).
Many of the printers susceptible to printer hacking are used by universities and other higher education establishments. In a separate ‘attack’ a different hacker also proved a point about the lack of security controls, the ease of finding devices to attack, and just how easy it was to send rogue output to printers. He chose to send anti-Semitic print jobs to printers at universities in the United States for maximum coverage. After the attacks, reports started flooding social media from students at Yale, UC Berkeley, DePaul University and UMass Amherst.
Printer Hacking Mitigation Required
The two hacks come just a few days after security researchers in Germany announced they had discovered vulnerabilities in printers manufactured by some of the big names in computer hardware, such as Samsung, HP, Dell and Lexmark. More than 20 models of printer were discovered to contain flaws that could be easily exploited. Undoubtedly many more printers are vulnerable.
If printers are left exposed and can be accessed by anyone over the Internet, it will only be a matter of time before a malicious attack occurs. Protecting against printer hacking is therefore essential. To do this, printers should be set up on a virtual private network (VPN) and organizations should make 100% sure that their printers cannot be accessed through public IP addresses. That would require access controls to be applied to routers to whitelist certain IP ranges.
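One way to put the last two recommendations into practice on a Linux router or firewall that sits between the Internet and the printer subnet, given here as an added example rather than anything from the original article or from TitanHQ: the printer services named above (raw port 9100, IPP and LPD) are reachable only from internal addresses, and anything arriving from the WAN interface for the printer subnet is logged and dropped. The interface names, subnets and the printer address are placeholders; the IPP and LPD port numbers (631 and 515) are the standard ones.

```nftables
# Added example, not from the original article. Placeholders to adapt:
#   eth0           = WAN (public) interface
#   eth1           = LAN interface facing internal clients
#   10.20.30.0/24  = printer subnet
#   10.0.0.0/8     = internal client range permitted to print
# Merge these rules into the existing forward policy rather than replacing it.
table inet printer_guard {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Reply traffic for flows that were already permitted (e.g. a print job).
        ct state established,related accept

        # Printer services: raw/JetDirect (9100), IPP (631), LPD (515).
        # Only internal clients on the LAN interface may reach them.
        iifname "eth1" ip saddr 10.0.0.0/8 ip daddr 10.20.30.0/24 tcp dport { 9100, 631, 515 } accept

        # Nothing from the WAN interface may reach the printer subnet.
        # Logging the drops is the check that shows whether anything is probing.
        iifname "eth0" ip daddr 10.20.30.0/24 log prefix "printer-wan-drop: " drop
    }
}

# The exposure described in the article usually comes from a port-forward such as
# the following (shown commented out as the weak setting); it publishes a printer's
# port 9100 on the public IP and must not be present:
#   chain prerouting { type nat hook prerouting priority -100;
#       iifname "eth0" tcp dport 9100 dnat ip to 10.20.30.5 }
```

After loading the ruleset, the "printer-wan-drop:" entries in the kernel log are the evidence that the printer subnet is no longer reachable from public addresses.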
A restaurant WiFi filtering service can help to keep customers safe when they use the Internet by blocking access to websites known to contain malware. A restaurant WiFi filtering service will also ensure that patrons can only view website content that is suitable for families.
WiFi networks are often abused and used by some individuals to view pornography or other material that has no place in a restaurant. If one diner chooses to view such material on a personal device while in a restaurant, other diners may catch glimpses of the screen – that hardly makes for a pleasant dining experience.
However, there is another important reason why a restaurant WiFi filtering service should be used. It protects not only diners, who face a range of web-borne threats while using free WiFi networks, but also the restaurant’s own computer systems.
Each year, many restaurants discover that their computers and networks have been infected with malware. Malware infections are often random; however, restaurants are now being targeted by cybercriminals. If a hacker can gain access to a restaurant’s computer network and succeeds in loading malware onto its POS system, every customer who pays for a meal with their debit or credit card could have their card details sent to the hacker.
Restaurants, especially restaurant chains, are targeted for this very reason. One infected POS system will give a cybercriminal a steady source of credit card numbers. Each year, there are many examples of restaurants that have been attacked in this manner. One of the latest restaurant chains to be attacked was Popeyes Louisiana Kitchen – a multinational chain of fried chicken and fast food restaurants.
Popeyes recently discovered a cyberattack that resulted in malware being installed on its systems. The attack started on or around May 5, 2016 and continued undiscovered until August 18, 2016. During that time, certain customers who paid for their meals on their credit and debit cards had their card numbers stolen by the malware and passed on to the attackers.
Popeyes only discovered the cyberattack when it received notification from its credit card processor of suspicious activity on customers’ accounts. CCC Restaurant Enterprises, which operates Popeyes, retained a forensic expert to analyze its systems for signs of compromise. That analysis revealed a malware infection. The information-stealing malware was passing card details to the attacker and those details were being used to defraud customers. Ten restaurants in the chain were known to have been affected. Those restaurants were located in Georgia, North Carolina, and Texas. The malware infection has now been removed and customers are no longer at risk, although the cyberattack undoubtedly caused reputation damage for the chain.
Malware can be installed via a number of different vectors. Vulnerabilities can be exploited in servers and software. It is therefore essential to ensure that all software is patched and kept up to date. Attacks can occur via email, with malicious links and attachments sent to employees. A cloud-based anti spam service can block those emails and prevent infection. Attacks can also take place over the Internet. The number of malicious websites now produced every day has reached record levels and the threat level is critical.
A restaurant WiFi filtering service will not protect against every possible type of attack but it does offer excellent protection against web-borne threats. A web filtering service can also prevent users from visiting malicious links sent in spam and phishing emails, blocking users’ attempts to click the links. A restaurant WiFi filtering service will also ensure family-friendly Internet access is provided to customers. Something that is increasingly important for parents when choosing a restaurant.
To find out more about how a restaurant WiFi filtering service can be implemented, the wide range of benefits that such a service offers, and for details of how you can trial the WebTitan restaurant WiFi filtering service for 30 days without charge, contact the TitanHQ team today.
The increase in cyberattacks and the proliferation of web-borne threats have made web filtering for Managed Service Providers one of the most important, and most profitable, opportunities for MSPs. However, not all MSPs have started offering a web filtering service to their clients, even though web filtering is now an essential cybersecurity defense.
Why is web filtering for Managed Service Providers now so important? Listed below – and in a useful infographic – are some of the reasons why businesses need to control the websites that can be visited by their employees and why web filtering for Managed Service Providers is an important addition to any MSP's service stack.
Cybercriminals Have Switched from Email to the Web to Spread Malware
Email remains one of the most likely routes by which malware is installed. Malicious email volume is growing: in Q3 2016, Proofpoint found that 96.8% of malicious attachments were used to deliver Locky ransomware. Blocking malicious spam is therefore an essential element of any organization's cybersecurity defense strategy. However, times are changing: the threat from web-borne attacks has increased significantly in the past few years.
Cybercriminals are well aware that most organizations now use a spam filter to block malicious messages, and that many now train end users to recognize the risks of opening email attachments or clicking hyperlinks sent by strangers.
However, far fewer businesses have implemented a solution that blocks web-borne threats. Consequently, cybercriminals have changed their focus from email to the Internet.
The shift to the web means cybercriminals can reach a much bigger target audience and can spread malware and ransomware more effectively. The extent of this paradigm shift is deeply concerning.
Now, more than 80% of malware is web-related and spread via malicious web adverts, hijacked websites, and websites that have been created with the sole purpose of infecting visitors with malware.
As TitanHQ CTO Neil Farrell points out, “the average business user now encounters 3 malicious links per day.” Those links are rarely recognized as malicious, and the malware downloads that result from visiting them often go undetected.
Web-Borne Threats have Increased Substantially in Recent Years
Cybercriminals plant exploit kits – malicious code that probes a visitor's browser and plugins for exploitable vulnerabilities – on hijacked webpages and on purpose-built, malware-laced websites. Zero-day vulnerabilities are frequently identified in web browsers, browser plugins, and extensions, and these flaws can be exploited to download malware and ransomware. Each time a new flaw is disclosed, it is rapidly added to a swathe of exploit kits.
Anti-virus software can detect a high percentage of malware and prevent it from being installed on computers; however, new malware samples are being released at an unprecedented rate – one every 4 seconds. There is inevitably a lag between the release of a new sample and the addition of its signature to vendors' definition lists, and during that window signature-based detection offers no protection. Visits to malicious websites all too often result in malware installations that go undetected.
Malicious websites are constantly being created. Google reports that 113,132 new phishing websites have been created since July 2013, and it is businesses that are being targeted. TitanHQ now adds over 60,000 new malware-spreading websites to its blocklists every single day.
Companies that fail to block these web-borne threats face a high risk of their computers and networks being infected with malware. Figures from IDC show that 30% of companies employing more than 500 staff have experienced malware infections as a result of end users surfing the Internet.
New Threats are Constantly Being Developed
Malware is used to log keystrokes and harvest login credentials for further, more sophisticated attacks; banking credentials are stolen and fraudulent transfers are made. Businesses also have to contend with the current ransomware epidemic: 40% of businesses have now been attacked with ransomware.
Malware and ransomware infections do not just occur via obscure websites that few employees visit. Hugely popular news sites such as the New York Times and the BBC have been discovered to display adverts containing malicious code. Social media websites are also a major risk. 24% of organizations have been infected with malware via Facebook and 7% via LinkedIn/Twitter, according to a recent study by Osterman Research.
These and other serious threats, along with the extent to which infections are occurring, have been summarized in a new infographic that can be accessed by clicking on the image below:
WebTitan Cloud – Web Filtering for Managed Service Providers
Fortunately, there is an easy solution to prevent web-borne attacks: WebTitan Cloud. WebTitan Cloud is a 100% cloud-based web filtering solution that can be used to prevent end users from visiting websites known to contain malware. WebTitan can be configured to block malicious adverts and can prevent end users from being directed to malware-infected websites if malicious links are clicked.
Given the range of threats and the extent to which cybercriminals are using the web, organizations now need to add web filtering to their cybersecurity defenses. Consequently, web filtering presents a huge growth opportunity for Managed Service Providers. TitanHQ has seen a significant increase in uptake of its MSP web filtering service in recent months as MSPs have started to appreciate its potential to improve their bottom lines.
WebTitan can be rapidly added to an MSP's service stack and is an easy sell to clients. It can be deployed, installed, and configured remotely. The solution is updated automatically, requires little to no IT support, is technology agnostic, and therefore has an extremely low management overhead. It also scales to protect any number of end users.
MSPs can be provided with a white-label version of WebTitan Cloud ready for branding, and WebTitan Cloud can even be hosted within an MSP's own environment. Perhaps most important for MSPs is the high-margin recurring SaaS model. That means high recurring revenues for MSPs and better bottom lines.
Contact TitanHQ today to find out more about web filtering for Managed Service Providers, for full technical specifications, and to discover just how easy it is to add WebTitan to your service stack and start boosting profits.
Many employers are not entirely happy with employees using social media sites in the workplace, and with good reason: There are many risks of social media in business and the costs can be considerable.
Social Media Use Can be a Huge Drain on Productivity
When employees are spending time updating their Facebook accounts or checking Twitter they are not working. All those minutes spent on social media platforms really do add up. Social media site use can be a major drain on productivity.
If every employee in an organisation spends an hour a day on social media sites, the losses are considerable. Unfortunately, many employees spend much more than an hour a day on the sites.
Salary.com reports that around 4% of employees waste more than half of each day on non-work related tasks. For a company employing 1,000 members of staff, that equates to more than 160 hours lost each day, not including the hour or two spent on social media sites by the remaining 96% of the workforce.
Social media site use is not all bad, in fact, the use of the sites can be good for productivity. Employees cannot be expected to work solidly for 8 or more hours each day; at least not 8 highly productive hours. If employees enjoy some ‘Facetime’ every hour or two, it can help them to recharge so they are more productive when they return to their work duties.
The problem for employers is how to control the use of Facebook in the workplace and ensure that social media site use is kept within acceptable limits. Taking 5 minutes off every hour or two is one thing. Taking longer can have a seriously negative impact. Unfortunately, relying on employees to self-moderate their use of social media sites may not be the best way to ensure that Internet use is not abused.
The Cost of Social Media Use Can Be Severe
Productivity losses can have a serious negative impact on profits, but there are far bigger costs to employers from social media site use. In fact, the risks of social media in business are considerable.
The cost of lost productivity can be bad, but nowhere near as bad as the cost of a malware or ransomware infection. Social media sites are commonly used by attackers to infect computers: simply visiting a malicious link shared on Facebook or Twitter can result in a malware or ransomware infection. The cost of resolving those infections can be astronomical, and the more time employees spend on non-work related Internet activities, the greater the risk of infection.
Is there a genuine risk? According to PC Magazine, the risks are very real: there is a 40% chance of infection with malicious code within 10 minutes of going online and a 94% chance of encountering malicious code within an hour.
Controlling employees' use of the Internet can not only result in large increases in productivity; it also helps to reduce the risk of malware and ransomware infections. Further, by limiting the sites that employees can access, organizations can greatly reduce legal liability.
Fortunately, there is a simple, cost-effective, and reliable solution that allows organizations to effectively manage the risks of social media in business: WebTitan.
Managing the Risks of Social Media in Business
WebTitan is an innovative web filtering solution that allows organizations to accurately enforce Internet usage policies. Employers can block inappropriate content to effectively reduce legal liability, block or limit the use of social media sites to improve productivity, and prevent users from encountering malicious code that could give cybercriminals a foothold in the network.
If you have yet to implement a web filtering solution to control Internet use in the workplace or you are unhappy with the cost or performance of your current web filtering product, contact TitanHQ today and find out more about the difference WebTitan can make to your bottom line.
To find out more about the risks of social media in business and why it is now so important to manage social media use in the workplace, click the image below to view our informative infographic.
One of the questions most frequently asked of the WebTitan customer support team is how to block Facebook chat at work without blocking access to Facebook entirely.
Why Block Facebook Chat at Work?
There are many reasons why an organization would want to prevent employees from accessing Facebook. Social media websites can be a drain on productivity. Some employees may spend hours of each day accessing and updating their Facebook account, which is time spent not working.
However, an employee cannot remain productive for a full eight hours each day. By allowing access to Facebook – and other social media sites – employers can actually increase productivity, providing social media site use is kept within acceptable limits.
If employees take short breaks throughout the day and access Facebook for a few minutes every hour, they are likely to be more productive. Morale can also be improved with a little social media site use.
However, there is the question of security to consider, and Facebook chat is a particular cause for concern. Many organizations consider Facebook Chat a security risk: its use can increase the risk of malware infections, the chat function lacks the security controls demanded by many organizations, it makes it too easy for employees to share sensitive corporate data, and its use is difficult to police.
How to Block Facebook Chat Without Blocking Facebook Access
With WebTitan Cloud it is easy to block Facebook chat at work without blocking Facebook access entirely. The process takes just a few seconds and is detailed in the video presentation below (and described underneath).
To block Facebook chat at work, open your WebTitan Cloud administration panel and navigate to “Filtering URL keywords.”
To block Facebook chat you need to add two blacklisted keywords. Enter the first keyword:
Then set the filter options to ‘find keyword in entire URL’.
The second keyword that must be blocked is:
As before, set the filter options to ‘find keyword in entire URL’.
These two files are used by Facebook chat; if requests for them are blocked, Facebook chat will not function, while the rest of the Facebook website remains accessible.
For URL keyword rules to work on HTTPS traffic the filter has to see the full URL, not just the hostname, which means the WebTitan SSL certificate must be pushed out to the browsers so that inspected HTTPS connections are trusted. Further information on how to do this via GPO or manually can be found in the help section on the WebTitan website.
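The following is an added example, not WebTitan code, that shows why the 'find keyword in entire URL' option and the SSL certificate step go together. The rules, hostnames and the `chat-endpoint` keyword are placeholders invented for the example; the real Facebook chat file names are not reproduced here. Without TLS interception a filter can only see the hostname of an HTTPS request, so a keyword that lives in the path never matches:

```python
from urllib.parse import urlsplit

# Hypothetical keyword rules, constructed for this example. Each rule is
# (keyword, match_entire_url): False matches the hostname only, True matches
# the whole URL (scheme, host, path and query), i.e. the 'find keyword in
# entire URL' option. The real chat file names are not given here.
RULES = [
    ("chat-endpoint", True),        # placeholder for a path/file used by a chat feature
    ("badsite.example", False),     # hostname-only rule
]


def visible_part(url: str, tls_intercepted: bool) -> str:
    """Return the portion of a request a filter can actually inspect.

    For an https:// request that is not decrypted by the filter, only the
    hostname is observable (from the TLS SNI extension / certificate); the
    path and query stay inside the encrypted tunnel.
    """
    parts = urlsplit(url)
    if parts.scheme == "https" and not tls_intercepted:
        return parts.hostname or ""
    return url


def decide(url: str, tls_intercepted: bool) -> tuple:
    """Apply RULES to a request; returns ('block', keyword) or ('allow', None)."""
    host = urlsplit(url).hostname or ""
    observable = visible_part(url, tls_intercepted)
    for keyword, entire_url in RULES:
        haystack = observable if entire_url else host
        if keyword.lower() in haystack.lower():
            return ("block", keyword)
    return ("allow", None)


if __name__ == "__main__":
    for url, intercepted in [
        ("https://www.example.com/chat-endpoint?v=2", True),
        ("https://www.example.com/chat-endpoint?v=2", False),
        ("https://www.example.com/feed", True),
        ("https://cdn.badsite.example/x.js", False),
    ]:
        state = "intercepted" if intercepted else "not intercepted"
        print(url, state, "->", decide(url, intercepted))
```

The second case is the one the certificate step fixes: the same request is allowed when the filter cannot decrypt it, because the keyword sits in the path. Hostname-only rules keep working either way, which is why blocking a whole site never needs the certificate but blocking one feature of a site does.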
Are you taking steps to prevent drive-by malware downloads? Have you implemented controls to reduce your attack surface and prevent your employees from inadvertently downloading malware onto your network?
Malvertising – A Major Security Risk that Should be Managed
Malvertising is the term used for the practice of displaying malicious adverts to website visitors. The malicious adverts are served through third-party advertising networks that are present on a wide range of legitimate websites. Malicious adverts have been displayed to visitors to many of the top 500 global websites.
The New York Times website was discovered to be displaying malvertising served by a third-party ad network. Those adverts redirected visitors to websites where ransomware was downloaded. The UK's BBC website was similarly found to be displaying malicious adverts that resulted in ransomware downloads.
Other high-profile sites found to be displaying malvertising include AOL, the NFL website, Realtor, theweathernetwork, newsweek, infolinks, answers.com, and thehill, amongst many others.
Proofpoint recently announced that it had succeeded in shutting down the AdGholas malvertising operation. This large-scale operation was reported to have displayed malicious adverts to between 1 million and 5 million individuals per day. Researchers at Proofpoint estimated that between 10% and 20% of computers that loaded the malicious adverts were redirected to websites hosting exploit kits. Exploit kits probe for security vulnerabilities in web browsers and their plugins; if a vulnerability is found, malware is silently downloaded onto the visitor's computer. Of course, this was just one malvertising operation out of many.
Cost of Malware and Ransomware Infections
Some ransomware variants are capable of spreading laterally within a network, so one download may see multiple computers infected. Each infected device is encrypted with a separate key and a separate ransom demand is issued for each infection.
Organizations experiencing multiple infections can be issued with ransom demands of tens of thousands of dollars. In February 2016, Hollywood Presbyterian Medical Center paid $17,000 for the decryption keys to unlock its computers.
The threat from malware can be far more serious. Malware such as keyloggers can be used to obtain login credentials for corporate bank accounts, allowing criminals to make fraudulent transfers and empty company accounts. Malware can install backdoors that can be used to steal patient data from healthcare organizations. Failing to prevent drive-by malware downloads can prove very costly indeed. Recently, the Ponemon Institute calculated the average cost of a data breach to be $4 million, or $158 per compromised record, with healthcare records among the most expensive of all.
Prevent Drive-by Malware Downloads
To prevent drive-by malware downloads you need to employ a range of tactics. Good patch management policies help to ensure that devices are not left vulnerable. Software, browsers, and browser plugins should be kept up to date and patches applied promptly. Plugins and software commonly exploited by cybercriminals include Java, Adobe Flash, and PDF readers, as well as out-of-date web browsers.
Organizations can prevent employees from being directed to malicious websites by using a web filtering solution. A web filter can be configured to block websites known to contain malware or host exploit kits, and it can block third-party advertising from being displayed at all. Block the ad networks and malvertising is never rendered, whatever site it was bought on.
You should also implement Acceptable Usage Policies (AUPs) to limit the websites that employees can visit, and a web filter is how those policies are enforced. Employees can be instructed not to visit categories of website that carry a higher than average risk, but only a filter guarantees it. By blocking access to gambling websites, pornography, sites hosting illegal content, and other risky categories such as P2P file-sharing sites, risk can be greatly reduced.
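An added example, not TitanHQ code, of the two controls just described working together: category-based AUP enforcement and blocking of ad networks. The category table, the hosts and the policy are constructed for the example; a real filter maps millions of domains, but the lookup and the page-load decision are the same. It also adds a `block_uncategorized` option, the stricter posture a practitioner would consider given how many brand-new malicious domains appear each day:

```python
# Constructed category data (hypothetical hosts). A real service maps millions
# of domains; the lookup logic is what matters here.
CATEGORIES = {
    "ads.example.net": "advertising",
    "tracker.example.org": "advertising",
    "bet.example": "gambling",
    "malware-host.example": "malware",
    "p2p-share.example": "p2p",
    "news.example": "news",
}

# Categories the Acceptable Usage Policy blocks outright. Advertising is in the
# list so that third-party ad networks, the malvertising vector, never load.
BLOCKED_CATEGORIES = {"malware", "gambling", "pornography", "illegal", "p2p", "advertising"}


def categorize(host: str) -> str:
    """Look up a host, walking up the label hierarchy so that
    cdn.ads.example.net inherits the category of ads.example.net."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        category = CATEGORIES.get(".".join(labels[i:]))
        if category:
            return category
    return "uncategorized"


def enforce(host: str, blocked=BLOCKED_CATEGORIES) -> dict:
    """Return the policy decision for one host."""
    category = categorize(host)
    action = "block" if category in blocked else "allow"
    return {"host": host, "category": category, "action": action}


def filter_page_load(page_host: str, resource_hosts, block_uncategorized: bool = False) -> dict:
    """Simulate loading a page and the third-party resources it embeds.

    The page itself can be allowed while the ad-network scripts it embeds are
    blocked, which is how malvertising on a legitimate site is prevented.
    block_uncategorized=True is the stricter posture: brand-new domains that
    no blocklist has caught up with yet are denied by default.
    """
    blocked = set(BLOCKED_CATEGORIES)
    if block_uncategorized:
        blocked.add("uncategorized")
    page = enforce(page_host, blocked)
    if page["action"] == "block":
        return {"page": page, "loaded": [], "blocked": []}
    loaded, stopped = [], []
    for host in resource_hosts:
        target = loaded if enforce(host, blocked)["action"] == "allow" else stopped
        target.append(host)
    return {"page": page, "loaded": loaded, "blocked": stopped}


if __name__ == "__main__":
    embedded = ["static.news.example", "cdn.ads.example.net", "tracker.example.org", "new-site.example"]
    print(filter_page_load("www.news.example", embedded))
    print(filter_page_load("www.news.example", embedded, block_uncategorized=True))
```

The news site loads and its own static content is fetched, while the two ad-network hosts are refused, so whatever creative the network would have served never reaches the browser. The uncategorized host is the trade-off: allowing it keeps new legitimate sites working, blocking it closes the window between a malicious domain going live and its appearance on a blocklist.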
A web filtering solution cannot prevent all data breaches and malware attacks, but it is a vital element of cybersecurity defenses that should not be ignored. It is one of the most important controls to employ to prevent drive-by malware downloads.
Another day passes and another ransomware variant emerges, although the recently discovered Ranscam ransomware takes nastiness to another level. Ranscam ransomware may not be particularly sophisticated, but what it lacks in complexity it more than makes up for in maliciousness.
The typical crypto-ransomware infection involves the encryption of a victim’s files, which is accompanied by a ransom note – often placed on the desktop. The ransomware note explains that the victim’s files have been encrypted and that in order to recover those files a ransom must be paid, usually in Bitcoin.
Since many victims will be unaware how to obtain Bitcoin, instructions are provided about how to do this and all the necessary information is given to allow the victim to make the payment and obtain the decryption key to unlock their files.
There is usually a time-frame for making payment. Usually the actors behind the campaign threaten to permanently delete the decryption key if payment is not received within a specific time frame. Sometimes the ransom payment increases if payment is delayed.
Ranscam Ransomware will not Allow Victims to Recover Their Files
Rather than encrypting files and deleting the decryption key, Ranscam ransomware threatens to delete the victim’s files.
The ransomware note claims the victim’s files have been encrypted and moved to a hidden partition on their hard drive, which prevents the files from being located or accessed. The payment requested by the actors behind this scam is 0.2 Bitcoin – Around $133 at today’s exchange rate.
While the ransom note claims that the victim’s files will be moved back to their original location and will be decrypted instantly once payment is received, this is not the case.
Unfortunately for the victims, by the time the ransom note is displayed their files have already been deleted. Paying the ransom will not result in the files being recovered: no decryption key will be provided because there isn't one.
Researchers at Cisco Talos – who discovered the Ranscam ransomware variant – noted that the ransomware authors have no way of verifying whether payment has been made; the ransomware only simulates the verification process. There is also no mechanism built into the ransomware that would allow a victim's files to be recovered.
Backup Your Files or Be Prepared to Lose Them
Many ransomware authors have a vested interest in ensuring that a victim's files can be recovered. If word spreads that there is no chance of recovering encrypted files, nobody whose computer is infected will pay the ransom. Locky, CryptoWall, and SamSam ransomware may be malicious, but at least their operators make good on their promise and supply a working decryption key. If they didn't, discovering that files had a .locky extension would be a guarantee that those files were permanently lost.
There are new ransomware variants being released on an almost daily basis. Many of the new variants are simplistic and lack the complexity to even allow files to be recovered. The discovery of Ranscam ransomware clearly shows why it is essential to make sure that critical files are regularly backed up. Without a viable backup, there is no guarantee that files can be recovered and you – or your organization – will be at the mercy of attackers. Not all will be willing – or able to – recover encrypted files.
Researchers at FireEye have reported that the Angler Exploit Kit has been updated and that it is now capable of bypassing Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) protection – the first time this behavior has been observed in the wild.
Angler Exploit Kit Could be Used to Deliver any Malicious Payload
The Angler exploit kit is being used to exploit vulnerabilities in the Silverlight and Adobe Flash plugins. If a vulnerable plugin is found, Angler downloads its malicious payload: TeslaCrypt ransomware. TeslaCrypt's operators shut the operation down a few weeks ago and released a master decryption key that can unlock all infections, and anti-virus firms have since developed tools that remove TeslaCrypt. However, it is probable that the Angler exploit kit will be updated to deliver other payloads for which no such fix exists; many distributors of TeslaCrypt have already transitioned to CryptXXX.
Currently EMET protections are only being bypassed on devices running Windows 7, although it is probable that attackers will soon develop EMET bypasses that work on more recent versions of Windows. That said, updating to later versions of Windows will help organizations improve their security posture. If an upgrade is not possible or practical, sysadmins should ensure that patches are applied promptly. If possible, ActiveX should be disabled, as should the Flash and Silverlight plugins. Uninstalling unnecessary software and disabling plugins reduces the attack surface.
EMET was developed to make memory corruption vulnerabilities harder to exploit, and while it has proved effective at preventing some attacks, this bypass shows that Microsoft's protection is not 100% effective. EMET can be used to reduce the risk of ransomware and other malware infections, but system admins should not rely on EMET alone. Multi-layered defenses should be employed to keep networks protected, as this bypass clearly shows. It remains essential to use anti-virus and anti-malware software and to keep definitions up to date.
While efforts can be made to prevent exploit kits from taking advantage of vulnerabilities in plugins, enterprises can reduce risk further by stopping end users from visiting websites known to host exploit kits. By implementing a web filtering solution and restricting access to certain categories of website, enterprises can greatly enhance their security posture.
There are a number of companies that offer web filtering services for MSPs; however, while many managed service providers are happy to provide web filtering to their clients if the service is requested, web filtering is not generally offered to clients as part of an MSP’s range of standard Internet services. Yet, by leveraging web filtering services for MSPs it is possible to substantially increase profits for very little effort.
Web filtering services for MSPs have been developed to be easy to implement, easy to sell to clients, and straightforward to manage, so why are more MSPs not offering web filtering to their clients as part of their Internet services?
Some MSPs may feel that there is not much of a market for web filtering. Draconian Internet usage policies may ensure that Internet access is not abused, yet highly restrictive Internet policies can have a negative impact on staff morale and productivity. Most employees can be trusted to get all of their daily tasks completed, while still occasionally checking Facebook, purchasing something on Amazon, and viewing the occasional YouTube video.
However, providing totally free access to the Internet is unwise. Not preventing employees from accessing illegal and inappropriate website content can cause employers many problems. Some of those problems can prove very costly to resolve. Any organization that has not chosen to filter the Internet – even to a minimal degree – may not be aware of the risks. If MSPs explain these risks, they are likely to find many of their clients will want to sign up for web filtering services.
What are the Main Benefits of Using Web Filtering Services?
There are two main reasons for using a web filter to control Internet content:
Reducing the Risk of Malware Infections
As we have seen in recent months, there is a clear and present danger of a serious malware infection. Cyberattacks are taking place with increasing regularity, new malware is being released at alarming rates, and cybercriminals have embraced ransomware and are using it to extort money out of businesses.
IT teams struggle to implement patches promptly, leaving their networks at risk of attack. This is mainly due to the frequency at which patches are released. Keeping all software – including web browsers and plugins – 100% up to date, 100% of the time is an uphill struggle.
If end users visit malicious websites containing exploit kits, malware and ransomware can be easily loaded onto networks. Issuing staff members with acceptable use policies (AUPs) can reduce the probability of end users visiting high-risk websites, while policies can help to reduce the risk from shadow IT installations, but unless those policies are enforced there is a risk that some employees will break the rules.
Numerous organizations have experienced phishing attacks even when training has been provided on how to identify phishing emails. Unfortunately, scammers are getting much better at crafting highly convincing emails to fool users into visiting websites containing exploit kits that can download malware.
Business email compromise scams have been increasing in recent months, prompting the FBI to issue warnings due to the high risk of attack. Scammers are impersonating CEOs, CISOs, and executives to get end users to visit websites and divulge their login credentials or download malware.
With so many Internet threats to deal with, policies are no longer enough to keep organizations’ networks free from malicious software and infections can prove very costly to resolve.
Controlling Personal Use of the Internet
Many companies take a relaxed attitude to personal Internet use, provided it is kept within certain limits. This is arguably the best option for employers and employees. Blocking personal access to the Internet can have a negative effect on staff morale, and all employees will need to use the Internet from time to time for personal reasons.
That said, there will always be some members of staff that choose to abuse their Internet access and this can lead to serious problems for employers. Not only is there a risk of malware infections, abuse of the Internet can have legal implications for employers. The use of illegal file sharing websites for copyright-infringing downloads, the accessing of illegal website content such as child pornography, or even the viewing of legal pornography in the workplace can cause many HR issues.
Of course, web filtering is not only about blocking access. It allows companies to monitor use of the Internet and identify employees who are breaking the rules before serious HR or legal issues arise. Web filtering also allows organizations to place limits on online activities at certain times of the day to ensure the workforce remains productive and bandwidth is not wasted.
Summary of the Benefits of Filtering the Internet
Blocks malware, ransomware, botnets, adware, and spyware installations
Prevents the accessing of illegal website content
Stops the downloading and installation of shadow IT
Prevents bandwidth wastage
Allows employers to monitor employees’ Internet usage
Prevents many HR issues
Helps organizations to comply with industry regulations
Can help to increase employee productivity
Benefits of Web Filtering Services for MSPs
Protects clients from Internet threats
Easily increases client revenue
Helps MSPs to attract more clients and win new business
Allows MSPs to provide a more comprehensive range of Internet services
Web Filtering Services for MSPs can be Easily Incorporated into Existing Service Packages
Web filtering services for MSPs no longer require expensive appliances to be purchased, and it is not necessary to use local IT support teams to visit clients to install and configure web filters. In fact, it is not even necessary to install software on clients’ devices or servers at all. Clients can have their Internet filtered within 5 minutes of them saying yes to a sales representative if cloud-based web filtering services are used.
Cloud-based web filtering services for MSPs require clients to make a small change to their DNS settings, something that even the least technical employee can be talked through over the phone. By pointing the DNS to the service provider's servers, the Internet can be filtered quickly and painlessly.
Web filtering services for MSPs can be easily offered to clients alongside managed service providers' other solutions. WebTitan Cloud – and WebTitan Cloud for WiFi – are offered as web filtering services for MSPs without any branding. MSPs are able to add their own logos and corporate color schemes, tailor block pages, and customize reports with their own branding. If required, MSPs can also host the solution within their own infrastructure or use a private cloud for clients.
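To make the "change the DNS settings" step concrete, here is an added example (not WebTitan code) of the decision a DNS-based filter makes for each query: parse the question out of a DNS packet, match the name and its parent domains against a blocklist, and either hand the query to the upstream resolver unchanged or answer it with the address of a block page. The blocklist, the sinkhole address (from the 192.0.2.0/24 documentation range) and the query packets are constructed for the example; a production resolver would also handle name compression, EDNS and the other record types.

```python
import socket
import struct

# Constructed blocklist and sinkhole address; both are hypothetical.
BLOCKED = {"malware-host.example", "ads.example.net"}
SINKHOLE_IP = "192.0.2.10"   # where the block page would be served from

QTYPE_A = 1


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Build a minimal DNS A/IN query; used here as constructed test input."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_A, 1)


def parse_question(packet: bytes):
    """Return (id, qname, qtype, offset just past the question section)."""
    qid = struct.unpack("!H", packet[:2])[0]
    off, labels = 12, []
    while True:
        length = packet[off]
        off += 1
        if length == 0:
            break
        labels.append(packet[off:off + length].decode())
        off += length
    qtype = struct.unpack("!H", packet[off:off + 2])[0]
    return qid, ".".join(labels), qtype, off + 4


def is_blocked(name: str) -> bool:
    """Match the name and every parent domain against the blocklist."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKED for i in range(len(labels)))


def handle(packet: bytes):
    """Return a sinkhole response for a blocked name, or None, meaning
    'forward this query to the upstream resolver unchanged'."""
    qid, name, qtype, qend = parse_question(packet)
    if not is_blocked(name):
        return None
    question = packet[12:qend]
    if qtype != QTYPE_A:
        # Blocked name, non-A query: reply with an empty (NODATA) answer section.
        return struct.pack("!HHHHHH", qid, 0x8180, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA; one answer
    # Answer RR: pointer to the name at offset 12 (0xC00C), type A, class IN,
    # TTL 60 seconds, RDLENGTH 4, then the sinkhole address.
    answer = struct.pack("!HHHIH", 0xC00C, QTYPE_A, 1, 60, 4) + socket.inet_aton(SINKHOLE_IP)
    return header + question + answer


def summarize(response: bytes) -> dict:
    """Decode the header fields and answer address of a response."""
    qid, flags, _qdcount, ancount = struct.unpack("!HHHH", response[:8])
    ip = socket.inet_ntoa(response[-4:]) if ancount else None
    return {"id": qid, "flags": flags, "answers": ancount, "ip": ip}


if __name__ == "__main__":
    for name in ("www.news.example", "cdn.ads.example.net"):
        reply = handle(build_query(name))
        print(name, "->", "forward upstream" if reply is None else summarize(reply))
```

Two caveats follow directly from the code. A DNS filter only ever sees the name being resolved, so it can block `ads.example.net` but cannot implement the path-based URL keyword rules that need a proxy with TLS inspection. And the control is only as good as the DNS setting: a client that points itself at a different resolver, or uses DNS over HTTPS, never asks this server, so the firewall should refuse outbound DNS to anything but the filtering service.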
The management overhead is low and the configuration of new accounts is quick and easy. New client accounts can be set up in approximately 20 minutes. Even reporting is taken care of with a full suite of pre-configured, schedulable reports, including instant email alerts.
The cost for the client is low with only a small spend required per user, per year, and the margins offered by TitanHQ on web filtering services for MSPs are generous. This allows MSPs to easily increase profits, in some cases, by tens of thousands of dollars.
If you want to attract new business, increase client spending, and easily increase profits, web filtering services for MSPs could well be the answer.
For further information on our web filtering services for MSPs, including a product demonstration and details of pricing, contact our sales team today.
This week, a new critical Symantec vulnerability has been discovered that enables an attacker to trigger a memory buffer overflow, allowing root-level control over a system to be gained without any user interaction. The cross-platform security vulnerability affects many Symantec and Norton anti-virus software releases.
Critical Vulnerability in Symantec AVE Scan Engine is “As Bad as it Can Possibly Get”
The critical fault has been found in the core scanning engine used in both Norton and Symantec anti-virus software, including Norton antivirus, and Symantec’s Scan Engine, Endpoint Antivirus, and Email Security, although other products may also be affected. The vulnerability affects Windows, Mac, Linux, and UNIX platforms.
Since the scan engine inspects files as they arrive on the system, including email attachments and downloads, the vulnerability could be exploited by an attacker simply by sending a file attachment to a user’s inbox. The user would not even be required to open the file: the on-access scan of the attachment is enough to trigger the flaw.
The vulnerability could therefore allow an attacker to take full control of the device on which the software has been installed with no user interaction necessary. The vulnerability has been described as “as bad as it can possibly get” by Tavis Ormandy – the researcher at Google Project Zero who discovered the security flaw.
Ormandy said that on Windows the flaw causes kernel memory corruption because “the scan engine is loaded into the kernel (wtf!!!).” On the other platforms the engine runs as root, so the same bug gives an attacker code execution with root privileges. It must be said, unpacking untrusted executables inside the kernel was perhaps not the best decision. Ormandy also discovered a number of other remote code execution vulnerabilities in Symantec products.
The new critical Symantec vulnerability has now been addressed – AVE version 20220.127.116.11 – although the remaining vulnerabilities have yet to be remediated. Users of Symantec and Norton branded products will have to wait until a patch is made available.
According to an advisory issued by Symantec, the critical vulnerability affects the AVE scanning engine and occurs “when parsing malformed portable-executable header files.” If one of these malformed portable-executable header files is downloaded in an application or document, or if a malicious website is visited which downloads one of these files onto the device, the flaw could be exploited. The flaw could also be exploited if an attacker sends one of these files to the user as an email attachment, or even if a link is sent in an email. The parsing of the malformed file would be triggered.
Symantec reported that “Sufficiently malformed, the code executed at the kernel-level with system/root privileges causing a memory access violation.”
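The class of bug described above is a parser trusting a length or offset field taken from the file it is scanning. As an added example (not Symantec’s code, and not a reproduction of the specific flaw), the following parser reads the DOS, COFF and section headers of a PE file and refuses every offset or count that would carry a naive reader past the end of the buffer. The sample builder constructs tiny PE-shaped byte strings for demonstration; the 96-section limit is the one the Windows loader enforces.

```python
import struct

# PE layout constants (from the PE/COFF specification).
DOS_HEADER_SIZE = 64
PE_SIGNATURE = b"PE\0\0"
FILE_HEADER_SIZE = 20
SECTION_HEADER_SIZE = 40
MAX_SECTIONS = 96  # limit enforced by the Windows loader


class MalformedPE(ValueError):
    """Raised when a header field would lead a naive parser out of bounds."""


def parse_pe_headers(data: bytes) -> dict:
    """Parse the DOS, COFF and section headers of a PE image, checking every
    attacker-controlled offset and count against len(data) before using it."""
    size = len(data)
    if size < DOS_HEADER_SIZE or data[:2] != b"MZ":
        raise MalformedPE("no DOS header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # e_lfanew is read from the file: validate it before dereferencing.
    if e_lfanew < DOS_HEADER_SIZE or e_lfanew + 4 + FILE_HEADER_SIZE > size:
        raise MalformedPE(f"e_lfanew 0x{e_lfanew:x} points outside the file")
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise MalformedPE("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    sec_table = coff + FILE_HEADER_SIZE + opt_size
    # NumberOfSections and SizeOfOptionalHeader decide how far we read. Python
    # integers cannot overflow; a C parser must also guard the multiplication.
    if nsections > MAX_SECTIONS or sec_table + nsections * SECTION_HEADER_SIZE > size:
        raise MalformedPE(f"{nsections} section headers do not fit in {size} bytes")
    sections = []
    for i in range(nsections):
        off = sec_table + i * SECTION_HEADER_SIZE
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        # Raw data pointers must lie inside the file before anything scans them.
        if raw_ptr + raw_size > size:
            raise MalformedPE(f"section {name!r} raw data runs past end of file")
        sections.append({"name": name, "vaddr": vaddr, "raw_ptr": raw_ptr, "raw_size": raw_size})
    return {"machine": machine, "sections": sections}


def rejects(data: bytes) -> bool:
    """True if the parser refuses the input as malformed."""
    try:
        parse_pe_headers(data)
    except MalformedPE:
        return True
    return False


def build_sample(e_lfanew=64, nsections=1, raw_ptr=0x200, raw_size=0x10, total=0x210) -> bytes:
    """Construct a minimal PE-shaped byte string for testing (not a real binary).
    Out-of-range arguments produce the kind of malformed header a scanner sees."""
    buf = bytearray(total)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    if e_lfanew + 4 + FILE_HEADER_SIZE <= total:
        buf[e_lfanew:e_lfanew + 4] = PE_SIGNATURE
        # Machine 0x14C (i386), no optional header, characteristics 0x102.
        struct.pack_into("<HHIIIHH", buf, e_lfanew + 4, 0x14C, nsections, 0, 0, 0, 0, 0x102)
        off = e_lfanew + 4 + FILE_HEADER_SIZE
        if off + SECTION_HEADER_SIZE <= total:
            buf[off:off + 8] = b".text\0\0\0"
            struct.pack_into("<IIII", buf, off + 8, raw_size, 0x1000, raw_size, raw_ptr)
    return bytes(buf)
```

The point is not the PE format itself but the discipline: every value that came from the file is compared against the buffer size before it is used as an index, and the comparison is done in a way that cannot itself overflow.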
The critical Symantec vulnerability needs to be remediated as soon as possible. If you run Symantec anti-virus software and your system is not set to update automatically, it is essential to perform a manual Symantec LiveUpdate to address the issue. A patch is expected to be released in the next few days to address the other serious vulnerabilities discovered by Ormandy.
Last week, the website of a major toy manufacturer was discovered to have been compromised and was being used to infect visitors with ransomware. The website of Maisto was loaded with the Angler exploit kit that probed visitors’ browsers for exploitable vulnerabilities. When vulnerabilities were discovered, they were exploited and ransomware was downloaded onto visitors’ devices. In this case, the ransomware used was CryptXXX.
Many ransomware infections require a system rebuild and restoration of data from a backup. If a viable backup does not exist there is no alternative but to pay the attackers for the decryption key. Fortunately, in this case there is an easy fix for a CryptXXX infection: according to Kaspersky Lab, files encrypted by this strain can be decrypted for free. However, there are many other strains of ransomware that are not so easy to recover from.
While decrypting files locked by CryptXXX is possible, that is not the only malicious action performed by the ransomware. CryptXXX is also an information stealer and can record logins to FTP clients, email clients, and steal other data stored in browsers. It can even steal bitcoins from local wallets.
CryptXXX is now being used in at least two major exploit kit attack campaigns according to researchers from Palo Alto Networks. While Locky ransomware was extensively used in March this year – deployed using the Nuclear exploit kit – the attackers appear to have switched to the Angler exploit kit and the Bedep/CryptXXX combo.
How to Block Exploit Kits from Downloading Malware
To protect end users’ devices and networks from malware downloads and to block exploit kits, system administrators must ensure that all browser plugins are kept up to date. Exploit kits take advantage of security vulnerabilities in a wide range of plugins, although vulnerabilities in Flash and Java are the ones most commonly exploited. These two browser plugins are used on millions of machines, and new zero-day vulnerabilities are frequently discovered in both. Cybercriminals are quick to take advantage: as soon as a new vulnerability is identified it is rapidly added to exploit kits. Any machine with an out-of-date plugin is at risk of attack.
It takes time for patches to be developed and released when a new zero-day vulnerability is discovered. Keeping all devices up to date is a time consuming process and sys admins are unlikely to be able to update all devices the second a patch is released. To effectively protect devices and networks from attacks using exploit kits, consider using a web filtering solution.
A web filter can be used to block websites containing exploit kits and thus prevent the downloading of malware, even if patches have not been installed. The best way to block exploit kits from downloading malware is to ensure that end users never visit a website containing an exploit kit!
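The DNS-based approach described earlier on this page (point resolvers at the filtering service) and the “never let the browser reach the exploit kit site” advice here are the same mechanism: a resolver that answers for known-bad domains with the address of a block page instead of the real address. The following is an added example of that sinkhole logic, not WebTitan’s code; the blocklist, the categories and the block-page address 10.0.0.53 are all constructed for the demonstration. It parses a real wire-format query and builds a real response, so it could sit behind a UDP socket on port 53.

```python
import struct

# Constructed policy data: a tiny category blocklist and the address of the
# block page the client should land on (both assumed, not from the page).
BLOCK_PAGE_IP = "10.0.0.53"
BLOCKLIST = {
    "exploit-kit.example": "malware",
    "phish.example": "phishing",
    "casino.example": "gambling",
}


def policy_for(qname: str):
    """Return the category that blocks qname, matching parent domains too,
    or None if the name should be resolved normally."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        category = BLOCKLIST.get(".".join(labels[i:]))
        if category:
            return category
    return None


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\0"


def decode_name(msg: bytes, off: int):
    """Decode a wire-format name starting at off; returns (name, next_offset)."""
    labels = []
    while True:
        n = msg[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            ptr = struct.unpack_from(">H", msg, off)[0] & 0x3FFF
            tail, _ = decode_name(msg, ptr)
            return ".".join(labels + [tail]), off + 2
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n


def build_query(qname: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a standard recursive query for qname (qtype 1 = A record)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack(">HH", qtype, 1)


def handle_query(msg: bytes):
    """Apply the policy to one query. Returns (qname, category, response);
    response is None when the query should be forwarded to the real resolver."""
    txid = struct.unpack_from(">H", msg, 0)[0]
    qname, end = decode_name(msg, 12)
    qtype, _qclass = struct.unpack_from(">HH", msg, end)
    category = policy_for(qname)
    if category is None:
        return qname, None, None
    question = msg[12:end + 4]
    if qtype != 1:
        # Only A records are sinkholed; answer other types (e.g. AAAA) with an
        # empty NOERROR so the client falls back to the A lookup.
        return qname, category, struct.pack(">HHHHHH", txid, 0x8180, 1, 0, 0, 0) + question
    # Flags 0x8180: QR=1, RD=1, RA=1. One question, one answer that points the
    # client at the block page (name pointer 0xC00C = offset 12, the question).
    response = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question
    rdata = bytes(int(octet) for octet in BLOCK_PAGE_IP.split("."))
    response += struct.pack(">HHHIH", 0xC00C, 1, 1, 60, 4) + rdata
    return qname, category, response


def response_ip(response: bytes) -> str:
    """Pull the A record address out of a sinkhole response built above."""
    return ".".join(str(b) for b in response[-4:])
```

Two practical notes. Queries that come back as None must be forwarded to an upstream resolver and the answer relayed unchanged; and because this is a resolver-side control, a client that points itself at 8.8.8.8 walks straight past it, which is why outbound port 53 (and DNS over HTTPS) to anything but the filtering resolver should be blocked at the edge.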
A web filter should not be an excuse for poor patch management practices, but web filtering software can ensure devices and networks are much better protected.
Finding new revenue avenues for MSPs can be difficult. There are many ways for MSPs to increase client spending and win new business, although new revenue avenues for MSPs that are easy to implement and manage, are straightforward to sell to clients, and also offer good margins are few and far between. Fortunately, there is a product that can easily be incorporated into existing client offerings which is highly desirable, has a low management overhead, and offers MSPs excellent margins. That service is WebTitan Cloud. WebTitan Cloud is a web filtering service that has been developed with MSPs in mind.
New Revenue Avenues for MSPs: Internet Filtering-as-a-Service
The benefits of WebTitan Cloud are considerable. Our web filtering solution can be used to protect virtually all organizations from a wide range of Internet threats: Something that is increasingly important given the increase in phishing attacks and the proliferation of malware and ransomware in recent years. The cost of resolving malware infections is considerable, and data theft and loss can have catastrophic consequences for SMBs. Heavy fines can be issued by regulators for data breaches, and reputation damage from customer data theft can be considerable.
Employees need to be provided with Internet access to work efficiently; however, Internet access is often abused. Employees are wasting a considerable amount of time each day on personal Internet use. Social media networks are accessed, gambling sites used at work, and gaming sites used by many employees during working hours. By limiting access to these websites organizations can greatly increase the productivity of the workforce. Filtering the Internet to prevent employees and customers from accessing inappropriate website content can also prevent HR issues from developing and can reduce legal risk.
Our web filtering solution can also be used to manage bandwidth. Most organizations face bandwidth issues at some point, yet with careful configuration of our web filter, bandwidth can be effectively managed. Bandwidth-heavy Internet services can be limited to ensure that fast Internet access can be enjoyed by all.
WebTitan Cloud – An Easy Way for MSPs to Increase Profits
WebTitan Gateway is a powerful web filtering product that can keep networks protected from web-borne threats and can be used to control the content that can be accessed by employees and customers. While WebTitan Gateway can be offered by MSPs to their clients, TitanHQ has developed a new product that has been tailored to the specific needs of managed service providers.
WebTitan Cloud is a 100% cloud-based web filtering solution that requires no software installations and no hardware purchases. Our web filtering service can be applied in a matter of minutes without the need for on-the-ground IT support teams. Being DNS-based, all that is required is a small change to DNS settings. Point the DNS to our servers and website content can be filtered in as little as 2 minutes.
Configuring new clients’ web filtering settings is a quick and easy process. It takes approximately 20 minutes to add a new client and upload their Internet policy settings. Furthermore, configuring client accounts is a straightforward admin task requiring no technical skill. If clients want to manage their own settings, they can be provided with their own login and administrative roles can be easily delegated. With WebTitan Cloud, filtering the Internet could not be any simpler.
A Web Filtering Service that’s a Perfect Fit for MSPs
There are many companies now offering a web filtering service that can be used by MSPs, but few offer a product or service that has been created with MSPs in mind. With many solutions the cost of implementation is high, margins for MSPs are low, implementation is impractical, and management causes major headaches. On top of that, the lack of white label options means clients could easily end up going direct and cutting an MSP out of the equation. WebTitan Cloud is different.
WebTitan Cloud is offered as a white label, allowing MSPs to easily incorporate a web filtering service into their existing product offerings. MSPs are able to add their own logos, configure block screens, and change color schemes to match their own corporate branding. A range of APIs are also included to make integration with back-office systems as easy as possible. We even offer multiple hosting options. WebTitan Cloud can be run on our servers, in a private cloud, or even within an MSP’s infrastructure.
With WebTitan Cloud, MSPs can start providing a much more comprehensive Internet service to clients and easily boost their profits. For further information on WebTitan Cloud, how our service can be incorporated into your existing portfolios, and for details of pricing, contact our sales team today.
The risk of phishing attacks has increased considerably over the past 12 months, according to a new data breach report from Verizon. Ransomware attacks are also on the rise. The two are often used together to devastating effect as part of a three-pronged attack on organizations.
Firstly, cybercriminals target individual employees with a well-crafted phishing campaign. The target is encouraged to click a link contained in a phishing email which directs the soon-to-be victim to a malicious website. Malware is then silently downloaded to the victim’s device.
The malware logs keystrokes to capture login credentials, which allows the attacker to access email accounts and other systems. From the first compromised device the attacker moves laterally to other networked machines. The stolen credentials are then used to launch further attacks, which may involve making fraudulent bank transfers or installing ransomware on the network.
The Risk of Phishing Attacks is Growing
Verizon reports that due to the effectiveness of phishing and the speed at which attackers are able to gain access to networks, the popularity of the technique has grown substantially. In years gone by, phishing was a technique often used in nation-state sponsored attacks on organizations. Now there is a high risk of phishing attacks from any number of different players. Even low skilled hackers are now using phishing to gain access to networks, steal data, and install malware. Out of the nine different incident patterns identified by the researchers, phishing is now being used in seven.
Phishing campaigns are also surprisingly effective. Even though many companies now provide anti-phishing training, attempts to educate the workforce to minimize the risk of phishing attacks are not always effective. The 2016 Verizon data breach report suggests that when phishing emails are delivered to inboxes, 30% of end users open them. In 2015 the figure was just 23%. Rather than employees getting better at identifying phishing emails, they appear to be getting worse. Even worse news for employers is that 13% of individuals who open phishing emails go on to open the attached files or visit the links contained in the emails.
Ransomware Attacks Increased 16% in a Year
Ransomware has been around for the best part of a decade although criminals have favored other methods of attacking organizations. However, over the past couple of years that has changed and the last 12 months has seen a significant increase in ransomware attacks on businesses. According to the data breach report, attacks have increased by 16% in the past year. As long as companies pay attackers’ ransom demands attacks are likely to continue to increase.
How Can Web Filtering Software Prevent Ransomware Infections and Reduce the Risk of Phishing Attacks
Defending a network from attack requires a wide range of cybersecurity defenses to be put in place. One of the most important defenses is the use of web filtering software. A web filter sits between end users and the Internet and controls the actions that can be taken by end users as well as the web content they are allowed to access.
A web filter can be used to block phishing websites and malicious sites where drive-by malware downloads take place. Web filtering software can also be configured to block the downloading of files typically associated with malware.
Training employees how to avoid phishing emails can be an effective measure to reduce the risk of phishing attacks, but it will not prevent 100% of attacks, 100% of the time. When training is provided and web filtering software is used, organizations can effectively manage phishing risk and prevent malware and ransomware infections. As phishing attacks and ransomware infections are on the increase, now is the ideal time to start using web filtering software.
In February, the Federal Bureau of Investigation (FBI) issued an alert over a new ransomware called MSIL (AKA Samas/Samsam/Samsa), but a recent confidential advisory was obtained by Reuters, in which the FBI asked U.S. businesses and the software security community for help to deal with the growing enterprise ransomware threat from MSIL.
The new ransomware is particularly nasty as it is capable of spreading across networks, not just infecting individual computers. In February, the FBI alert provided details of the new ransomware and how it gained its initial foothold by exploiting vulnerabilities in outdated JBoss application servers. Any enterprise running an unpatched version of the platform is at risk of being attacked. The FBI’s list of indicators was intended to help organizations determine whether they had been infected with MSIL.
Just over a month later, the FBI sent out a plea for assistance, requesting businesses to contact its CYWATCH cybersecurity center if they suspected they had been attacked with the ransomware. Any business or security expert with information about the ransomware was also requested to get in touch.
Recent high profile attacks on healthcare organizations and law enforcement have resulted in ransoms being paid to attackers in order to unlock ransomware infections. Oftentimes there is no alternative but to pay the ransom demand in order to recover data. However, paying ransoms simply encourages more attacks.
The Enterprise Ransomware Threat is Now at A Critical Level
Ransomware is not new, but the methods being used by cybercriminals to infect systems are more complex, as is the malicious software used in the attacks. The volume of attacks and the number of ransomware variants now in use mean the enterprise ransomware threat is considerable, with some security experts warning that ransomware is fast becoming a national cybersecurity emergency.
The healthcare industry is being targeted as hospitals cannot afford to lose access to healthcare data. Even if electronic patient medical files are not encrypted, systems are being shut down to contain infections. This causes massive disruption and huge costs, which attackers hope will make paying the ransom the best course of action.
Dealing with the enterprise ransomware threat requires a multi-faceted approach. Attackers are using a variety of methods to install ransomware, and blocking spam email is no longer sufficient to deal with the problem. MSIL attacks are being conducted by exploiting vulnerabilities in Internet-facing enterprise software, end users are being fooled into installing ransomware with social engineering techniques, drive-by downloads are taking place, and the malicious file-encrypting software is also being sent via spam email.
How to Protect Against Enterprise Ransomware Attacks
The FBI is trying to encourage business users and individuals never to open untrusted email attachments and to ensure they are deleted from inboxes. Fortunately, the high profile attacks on large institutions have put enterprises on high alert. With awareness raised, it is hoped that greater efforts will be made by enterprises to reduce the risk of an attack being successful.
Some of the best protections include:
Ensuring all software is kept up to date and patches are installed promptly
Using spam filtering tools to reduce the risk of infected attachments being delivered to end users
Backing up all systems frequently to ensure data can be restored in the event of an attack
Conducting regular staff training sessions to help end users recognize phishing emails and malicious attachments
Disabling macros on all computers
Using web filtering solutions to prevent drive-by downloads and block malicious websites
Issuing regular security bulletins to staff when a new enterprise ransomware threat is discovered
Today is World Backup Day – a day when awareness of the need to backup data is raised around the world. It is a day when companies that are not backing up their critical data are encouraged to do so, and companies that do are encouraged to take a close look at their data backup policies and procedures to make sure that they are up to scratch.
World Backup Day 2016 is More Important Than Ever
World Backup Day may be an opportunity for companies to sell you a host of products and services associated with disaster recovery – a number of software companies offering backup services sponsor the day – but this year the day is more important than ever. This week, a large not-for-profit health system in the United States discovered just how important it is to have a fully functional backup of all critical data.
MedStar Health, a network of 10 hospitals and more than 250 outpatient facilities in the Washington D.C. area, was hit with a ransomware infection that compromised 18 computers. It could have been far worse had rapid action not been taken to shut down its network to prevent the lateral spread of the ransomware infection.
Fortunately, systems are now being restored and it appears that the reported ransom demand of $18,500 will not need to be paid. Many companies would not be in a position to decide whether or not to pay the ransom. If a viable copy of data has not been stored securely on an isolated drive, the ransom would have to be paid. Losing critical data would simply not be an option.
MedStar Health is not the only healthcare organization to have suffered a ransomware attack in recent weeks. In the United States, Methodist Hospital in Kentucky, and Chino Valley Medical Center, Desert Valley Hospital, and Hollywood Presbyterian Medical Center in California have all been attacked, as was Canada’s Ottawa Hospital. All of those attacks have occurred in the past two months.
It is not just the healthcare industry that is under attack; however, many companies prefer not to announce that they have had their systems infiltrated and data encrypted by attackers. Ransoms are quietly paid in order to get the security keys to unlock the encryption.
30% of Users Have Never Backed Up Their Data
Even though the loss of data could prove catastrophic for companies, many organizations are not backing up data as frequently as they should. Some do not test the backups they perform to make sure that in the event of an emergency, data can actually be recovered.
Almost a year ago to the day, the Tewksbury Police Department in Massachusetts was given no alternative but to pay a ransom to have its files unlocked. A backup of data had been recently performed, but that file was corrupted. The only non-corrupted backup file the Police Department had was more than 18 months old.
The figures on the World Backup Day website indicate 30% of users have never backed up their data, even though the loss of files would cause considerable anguish. Figures from Backblaze suggest that since 2013 (from when the World Backup Day figures were taken) things have improved and the figure now stands at 25%.
Companies Need to Review Backup Policies
For companies, a single backup of data is not sufficient protection. Multiple backup copies reduce risk: if one backup file is corrupted, it will not spell disaster. At least one copy must be stored off-site, and at least one copy must be kept offline. A backup drive or network share that stays connected will be encrypted by ransomware along with everything else, because the ransomware simply sees it as another writable location.
There are many other ways that data can be accidentally deleted or lost. There may not be an option to simply pay a ransom to recover valuable data. Without a viable backup data could be lost forever. WBD figures suggest that 29% of data incidents are the result of accidents.
Performing frequent backups is a complex task given the huge volumes of data now being stored by organizations. Today is a good day to reassess policies, procedures and software, to test backups, and to make sure that when (not if) disaster strikes, valuable data will not be lost.
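The Tewksbury case above is the failure mode that matters: a backup existed, but it was corrupt and nobody had checked. As an added example (not a product’s code), the following script records a SHA-256 manifest when a backup is taken and verifies the backup copy against it later, reporting files that are missing, files whose contents changed, and changed files whose contents look encrypted (high byte entropy), which is what a ransomware-hit backup drive looks like. The sample files and the damage done to them in demo() are constructed inside temporary directories.

```python
import hashlib
import math
import os
import tempfile


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Record the hash of every file under root, keyed by relative path.
    Store this manifest somewhere the backup job cannot overwrite it."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~8.0 for encrypted or compressed data, far lower for documents."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def verify_backup(root: str, manifest: dict, entropy_threshold: float = 7.5) -> dict:
    """Compare the backup copy under root with the manifest taken at backup time."""
    report = {"ok": [], "missing": [], "corrupted": [], "suspicious": []}
    for rel, digest in sorted(manifest.items()):
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            report["missing"].append(rel)
            continue
        if sha256_file(path) == digest:
            report["ok"].append(rel)
            continue
        report["corrupted"].append(rel)
        with open(path, "rb") as f:
            head = f.read(65536)
        # A changed file that is now near-random is the ransomware signature;
        # 7.5 bits/byte is an assumed threshold, tune it for your data.
        if shannon_entropy(head) > entropy_threshold:
            report["suspicious"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: a clean backup, then the same backup after one file
    is lost and another is overwritten with random bytes."""
    samples = {
        "notes.txt": b"quarterly notes\n" * 200,
        "report.docx": b"PK\x03\x04 constructed document body " * 300,
        os.path.join("db", "customers.csv"): b"id,name\n1,alice\n" * 500,
    }
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as backup:
        for rel, content in samples.items():
            for base in (src, backup):
                path = os.path.join(base, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as f:
                    f.write(content)
        manifest = build_manifest(src)
        good = verify_backup(backup, manifest)
        os.remove(os.path.join(backup, "notes.txt"))
        with open(os.path.join(backup, "report.docx"), "wb") as f:
            f.write(os.urandom(8192))
        bad = verify_backup(backup, manifest)
    return {"good": good, "bad": bad}
```

Run verify_backup from the schedule, not by hand, and treat any entry outside “ok” as an incident: a corrupted backup discovered on the day you need it is no backup at all.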
System administrators that do not block malicious Word macros in Office 2016 could be making it far too easy for hackers to compromise their networks. Malicious Word macros are nothing new, but in recent months they have increasingly been used to deliver ransomware and other nasty malware.
Macros Used in 98% of Office-related Enterprise Malware Attacks
It is common knowledge that executable files are used to deliver malware. Many companies implement a web filter to prevent the downloading of executable files by end users, and spam filters are often configured to prevent attached .exe files from being delivered.
Screensaver files (.SCR) are also commonly used to deliver malware and these too are often blocked by security solutions. Blocking other file types commonly used by attackers, such as batch files (.bat) and compressed files (.zip) can also help to reduce the risk of a malware infection. For the majority of enterprise end users, these files can be blocked without affecting workflows.
However, it is not practical to prevent Word documents and other Office files from being emailed or shared. These file types are used by most workers on a day to day basis. They are also being extensively used to deliver malware. According to figures released by Microsoft, macros are used in 98% of Office-related attacks on enterprises.
Fail to Block Malicious Word Macros in Office 2016 at your Peril!
There have been a number of recent cases of ransomware being installed after enabling Word macros. Hackers can add malicious scripts to Word macros and install malware without rousing too much suspicion. Word documents are often trusted not to be malicious by many end users.
After a rise in the use of macros to deliver computer viruses, Microsoft made a change to automatically disable macros in Word by default. Opening a Word document therefore required users to manually enable macros before they could be run.
The use of macro viruses went into rapid decline after this security measure was introduced because macros ceased to be a particularly effective method of malware delivery. That was about a decade ago.
However, recently there has been a surge in the use of embedded VBA scripts to deliver malware. Disabling macros by default does not, on its own, prevent infection: end users are enabling macros in order to open Word documents after being convinced to do so by the attackers.
Enterprise end users are sent spam emails containing infected Word documents and are fooled into enabling macros in order to view them. When end users open the infected file they are presented with a message saying the content of the document cannot be viewed without first enabling macros. The end user does just that, and the malicious VBA script runs. That script opens a connection to the attacker’s command and control server and malware is downloaded to the user’s device.
IT departments can conduct training and tell end users never to enable macros, but sooner or later one individual will ignore that advice and inadvertently install malware. Many businesses use macros in their Office files, so blocking them from running altogether is simply not an option. So how can businesses block malicious Word macros in Office 2016 without having to stop using macros in documents altogether? Fortunately, Microsoft has come up with a cunning solution.
Microsoft Makes It Easier to Block Malicious Word Macros
Microsoft has responded to the wave of malicious macro attacks by developing a better solution than the one introduced more than a decade ago. A new setting has been added to make it possible to block malicious Word macros in Office 2016 while still being able to use genuine macros. The good news for system administrators is the settings cannot be bypassed by end users who think they know better than their IT department.
System administrators can now apply a group setting that will block macros in Office files that have been obtained from the Internet zone. Microsoft’s definition of the Internet zone includes documents attached to emails that have been sent from outside an organization, as well as documents obtained from cloud storage providers such as Google Drive and Dropbox and from file sharing websites.
Opening and attempting to run macros from these sources will result in a warning being presented to the user saying their system administrator has blocked macros for security reasons. They will not be given the option of bypassing those settings and running the macros. The setting is a Group Policy setting (“Block macros from running in Office files from the Internet”) under the Trust Center security options of the Word 2016 administrative template, with matching settings for Excel 2016 and PowerPoint 2016. Office decides which files came from the Internet by reading the mark-of-the-web that browsers, mail clients and sync clients attach to downloaded files, so files copied in by other routes may not carry it.
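Two things a practitioner wants to see here: what the policy actually writes to the registry, and how Office knows a file “came from the Internet”. The following is an added example, not Microsoft’s code. It generates a .reg file that sets the policy for Word, Excel and PowerPoint 2016 (the value name blockcontentexecutionfrominternet under the per-application Security policy key is what the ADMX policy writes; verify it against your own ADMX before deploying), and it parses the Zone.Identifier alternate data stream that carries the mark-of-the-web. Treating both zone 3 (Internet) and zone 4 (Restricted sites) as “from the Internet” is an assumption made here.

```python
OFFICE_APPS = ("Word", "Excel", "PowerPoint")
# Registry value written by the "Block macros from running in Office files
# from the Internet" policy for Office 2016 (16.0). Check against your ADMX.
POLICY_VALUE = "blockcontentexecutionfrominternet"

# URL security zone ids as stored in the Zone.Identifier stream.
URLZONE_INTERNET = 3
URLZONE_UNTRUSTED = 4


def policy_reg_file(version: str = "16.0") -> str:
    """Return .reg file text that enables the policy for each Office application.
    Deploying via Group Policy is preferable; this shows what GP would write."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for app in OFFICE_APPS:
        lines.append(
            f"[HKEY_CURRENT_USER\\Software\\Policies\\Microsoft\\Office\\{version}\\{app}\\Security]"
        )
        lines.append(f'"{POLICY_VALUE}"=dword:00000001')
        lines.append("")
    return "\n".join(lines)


def zone_from_mark_of_the_web(stream_text: str):
    """Parse the Zone.Identifier stream ('[ZoneTransfer]' section, 'ZoneId=N').
    Returns the zone id, or None if the file carries no usable mark."""
    zone = None
    in_section = False
    for line in stream_text.splitlines():
        s = line.strip()
        if s.lower() == "[zonetransfer]":
            in_section = True
            continue
        if s.startswith("["):
            in_section = False
            continue
        if in_section and s.lower().startswith("zoneid="):
            try:
                zone = int(s.split("=", 1)[1].strip())
            except ValueError:
                zone = None
    return zone


def macros_blocked_by_policy(zone, policy_enabled: bool = True) -> bool:
    """Would the policy block macros in a file carrying this zone mark?
    Assumption: Internet (3) and Restricted sites (4) both count as Internet."""
    return policy_enabled and zone in (URLZONE_INTERNET, URLZONE_UNTRUSTED)


def read_mark_of_the_web(path: str):
    """Read the mark from an NTFS file's Zone.Identifier alternate data stream.
    Returns None on non-NTFS filesystems or when the file has no mark."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return zone_from_mark_of_the_web(f.read())
    except OSError:
        return None
```

The useful consequence of the parser: a document that arrives without a Zone.Identifier stream (copied from a USB stick, extracted by an archiver that does not propagate the mark, or saved to a FAT-formatted share) is not “from the Internet” as far as this policy is concerned, so the policy complements user education and attachment filtering rather than replacing them.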
A new report issued by the Institute for Critical Infrastructure highlights the need for organizations to develop ransomware mitigation policies due to the high risk of cyberattacks involving the malicious file encrypting software. The report warns that 2016 will be a year when ransomware wreaks havoc on businesses in the United States, in particular on the U.S critical infrastructure community.
Ransomware is being used by cybercriminals as it is a highly effective method of extorting money from businesses. Businesses need data in order to function, and ransomware prevents them from accessing it. If ransomware is installed on a computer, or worse still spreads across a computer network, critical data needed by the business is encrypted. A ransom demand is issued by the attackers, who will not release the decryption keys until the ransom is paid. Without those keys the data remains locked. Businesses are often given no alternative but to give in to the attackers’ demands.
Rampant Ransomware Prompts ICIT to Issue Warning
The report warns organizations of the current dangers, and says that in 2016, “Ransomware is rampant.” Organizations of all sizes are being targeted. The criminal gangs behind the campaigns are targeting healthcare providers, even though their actions place the lives of patients in danger. Police and fire departments have also been targeted, as have educational institutions and businesses. The greater the need for access to data, the bigger incentive organizations have to pay the ransom.
According to the report, “In numerous cases, organizations tend to pay because, for them, every minute of downtime directly equates to lost revenue.” The cost of that downtime can be considerable. Far more than the ransom demand in many cases.
Unfortunately, as pointed out in the report, it is too difficult and time consuming to track down attackers. They cover their tracks effectively and take payment in Bitcoin or through other online payment methods that give them a degree of anonymity. Attacks are often conducted across international borders. This makes it simply too difficult for the perpetrators to be found and brought to justice by law enforcement agencies.
Even the FBI has said that it advises companies to pay the ransom in many cases, unless the victims can live without their data. The report says, “no security vendor or law enforcement authority can help victims recover from these attacks.” It is therefore up to each individual organization to put measures in place to protect against ransomware.
Ransomware Mitigation Policies are Essential
Recovering from a ransomware infection can be expensive and difficult. It is therefore imperative that defenses are put in place to prevent ransomware from being installed on computers and networks.
The report suggests four key areas that can help with ransomware mitigation.
Forming a dedicated information security team
Conducting staff training
Implementing layered defenses
Developing policies and procedures to mitigate risk
An information security team should conduct risk assessments, identify vulnerabilities, and ensure defenses are shored up. Security holes must be plugged to prevent them being exploited. The team must also devise strategies to protect critical assets. They are an essential element of a ransomware mitigation strategy.
Staff training is essential. Employees must be instructed how to identify threats. Employees are often targeted as they are the weakest link in the security chain: in many cases it is easier to get an employee to install ransomware than to attempt a technical intrusion. According to the report, this is one of the most important ransomware mitigation steps to take.
Layered defenses should be implemented to make it harder for attackers to succeed. Organizations should not rely on one form of defense such as a firewall. Antivirus and antimalware solutions should be used, anti-spam filters employed to prevent email attacks, and web filtering solutions should be used to prevent web-borne attacks.
With the threat now having reached critical levels, ransomware mitigation policies are essential. Administrative policies can help reduce the likelihood of an attack being successful. Employees must be aware who they can report suspicious emails and network activity to, and those individuals must be aware how they should act and deal with threats.
According to a recent report issued by Pwnie Labs, wireless device security vulnerabilities are not being addressed by enterprises even though many wireless devices can be used as backdoors into corporate networks.
If wireless printers and access points are not secured, hackers can easily use them to gain access to internal networks. Many organizations invest heavily in security defenses but forget to change the default configurations on their wireless printers. Pwnie Labs researchers ascertained that more than half of wireless devices (56%) used by enterprises are HP printers. When default settings are not changed, the devices can be used as a backdoor into corporate networks. HP printers were found to be the most common open wireless networks, while 35% of wireless access points either did not use encryption or had security defenses that were particularly weak.
Plugging wireless device security vulnerabilities is not always straightforward. Organizations need to change the default password on the devices, yet many do not do so because it causes connectivity problems. However, if wireless device security vulnerabilities are not addressed they could allow hackers to bypass an organization’s security defenses and gain access to internal networks.
Wireless Device Security Vulnerabilities Are Being Exploited by Hackers
A recent survey of 400 IT security professionals showed that 55% of respondents had already witnessed a cyberattack via wireless devices, and 86% said that they were concerned about wireless device security vulnerabilities.
Pwnie Labs found that many wireless printers are left with default settings active, and some do not even have a username and password set, allowing anyone to connect. If the wireless printer is hardwired to an Ethernet network, gaining access to the printer via Wi-Fi could allow a hacker to also gain access to the network to which the printer is connected.
The devices are designed to make connection as easy as possible, and this feature can all too easily be exploited by attackers. If an attacker sets up a malicious access point and uses the same SSID as that used by the manufacturer to configure the printer, the printer could automatically connect to that network.
To prevent this, remove open wireless networks from the preferred network list on the printer. Alternatively, ensure that the printer does not automatically connect to open wireless networks.
If a wireless printer is used as a network printer via an Ethernet connection, it is essential to disable Wi-Fi functionality to prevent the device from being used as a wireless bridge to the wired network. If there is no need for a wireless printer to be hardwired to a network, ensure that it isn’t and use strong encryption to connect wirelessly to the device.
Printers are not the only devices that can be used in this fashion. All devices with wireless functionality must be subjected to a full risk assessment. If wireless networks are not used by an organization, devices with wireless capability must have the function disabled. If wireless networks are in use, all devices must be carefully configured to reduce the risk of attack.
Locky ransomware is a new threat believed to emanate from the hacking team behind Dridex malware. The new threat is being delivered via spam email and is disguised as a Microsoft Word invoice. If macros are enabled, or if the macro contained in the infected Word file is run, a script will download Locky ransomware: a 32-bit executable file containing a dropper. The dropped malware runs from the %TEMP% folder and disguises itself as svchost.exe.
Locky ransomware searches for files stored on the infected device, renames them, and adds the extension .locky. The renamed files cannot be identified by the user: each is given a unique file ID, along with a unique ID for each user. Files are locked using the RSA-2048 and AES-128 ciphers, and all communication between Locky and its command and control server is encrypted.
Once files have been encrypted, a text file will be saved to the desktop detailing the actions that must be taken by the victim in order to restore their files. A bitmap containing the instructions is also set as the user’s wallpaper.
Links are supplied which the user must access via the Tor network, and further instructions unique to that user are detailed on a webpage created for each victim. Users are instructed how to buy Bitcoin and how to send the ransom of 0.5 to 1.0 Bitcoin (around $200-$400) to the attackers. Upon paying the ransom the victim will receive a security key which will enable them to unlock their files. Locky ransomware encrypts data stored on local drives, removable media, and ramdisks, although it is also capable of encrypting data on network resources.
Locky ransomware can only be installed if a malicious macro contained in the Word file is run. Opening the infected Word document will not result in the device or network being infected until macros have been enabled. If this happens, the Word document macro will save a file to the device (Troj/Ransom-CGX) which will act as a downloader and will install the ransomware payload.
Once downloaded the payload will start to encrypt a wide range of files. Those files include documents, multimedia files, images, office files, and source code. Shadow copies (VSS files) on the device will also be removed. Even the wallet.dat file is encrypted, leaving Bitcoin users no alternative but to pay the ransom. The ransomware will encrypt files on any connected or mounted drive, and will lock files regardless of the operating system used.
Any user logged in with administrator privileges when Locky ransomware strikes will see a considerable amount of damage caused, leaving them no alternative but to pay the ransom to unlock files. Bear in mind that the above ransom amounts have been seen for individual users. There is no telling what ransom will be demanded if a business user is infected.
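The two host-side signs of Locky described above (a process calling itself svchost.exe but running from %TEMP%, and a burst of files renamed with the .locky extension) can be checked in endpoint telemetry. This is an added example, not code from the article; the process events, file paths and the five-file threshold are constructed assumptions.

```python
"""Detect the Locky behaviours described above in endpoint telemetry.

Added example, not from the original article.  The process events and the
file listing are constructed samples.  Two checks are implemented:
  1. a process named svchost.exe whose image path is outside the Windows
     system directories (Locky's dropper runs from %TEMP% under that name);
  2. a burst of files renamed to the .locky extension, which signals that
     encryption has started on the host.
"""
import ntpath
from dataclasses import dataclass

# Directories from which a genuine svchost.exe is expected to run.
TRUSTED_SVCHOST_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
)


@dataclass
class ProcessEvent:
    pid: int
    image: str  # full path of the executable image


def is_masquerading_svchost(event):
    """True when a process is named svchost.exe but runs from an untrusted directory."""
    path = ntpath.normpath(event.image).lower()
    if ntpath.basename(path) != "svchost.exe":
        return False
    return ntpath.dirname(path) not in TRUSTED_SVCHOST_DIRS


def suspicious_processes(events):
    """All process events that match the svchost.exe masquerade check."""
    return [e for e in events if is_masquerading_svchost(e)]


def locky_renames(paths, threshold=5):
    """Return the .locky files when at least `threshold` of them are present.

    A single stray file is not treated as an incident; the mass rename that
    Locky performs produces many such files in a short time.
    """
    hits = [p for p in paths if p.lower().endswith(".locky")]
    return hits if len(hits) >= threshold else []


def assess(events, paths):
    """Combine both signals into one report for the host."""
    return {
        "masquerading_svchost": [e.image for e in suspicious_processes(events)],
        "locky_renames": locky_renames(paths),
    }


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    ProcessEvent(812, r"C:\Windows\System32\svchost.exe"),
    ProcessEvent(4120, r"C:\Users\alice\AppData\Local\Temp\svchost.exe"),
    ProcessEvent(3300, r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"),
]
SAMPLE_FILES = [
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Documents\0A1B2C3D4E5F60718293A4B5C6D7E8F9.locky",
    r"C:\Users\alice\Documents\1B2C3D4E5F60718293A4B5C6D7E8F9A0.locky",
    r"C:\Users\alice\Pictures\2C3D4E5F60718293A4B5C6D7E8F9A0B1.locky",
    r"C:\Users\alice\Pictures\3D4E5F60718293A4B5C6D7E8F9A0B1C2.locky",
    r"C:\Users\alice\Desktop\4E5F60718293A4B5C6D7E8F9A0B1C2D3.locky",
    r"C:\Users\alice\Desktop\_Locky_recover_instructions.txt",
]

if __name__ == "__main__":
    print(assess(SAMPLE_EVENTS, SAMPLE_FILES))
```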
How to Protect Against Locky Ransomware Attacks
There are a number of ways that businesses can protect their networks from a Locky ransomware attack. The first is to prevent the malicious Word document from being delivered.
A robust anti-spam filter can filter out malicious emails and quarantine them, preventing phishing and malicious spam emails from being delivered to end users’ inboxes.
Staff training is essential in case malicious emails find their way into end users’ inboxes. Employees must be warned of the risks of ransomware and other malware, told how the malicious software is delivered, and how to identify potentially malicious emails. End users must be told never to open a file attachment sent from someone they do not know.
All devices with Word installed should have macros disabled. If users are required to use macros, they should enable them to work on files and disable the macro function when the task has been completed. If macros are set to run automatically, opening an infected Word document will allow malicious code to run automatically.
Portable drives should not remain connected when they are not in use.
Users should never log in as an administrator unless it is strictly necessary. Always log in without administrator rights unless they are necessary for a particular task to be performed and log out afterwards.
Regularly back up important files (daily) and store backups off site.
Not all malware is delivered via spam email. Hackers are increasingly using FTP sites, file sharing websites, and compromised websites to deliver malware. Blocking these sites using a web filtering solution such as WebTitan is strongly advisable. WebTitan can also block files commonly used to deliver malware (BAT, SCR, and EXE files).
Patches should be installed promptly and browsers and plugins updated as soon as patches and updates are released. Security vulnerabilities can be exploited via malicious websites and malware and ransomware downloaded without any user action.
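Two of the protections listed above, rejecting the file types commonly used to deliver malware and stopping macro-bearing Word files before they reach an inbox, can be expressed as an attachment policy check. This is an added example, not code from the article or from WebTitan; the attachments are constructed in memory, and the "quarantine" verdict for legacy binary .doc files is an assumption of this example (their macros live in OLE streams that it does not parse).

```python
"""Attachment policy check for the Locky delivery chain described above.

Added example, not from the article or from WebTitan.  It applies two of the
protections listed: reject attachments with a blocked extension (BAT, SCR,
EXE) or an executable header, and hold Word files that carry a VBA macro
project for review.  All attachments below are constructed samples.
"""
import io
import zipfile

BLOCKED_EXTENSIONS = {".bat", ".scr", ".exe"}
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .doc container
PE_MAGIC = b"MZ"  # Windows executable header, whatever the file is named


def has_ooxml_macro(data):
    """True if an Office Open XML document (a zip) contains a VBA project."""
    stream = io.BytesIO(data)
    if not zipfile.is_zipfile(stream):
        return False
    with zipfile.ZipFile(stream) as zf:
        return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())


def classify_attachment(filename, data):
    """Return 'block', 'quarantine' or 'allow' for one attachment."""
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in BLOCKED_EXTENSIONS:
        return "block"
    if data.startswith(PE_MAGIC):
        # Executable content renamed to a harmless-looking extension.
        return "block"
    if has_ooxml_macro(data):
        # .docm/.xlsm style file with a macro project: hold for review.
        return "quarantine"
    if data.startswith(OLE2_MAGIC):
        # Legacy binary .doc: macros sit in OLE streams this example does not
        # parse (a tool such as olevba is needed), so hold rather than guess.
        return "quarantine"
    return "allow"


def screen_message(attachments):
    """Map each (filename, bytes) attachment of a message to its verdict."""
    return {name: classify_attachment(name, data) for name, data in attachments}


def _make_docx(with_macro):
    """Build a minimal constructed OOXML document, optionally macro-enabled."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed-vba-project")
    return buf.getvalue()


# Constructed sample message: one macro invoice, benign files, a renamed EXE.
SAMPLE_MAIL = [
    ("invoice.docm", _make_docx(with_macro=True)),
    ("quarterly_report.docx", _make_docx(with_macro=False)),
    ("statement.pdf.scr", PE_MAGIC + b"\x90\x00"),
    ("notes.txt", PE_MAGIC + b"\x90\x00"),
    ("photo.jpg", b"\xff\xd8\xff\xe0"),
    ("old_contract.doc", OLE2_MAGIC + b"\x00" * 16),
]

if __name__ == "__main__":
    for name, verdict in screen_message(SAMPLE_MAIL).items():
        print(f"{verdict:10s} {name}")
```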
In recent months, concern has been growing over the lack of medical equipment cybersecurity protections in place at hospitals and medical centers. Healthcare providers are being targeted by cybercriminals for the confidential data they store on patients. Medical devices, and their associated computer hardware, could potentially be targeted by cybercriminals. Medical device security is often overlooked by health IT professionals, and the manufacturers of the devices often fail to make their equipment secure.
Healthcare providers store Social Security numbers, health insurance data, financial information, and the personal information of patients. These data have a high value on the black market as they can be used by criminals to commit identity theft and many types of fraud.
Cyberattacks on hospitals and health insurers are increasing, and while cybersecurity protections as a whole are improving, the industry still lags behind other industry sectors when it comes to implementing robust cybersecurity protections. Numerous security vulnerabilities are often allowed to exist, making it relatively easy for hackers to take advantage.
Medical equipment cybersecurity is particularly lax. The devices may not provide easy access to the types of data sought by identity thieves in some cases, but they are networked. If access is gained, attacks on other parts of a healthcare network could take place.
If hackers are able to gain access to a medical device a considerable amount of harm could be caused. A malicious hacker could alter or delete data, crash the device, or steal data stored on the device or the computer connected to it. If settings can be altered patients could be seriously harmed. Doses of medication could be altered or medical diagnoses or test results changed, with disastrous consequences for the patient.
Expensive equipment could be sabotaged or the devices could be locked with ransomware. The ransomware infection of Hollywood Presbyterian Medical Center this month shows that the threat of malware is very real. In fact, attacks on hospitals can be very lucrative for hackers. The hospital recently paid $17,000 for security keys to unlock its EHR system after a ransomware infection took it out of action.
How Bad Are Medical Equipment Cybersecurity Protections?
So how bad are medical equipment cybersecurity protections? Sergey Lozhkin of Kaspersky Lab decided to find out, and recently announced the results of his attempts to hack medical devices at the 2016 Security Analyst Summit (SAS 2016) in Tenerife.
Lozhkin set out to hack a hospital and succeeded in doing just that by exploiting a lack of medical device cybersecurity protections at a hospital. The hack started with a search using the Shodan search engine. Lozhkin discovered a number of hospital devices and contacted the owner. Along with his friend, he decided to conduct a penetration test to see just how easy it was to gain access to the devices. The senior managers of the hospital were aware of the test and secured real data to prevent any unauthorized disclosure or data loss as a result of the test.
The first attempt at hacking the medical devices failed. The hospital’s systems administrator had done a good job of securing systems from external attack. However, the second attempt at hacking was successful. Lozhkin decided that instead of attacking from home, he would travel to the hospital and try to attack from within. However, physical access to the hospital was not necessary. He was able to hack the hospital from his car, since he could park outside and gain access to the hospital’s local Wi-Fi network.
Once he hacked the network key he was able to gain access to a tomographic scanner. By exploiting a vulnerability in an application he gained access to the file system of the device and was able to view (fake) patient data. The real data had been secured prior to the test. In this case, the hack was possible because the hospital’s systems administrator had made a fundamental mistake, having connected a medical device to the hospital’s public WiFi network.
Forget Medical Equipment Cybersecurity Protections at your Peril
If medical equipment cybersecurity protections are insufficient, it may be hacktivists or data thieves that gain access to data rather than pen testers. Hospitals must ensure that medical equipment cybersecurity protections are put in place, but security must also be tested to ensure cybersecurity defenses actually prevent access to medical devices and the sensitive data they contain.
Better medical equipment cybersecurity protections must also be incorporated into the design of medical devices by the manufacturers to make sure medical equipment is harder to hack.
According to a February 2016 California data breach report issued by the California attorney general’s office, the majority of data breaches are easily preventable if basic security measures are adopted. Had companies doing business in the state of California implemented industry best practices and adhered to federal and state regulations, the privacy of millions of Californians would have been protected.
However, that was not the case and over the course of the past 4 years close to 50 million state residents have had their private data exposed as a result of data breaches suffered by government and private organizations.
The California data breach report includes a summary of data breaches reported to the attorney general’s office between 2012 and 2015. From 2012, the California Attorney general’s office needed to be notified of a breach of personally identifiable information if more than 500 state residents were affected.
Between 2012 and 2015, 657 data breaches were reported. 49.6 million state residents had their personally identifiable information exposed.
In almost half of cases, Social Security numbers were obtained by cybercriminals or were exposed as a result of the loss or theft of devices used to store personal information.
2015 was a Bad Year for Data Breaches in California
The California data breach report was compiled following a particularly bad year for Californians. In 2015, 24 million state residents had their personal information exposed. That equates to one in three Californians. To put the figure into perspective, in 2012 only 2.6 million state residents were affected by data breaches.
The California data breach report was compiled to show just how bad the current situation is. According to State attorney general Kamala D. Harris, the report should serve as a “starting point and a call to action for all of us.” The situation must improve.
Harris points out in the introduction to the 2016 Californian data breach report that “many organizations need to sharpen their security skills, trainings, practices, and procedures to properly protect consumers.” She goes on to say that if a company chooses to store private and confidential data on state residents, that company has a “legal obligation to adopt appropriate security controls.”
California Data Breach Report Summary
The main findings of the 2016 California data breach report are listed below:
The biggest data security threats are malware and hacking
Malware and hacking exposed 54 percent of records and accounted for the most data breaches (365)
Malware and hacking attacks have grown by 22% in 4 years and caused 58% of breaches in 2015
Malware and hacking caused 90% of retail data breaches
Physical breaches (loss and theft of devices) accounted for 27% of all reported breaches.
Physical breaches are declining: They fell from 27% in 2012 to 17% in 2015
Errors and employee/employer negligence accounted for 17% of data breaches
Medical records were exposed or stolen in 19% of reported breaches
Payment card information was stolen in 39% of data breaches
Small businesses reported 15% of data breaches
According to the new California data breach report, the retail sector suffered the most, accounting for a quarter of all data breaches reported in the past four years. Those security incidents resulted in the exposure of 42% of the total number of records exposed in the past four years. The financial sector was in second place with 18% of breaches, while the healthcare sector was third, being involved in 16% of data breaches.
Data Breach Prevention – Improve Protection Against Malware
The prevention of cyberattacks requires multi-layered security systems, although in the majority of cases data breaches were found to be the result of a failure to update software and apply patches. The security vulnerabilities that were exploited by hackers or used to install malware had been discovered and patched. In the majority of cases, patches had existed for over a year but had not been installed.
Malware is commonly used as a way of gaining access to computer systems used to store valuable consumer data. Malware is often delivered via spam email campaigns. A robust and powerful anti-spam solution should be implemented to catch malicious emails and prevent them from being delivered to user inboxes.
If staff are also trained to identify malware and potentially harmful emails and attachments, a great many malware infections can be prevented. However, email is not the only malware delivery mechanism. Cybercriminals are increasingly using exploit kits to probe for security weaknesses in browsers and browser plugins. Those vulnerabilities can be exploited and used to download malware without any user interaction.
These infections are referred to as drive-by attacks, and they can occur if a user can be directed to a malicious website or a site that has been compromised by cybercriminals.
Third party advertising networks can contain adverts with malicious links that direct visitors to sites where drive-by attacks can take place. Those adverts can appear on legitimate websites. Even some of the biggest sites on the Internet have been discovered to display malvertising. These threats must be dealt with to prevent data breaches from occurring.
Protecting against malware delivery via the Internet requires a different solution: a web filter.
Protect End Users from Web-Borne Malware Threats with WebTitan
WebTitan offers a range of web filtering solutions for the enterprise to protect end users from web-borne threats such as malware, ransomware, viruses, Trojans, and memory-resident malware threats. Solutions have also been developed to keep Wi-Fi networks and hotspots free from malware.
By implementing a web filtering solution, end users can be prevented from visiting websites known to contain malware and from engaging in risky online behavior. By restricting access to potentially dangerous websites, the risk of a malware or ransomware infection can be greatly reduced.
For further information on the benefits of WebTitan’s web filtering solutions contact the Sales team today:
Kaspersky Lab has recently discovered the extent to which a remote access Trojan is being used by cybercriminals, highlighting the security risk from Java Runtime Environment.
Kaspersky Lab discovered that the Adwind remote access Trojan (RAT), first discovered in 2012, is being used extensively by cybercriminals to conduct attacks on businesses. The RAT is frequently tweaked to avoid detection, with numerous variants currently in use in the wild. The RAT has many names in addition to Adwind; Alien Spy, JSocket, jRat, and Sockrat are just a few of the names of the Adwind malware variants.
The Java-based RAT is now being rented out to criminal gangs to allow them to conduct their opportunistic attacks on companies and individuals, sometimes for as little as $25. Kaspersky Lab estimates that the number of criminals now using the malware has risen to around 1,800. The malware is estimated to be raking in around $200,000 a year for the authors. To date, it is estimated that the RAT has been used to attack as many as 440,000 users.
The frequency of attacks is also increasing. In the past 6 months, around 68,000 new infections have been discovered.
Have You Effectively Managed the Security Risk from Java Runtime Environment?
The latest variant is known as JSocket. The malware is believed to have first appeared in the summer of 2015 and is still being extensively used. The RAT is most commonly spread by phishing campaigns, with users fooled into running the Java file, which installs the Trojan. While the RAT is primarily distributed by large-scale email spam campaigns, some evidence has been uncovered to suggest it is being used as part of targeted attacks on individuals and organizations.
This is a cross-platform malware that can be used on Windows, Linux, Android, and Mac OS systems. It serves as a backdoor allowing cybercriminals to gain access to the system on which it is installed, effectively allowing them to take control of devices, gather data, log keystrokes, and exfiltrate data. It is also capable of moving laterally. It is written entirely in Java and can be used to attack any system that supports the Java Runtime Environment.
The security risk from Java Runtime Environment is considerable. Kaspersky Lab recommends that all organizations review their use of JRE and disable it whenever possible.
Unfortunately, many businesses use Java-based applications, and disabling or uninstalling JRE is likely to cause problems. However, it is essential to manage the security risk from Java Runtime Environment to prevent infections from Adwind and its variants.
If there is no need for JRE to be installed on computers, it should be removed. It represents an unnecessary risk that could result in a business network being compromised.
If it is not possible to disable JRE, it is possible to protect computers from Adwind/JSocket. Since this malware is commonly sent out as a Java archive file, the code can be prevented from running by changing the program used to open JAR files.
Have you managed the security risk from Java Runtime Environment? Is JRE unnecessarily installed on computers used to access your network?
Employee security training is an essential part of an organization’s defense against cyberattacks, yet many CISOs and CSOs are not conducting regular training. In fact, according to a survey conducted last year on behalf of ClubCISO, one in five CISOs (21%) said they had never given security training to their staff.
This could indicate overreliance on technological security measures to prevent cyberattacks, such as firewalls, anti-virus and anti-malware software, anti-spam filters, and web filters. Organizations may have confidence in their policies and procedures. CISOs may even believe that their organization is unlikely to be attacked. Regardless of the reason, a lack of training leaves a gaping hole in security defenses.
Employee Security Training Is A Cost-Effective Way of Improving Security Posture
IT departments are well aware that employees are a weak link in the security chain and can all too easily undo all the good work done to keep data and networks secure. All it takes is for one employee to open a Word document and enable malicious macros, visit a compromised website, or inadvertently download malware for a network to be compromised.
If you want to improve your security posture, one of the easiest and most cost-effective ways to protect your network is training employees how to identify security risks. CISOs, CSOs, and IT staff may be well aware that opening an email attachment from someone they don’t know is risky. Not all employees will be so security-minded and may not appreciate the risk they are taking by opening an email attachment or visiting a link sent to them via email. Failing to train employees on these security basics is like leaving your front door unlocked when you go on vacation. Staff also need to be trained for email compliance regulations. A little training can go a very long way.
Employee Security Training Should Not Be A One-Time Event
Many organizations realize that training is important, yet still only conduct security training sessions once a year. Security training may only be given to new recruits when they join a company. The ClubCISO survey revealed that one in five employers only provided training to new employees, and 37% carried out training just once a year. Only 21% said they conducted regular security training sessions.
Furthermore, when training was provided, more than half of organizations had no idea about how effective their training had been. Training was given in a checkbox fashion in order to meet industry security regulations. Once provided, documents could be signed by employees to confirm that training had been provided, which would be sufficient if ever the organization was audited by industry regulators. However, it may not be sufficient to prevent a successful cyberattack. Employee security training is not a one-time event. It should be provided in regular training sessions, knowledge should be tested, and a security culture should be developed.
Getting Staff Cybersecurity Training Right
It is all too easy to purchase a new security product and hope that it is 100% effective and will prevent a cyberattack from being successful, but no system is infallible. Cybersecurity defenses must be multi-layered, and end users must be part of any defense strategy. After all, cybercriminals will target end users as they offer an easy entry point into a corporate network.
Employee security training is not something that is enjoyed by the staff, and many employees would prefer not to have to undergo training. Many employees don’t concentrate and forget their training almost immediately. Conducting a training session is therefore not sufficient by itself. Online security training is similarly unlikely to be particularly effective if the staff is not then tested on their new knowledge of security.
It is therefore important to make employee security training a regular exercise and to follow up training with testing to ensure that it is taken more seriously. Consider rewarding employees for taking part in training exercises. Make sure employees are given support, and if a test is failed, such as a phishing exercise, ensure that employees who need further training are given extra help.
Employee security training is not just something that is beneficial to employers. Employees also benefit. They can use training to keep their own online activities secure outside of the office, or can use training to protect their children when they go online. Explain the relevance and inform employees that the skills they learn can help to keep them safe outside work.
Get the Board to Back Security Training Efforts
All too often there is a lack of awareness of the level of risk faced by organizations at the board level. Employee security training may be considered to be an unnecessary use of time and resources. Without board buy-in, CISOs are likely to face an uphill battle.
Employee security training will require support from the board, and for that to happen it may be necessary for CISOs to explain the relevance and importance of employee security training. If you feel that your board does not appreciate the benefits, send the board members a dummy phishing email. If they click the link or open a bogus attachment, it may help them to understand the high risk of employees doing the same. Without buy-in from the board it will be difficult to develop a worthwhile and effective training program.
With the current threat from malware, ransomware, phishing, and hacking, it is essential to take action to defend all attack surfaces. Since employees are often the weakest link in the security chain, they are a great place to start to improve overall security posture.
2014 was a bad year for IT security professionals, and thanks to some large scale cyberattacks, 2015 was not much better. However, what does 2016 have in store? What will be the biggest 2016 security threats? Some predictions for the coming year are listed below:
2016 Security Threats: What does the coming year have in store?
What is abundantly clear is that 2016 security threats will increase in number. The cyberattack surface is growing with more devices and device types to attack than ever before. Cybersecurity budgets may have been increased for 2016, but funding has not been increased by nearly enough for many IT departments. Tackling the biggest 2016 security threats will be a big ask, and vulnerabilities will remain that can be exploited.
Phishing will continue to be an effective attack option
Enterprise cybersecurity defenses are becoming more sophisticated, passwords are becoming more secure, and two-factor authentication is becoming the norm. It is certainly now harder for cybercriminals to successfully attack many companies. Unfortunately end users are still a major weak point that cybercriminals will continue to exploit. Many major cyberattacks in 2015 had their roots in phishing attacks and the attacks are expected to continue in 2016.
Unless staff members receive training on how to identify phishing emails and spot malicious websites, they are likely to fall for phishing scams. Major data breaches are likely to be discovered in 2016 that have been made possible due to phishing schemes.
IoT device hacks a growing cause for concern
If you thought that the hacking of IoT devices was something to be dealt with next year or later, you may end up regretting not securing your devices sooner. It may not be time to worry about your refrigerator being hacked, but as was demonstrated quite clearly in 2015, IoT hacks are not a future problem. They are a clear and present danger. Valasek and Miller’s successful hacking of a Jeep Cherokee proved that. Medical devices are also high up the list of potential targets, and could be used as an easy entry point into healthcare networks. Hacks of IoT devices are likely to start in earnest in 2016.
Difficult-to-Detect attacks will increase
Traditional malware will continue to pose a major threat to consumers and businesses, but difficult-to-detect attacks are on the increase. Memory-resident and other fileless malware attacks will increase in prevalence in 2016. As security software gets better at identifying malicious software, cybercriminals will take advantage of security vulnerabilities in BIOS, firmware, and drivers. These attacks are difficult to detect, but are fortunately also difficult to execute. Until memory scanning technology is implemented by the majority of organizations, these attacks are likely to proliferate.
Apple Devices to be targeted
As Apple’s market share increases, attacking Apple devices will become more profitable. With Apple now having a 13.5 percent share of global smartphone sales and 7.5 percent of the desktop market, the devices are likely to be attacked with increasing regularity.
While the devices were previously considered to be secure, new iOS and OS X malware has been discovered. That malware doesn’t just pose a risk for users of jail-broken devices. In 2015, XcodeGhost found its way into the Apple App Store, and this is unlikely to be the last malware to target the Apple devices. Further Masque attacks can also be expected in 2016. Apple device owners may have a rude awakening in 2016 if they remain complacent about security.
Card-Not-Present (CNP) Fraud to Increase
Thanks to the introduction of new payment technologies, it is becoming harder for criminals to conduct point-of-sale attacks, but the data stored by retailers is still not well protected. Cyberattacks on retailers will concentrate on obtaining data for digital fraud, and an increase in card-not-present (CNP) fraud can be expected. In the EU, CNP fraud rose by 21% last year and faster growth is expected in 2016.
Healthcare industry will continue to be targeted
At the end of 2014, many security experts predicted that 2015 would be a rough year for the healthcare industry, but few could have imagined how rough it would get and how quickly cyberattacks would occur. It didn’t take long. Within two months, two healthcare hacking incidents were reported that made previous data breaches look tiny by comparison. The attack on Premera BlueCross exposed a whopping 11 million healthcare records, but even that was tiny compared to the 78.8 million records exposed in the hack of Anthem Inc. Over 113 million healthcare records were exposed or stolen in 2015.
In 2016, the healthcare industry is likely to continue to be targeted by hackers. The data they store is of high value and security defenses are still relatively poor.
The rise in popularity of Macs, MacBooks, and iPhones has seen even more consumers make the switch from desktops and Android phones. As the number of Apple users grows, so too will the threat from malware. While previously thought of as totally secure, Apple devices have now been attacked and those attacks are likely to continue. Some security experts are now predicting an OS X and iOS malware boom in 2016, as hackers and cybercriminals attempt to tap into Apple's user base.
Hackers have previously concentrated on Windows due to the sheer number of users using the operating system. It is more profitable to attack a system that virtually everyone uses rather than a system used by relatively few individuals.
Apple devices are more secure than their Windows-based counterparts, although in recent months a number of chinks have been found in Apple's armor. Hackers are expected to take advantage with increasing frequency over the course of the next 12 months.
One of the ways that cybercriminals have started to attack Apple users is via malicious apps that have been sneaked into the Apple App Store. The Masque attack in 2014 replaced legitimate apps with malicious versions, and other methods have been developed that have allowed hackers to sneak malicious programs onto users' devices.
First iOS Malware Discovered in the Wild in 2015
iOS malware may be less common than malware designed to attack Windows, but we have already seen a major increase in malicious programs designed to attack Apple devices. OS X malware has increased nine-fold over the course of the past year according to Symantec, and in October the first iOS malware – YiSpecter – that was capable of attacking non-jailbroken devices was discovered. This iOS malware implements malicious functionalities in iOS and is capable of downloading, installing, and launching malicious apps, displaying adverts, and uploading user data to remote servers. The iOS malware attack mostly affected users in Taiwan and China, but attacks such as this are expected to take place worldwide in 2016.
A fix for this iOS malware was rapidly issued by Apple, and the latest versions of the operating system are now immune to YiSpecter attacks. However, this is just the first of a number of new iOS malware strains that can be expected over the next few months.
Apple Pay is also expected to be targeted in 2016. The payment system was unveiled in 2014 amid claims that it was immune from attack and could not be used to commit fraud, yet only a few months later it was discovered that Apple Pay was being used to commit fraud. Accounts could be used with stolen credit card numbers and purchases made using iPhones.
Apple users are still less likely to be targeted by hackers than Windows users, but the devices are far from immune from attack. As more users make the switch to Apple and its market share increases, hackers are likely to respond and start targeting Apple software with increasing regularity and iOS malware will increase.
Criminals are using a new tactic to con money out of small to medium-sized businesses and startups: insider phishing scams that convince accounts department executives to make fraudulent bank transfers. The insider phishing scams are highly convincing, and a number of company executives have already fallen for them. Thousands of pounds have already been transferred into the bank accounts of criminals. By the time the fraudulent bank transfers are discovered, the money is long gone and cannot be recovered.
Insider phishing scams are targeting specific individuals in the accounts department
A number of similar insider phishing scams have been seen in recent months. Workers are sent an email purporting to come from their boss, asking them to transfer money from their personal account to help cover an essential bill. These scams tend to work on small businesses that are likely to experience cashflow difficulties.
Employees fall for the scams and make the transfers as they are fearful of their employer and want to appear keen and willing to help. The latest insider phishing scams appear to be much more targeted. Criminals already know the names of the individuals working in the accounts department and are targeting the person most likely to respond.
These people are sent an email from their boss, are referred to by name, and the email address used to send the message appears, at first glance at least, to be genuine.
A brief message is sent asking for a transfer of several thousand pounds to be made, and the bank account and sort code information are provided in the email. The victim is informed that their boss will send them further information to allow the payment to be entered into the company accounts. The victim is also asked to send an email back confirming when the transfer has been made.
The scam is clever. By asking for a confirmation, the victim will most likely reply to the same email and not follow up for a couple of days or so. By that time the transfer will have cleared, the money taken out of the criminal’s account, and it will not be possible to recall the funds.
Fake domain names being registered to conduct insider phishing scams
If an email was sent from an email address with a non-company domain it would be unlikely to result in a bank transfer being made. Even a busy accounts department executive would check who sent the email before making a transfer of £20,000. To get around this problem, criminals are registering a very similar domain name to that used by the target company.
Typically, the domain name used will be virtually identical to the one used by the company, with one minor change: one character will be replaced with another. The most effective way to do this is to replace an L with an i, or a 1 with a lower case L, or vice versa. The different domain name is then unlikely to be noticed. Instead of “Littlewoods”, the domain “Litt1ewoods” or “Littiewoods” would be used.
The success of these insider phishing scams relies on the email being as genuine as possible. The email must also be sent to the right account executive. If the request appears unusual – being sent to a person who would not typically make a bank transfer for example – it would appear suspicious and would likely be questioned.
After the domain name has been purchased, the format of the company’s email addresses must be discovered, along with the names of the chief executive and the company’s financial controller. Only then can the criminal behind the campaign send the scam email.
The victims are therefore researched beforehand. The correct individual is identified and they – and they alone – are sent the transfer request. It has been hypothesized that the reason these insider phishing scams are being conducted on tech companies is they are more likely to be easy to research.
There have been numerous reports of these insider phishing scams being conducted in recent weeks. Some individuals have fallen for the scams and have made large transfers to the criminal’s account as requested.
How to protect against insider phishing scams
It is essential that all staff members are warned about these insider phishing scams and told to be vigilant. Protecting against these attacks must start at the top. Email requests to make transfers may be convenient, but employers must set up policies that require accounts executives to verify the request, by telephone, before they are made.
A few years ago, spam emails were very easy to spot. They were sent out in bulk, contained numerous typos and grammatical errors, and on the whole were very easy to identify as being fake. That is no longer the case. Scammers are now taking time to develop highly convincing campaigns to fool specific individuals into revealing personal information or making large bank transfers. The effort put into these campaigns pays off: the criminals are much more likely to get the victim to take the required action.
In addition to instilling a security aware culture in an organization, one of the best protections is to purchase a robust spam filtering solution. An email sent from a domain closely matching the company’s own domain name would be caught by the spam filter and directed to the email quarantine folder. Training is good, but preventing insider phishing emails from being delivered is a much more reliable method of stopping employees from falling for these phishing scams.
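The lookalike-domain check described above (the character swaps in the domain name section, and the spam filter catching a closely matching domain in this section) can be demonstrated in a few lines of Python. This is an added illustration, not TitanHQ's own filter logic; the company domain list and the sample From: headers are constructed for the example. It goes slightly beyond the page's L/i/1 swaps by also folding other common confusable characters and catching one-character typo domains.

```python
"""Lookalike sender-domain check of the kind a spam filter applies to the
scam described above. Added illustration, not TitanHQ's own filter logic;
the company domain list and the sample From: headers are constructed."""
from email.utils import parseaddr

# Visually confusable characters folded onto one canonical letter, so that a
# digit 1 or lower-case i standing in for a lower-case L no longer differs.
# Deliberately aggressive: it is only ever compared against the short list of
# the company's own domains, so false positives stay rare.
CONFUSABLE = {"1": "l", "i": "l", "|": "l", "0": "o", "5": "s", "3": "e", "4": "a"}


def skeleton(domain: str) -> str:
    """Collapse a domain to the shape a reader perceives at a glance."""
    d = domain.lower().strip()
    d = d.replace("rn", "m")            # 'rn' renders much like 'm'
    return "".join(CONFUSABLE.get(ch, ch) for ch in d)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, to catch one-character typos that are not confusables."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: header such as 'CEO <ceo@example.com>'."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def classify_sender(from_header: str, company_domains) -> str:
    """Return 'legitimate', 'lookalike' or 'external' for a From: header."""
    domain = sender_domain(from_header)
    if not domain:
        return "external"
    goods = [d.lower() for d in company_domains]
    for good in goods:
        if domain == good or domain.endswith("." + good):
            return "legitimate"
    for good in goods:
        if skeleton(domain) == skeleton(good) or levenshtein(domain, good) <= 1:
            return "lookalike"
    return "external"


if __name__ == "__main__":
    company = ["littlewoods.com"]        # constructed for the example
    samples = [                          # constructed From: headers
        "Finance Director <fd@littlewoods.com>",
        "Chief Executive <ceo@litt1ewoods.com>",
        "Chief Executive <ceo@littiewoods.com>",
        "Chief Executive <ceo@littlewoods.co>",
        "Supplier <billing@supplier-example.net>",
    ]
    for s in samples:
        print(f"{classify_sender(s, company):10s} {s}")
```

A message classified as "lookalike" is the one the filter should quarantine: it is not from the company, yet it resembles the company's own domain closely enough that a busy reader would not notice. Genuinely external suppliers and customers are left alone, which is why the confusable map can afford to be aggressive.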
Mississippi Attorney General Jim Hood has issued a warning to state residents to be extra vigilant after receiving a convincing Google account phishing email.
The latest Google account phishing scam attempts to fool users into revealing their passwords by warning them that they need to review the terms and conditions of their account. The email claims Google requires this because of changes to government regulations, and that users must check the new T&Cs in order to remain compliant.
A link to do this was supplied in the email. Clicking the link directed users to a page that appeared to be from Google; however, this was part of the scam. Users were presented with what looked like a standard Google login page and asked to log in, but when they did, their credentials were recorded and sent to a hacker.
While this scam appeared convincing, there was a tell-tale sign that the request was not genuine. The request to enter account details contained a spelling error in the word “account.” This is not an error that Google would make.
Google Account Phishing Email Scams
Google account phishing email scams are being conducted with increasing frequency. Two other Google account scams were spotted in the summer and are still being used by criminals to gain access to users’ email accounts.
Gmail Phishing Scam
This scam is not new. It was first discovered by Symantec early last year but it is still active. A new batch of spam emails was sent to Gmail account holders over the summer, which fooled many people into revealing their Gmail passwords.
Gmail offers anti-spam protection, although hackers were able to bypass the controls. The emails appeared to have been sent by Gmail administrators. The messages contained a link to a Google Drive document. Clicking the URL directed users to the document, but they needed to enter their login credentials to view it. Users entered their information and were able to view the document; however, what they would not have realized is they had also just compromised their accounts.
In this case, the link they were sent in the email directed them to a folder on Google Drive that had a preview page. The preview page looked like a standard Google login prompt. When the users entered their details, the login credentials were recorded by a PHP script and the data was sent to the hacker’s command and control center located in the United Arab Emirates. That attack was made possible as the hackers were able to fake Google’s SSL encryption. The faked SSL encryption was sufficient to bypass the anti-spam controls and fooled users into revealing their login credentials by exploiting their trust in Google.
The Gmail password recovery feature is being exploited by hackers using social engineering techniques to get users to provide access to their Gmail accounts. This Google account phishing email scam also exploits users’ trust in Google.
Provided an attacker knows the mobile phone number of a victim as well as their email address, they are able to attempt this scam.
It starts with the attacker using the password recovery feature on Gmail to resend a user’s password. The attacker enters the victim’s email address and opts to have the second step of the authentication process send an SMS to the user’s phone.
The user is sent a verification code to their mobile phone, which is closely followed by a text from the attacker. The attacker claims to be from the Google account management team and asks for the activation code. Since the attacker already has the email address, he or she can then use the code to complete the password reset. Only the attacker will then be able to access the user’s Gmail account.
SMB ransomware infections can be time-consuming, expensive, or catastrophic. Which category an infection falls into will, to a large extent, depend on how you have prepared. If you run an SMB, ransomware protection is essential.
Ransomware protection is no longer an option, it is a necessity
It may not simply be a case of paying a ransom to recover your data. Data may be permanently lost. There is no guarantee that a security key will work, or will even be provided if a ransom is paid.
Unfortunately, ransomware is here to stay. Criminals have found it to be one of the best methods of obtaining untraceable money from victims. Ransoms are paid in Bitcoin – or via other anonymous payment systems – and infecting computers is exceptionally easy in many cases.
Ransomware will continue to be used as long as it proves profitable for cybercriminals. The profits from Cryptowall infections alone are estimated to be in the region of $325 million (£215 million) and the ransomware was only developed and released in September 2013. With such high profits, ransomware is here to stay – so businesses need to get prepared.
Importance of ransomware protection highlighted by Power Worm variant
Infected with ransomware? It’s not the end of the world, you could just pay the ransom. Unfortunately, that does not necessarily mean you will get your data back. Take the latest Power Worm variant for example.
Not all hackers diligently prepare their malware. Sometimes mistakes are made. The latest variant of Power Worm is a good example. The developers of the ransomware attempted to make decryption a more straightforward process, but made a critical error. The Power Worm variant they created encrypts files, but deletes the security keys to unlock them.
Even if a ransom is paid, data will not be unlocked. An infection will mean data will be permanently and irrevocably encrypted. This has not stopped the users of the ransomware from asking for a payment of 2 Bitcoin to decrypt the data. It just prevents them from making good on their promise.
There is never any guarantee that a security key will be provided even if a ransom is paid but, with this infection, it is simply not possible. This latest ransomware highlights the importance of implementing ransomware protection strategies to deal with infections when they occur. If you don’t, it could spell total disaster.
Ransomware protection strategies
Ransomware is spread via spam email and social media networks, and exploit kits are now also being used to infect computers by taking advantage of security vulnerabilities. Fortunately, there are a number of ways you can protect against a malware infection.
Regularly back up your data on a separate device
A ransomware infection need not spell disaster, even if the criminal behind the infection does not unlock your data. If you have a backup, an infection is a pain, but you can recover your data.
Install a robust spam filter
Ransomware is often spread via infected email attachments. Configure your spam filter to block executable files, and you can prevent malicious email attachments from being delivered to users’ inboxes.
Show hidden file extensions
Windows often hides known file extensions. Criminals take advantage of this. If they name an executable file report.pdf.exe, when Windows hides the extension, it will appear as report.pdf. Users may inadvertently open an executable file believing it to be harmless. Make sure file extensions are shown to reduce the chance of accidental infections.
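The two checks above (blocking executable attachments at the spam filter, and not being fooled by a name like report.pdf.exe) can be expressed as a small attachment-screening routine. This is an added illustration in Python, not TitanHQ's product logic; the extension lists and the sample attachments are constructed for the example. It also goes one step beyond the text by checking the file's leading bytes, so an executable renamed to a harmless extension is still caught.

```python
"""Attachment screening of the kind the recommendations above describe:
block executable attachment types outright, treat a document extension
followed by an executable one (report.pdf.exe) as a disguise, and check the
real content by file signature. Added illustration, not TitanHQ's product
logic; extension lists and sample attachments are constructed."""

# File types Windows runs directly when double-clicked (constructed, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs",
                   ".js", ".jse", ".wsf", ".hta", ".msi", ".ps1"}
# Harmless-looking extensions a scammer places in front of an executable one.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
# Leading bytes that identify the real content regardless of the file name.
SIGNATURES = {b"MZ": "windows-executable", b"%PDF": "pdf", b"PK\x03\x04": "zip"}


def sniff(data: bytes) -> str:
    """Identify content by its leading bytes; 'unknown' if no signature matches."""
    for sig, kind in SIGNATURES.items():
        if data.startswith(sig):
            return kind
    return "unknown"


def extensions(filename: str) -> list:
    """All dotted suffixes of a name, lower-cased, e.g. ['.pdf', '.exe'].
    Trailing dots and spaces are stripped because Windows discards them when
    saving a file, so 'report.pdf.exe ' still ends up as an executable."""
    name = filename.lower().strip().rstrip(". ")
    parts = name.split(".")
    return ["." + p for p in parts[1:]]


def screen_attachment(filename: str, data: bytes):
    """Return (verdict, reason) where verdict is 'block' or 'allow'."""
    exts = extensions(filename)
    last = exts[-1] if exts else ""
    if last in EXECUTABLE_EXTS:
        if len(exts) >= 2 and exts[-2] in DECOY_EXTS:
            return "block", f"double extension: executable disguised as {exts[-2]}"
        return "block", f"executable attachment type {last}"
    kind = sniff(data)
    if kind == "windows-executable":
        return "block", f"content is a Windows executable despite name {filename!r}"
    return "allow", f"{last or 'no extension'} attachment, content {kind}"


if __name__ == "__main__":
    # Constructed sample attachments: (name, first bytes of content)
    samples = [
        ("invoice.pdf", b"%PDF-1.4 ..."),
        ("report.pdf.exe", b"MZ\x90\x00..."),
        ("report.pdf.exe ", b"MZ\x90\x00..."),
        ("holiday.scr", b"MZ\x90\x00..."),
        ("notes.txt", b"MZ\x90\x00..."),
        ("photo.jpg", b"\xff\xd8\xff\xe0..."),
    ]
    for name, data in samples:
        verdict, reason = screen_attachment(name, data)
        print(f"{verdict:5s} {name!r}: {reason}")
```

The name-based rules are what the page recommends; the signature check is the safety net for the case the name lies outright. Neither replaces an anti-virus scan of the attachment body, but both are cheap enough to run on every message before it reaches an inbox.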
Make sure Remote Desktop Protocol (RDP) is disabled
You may use RDP to provide support to end users on your network, but hackers can exploit RDP to gain access to devices and install malware without any user interaction. If you do not use RDP, or can get away without using it, make sure that it is disabled on all internet-enabled devices.
Make sure browsers are kept up to date and patches installed
Exploit kits probe browsers for security vulnerabilities that can be exploited. It is therefore essential that the latest versions of web browsers are always installed, and that patches and updates are applied as soon as they are made available.
Install web filtering software
Ransomware is often installed using drive-by attacks. Malicious websites are not always easy to identify, but the sites can be blocked if web filtering software is employed. Stop end users from visiting malicious websites and you will greatly reduce the risk of ransomware being installed.