Globally, cybercrime caused €83bn of damage. This presentation looks at the dangers and the measures you can take to stay safe. To view the webcast click here: https://www.brighttalk.com/webcast/6331/90937
3. Agenda today
1. Cybercrime cost in numbers
2. Attack types and targets
3. Vulnerabilities
4. Insiders
5. Phishing and Ransomware
6. Watering holes and different attack tactics
7. Conclusion and resources
4. The global price tag of consumer cybercrime
€83 BN, which is enough to host the 2012 London Olympics nearly 10 times over
Breakdown of the cost: Fraud 38%, Repairs 24%, Theft or loss 21%, Other 17%
€220 average cost per victim, a 50% increase over 2012
5. The global price tag of consumer cybercrime
[Map: direct cost of consumer cybercrime by country and region, all amounts in euro. Countries shown: Russia, USA, Europe, China, Mexico, India, Japan, Brazil, Australia, South Africa.]
6. Different motives – Different attacks
Motives: Hacktivism, Money
Attack types: DDoS, Banking Trojan, Defacement, Extortion, SQL Injection, Scam, Espionage/Sabotage
12. Top Targeted Countries Per Financial Trojan Family Count
[Chart: bars show Population x Wealth per Capita per country (left axis, $0 to $50,000 billions); the line shows Trojan Family Count (right axis, 0 to 7) with a linear trendline.]
14. Financial Trojans - Profile of Countries
• Preferred targets: developed country, sizeable wealthy population
• Fewer banks means less variation needed by the attacker

Country          Banks  Population  Wealth Per Capita  Number of Threats
United Kingdom      52    62262000             128959                  6
Germany           1873    81857000              89871                  5
Austria            752     8452835              66639                  5
Netherlands        277    16751323             120086                  5
Italy              729    60849247             119704                  4
France             644    65350000              93729                  4
Spain              322    46163116              92253                  4
Ireland            472     4588252              89327                  3
Finland            313     5424360              38754                  2
Portugal           154    10561614              53357                  2
Lithuania          141     3180394              22126                  2
Cyprus             137      838897              99526                  2
Malta               27      417617              75694                  1
Estonia             16     1294236              26361                  1
Belgium            107    10839905              85818                  0
Slovakia            29     5445324              23968                  0
Slovenia            25     2061400              36672                  0

Number of threats found in EU countries
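As an added example (not part of the Symantec deck or its notes), the script below takes the table above, recomputes the slide's Population x Wealth per Capita proxy, fits the same least-squares trendline to the number of Trojan families, and lists the countries that are targeted less than the trend predicts. Belgium, which the speaker attributes to smart card readers and out-of-band transaction verification, comes out as the largest negative outlier; the cut-off of one family below trend is an assumption of the example.

```python
"""Added example (not from the Symantec deck): reproduce the slide's
"Population x Wealth per Capita" proxy and its least-squares trendline,
then flag countries that host fewer financial Trojan families than the
trend predicts. Assumed cut-off: one family below trend."""

# (country, banks, population, wealth per capita in USD, Trojan families)
# Values copied from the slide table above.
COUNTRIES = [
    ("United Kingdom", 52, 62262000, 128959, 6),
    ("Germany", 1873, 81857000, 89871, 5),
    ("Austria", 752, 8452835, 66639, 5),
    ("Netherlands", 277, 16751323, 120086, 5),
    ("Italy", 729, 60849247, 119704, 4),
    ("France", 644, 65350000, 93729, 4),
    ("Spain", 322, 46163116, 92253, 4),
    ("Ireland", 472, 4588252, 89327, 3),
    ("Finland", 313, 5424360, 38754, 2),
    ("Portugal", 154, 10561614, 53357, 2),
    ("Lithuania", 141, 3180394, 22126, 2),
    ("Cyprus", 137, 838897, 99526, 2),
    ("Malta", 27, 417617, 75694, 1),
    ("Estonia", 16, 1294236, 26361, 1),
    ("Belgium", 107, 10839905, 85818, 0),
    ("Slovakia", 29, 5445324, 23968, 0),
    ("Slovenia", 25, 2061400, 36672, 0),
]


def proxy_billions(population, wealth_per_capita):
    """The slide's x axis: population times wealth per capita, in USD billions."""
    return population * wealth_per_capita / 1e9


def fit_line(xs, ys):
    """Ordinary least squares y = intercept + slope * x (Excel's 'Linear' trendline)."""
    n = len(xs)
    mean_x = sum(xs) / n
    mean_y = sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    slope = sxy / sxx
    return mean_y - slope * mean_x, slope


def residuals(rows=COUNTRIES):
    """Per country: (proxy in USD bn, observed families, trend prediction, residual)."""
    xs = [proxy_billions(r[2], r[3]) for r in rows]
    ys = [r[4] for r in rows]
    intercept, slope = fit_line(xs, ys)
    result = {}
    for row, x in zip(rows, xs):
        predicted = intercept + slope * x
        result[row[0]] = (round(x, 1), row[4], round(predicted, 2), round(row[4] - predicted, 2))
    return result


def under_targeted(rows=COUNTRIES, threshold=1.0):
    """Countries with at least `threshold` fewer families than the trend predicts,
    most under-targeted first. A large gap hints at controls that deter attackers."""
    flagged = [(name, r[3]) for name, r in residuals(rows).items() if r[3] <= -threshold]
    return sorted(flagged, key=lambda item: item[1])


if __name__ == "__main__":
    for name, (proxy, seen, expected, gap) in residuals().items():
        print(f"{name:15s} proxy={proxy:8.1f}bn families={seen} trend={expected:.2f} gap={gap:+.2f}")
    print("Below trend:", under_targeted())
```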
25. Our Websites are Being Used Against Us
61% of web sites serving malware are legitimate sites
53% of legitimate websites have unpatched vulnerabilities
25% have critical vulnerabilities unpatched
27. Malicious Insiders could pose the greatest risk
Who are they?
1. The disgruntled employee
2. The profit-seeking employee
3. A soon to depart employee
4. The one who owns the code
28. Malicious Insiders could pose the greatest risk
Considerations
• Know your people
• Focus on deterrence, not detection
• Identify information that is most likely to be valuable
• Monitor ingress and egress
• Baseline normal activity
34. Phishing (Brand impersonation)
Criminals use well-known brands to trick people into disclosing information or installing malware.
• 79% of companies experienced one or more Web-borne attacks in 2012, and 55 percent were affected by phishing attacks.*
• 20% more brands were targeted by attackers in the first half of 2013
• 30% of people will still open a suspicious email
*Webroot/Qualittics Research 2012
35. Ransomware
• Anti-Fraud Service for Fraudsters
• Multiple Pricing options
• “FBI” Ransomware
– Now offers optional extras
– Authors resort to disturbing images in bid to make victims pay
• Cryptolocker
– Continues to cause problems
– Roughly 25 per cent of computers are not running any real-time protection vs. malware
– Encrypts files with full PKI encryption and sets a deadline
– Offers a discount? 2 → 0.5 Bitcoins
37. Ransomware is ever present
• New variants encrypt data with strong cryptography
• Making an appearance on mobile devices
• Problem: People don’t back-up their data!
[Chart: Percentage of Ransomware infections in the Netherlands, January to August (y axis 0.00% to 5.00%).]
38. Targeted Attacks can come via partners, customers or suppliers
Everyone is a target now.
39. Top targeted sectors in 2013
[Chart: share of targeted attacks by sector, July-Dec 2012 vs Jan-June 2013 (scale 0 to 0.3). Sectors: Government / Public Sector / Academia; Manufacturing; Banking / Financial Services / Real Estate; Computer/IT; Energy; Services; Food/Agriculture; Transport/Logistic; Raw Material / Mining / Chemical; Wholesales / Distributor.]
40. Targeted Attacks by Company Size
Half of targeted attacks hit companies with 2,501+ employees, half hit companies with 1 to 2,500 employees.
Share by number of employees:
2,501+: 50%
1,501 to 2,500: 9%
1,001 to 1,500: 2%
501 to 1,000: 3%
251 to 500: 5%
1 to 250: 31% (18% in 2011)
Greatest growth in 2012 is at companies with <250 employees
Small business often not well protected, but connected to others
41. Targeted Attacks by Company Size
(Same chart as the previous slide.)
87% of SMBs suffered a cyberattack last year, only 44% see security as a priority
42. Targeted Attacks by Job Function
R&D 27%, Sales 24%, C-Level 17%, Shared Mailbox 13%, Senior 12%, Recruitment 4%, Media 3%, PA 1%
Attacks may start with the ultimate target, but often look opportunistically for any entry into a company
44. Spear Phishing vs. Watering Hole Attack
Spear Phishing: send an email to a person of interest
Watering Hole Attack: infect a website and lie in wait for them
Targeted Attacks predominantly start as spear phishing attacks
In 2012, Watering Hole Attacks emerged
45. Effectiveness of Watering Hole Attacks
One Watering Hole Attack in 2012 infected 500 companies, all within 24 hours
Watering Hole attacks are targeted at specific groups
Can capture a large number of victims in a very short time
46. Watering Hole Targeted iOS Developers
In 2013 this type of attack will become widely used
Several high profile companies fell victim to just such an attack
47. Using the Phone to back up a Phishing Attack
• What can attackers do to improve the success rate of a phishing email?
• On 11 April 2013, an employee in an “Organisation A” in France received a phone call
• French speaking caller urges her to download an invoice from a link she will receive through email
• Link doesn’t go to an invoice but instead installs a version of W32.Shadesrat, a well-known Remote Access Trojan
• Suspicious, the employee shuts down the machine 15 minutes later and contacts the CISO
48. The Motive – Financially Driven
• Targets accountants or finance department employees
• These targets may have access to…
– Sensitive commercial information
– Authority to carry out financial transactions
– Information that could facilitate future attacks: email addresses, phone numbers, invoices, account numbers
49. The potential attack space is growing...
Internet of things, Wearables (glasses), Password theft, Targeted attacks, Ransom Trojans, 419 scams, Bitcoin, SQL injection, Social media, Financial Trojans, Privacy, Cloud, SCADA attacks, DDoS attacks, WLAN hotspot, Cyberwarfare, Browser attacks, Auction scams, Mobile threats, Smart cars, Smart homes/TVs
51. Addressing Cyber Risk
Risk areas: Visibility of Risk, Risk Awareness, Technical Controls, Insider Abuse, Commodity Malware, Procedural Controls, Coordinated Attacks (APT), Policy Management, Demonstrable Processes, Changing Landscape, Massive Data Volumes
Approach: Stay ahead of threats; Complete visibility; Focus on top priorities; Build a sustainable program; Present in business context
54. Conclusion
Avoid breaches and mitigate risks
• Patch, patch, patch
• Is your AV up to date?
• Scan your sites for vulnerabilities and malware
• Email and web gateway filtering
• Host based intrusion detection
• Two factor authentication
• Look inside as well as out.
55. Where you can learn more
Print Screen now
• Internet Security Threat
– http://go.symantec.com/istr/
– http://www.symantec.com/security_response/publications/
– http://www.symantec.com/connect/blogs/elderwood-project-infographic
– @threatintel
• Endpoint Security
– http://go.symantec.com/sep12/
• Website Security Solutions
– http://go.symantec.com/ssl
– http://www.symantec.com/connect/blogs/website-security-solutions
– @NortonSecured
Monthly webinar channel – 4 December 2013
https://www.brighttalk.com/channel/6331
Hello everybody, I’d like to welcome you all to our webcast today. My name is Andrew Horbury and I’m a Product Marketing Manager for Symantec Website Security Solutions. We are best known for providing SSL, code signing and certificate automation and management tools. Due to the nature of our business, a lot of what we see online gives us a fantastic insight into the threat landscape and the everyday threats that we see targeting consumers and businesses. This presentation is called Attack of the Cyber Spies, but the title only tells part of the story. I’m going to talk about how we are being targeted and attacked, and what we are potentially doing to make life easier for the cyber spies. Cybercrime is growing, but at what rate and who is being targeted? We as consumers are of course being targeted, but at what level and what is the monetary value of what is being stolen? How are the targets and tactics changing, what's new and what is working? I’m going to spend the next 40 minutes talking about this, and along the way there will be an opportunity for you to ask questions and download resources.
I want to highlight where much of the information we are going to discuss today comes from and how it is sourced: As a company Symantec has established one of the most comprehensive sources of Internet threat intelligence in the world, which is compiled from around 70 million attack sensors which record thousands of events every second of every day in almost 160 countries. Symantec maintains one of the world’s most comprehensive vulnerability databases, which currently consists of more than 50K recorded vulnerabilities (spanning the last two decades) from almost 17K vendors representing over 43K products. Spam, phishing, and malware data is captured through a variety of sources, including a system of more than 5 million decoy accounts; Over 3 billion email messages and more than 1.4 billion Web requests are processed each day across 14 data centres. And then Symantec’s Website Security Solutions technology (this is the division of the business that I work in) scans over 1.5 million websites each year and on a daily basis scans over 130,000 URLs for malware and a further 1,400 vulnerability scans.
First I want to set the scene and give you an insight into what we see in the consumer world. On screen now is a statistic that we track on an annual basis: the total global cost of cybercrime, which for 2013 is EURO 83 billion. Last year the cost was EURO 75 billion, so we’ve seen a slight increase since 2012. These are figures from the Annual Norton Cybercrime Report, which is a study that focuses on people, consumers like you and me. We’ve arrived at these numbers by taking the information directly reported to us by the 13,000 respondents to our annual cybercrime survey from 24 countries and extrapolating the figures to the worldwide population. We’ve also removed any anomalies, i.e. respondents who self-reported losses that were dramatically more than the average. The figure only includes direct costs and not the time spent resolving the crime. It’s also worth noting that though the total cost went up this year, we have seen consistent results year-over-year across different respondent groups, providing further proof that the findings from this study are reliable, replicable and valid. The average victim of cybercrime loses EUR 220, which represents a 50 percent increase over last year’s findings. Our research tells us that this is again the result of cybercriminals becoming more efficient in their attacks. While once fake antivirus software was the dominant threat, now we see ransomware has taken over. This has likely been a calculated move by cybercriminals, as ransomware is a lot more profitable for them. In previous years, we’ve seen a large percentage of people victimized by fake AV software, where they could be scammed out of EUR 40-EUR 100, the “market price” of other, legitimate AV. However, with ransomware, where criminals pose as law enforcement or other authority, there is no limit to the amount they can demand from their victims.
Let’s take a closer look at the direct costs of cybercrime by focusing on the costs for particular countries and regions. Within our study, we extrapolated the direct cash costs for specific countries to bring the point home that cybercrime is a global problem that affects us all. Many of the figures for country and regional costs were similar to last year's. One notable exception was the U.S., where losses have increased from 21 million to 38 million.
I think this year we’ve seen some significant differences in attack motives and I’d like to highlight the differences between so-called hacktivism and cyber criminals. Before I do that though, I’d like to refer to a recent survey from ESG who asked 244 enterprise security professionals working at companies employing 1,000 or more employees. ESG asked them to identify the groups that pose the greatest security threat to their organization (in terms of launching a targeted attack against them such as an Advanced Persistent Threat). The results were as follows (note: multiple responses were permitted):
1. Hacktivists (defined as groups who use computer hacking as a form of protest or civil disobedience), 46%
2. Organized crime, 42%
3. Competitors conducting industrial espionage, 41%
4. Nation state, 34%
5. Terrorist organization, 28%
6. None of the above, 5%
Quite whether you deem Hacktivists criminals or not is a point I’m not going to cover here. Hacktivist groups created their fair share of misery and mayhem last year: they stole more data than any other group. Their entrance onto the stage also served to change the landscape somewhat with regard to the motivations behind breaches. While good old-fashioned greed and avarice were still the prime movers, ideological dissent and schadenfreude took a more prominent role. True, when it comes to motivation, there is a difference. Hacktivists are trying to advance a cause and target those they believe are against that cause. Obviously, a different motivation from the simple pursuit of other people's money. But the tactics and results are the same. For the targeted organization, that's what really matters. There shouldn't be any difference in the defences you put in place for a hacktivist or a common thief.
It is worth noting that the most common attack methods are social engineering (phishing and watering hole attacks for example) and the exploitation of weak passwords, a lack of up-to-date patching and other lax company security policies. The main point here is that if you discover your company has been breached, the nature of the stolen data and how it was lifted matter more than the motivation of the attackers. The answer to the threat is the same as it ever was: organisations need a program of layered security technologies and policies. They have to make employees use stronger passwords. They have to educate the masses on the social engineering tricks out there.
So what type of activity do we see and how can you prepare for and react to it? I'm going to talk about different motivations, the insider threat and how you might detect and react to them.
The first thing to note is that Cyber criminals have time and money – some groups are very well resourced
They are also global and highly skilled….
Reflecting what we saw in the earlier slide in terms of cybercrime, attackers prefer to target companies and organisations in developed countries with relatively large populations and wealthy residents. This makes perfect sense as there is a large potential base of individuals to compromise with a high potential return. Spoken languages, and countries where international transactions are more difficult and require local steps to launder the money, are additional factors which influence attacker decisions. After all, why make things difficult when they don’t necessarily have to be? Go for the low hanging fruit as there is plenty of it around. Looking at the graph above you can see there is a very definite sweet spot for the English speaking countries (or where English is acceptable to use), because you can for the most part reuse and repurpose the attacks very easily.
7 December 2012 — Wealthy countries with smaller populations are also attacked, but to a much lesser degree (as is the case with Malta and Cyprus, on screen now). In addition, attacking groups may change their targets over time, switching target institutions to avoid attracting too much attention. Interestingly Belgium, a developed nation with a population of approximately 10 million and wealth per capita of just over $80 thousand, appears to be a good target, but no configuration files we examined targeted its institutions. Financial institutions in Belgium tend to use more robust security measures like smart card readers, which may well deter would-be attackers, who move on to other countries with less security or more profitable institutions. Out-of-band transaction verification significantly reduces the ability to socially engineer a fraudulent transaction. Although this technology is not immune to attack, the institution inherently becomes a less desirable target, because why make life more difficult for yourself? This is evidence that if you do have layers of security and prevention mechanisms then it really does help to protect you in some way, shape or form. In the same way a car criminal will try car doors until finally they come across an unlocked car: this is much easier and less risky than smashing a window.
So who is doing this? Well, rather than focus on the Hacktivist, let's look at a group of hackers for hire. I think we all know that there are organised gangs out there. Wikipedia tells me that a decent definition of organised crime is a term that categorises transnational, national, or local groupings of highly centralized enterprises run by criminals, and we’ve recently seen reports of what appears to be a highly resourced, agile and organised hacking group that has been given the name of Hidden Lynx (named after a string found in the command and control server communications). This team has been behind several campaigns including the compromise of Bit9’s trusted file-signing infrastructure in February of this year.
The group has also targeted hundreds of different organisations in a whole host of regions and often undertakes campaigns concurrently. Symantec’s Threat Intelligence team have blogged extensively on this subject and believe that Hidden Lynx are the best of breed in terms of hackers for hire. The Hidden Lynx attackers have demonstrated cutting-edge technical skills throughout these campaigns. If you’ve heard any of our webinars in the past you might well recall watering hole attacks; well, it was this team that pioneered the watering-hole technique and had access to a number of zero-day vulnerabilities. Along with this, they have been seen attacking supply chains and lying in wait until they compromise their real targets through these channels. The attackers have proven to be very calculated, strategic and patient. Hidden Lynx are professional hackers-for-hire who allow prospective clients to contract with them in order to undertake campaigns. Given the type of skills and expertise offered it is likely that the group is made up of a considerable number of attackers, possibly somewhere between 50 to 100 operatives, who are split into at least two teams that focus on different activities using specific tools and methods. One team appears to focus on disposable tools with basic but effective techniques to attack several targets, whilst the other main team is made up of elite attackers that use their tools more sparingly but focus primarily on high value targets.
As the previous slides have indicated criminals will look for your weakest link and your weakest link could be your employees, your website or even your unpatched servers.
Let's focus on the weak links in your infrastructure for a moment. In the last year we have seen an increase in zero-day vulnerabilities. There were 14 unreported vulnerabilities first seen being used in the wild in 2012. In the last three years much of the growth in zero-day vulnerabilities used in attacks can be attributed to two groups: the authors of Stuxnet and the Elderwood Gang. In 2010, Stuxnet was responsible for 4 of the 14 discovered zero-day vulnerabilities. The Elderwood Gang was responsible for 4 of the 14 discovered in 2012. The Elderwood Gang also used zero-day threats in 2010 and 2011, and they’ve used at least one so far in 2013. Generally speaking, attackers use as many zero-day vulnerabilities as they need, not as many as they have; therefore they tend to keep their powder dry. Stuxnet and Elderwood make for an interesting contrast in the strategy of their use. Stuxnet remains the aberration, using multiple zero-day exploits in one attack. From what we know today, it was a single attack that was directed at a single target. Multiple zero-day exploits were used to ensure success so they would not need to attack a second time. By contrast the Elderwood Gang has used one zero-day exploit in each attack, using it continually until that exploit becomes public and it becomes patched. Once that occurs they move on to a new exploit. This makes it seem that the Elderwood Gang has a limitless supply of zero-day vulnerabilities and is able to move to a new exploit as soon as one is needed.
Looking at other vulnerabilities we can see that the number is slightly up in the last year, from 4,989 in 2011 to 5,291 in 2012. And whilst zero-day vulnerabilities present a very serious security threat, known (and even patched) vulnerabilities are dangerous if ignored. Many companies and consumers fail to apply published updates and patches in a timely way. Toolkits that target well-known vulnerabilities make it easy for criminals to target millions of PCs and find the ones that remain open to infection. And perhaps one of the most interesting points I want to make today is that, the vulnerabilities that are often the most exploited are not the newest.
And these vulnerabilities are being exploited. Looking at the graph on screen now, you can see that the rate of web-based attacks blocked per day increased by 30 percent year on year, while the rate of discovery of vulnerabilities increased by only 6 percent. Cyber criminals still make extensive use of known vulnerabilities; it is these unpatched loopholes that continue to be a popular means of carrying out attacks.

The numbers are in themselves quite telling, particularly when you compare them with the number of organisations searching for a security solution that covers the 'threats of tomorrow'. These numbers, and the evidence we've seen, highlight how unsophisticated attacks on corporate networks can succeed without resorting to expensive zero-day exploits. Whether it's exploiting poor security practices, misconfigured security devices or staff that lack security training, companies should understand that it is possible to gain control of most parts of an organisation even though no new attacks or methods are used. We've seen some data indicating that the time from when a vulnerability is detected to when it is patched is "almost uniform in every country", which suggests this is a global trend. It is therefore essential to shift the approach to security from stand-alone tools to integrated solutions that are part of business processes.
So what might be a popular way in? Web servers can be attacked by malware just like desktop PCs. In 2012, Symantec scanned over 1.5 million websites for malware. Over 130,000 URLs were scanned for malware each day, with 1 in 532 websites found to be infected. Approximately 53 percent of websites scanned were found to have unpatched, potentially exploitable vulnerabilities (36 percent in 2011), of which 25 percent were deemed critical. The most common vulnerability found was cross-site scripting. With all these unpatched vulnerabilities in legitimate websites there is no need for malware authors to set up their own: in fact 61% of all malicious websites are legitimate sites that have been compromised. So as we can see, this is a significant issue.
And if it's not the website that is being used against us, it might well be your employees.
So let's look at insiders. Forbes put it this way: if a police sketch artist were to draw the person who was trying to steal internal data and information, what would that person look like? Would it be a masked Houdini, a haggard, red-eyed hacker working in a basement? Would it be a member of the criminal underground or a national secret agent acting under orders? Or is it more likely to be the familiar, friendly, smiling face within your own organisation?
http://www.forbes.com/sites/ciocentral/2012/08/27/intelectual-property-theft-beware-the-enemy-within/

So far we've really focused on the faceless threat, which is why we have countermeasures such as firewalls, antivirus software and intrusion detection systems that are all aimed at those threats. Yet these measures do little to counter an even greater threat: malicious insiders within the organisation. And it seems that many organisations do not treat these threats seriously. Such threats include fraud, sabotage, and theft or loss of confidential information caused by trusted insiders. They go beyond negligence; they represent purposeful action on the part of insiders to act against the interests of the organisation, whether for financial gain, retribution or some other motivation. I think we can divide these up into four distinct categories.

The disgruntled employee: the employee who feels they have been personally disrespected, perhaps because an expected pay rise failed to materialise, or because of a negative review or a disagreement over time off, demotions, transfers or similar issues. In this instance, revenge would seem to be the employee's motive.

The profit-seeking employee: this is like hacking for profit, driven by greed, as money is a simple motivation for many people. They work for a wage; however, by stealing information they can make more money selling the stolen data or modifying the data to steal an identity. The information can be relatively easy for the employee to access and steal, and the theft can be rationalised because, as a malicious insider might say, "The company won't even miss it."

The employee who is moving on to a competitor or starting a business: for someone starting a business in the same field, the theft of customer lists, business plans, and even simple forms or templates can be tempting. Alternatively, imagine the employee leaving to work for a competitor; perhaps the new employer has hinted that such an exchange of information could help the new employee progress faster.

Finally, the employee who believes they own the code or product: in this instance, employees feel a sense of ownership over code they wrote or a product they developed, so they take the code for their future use or even for their next job.

What do you need to focus on here?
• Know your people.
• Focus on deterrence, not just detection.
• Identify the information that is most likely to be valuable.
• Monitor ingress and egress: look at, and consider restricting, the flow of information outbound from one network to another, and look at solutions such as data loss prevention.
• Baseline normal activity: start base-lining normal user activity so that you can recognise what could be perceived as abnormal activity.
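As an added example (not part of the presentation), here is what the last two bullets look like in practice: a small script that baselines each user's normal outbound volume from egress logs and flags days that break the baseline or go to a destination never seen before. The log layout (date, user, destination, bytes out) is a constructed, hypothetical export such as a proxy or DLP gateway might produce, and the sample lines are made up; the thresholds are assumptions to be tuned against your own data.

```python
"""Baseline normal outbound data volume per user and flag abnormal egress.

Added example, not from the presentation. The log format is a constructed,
hypothetical one (date user destination bytes_out) and the sample lines are
made up; the thresholds are illustrative defaults, not recommendations.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log lines (not real data). ISO dates sort correctly as text.
SAMPLE_LOG = """\
2013-05-01 alice files.partner.example 120000
2013-05-02 alice files.partner.example 98000
2013-05-03 alice files.partner.example 110000
2013-05-04 alice files.partner.example 105000
2013-05-05 alice files.partner.example 100000
2013-05-05 alice dropshare.example 9700000
2013-05-01 bob mail.example 40000
2013-05-02 bob mail.example 42000
2013-05-03 bob mail.example 39000
2013-05-04 bob mail.example 41000
2013-05-05 bob mail.example 43000
2013-05-01 carol crm.example 15000
2013-05-02 carol crm.example 16000
2013-05-01 dave wiki.example 50000
2013-05-02 dave wiki.example 50000
2013-05-03 dave wiki.example 50000
2013-05-04 dave wiki.example 50000
2013-05-05 dave wiki.example 60000
"""


def parse_log(text):
    """Parse whitespace-separated log lines into dicts; skip blanks and comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        date, user, dest, nbytes = line.split()
        records.append({"date": date, "user": user, "dest": dest, "bytes": int(nbytes)})
    return records


def daily_totals(records):
    """Aggregate to {user: {date: [bytes_out, set_of_destinations]}}."""
    totals = defaultdict(lambda: defaultdict(lambda: [0, set()]))
    for r in records:
        day = totals[r["user"]][r["date"]]
        day[0] += r["bytes"]
        day[1].add(r["dest"])
    return totals


def flag_anomalies(records, baseline_days=4, zmin=3.0, ratio=5.0):
    """Return (findings, skipped_users).

    The first `baseline_days` of each user's history form the baseline. A later
    day is flagged when its outbound volume exceeds BOTH mean + zmin*stdev and
    ratio*mean (so a flat baseline with stdev 0 does not turn every small blip
    into an alert), or when it talks to a destination never seen in the baseline.
    Users with too little history are reported as skipped rather than guessed at.
    """
    findings, skipped = [], []
    for user, days in daily_totals(records).items():
        dates = sorted(days)
        if len(dates) <= baseline_days:
            skipped.append(user)
            continue
        base = dates[:baseline_days]
        base_bytes = [days[d][0] for d in base]
        known_dests = set().union(*(days[d][1] for d in base))
        mu, sigma = mean(base_bytes), pstdev(base_bytes)
        threshold = max(mu + zmin * sigma, ratio * mu)
        for d in dates[baseline_days:]:
            nbytes, dests = days[d]
            reasons = []
            if nbytes > threshold:
                reasons.append(f"egress {nbytes} bytes exceeds threshold {threshold:.0f}")
            new_dests = dests - known_dests
            if new_dests:
                reasons.append("new destination(s): " + ", ".join(sorted(new_dests)))
            if reasons:
                findings.append((user, d, nbytes, "; ".join(reasons)))
    return findings, skipped


if __name__ == "__main__":
    found, skipped = flag_anomalies(parse_log(SAMPLE_LOG))
    for user, day, nbytes, reason in found:
        print(f"ALERT {day} {user}: {reason}")
    for user in skipped:
        print(f"SKIP {user}: not enough history to baseline")
```

Run against the sample, only alice's last day is raised (a volume nearly a hundred times her baseline, sent to a host she had never used), bob's ordinary variation and dave's 20 percent rise on a perfectly flat baseline stay quiet, and carol is listed as skipped because two days is not enough to call anything normal. The point of the two-part threshold is the one the slide makes: you first have to know what normal looks like before "abnormal" means anything.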
And they are good at it
If they don’t get you one way they will try another…..
Here is one of those senior people. He was targeted relentlessly; in the end they couldn't get to him, so they went to try someone else, someone easier to attack.
And so how might they do this? Criminals use well-known names and brands to trick people into disclosing confidential information or installing malware. Often they use fake websites to fool people. The best-known example of this kind of attack, known as 'phishing', is when a fraudster uses a fake bank site to lure customers into revealing bank or credit card details and passwords. A more recent development has seen scammers use social media to lure people to fake websites where they disclose information, such as social media passwords, in the hope of some reward such as free vouchers or a free phone. This is part of the reason why malware is continuing to rise: cyber criminals are taking advantage of social media, which is viral in nature, and people are less suspicious of content that appears to come from friends. And of course, once malware is installed the known vulnerabilities can continue to be exploited, and the ready availability of toolkits to distribute malware helps the circle of life go on. 79 percent of companies experienced one or more web-borne attacks in 2012, and 55 percent were affected by phishing attacks.
For those of you not familiar with ransomware: typically this is a tactic where an application is installed onto a PC which then locks it, and it can only be unlocked in return for a fee. There have been stories recently where police departments have been caught out, which is particularly ironic when you consider that the advice from law enforcement agencies the world over is never to pay the fee demanded by those holding a hostage. Yet one Massachusetts police department has admitted that it paid approximately US $700 to unlock one of its computers that had become infected with the CryptoLocker variant of ransomware. The standard fee appears to be a flat US $300 "release fee" to free the victim's computer from some made-up accusation. But as the cyber criminals become more wily they have reasoned that if a victim is willing to pay US $300 for allegedly viewing something like pornography, then perhaps they may also like to buy other value-added services, such as the option to wipe their criminal record and, as they've termed it, "avoid any problems at work and other places where criminal records can be checked", a snip at only US $450 extra. And of course, it's all more money down the drain for the paranoid victim.
On screen now you can see a typical example of ransomware, and there are plenty of indications that CryptoLocker is wreaking havoc among unsuspecting users across the globe. At this point, all major AV providers have good protection against the CryptoLocker threat. However, as Microsoft reported a few months ago, roughly 25 percent of computers are not running any real-time protection against malware. That statistic is based on data from a pool of more than 600 million computers. If we take these numbers at face value, that suggests there are at least 150 million computers that are easily susceptible to infection by CryptoLocker. That's clearly a huge number, and with the CryptoLocker ransom at around US $300 per computer that's a whole lot of money to be made: around $45 billion.
As we can see from this graph, the ransomware threat keeps growing, and while it can be tempting to just pay up when faced with looming deadlines or the potential loss of critical data, paying these fees will only further embolden the attackers. The police are setting a really bad example, not just in their response but also in how they run their IT systems. In the case of CryptoLocker, the maxim that prevention is better than cure is most definitely true. A multi-layered approach is once again the best policy for dealing with this threat.
So let's look at targeted attacks and alternative ways in. Earlier I spoke about the assumption that smaller businesses might not be targets; let's take a look.
Targeted attacks are aimed at one person or a specific group of people. Until relatively recently, writers of viruses were trying to spread their malware to as many computer users as possible in order to make a name for themselves. But today cyber criminals are largely driven by financial motives, and targeted assaults are replacing widespread global virus outbreaks because they are much more profitable. On screen now you can see that public sector, banking and manufacturing are the most targeted industries.
So let's take a look at the sizes of the businesses being targeted. The graphic on screen highlights that 50% of businesses targeted employ 2,500 or more people, but what has surprised us more than anything recently is that for the last two years this has made up only half of the targeted attacks. The biggest growth we've seen was against smaller companies, those employing fewer than 250 people; this sector made up 31% of all attacks. As we saw earlier, the aim is to make money, and criminals don't care where the money comes from. They simply want to take it and will target whoever they think they can get it from, and smaller businesses perhaps represent lower-hanging fruit.
A Ponemon survey of 2,000 IT managers found that 44% of those surveyed said a strong security policy is not a priority, and 58% said that management do not see cyber attacks as a significant threat.
As we saw on a previous slide, executives are no longer the leading targets of choice; attackers have moved to knowledge workers, the employees who work on or have access to company intellectual property. Sales employees are also a very popular target. But all employees run the risk of being targeted and consequently all should be protected.
You know, it's not just about direct attacks or email.
The biggest innovation in targeted attacks was the emergence of watering hole attacks. This involves compromising a legitimate website that a targeted victim might visit and using it to install malware on their computer.
For example, this year we saw a line of code in a tracking script on a human rights organisation's website with the potential to compromise a visitor's computer. It exploited a new, zero-day vulnerability in Internet Explorer to infect visitors. Our data showed that within 24 hours, people in 500 different large companies and government organisations visited the site and ran the risk of infection. The attackers in this case used sophisticated tools and exploited zero-day vulnerabilities, pointing to a well-resourced team backed by a large criminal organisation or a nation state.
I want to give a quick example of a watering hole attack. This one was an attack on a legitimate site visited by iOS developers. The Elderwood gang managed to exploit a vulnerability in the website and inject malware into it. The site is by no means mainstream, but its visitors tend to be exactly the type of mobile developers being targeted. Around 40 developers were infected in this attack, and these victims worked for companies such as Twitter and Facebook as well as smaller app developers. By planting malware on this site the attackers were able to infect any visitor. It is unclear whether the attackers were looking for one specific company, or for any vendor of iOS applications who visited the site. It's important to remember that the website used in a watering hole attack is also a victim. As a company, Symantec has solutions that can help protect your site from attacks like this: website security solutions that encrypt the traffic to your site and also scan it for possible vulnerabilities and malware. If I were running a site similar to this one right now, I'd be exploring how I could demonstrate to my visitors that what happened here could not happen to them.
This type of attack is not really so new. If you work in sales, you've always known that, when possible, it helps to call ahead and let a prospect know that you'll be sending an email with a proposal or the details they requested. Well, it would seem that cyber criminals have been paying attention to this tactic and are doing the same thing, with alarming success. In this fairly sophisticated spear-phishing attack, cyber criminals call accounting and finance department employees in targeted French companies, along with their subsidiaries in Romania and Luxembourg, and ask if they can email over an invoice.
The unsuspecting victim on the other end of the phone (who typically deals with numerous invoices a day) agrees to receive the emailed invoice. However, when they open the email they either click a link or download an attachment that contains a variant of the remote access Trojan W32.Shadesrat, which can be used to steal passwords and launch DDoS attacks. As we noted a few slides back, cyber criminals typically don't have to look long and hard for data about their victims. Email addresses and phone numbers are often available on various websites and directories, or in corporate material such as brochures, white papers and executive reports. So this is a relatively simple attack to carry out, but the rewards can be fruitful. It seems it really is better to call ahead before sending malware.
So as we've seen, the cybercrime threat is very real, and as there is seemingly malware for every device we really need to be aware of what we use and how we use it. PC users are targeted with banking Trojans, ransomware and rootkits, but Mac users also face threats such as phishing sites, fake antivirus and spyware. When it comes to smartphones and tablets, cyber criminals have developed all sorts of malicious code designed to target those devices too. So it's clear that whatever type of device we have, it's vulnerable to cybercriminal attack. This is why it's important to deploy security software on all of them. The most efficient way to do this is with a multi-device solution, but can you control all the devices being brought into your organisation?
So, coming to the end of the presentation, in terms of where to go next I wanted to quickly share this slide with you. This is perhaps how you might want to consider addressing cyber risks: stay ahead of threats, gain complete visibility across your organisation, focus on your top cyber priorities, build a sustainable programme rather than one that only works for today, and, to gain buy-in, present it in a business context. Understand the risk and present it accordingly.