Ransomware 2.0 is around the corner and it’s a massive threat to the enterprise

Despite the efforts made to improve cybersecurity at many organizations, there are too many systems with aging infrastructure and vulnerabilities that leave companies at risk, with ransomware one of the most sinister threats, according to a new Cisco report.

Ransomware is a top concern because it’s become an area of intense focus for cybercriminals due to its effectiveness at generating revenue. Once a cybercriminal hacks into a company’s files and encrypts them, victims have little option but to pay the asking price for the code to decrypt their files. Ransomware is becoming more ominous as new versions are continually being developed.

“The landscape is simple. Attackers can move at will. They’re shifting their tactics all the time. Defenders have a number of processes they have to go through,” said Jason Brvenik, principal engineer with Cisco’s security business group, discussing the Cisco 2016 Midyear Cybersecurity Report.

Cisco built the report from its own customer data: more than 16 billion web requests pass through Cisco systems daily, nearly 20 billion threats are blocked daily, and more than 1.5 million unique malware samples are seen daily, which works out to 17 new pieces of malware every second, Brvenik said.

Brvenik has the following recommendations for companies wanting to improve security:

  • Improve network hygiene – Improve aging infrastructure to limit vulnerabilities.
  • Integrate defenses – Use machine learning techniques combined with novel data views.
  • Measure time to detection – Find out how long an attacker can live in your network before they are found.
  • Protect your users everywhere they are – Protect users whether they’re on a laptop, a smartphone, or another device. Don’t just protect networks but protect users. They are the target.

The next step in the evolution of malware will be ransomware 2.0, which Brvenik said “will start replicating on its own and demand higher ransoms. You’ll come in Monday morning and 30% of your machines and 50% of your servers will be encrypted. That’s really a nightmare scenario.”

Ransomware campaigns started out primarily through email and malicious advertising, but now some attackers are using network and server-side vulnerabilities as well. Self-propagating ransomware will be the next step to create ransomware 2.0, and companies need to take steps to prepare and protect their company’s network, Brvenik said.

New modular strains of ransomware will be able to quickly switch tactics to maximize efficiency. For example, future ransomware attacks will evade detection by being able to limit CPU usage and refrain from command-and-control actions. These new ransomware strains will spread faster and self-replicate within organizations before coordinating ransom activities, according to the report.

The report detailed one widespread campaign that appeared to target the healthcare industry earlier this year. It used the Samas/Samsam/MSIL.B/C (“SamSam”) ransomware variant, which was distributed through compromised servers. The attackers used the servers to move laterally through the network and compromise additional machines, which were then held for ransom, according to the report.

JexBoss, an open source tool for testing and exploiting JBoss application servers, had been used to allow the attackers to gain access to networks in the targeted companies. Once the attackers had access to the network, they encrypted multiple Windows systems using SamSam.

Overall, in all aspects of cybersecurity, there are too many companies with vulnerabilities that haven’t been addressed. Out of 103,121 Cisco devices connected to the internet that were studied for the report, each device on average was running 28 known vulnerabilities. The devices were actively running known vulnerabilities for an average of 5.64 years, and more than 9 percent had known vulnerabilities older than 10 years, according to the report.

“In April, Cisco estimated that 10% of all JBoss servers worldwide were compromised. And they were compromised using readily available tools and old vulnerabilities. Adobe Flash is still a favorite. It gives a viable attack surface for them. And we see Microsoft Silverlight vulnerabilities. This means to us that people are opportunizing those that work for them,” Brvenik said.

Brvenik noted that the nature of the attack is also likely to change, focusing on service-oriented technologies and systems, with teams ready to attack and try to compromise systems. Advertising is a viable model for attack.

“We saw a 300% increase in the use of HTTPS with malware over the past four months. Ad injection is the biggest contributor. Adversaries are using HTTPS traffic to expand time to operate. That’s the attacker opportunity as it exists today,” he said.

It’s no longer reasonable to expect to block 100% of threats, but being able to detect the threat fast, and limit the time the attacker is in your system is key to minimizing the damage. In December 2014, the median time before an attack was detected was 50 hours. In April 2016, it dipped to a median of 13 hours for the previous six months, Brvenik said.

“It is a living number as defenses improve and attackers change. This is good. It says that for the customers that have these systems, when they are compromised, they’re now down to 13 hours as a median time to detect it. I wouldn’t leave the door to my house open for 13 hours; and that’s what you’re doing when you leave your door open to attackers for 13 hours.”

Industries that previously thought they were immune because their business was of little interest to attackers are wrong.

“No industry is safe,” Brvenik said. “Assuming that what you do is of no interest to attackers is not a good way to think of it.”


80% of businesses can’t properly manage external cyber attacks

Cyber attacks may cost businesses big bucks, but that doesn’t mean that organizations are prepared for them. According to a report released Monday, 79% of IT and IT security professionals don’t have the proper infrastructure to identify and defend against cyber attacks.

The report, Security Beyond the Traditional Perimeter, was based on research conducted by the Ponemon Institute and sponsored by BrandProtect, drawing on answers from 591 respondents at 505 different companies. On average, these companies experienced more than one cyber attack per month, costing them roughly $3.5 million a year. If that seems like a lot of money, consider the prediction that, by 2019, cyber crime will cost businesses $2 trillion, according to Juniper Research.

“The majority of security leaders understand that these external internet threats imperil business continuity,” said Larry Ponemon, president of the Ponemon Research Institute. “The study highlights a gap in defenses against threats that have proven to be extremely effective for cyber criminals and costly for enterprises.”

This report focused primarily on external threats, such as “socially engineered attacks, executive impersonations, brand-based attacks with ransomware, malware, or other payloads, rogue social domain activity, hacktivism/activism and activities which violate compliance or regulatory requirements.”

Of those surveyed, 62% said external threats were harder to detect than internal threats, and 52% said that they were more difficult to contain. That is important because an additional 59% said that “the protection of intellectual property from external threats is essential or very important to the sustainability of their companies.”

As noted, despite the potential problems that could be presented in the aftermath of such an attack, nearly 80% of businesses don’t have proper security measures in place. Here is how that 79% of responses broke down:

  • Security is non-existent – 38%
  • Security is ad hoc – 23%
  • Security is inconsistently applied throughout the enterprise – 18%

So, what’s holding back the security practices at these organizations? Across the board, most respondents said it was a lack of tools and resources.

However, external threat is a broad term and could encompass a variety of threat vectors. Respondents were asked to rank threats from 1-9 in terms of likelihood of occurrence (9 being the most likely), and the rankings were as follows:

  • Cyber threats and incidents – 8.21
  • Data loss or theft – 7.99
  • Branded exploits against customers and the public – 6.78
  • Compliance/regulatory incidents – 6.24
  • Phishing/social engineering attacks – 5.03
  • Denial of service – 4.11
  • Hacktivism/activism/event/physical threats – 3.42
  • Domain-based threats/cyber-attack infrastructure creation – 2.32
  • Executive threats / impersonations – 1.91

The next question the report looked at was what exactly these organizations feared as a result of these attacks. The biggest worry was reputational damage, with 51% of respondents. Branded exploits (40%) and compliance/regulatory incidents (33%) were also high on the list.

While 79% were not monitoring the internet or social media for new threats, they did still see it as a critical action. Monitoring mobile apps and cyber incidents were also seen as key actions to help avoid a cyber attack. Additionally, 60% said collecting phishing IP addresses was essential, 59% said malicious mobile app details should be accounted for, and 54% said rogue domain data was important.

As a response to this, many respondents believed that their internal network monitoring and firewall monitoring would increase over the next 24 months.

In terms of what’s holding these organizations back from better monitoring, insufficient risk awareness was the biggest barrier, according to 50% of respondents. Lack of knowledgeable staff was cited by 45%, and lack of technologies and tools was chosen by 43% as well.

A major theme was a lack of tools and resources, but respondents did list the tools and skills that they thought would make them better able to contain external threats. These were ranked 1-7, with 7 being the most important.

  • Actionable intelligence – 6.53
  • Resilience – 6.01
  • Strong security posture – 4.87
  • Expert staff – 4.15
  • Leadership – 3.55
  • Ample resources – 2.31
  • Agility – 1.67


Worried about Gmail Security? Here are some things you can do to improve it.


If your Google account login information is ever compromised, you first need to secure your account. Go to https://www.google.com/settings/passwordchange and follow the steps to change your password.

Next, you need to look for potential leaks.

1. Check Gmail accounts, filters, and forwarding

If your password leaked, a thief could have logged in and configured your account to send a copy of every email to another account. You might never notice, because you would still see all your email, too.

To guard against this, check your accounts, filters, and forwarding settings. Open Gmail in your browser and access Settings (from the sprocket menu in the upper right). Then, review the following tabs and settings:

  • Accounts: Remove any unwanted accounts and secure any accounts listed
  • Filters: Remove suspicious filters that forward email elsewhere
  • Forwarding & POP/IMAP: Delete forwarding email to unfamiliar accounts
After a password leak, check Gmail to make sure you have no unwanted accounts, filters, or forwarding settings configured.
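Checking these three tabs by hand works for one mailbox, but the same review can be automated over the Gmail API for a whole domain. The script below is an added example, not code from the original article: it takes the JSON shapes returned by the Gmail API calls `users.settings.filters.list`, `users.settings.forwardingAddresses.list` and `users.settings.getAutoForwarding` and flags any filter or forwarding setting that sends mail to an address outside an allowlist of domains you control. The OAuth wiring to a live account is left out; the three sample responses and the `TRUSTED_DOMAINS` policy value are constructed for the demo, and the "hides matching mail" heuristic (forwarding combined with skipping the inbox or trashing) is the author's own check, not a Gmail feature.

```python
"""Audit Gmail filters and forwarding settings for mail leaks.

Added example, not from the original article. It parses the JSON shapes
returned by three Gmail API calls:
  users.settings.filters.list              -> {"filter": [...]}
  users.settings.forwardingAddresses.list  -> {"forwardingAddresses": [...]}
  users.settings.getAutoForwarding         -> {"enabled": ..., "emailAddress": ...}
and reports anything that forwards mail outside TRUSTED_DOMAINS.
Fetching these responses from a real account (OAuth client) is not shown.
"""
from __future__ import annotations
from dataclasses import dataclass

# Assumed policy value: domains the account owner actually controls.
TRUSTED_DOMAINS = {"example.com"}


@dataclass
class Finding:
    kind: str    # "filter", "forwarding_address" or "auto_forward"
    target: str  # destination address that receives copies of mail
    detail: str  # context a reviewer needs to decide what to do


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address ('' if malformed)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_untrusted(addr: str) -> bool:
    return domain_of(addr) not in TRUSTED_DOMAINS


def audit_filters(filters_resp: dict) -> list[Finding]:
    """Flag filters that forward mail to an untrusted address, and note
    when the same filter also hides the matching mail from the owner."""
    findings: list[Finding] = []
    for flt in filters_resp.get("filter", []):
        action = flt.get("action", {})
        forward_to = action.get("forward")
        if not forward_to:
            continue
        hides = ("INBOX" in action.get("removeLabelIds", [])
                 or "TRASH" in action.get("addLabelIds", []))
        if is_untrusted(forward_to) or hides:
            detail = f"filter {flt.get('id')} criteria={flt.get('criteria', {})}"
            if hides:
                detail += " (also hides matching mail from the inbox)"
            findings.append(Finding("filter", forward_to, detail))
    return findings


def audit_forwarding_addresses(resp: dict) -> list[Finding]:
    """Flag registered forwarding addresses outside the trusted domains,
    whether or not Google has verified them yet."""
    return [
        Finding("forwarding_address", fa.get("forwardingEmail", ""),
                f"verificationStatus={fa.get('verificationStatus')}")
        for fa in resp.get("forwardingAddresses", [])
        if is_untrusted(fa.get("forwardingEmail", ""))
    ]


def audit_auto_forwarding(resp: dict) -> list[Finding]:
    """Flag account-wide auto-forwarding to an untrusted address."""
    if not resp.get("enabled"):
        return []
    addr = resp.get("emailAddress", "")
    if is_untrusted(addr):
        return [Finding("auto_forward", addr, f"disposition={resp.get('disposition')}")]
    return []


def audit(filters_resp: dict, fwd_resp: dict, auto_resp: dict) -> list[Finding]:
    return (audit_filters(filters_resp)
            + audit_forwarding_addresses(fwd_resp)
            + audit_auto_forwarding(auto_resp))


# Constructed sample responses (shapes follow the Gmail API; values are made up).
SAMPLE_FILTERS = {"filter": [
    {"id": "f1", "criteria": {"from": "newsletter@example.com"},
     "action": {"addLabelIds": ["Label_3"]}},               # harmless labelling rule
    {"id": "f2", "criteria": {"query": "invoice OR password"},
     "action": {"forward": "collector@unknown-mailbox.invalid",
                "removeLabelIds": ["INBOX"], "addLabelIds": ["TRASH"]}},
]}
SAMPLE_FORWARDING = {"forwardingAddresses": [
    {"forwardingEmail": "me@example.com", "verificationStatus": "accepted"},
    {"forwardingEmail": "collector@unknown-mailbox.invalid", "verificationStatus": "accepted"},
]}
SAMPLE_AUTO_FORWARD = {"enabled": False}

if __name__ == "__main__":
    for finding in audit(SAMPLE_FILTERS, SAMPLE_FORWARDING, SAMPLE_AUTO_FORWARD):
        print(f"[{finding.kind}] -> {finding.target}: {finding.detail}")
```

Run against the sample data it reports the second filter (forwarding to an unknown domain and trashing the originals) and the matching forwarding address; the inbox-hiding check matters because, as the article notes, a victim still sees all their mail and may never notice a plain forward. A remediation step would delete the flagged filter and forwarding address through the same API, but the review decision should stay with a human.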

2. Review app access

An app or Chrome extension with access to Gmail data can leak data, too. I counsel caution before you give any app or extension access to Gmail. That Chrome extension that claims to “help” you manage client information in Gmail may work, but it might also be a clever attempt to gain access to your account.

I suggest you only allow apps that pass three “trust tests” to access your Gmail account. First, make sure the apps can be installed from the Google Apps Marketplace. That means the maker has taken the trouble to comply with Google’s Apps Marketplace policies and review at minimum. Next, look for a third-party review of the organization’s policies and practices (e.g., SOC 2 compliance). Third, carefully examine the company and people behind the app: Is it a team you trust?

To review apps with Gmail access, go to https://security.google.com/settings/security/permissions. (You’ll need to log in to your account.) The list shows every app with access to your Google account. Look for apps with either “Has full access to your Google account” or “Has access to Gmail.” To disable access, select the app then choose “Remove.”

Review apps with either ‘full access’ or ‘access to Gmail.’ Select an unwanted app, then choose ‘Remove.’

3. Reset recovery methods

None of the above really matters, though, if the attacker has added their phone number or email address as a recovery option to your account. That would give the attacker another route to regain control of your account.

To change your recovery settings, go to https://myaccount.google.com, look for “Personal Info & Privacy,” then check the settings for both your email address and phone number. (If you don’t have a phone with active SMS service, at least review the phone information to make sure a thief’s number isn’t listed.) Make sure that the recovery email address you provide is secured and under your control.

Go to myaccount.google.com to update the recovery email address and phone number associated with your account.

4. Enable 2-step authentication

If your account permits it—and you carry a phone—enable 2-step authentication for your Google account at https://www.google.com/landing/2step/. This requires you to obtain a code from your phone each time you log in to your account. (Not all administrators allow Google Apps account users to enable 2-step authentication, but many do. Security-minded administrators require it.) You can authenticate with an app or a code you receive over SMS.

Enable 2-step authentication to secure your account.


5. Consider a check-up

Even if you haven’t noticed a password leak, you should periodically review your Google account security settings. Google’s Security Checkup (at https://security.google.com/settings/intro/security/secureaccount) walks you through a review of several important settings, step-by-step.

The best way to protect your Gmail account remains relatively simple: Always enable 2-step authentication and never allow a non-Google app (or extension) access to Gmail.