February 4, 2015
Protecting Your Business from Increasingly Sophisticated Malware
Published by Igor Varnava, February 3, 2015
According to the TrendLabs 2Q 2014 Security Roundup, events such as the data breaches seen in the first half of last year “strongly indicate that organizations need to start adopting a more strategic approach to protect digital information” this year. This includes protecting sensitive data such as intellectual property, but it is just as important for protecting customer data. An Identity Theft Resource Center study carried out last year found that more than 10 million personal records had been exposed in the first half of 2014 and that “the majority of the breaches occurred in the business sector.”
This is not by any means a new problem. A study carried out in November 2013 by Osterman Research states that security is no longer a “nice to have” but a “must-have”. This is true for a few reasons: the need to protect both customer and organizational data, the increasingly sophisticated nature of malware, and the growing popularity of technologies such as the Internet of Things. The latter, Trend points out, turns the threat landscape into a “moving target” as it presents new targets for cybercriminals to attack.
Attacks Become More High Profile
While high-profile attacks are now commonly reported on, it seems that organizations are still not doing enough to protect business systems. This is due to “a failure to adequately address employee and insider vulnerabilities” as well as a lack of a strategic approach to cybersecurity. Protecting systems must take a strategic approach that aligns with business goals. It’s no use simply allocating a budget, effectively throwing money at the problem and hoping it will go away; security must be addressed in such a way that it is not just the responsibility of the IT department but also gains attention at board level.
So what can a business do to ensure that it is protected? To some extent it’s impossible to protect against every single threat, as much modern malware does no visible damage to systems and instead does all it can to remain hidden. Add to this the growing power of DDoS attacks, where an attacker with as little as 1 Mbps of bandwidth can bring a 20 Gbps flood to bear on a target, because the traffic is generated by a rented botnet or multiplied by amplification services rather than sent from the attacker’s own connection, and it’s clear that businesses need to protect themselves in a variety of ways and put layered protection in place.
With that in mind, let’s have a look at what every business should be doing to ensure that data and customers are as protected as they can be in the current threat landscape.
Education and Training
Any security professional will tell you that the end user is often the weakest link in network security. Spear phishing is now sophisticated enough that even the most tech-savvy employee can be caught out. Despite this, many companies don’t adequately train staff on the dangers of phishing and of the social engineering techniques rife on social media.
Education on security issues is globally inadequate. It could be said that given the threat to business and consumers alike, not to mention national infrastructures, governments should be doing more to ensure that citizens are aware of the common types of threats that are out there. However, this isn’t the case, so it’s up to the organization to ensure that proper training is put in place for staff.
Staff training should include:
- Guidance on phishing mails – examples, how cybercriminals gather information about their targets from social media, and the dangers of opening attachments and clicking on links.
- Understanding vulnerabilities – while it’s the responsibility of the IT department or IT support company to patch systems, an employee who knows that patching matters is a more vigilant one.
- Disaster recovery/incident response plans – staff should know the process to follow in the event of a breach or other security incident: who to contact, how to respond, and so on.
- Use strong passwords – astonishing but true: in 2014 the most commonly used ‘bad’ passwords were ‘123456’ and ‘password’. Teach employees why strong passwords matter and enforce their use on the network. Ideally, employees should use a password manager to generate and store long, unique passwords.
Employees need to understand that the way they approach network security can make a difference to the business. It is often claimed that 60% of companies fail in the six months following a data breach, so for the employee the bottom line is that they could lose their job.
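As an added example that is not part of the original article, the Python check below implements the password guidance above the way a directory service or web application would apply it when a password is set: a minimum length, rejection of anything on a blocklist of common passwords (including trivially disguised forms such as P@ssw0rd2015), and rejection of passwords that contain the username. The COMMON_PASSWORDS set is a constructed excerpt for illustration; a real deployment loads a full breached-password list.

```python
from typing import List, Set, Tuple

# Constructed excerpt of a common-password blocklist. Production systems should load a
# full breached-password list (tens of millions of entries) rather than this handful.
COMMON_PASSWORDS = {
    "123456", "password", "12345", "12345678", "qwerty", "123456789",
    "1234", "baseball", "dragon", "football", "letmein", "monkey", "welcome",
}

# Undo the substitutions people use to 'strengthen' a dictionary word.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "!": "i"})


def candidates(pw: str) -> Set[str]:
    """Forms of the password to look up in the blocklist."""
    low = pw.lower()
    stripped = low.rstrip("0123456789!")        # 'password2015!' -> 'password'
    return {low, low.translate(LEET), stripped, stripped.translate(LEET)}


def check_password(pw: str, username: str = "", min_len: int = 12) -> Tuple[bool, List[str]]:
    """Return (accepted, reasons_for_rejection). Accepted means the list is empty."""
    problems: List[str] = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if candidates(pw) & COMMON_PASSWORDS:
        problems.append("matches a common or breached password")
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    return (not problems, problems)


if __name__ == "__main__":
    # Constructed sample inputs.
    for user, pw in [("alice", "password"), ("alice", "P@ssw0rd2015"),
                     ("bob", "bob-rules-2015!"), ("carol", "Tr0ub4dor&3"),
                     ("dave", "correct horse battery staple")]:
        ok, why = check_password(pw, user)
        print(f"{pw!r:32} {'accepted' if ok else 'rejected: ' + '; '.join(why)}")
```

Length and a blocklist do most of the work here; composition rules (one digit, one symbol) are deliberately absent, because they push users towards exactly the disguised dictionary words the normalisation step catches.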
AV and Vulnerability Scanning
Research carried out last year by NTT Group found that 45% of all network attacks were due to malware, many of which could have been prevented if businesses had basic protection in place and “effective vulnerability lifecycle management.” Many companies didn’t employ even the most basic protection such as AV software, and in some cases patches hadn’t been applied to software for more than two years.
Further to this, the report found that 77% of all participating businesses did not have a disaster recovery plan in place.
The research collated and studied data from around 3 billion attacks that took place in 2013 and focused on the losses incurred by businesses that had already been attacked. By putting more robust security in place and prioritizing controls, one firm reported a saving of almost $100,000. The report recommended that businesses work with trusted security professionals to mitigate risk, with vulnerability scanning a priority alongside pulling together an effective incident response plan.
It was also recommended that company networks should be able to collect and analyze logs, which can then be stored and used in investigations.
The lack of AV software highlighted in the report is surprising. The AV industry has been in decline for some time as layered approaches to security have become more popular, but AV remains a vital part of a company’s approach to security and shouldn’t be dismissed.
Business Grade Security
Even if your business does use an AV solution, it’s important to understand that this alone is not enough to protect systems. Modern AV software is relatively powerful, but it doesn’t catch every threat that comes along, and it cannot protect against incidents such as a DDoS attack or a skilled attacker.
The modern network requires that businesses take a layered approach, as mentioned earlier, so that if one layer is bypassed by an attack, another still stands between the attacker and the network. The most common approach to this is the use of firewalls and intrusion detection systems. A firewall sits between the internal network and other networks (such as the internet) and restricts traffic according to how it has been configured.
A good firewall can:
- Detect unusual activity on the network
- Block mail traffic from hosts that shouldn’t be sending it (e.g. outbound SMTP from workstations), limiting spam from infected machines
- Restrict access to certain services on the network
- Inspect incoming and outgoing traffic against its rules
- Log the traffic it allows and denies
However, a firewall cannot:
- Prevent an employee revealing sensitive information through social media
- Protect against flaws and vulnerabilities at the application level, since whatever traffic to an allowed service carries passes through
- Prevent tunneling, where traffic to a blocked service is wrapped inside a protocol that is allowed
Additionally, a firewall is only ever as good as the rules configured to govern it, so it’s essential that it is set up correctly in the first instance: deny by default and permit only the services that are actually needed.
Types of Firewall
Firewalls, and the level of protection they afford an organization, vary depending on the type chosen. For a business, it’s unlikely, for example, that a free, consumer-grade software firewall will ever offer a decent level of protection.
The main types of firewall available are:
- Hardware – a dedicated appliance placed at the network perimeter, physically separate from the hosts it protects.
- Software – a host-based firewall running on the individual server or workstation it protects.
- Packet-Filter – filters at the network or transport level based on the information carried in the IP and TCP/UDP headers of each packet, with no memory of previous packets.
- Application gateway – analyzes information at the application level to decide whether or not a packet should be transmitted.
- Stateful Packet Inspection (SPI) – builds on the packet filter by tracking the state of each connection, so replies to connections opened from inside are allowed back through without a standing rule for every ephemeral port; the return path is opened and closed dynamically.
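As an added example that is not part of the original article, the Python simulation below shows in code what the firewall types and limits above describe: a default-deny rule set, stateful tracking that lets replies to inside-initiated connections back in without leaving ephemeral ports permanently open, the dynamic closing of that return path, and the blind spot where an allowed HTTPS packet carrying an application-level attack passes untouched. The Packet and Rule classes, the 10.0.0.0/24 internal range and the sample traffic are all constructed; real connection tracking also follows the TCP handshake and applies timeouts, which this simplifies to a single FIN.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

INTERNAL_PREFIX = "10.0.0."  # constructed: the protected internal /24


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    fin: bool = False     # TCP FIN: the sender is closing the connection
    payload: str = ""     # the packet filter never looks at this


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    direction: str               # "in" (from the internet) or "out"
    proto: str = "any"
    dport: Optional[int] = None  # None matches any destination port


Flow = Tuple[str, str, int, str, int]  # proto, src, sport, dst, dport


class StatefulFirewall:
    """Packet filter plus a connection table (the SPI type described above)."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.conntrack: Set[Flow] = set()   # flows the inside initiated
        self.log: List[str] = []            # a firewall should log what it decides

    def _match_rules(self, pkt: Packet, direction: str) -> str:
        """First matching rule wins; no match means deny (default deny)."""
        for r in self.rules:
            if r.direction != direction:
                continue
            if r.proto != "any" and r.proto != pkt.proto:
                continue
            if r.dport is not None and r.dport != pkt.dport:
                continue
            return r.action
        return "deny"

    def filter(self, pkt: Packet) -> bool:
        direction = "out" if pkt.src.startswith(INTERNAL_PREFIX) else "in"
        flow: Flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse: Flow = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

        if direction == "in" and reverse in self.conntrack:
            verdict = "allow(established)"       # reply to a connection the inside opened
            if pkt.fin:
                self.conntrack.discard(reverse)  # simplified: one FIN closes the flow
        elif direction == "out" and flow in self.conntrack:
            verdict = "allow(established)"
            if pkt.fin:
                self.conntrack.discard(flow)
        else:
            verdict = self._match_rules(pkt, direction)
            if verdict == "allow" and direction == "out":
                self.conntrack.add(flow)         # opens the return path dynamically

        self.log.append(f"{direction:3} {pkt.proto} {pkt.src}:{pkt.sport} -> "
                        f"{pkt.dst}:{pkt.dport} {verdict}")
        return verdict.startswith("allow")


def perimeter_rules() -> List[Rule]:
    return [
        Rule("allow", "in", "tcp", 443),   # the public web server
        Rule("allow", "out"),              # anything initiated from inside may leave
    ]                                      # everything else: default deny


def demo() -> Dict[str, bool]:
    """Constructed traffic: returns the verdict for each named packet."""
    fw = StatefulFirewall(perimeter_rules())
    r: Dict[str, bool] = {}
    # An inside client queries an external resolver: allowed by the 'out' rule and tracked.
    r["dns_out"] = fw.filter(Packet("udp", "10.0.0.5", 40000, "203.0.113.53", 53))
    # The resolver's reply to the ephemeral port is allowed because the flow is tracked,
    # but an unsolicited packet to the same port from elsewhere is not (a stateless
    # filter would have to leave every ephemeral port open to get replies through).
    r["dns_reply"] = fw.filter(Packet("udp", "203.0.113.53", 53, "10.0.0.5", 40000))
    r["dns_spoof"] = fw.filter(Packet("udp", "198.51.100.9", 53, "10.0.0.5", 40000))
    # New inbound HTTPS is permitted by an explicit rule; inbound SSH is not.
    r["https_in"] = fw.filter(Packet("tcp", "198.51.100.9", 51000, "10.0.0.80", 443))
    r["ssh_in"] = fw.filter(Packet("tcp", "198.51.100.9", 51001, "10.0.0.80", 22))
    # Limit: the same HTTPS rule passes a request carrying an application-level attack.
    r["sqli_in"] = fw.filter(Packet("tcp", "198.51.100.9", 51002, "10.0.0.80", 443,
                                    payload="GET /?id=1' OR '1'='1 HTTP/1.1"))
    # Dynamic close: open, reply, FIN; a late packet from the server is then denied.
    r["tcp_out"] = fw.filter(Packet("tcp", "10.0.0.5", 50000, "203.0.113.8", 443))
    r["tcp_reply"] = fw.filter(Packet("tcp", "203.0.113.8", 443, "10.0.0.5", 50000))
    r["tcp_fin"] = fw.filter(Packet("tcp", "10.0.0.5", 50000, "203.0.113.8", 443, fin=True))
    r["tcp_late"] = fw.filter(Packet("tcp", "203.0.113.8", 443, "10.0.0.5", 50000))
    return r


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:10} {'ALLOW' if allowed else 'DENY'}")
```

The sqli_in case is the point of the "cannot" list above: the filter sees a permitted port and nothing else, so protecting the application behind port 443 is the job of the application gateway type, a web application firewall or, better, the application's own input handling.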
More recently, Unified Threat Management (UTM) appliances have come to the fore, combining a firewall with:
- Content and email filtering
- Intrusion prevention
- Application control
Depending on the level of configuration needed, UTM solutions are relatively simple to deploy, offer wide-ranging network protection against internal and external threats, are cost effective and can be fully managed from a single console. The market shows robust growth and is becoming increasingly competitive; in 2014 it was estimated by MarketsandMarkets to be worth $2,584.6 million, expected to grow to $4,445.7 million by 2019.
Lost or stolen data can be fatal to an organization, and yet many still fail not only to adequately protect the network but also to put a plan in place for responding to an attack or IT disaster. A sound disaster recovery/incident response plan can help bring a network back online quickly, lessening the cost of downtime and reducing the overall cost of the disaster to the organization.
It should set out who to contact in the event of an IT failure or outside attack and what to do to prevent further damage. Without it, an organization’s staff will respond in a disorganized manner, and this leads to mistakes.
The mainstream use of the cloud also means there’s no real reason for an organization’s data not to be fully backed up and easily restorable. Organizations that don’t feel safe with their data offsite can implement a hybrid solution in which data is backed up both onsite and to the cloud. Whichever approach is chosen, restores should be tested regularly; a backup that has never been restored is not yet a backup.
Whilst there’s little that can be done to prevent a large DDoS attack, the risk can be mitigated to some extent by early detection and by using a service that absorbs and distributes the attack traffic. Monitoring at file and server level can also help to pick up attacks before they do too much damage.
DDoS attacks have become much more common in recent years and vary in approach. Some are launched from botnets of compromised machines, whilst others, more commonly used by hacktivists, rely simply on flooding the target’s bandwidth. It’s simple for attackers to find and rent tools that cost very little but can have a devastating effect on a business. The best protection begins with understanding the risk and why it should be mitigated: cybercriminals who come up against a well-protected network will simply move on to the next one.
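As an added example that is not part of the original article, the Python script below shows what the log collection recommended earlier and the server-level early detection just described look like in practice: it parses access-log lines in the common Apache/nginx format, buckets requests into ten-second windows, and raises two kinds of alert, one for a single source exceeding a per-IP limit and one for the window as a whole exceeding a total limit, the latter being what catches a distributed flood in which no single bot stands out. The log lines, IP addresses, thresholds and window size are all constructed for illustration; real thresholds come from a baseline of your own traffic.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Leading fields of an Apache/nginx access-log line; the rest of the line is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line: str) -> Optional[Tuple[str, datetime, str]]:
    """Return (client_ip, timestamp, request) or None for a line that does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("req")


def detect_floods(lines: List[str], window_s: int = 10,
                  per_ip_limit: int = 50, total_limit: int = 100) -> List[Dict]:
    """Bucket requests into fixed windows and raise single-source and volumetric alerts."""
    per_window: Dict[int, Counter] = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # malformed lines are skipped, not trusted
        ip, ts, _ = parsed
        per_window[int(ts.timestamp()) // window_s][ip] += 1

    alerts: List[Dict] = []
    for bucket in sorted(per_window):
        counts = per_window[bucket]
        start = datetime.fromtimestamp(bucket * window_s, tz=timezone.utc)
        for ip, n in counts.most_common():
            if n > per_ip_limit:          # one client hammering the server
                alerts.append({"kind": "single-source", "window": start, "ip": ip, "requests": n})
        total = sum(counts.values())
        if total > total_limit:           # the window as a whole, however many sources
            top_ip, top_n = counts.most_common(1)[0]
            alerts.append({"kind": "volumetric", "window": start, "requests": total,
                           "sources": len(counts), "top_share": round(top_n / total, 2)})
    return alerts


def build_sample_log() -> List[str]:
    """Constructed access log: baseline traffic plus two different floods."""
    base = datetime(2015, 2, 3, 10, 0, 0, tzinfo=timezone.utc)

    def fmt(ip: str, offset_s: int, path: str = "/") -> str:
        ts = (base + timedelta(seconds=offset_s)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 612'

    lines: List[str] = []
    # Baseline: three clients, one request every two seconds for 30 s.
    for t in range(0, 30, 2):
        for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12"):
            lines.append(fmt(ip, t))
    # Flood 1 (0-10 s): a single source sends 120 requests to the login page.
    for i in range(120):
        lines.append(fmt("198.51.100.77", i * 10 // 120, "/login"))
    # Flood 2 (10-20 s): 30 bots with 5 requests each; every bot stays under the per-IP limit.
    for b in range(30):
        for i in range(5):
            lines.append(fmt(f"203.0.113.{b + 1}", 10 + i * 2))
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for a in detect_floods(build_sample_log()):
        print(a)
```

The second flood is why the volumetric check exists: a rule that only watches individual clients reports nothing for that window, while the aggregate count and the low top_share together say "many sources, none dominant", which is the signature of a botnet rather than a single abusive client.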
Cybercrime continues to present a problem for businesses of all sizes. Whilst many believe that large organizations are the usual targets, this isn’t the case: smaller businesses present a far easier target for the majority of attacks and, as the weakest link, are attacked more often.
It’s important for CEOs to understand the risks if they are to have any hope of mitigating them and putting strong protection in place. Education of staff is key too, as staff are the target that cybercriminals increasingly go after.
The threat landscape is complex and ever-evolving, and to keep a business safe from as many threats as possible, businesses must learn to understand the risk and what should be done to reduce it. For many years IT departments have bemoaned the lack of attention to security at board level, but this is changing as CEOs come to understand that risk must be mitigated if the business is to survive. Whilst little can be done to stop attacks on the scale recently seen against Sony, as these are thought to be state sponsored, there’s plenty that can be done to halt cyberattacks that are based in criminal activity.