In their November 2014 Threat Report, McAfee reported detecting over 307 new threats every minute in the third quarter of this year. The purpose of this article is not to explain the rapid growth in threats, other than to state that cybercrime has clearly become an organized industry, but to describe the additional measures organizations should be taking to further protect their systems and data.
Systems Engineering (SE) has long been a proponent of a layered, or "defense in depth," approach to security. In brief, this means you have multiple, distinct technologies on your desktops, core network, perimeter/firewall, and in the cloud, each helping to block a cybercriminal's exploits. All of these are essential technologies to have and, for regulated organizations, they can be a requirement. However, at the current rate of threat expansion, it is evident that more needs to be done, notably in the areas of improving human behavior, patching, and firewall management.
In Q3 of this year the US, and to some extent our own clients, experienced a dramatic increase in ransomware attacks. The best-known examples are CryptoLocker and CryptoWall. These viruses encrypt data files on your desktops and file servers. Once the files are encrypted, you receive a pop-up message demanding that you send money to the criminals to get your data back. For SE clients that were affected, we were able to restore data from reliable backups and avoid paying the ransom.
And ransomware is not the only threat. The now infamous Target breach started with the infection of a third-party vendor's desktop. In both cases, once a computer is infected the malware "phones home" to its command and control (C2) server and waits for instructions, either to begin the encryption process or to discover and exfiltrate credit card or other high-value data. What is important to note about these attacks is that they are designed to avoid detection. They infect a desktop by getting the end user to click on a link or open an attachment in an email.
What additional measures should you take to mitigate your risk?
- Ensure the layered security approach you've implemented includes patching of both servers and desktops. Actively managing and keeping up to date on patching is becoming more and more critical. Out-of-date software or newly discovered "zero-day" vulnerabilities can allow criminals to execute a drive-by attack and download their malware without you doing anything more than visiting a popular website or opening an infected attachment.
- Train all users at least once a year in the proper use of technology. End users need to learn how to avoid common email phishing traps, such as malware hidden in attachments or legitimate-looking hyperlinks that take them to malware sites. Studies have shown that repeated phishing email attacks will almost guarantee the cybercriminal an open door into your network.
- Implement a more advanced live threat and managed firewall solution. While there is no way to guarantee an organization will never get infected or experience a breach, the faster and more accurately you can detect an event the sooner you can stop it and understand its impact.
Why our clients partner with Systems Engineering:
- We provide fully managed patching to our customers with SE Monitoring, SE Secure, SE Essentials, and SE Desktop Patching. This ensures you are up to date on patches, and should a zero-day vulnerability be discovered, we proactively update your systems as soon as possible.
- We can provide security awareness training and network security assessments. For organizations requiring audited training and phishing email simulated drills, we provide that capability as well through one of our industry partners.
- We continue to evaluate additional security measures which are added to our SE CleanMail spam filtering service to further protect users from phishing email and malicious links.
- For our clients with managed firewalls under SE EventWatch™, SE Secure, and SE Essentials, we have put in place a process to proactively block outbound communications from the CryptoWall malware to its command and control network. This approach stops the communication even if a desktop becomes infected, which also reveals which desktop needs attention.
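To illustrate the outbound-blocking approach described above, here is an added example (not SE's own firewall logic) that applies an egress blocklist to constructed firewall connection records and reports which internal hosts attempted C2 contact. The blocklist entries, log format, and internal ranges are all assumptions for the demonstration, not real CryptoWall indicators.

```python
import ipaddress
from collections import defaultdict

# Constructed placeholder indicators (TEST-NET addresses and .example names), not real C2.
C2_BLOCKLIST_IPS = {"203.0.113.10", "198.51.100.77"}
C2_BLOCKLIST_DOMAINS = {"c2-placeholder.example", "payment-portal.example"}
# Assumed internal address ranges; adjust to the organization's own networks.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_log_line(line):
    # Assumed record format: "src=<ip> dst=<ip> dport=<port> host=<domain or '-'>"
    return dict(tok.split("=", 1) for tok in line.split())

def matches_domain_blocklist(host):
    # Match the domain itself and any subdomain of it.
    return host in C2_BLOCKLIST_DOMAINS or any(host.endswith("." + d) for d in C2_BLOCKLIST_DOMAINS)

def evaluate_egress(line):
    """Return ('block' | 'allow', reason) for one connection record."""
    f = parse_log_line(line)
    if not is_internal(f["src"]):
        return ("allow", "not an outbound connection from an internal host")
    if f["dst"] in C2_BLOCKLIST_IPS:
        return ("block", f"destination IP {f['dst']} is on the C2 blocklist")
    host = f.get("host", "-")
    if host != "-" and matches_domain_blocklist(host):
        return ("block", f"destination host {host} matches the C2 blocklist")
    return ("allow", "no indicator matched")

def triage(lines):
    """Apply the policy to each record; return decisions plus internal hosts to isolate."""
    decisions, suspects = [], defaultdict(list)
    for line in lines:
        verdict, reason = evaluate_egress(line)
        decisions.append((line, verdict, reason))
        if verdict == "block":
            suspects[parse_log_line(line)["src"]].append(reason)
    return decisions, dict(suspects)

# Constructed sample records: one infected desktop, one clean desktop, one inbound record.
SAMPLE_LOG = [
    "src=10.1.2.30 dst=203.0.113.10 dport=443 host=-",
    "src=10.1.2.30 dst=198.51.100.5 dport=80 host=www.c2-placeholder.example",
    "src=10.1.2.45 dst=192.0.2.50 dport=443 host=www.example.com",
    "src=203.0.113.99 dst=10.1.2.30 dport=445 host=-",
]

if __name__ == "__main__":
    for line, verdict, reason in triage(SAMPLE_LOG)[0]:
        print(verdict.upper(), "|", line, "|", reason)
```

The second return value lists hosts whose outbound traffic was blocked, which is the starting point for cleaning the infected desktop rather than just silencing it.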
For more information on how you can better protect your organization from cybercriminals, request a security assessment from SE.