The 119-page ISTR report is heavy going and should be compulsory reading for system administrators and those consumers who have an interest in security. For the rest – I hope this article does it justice.
I spoke at length with Nick Savvides, Information Security Solution Engineer at Symantec prior to the report’s release.
He said that 2013 was the year of mega breaches – over 552 million identities were exposed, 23 zero-day vulnerabilities were discovered, one in eight web sites had a critical vulnerability, and there was a 62% increase in the number of breaches and a 91% increase in targeted attacks.
“2014 will be memorable as the year ransomware increased by 113%, new levels of maliciousness, and increased sophistication as cybercriminals employed faster, highly targeted attacks on business – it’s where the money is,” Nick said.
The report covers six main areas:
- Mobile Devices and Internet of Things
- Web Threats
- Social Media and Scams
- Targeted attacks
- Data breaches and privacy
- E-crime and malware
Its findings come from the Symantec Global Intelligence Network, which comprises 57.6 million attack sensors in 157 countries that receive information from Symantec products and services such as Symantec DeepSight Intelligence, Symantec Managed Security Services, Norton consumer products, and other third-party sources. Spam, phishing, and malware data are captured through sources including the Symantec Probe Network, a system of more than 5 million decoy accounts. In other words, it is accurate.
Rapid attack, slow response
Within hours of the Heartbleed vulnerability exposure, attackers were exploiting it. There were 24 zero-day vulnerabilities (ZDVs) - up one from 2013.
Operating system makers took 204 days, 22 days, and 53 days to provide a patch for the top three most exploited ZDVs – in 2013 it was just four days. Attackers used the top five for a combined 295 days before patches were available.
Attackers more sophisticated – old tactics for defence no longer work
Highly targeted spear-phishing increased and gained a better response with less work. Trojanised software updates aimed at software a company uses became common. Nick explained that attackers now profile targets, find out what software they use, weaponise it, and via spear phishing encourage the company to download the updates and infect itself. Device drivers for the Internet of Things (IoT) were a particular target.
These attackers had implemented high levels of surveillance to identify suppliers to targets, gathering public information by web searches, and even employing people to observe and infiltrate the organisation. In many cases, malware was able to enumerate systems and software used within a corporate network.
60% of all targeted attacks struck small and medium-sized organisations that don’t have the resources to invest in security, and many are still not adopting basic best practices such as blocking executable files and screensaver (.scr) email attachments.
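As an added illustration of the “block executable and screensaver attachments” practice mentioned above (example code, not from the report or iTWire), this Python mail-gateway check flags attachments by extension, including double extensions such as invoice.pdf.scr, and also by the PE “MZ” header so that a renamed executable is still caught. The blocked-extension set and the sample message are constructed assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions to reject: executables and screensavers as the report suggests,
# plus other common Windows launchable types (this set is an assumption).
BLOCKED_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
PE_MAGIC = b"MZ"  # every Windows PE file starts with these two bytes


def blocked_attachments(raw_message: bytes) -> list:
    """Return (filename, reason) pairs for attachments a gateway should block."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        # Look at every dotted suffix so 'invoice.pdf.scr' is not mistaken for a PDF.
        suffixes = ["." + s for s in name.split(".")[1:]]
        if any(s in BLOCKED_EXTENSIONS for s in suffixes):
            findings.append((name, "blocked extension"))
            continue
        # Name checks alone are not enough: sniff the decoded bytes for a PE header.
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(PE_MAGIC):
            findings.append((name, "PE executable content"))
    return findings


def build_sample() -> bytes:
    """Constructed test message: a disguised .scr, a renamed PE, and a benign text file."""
    m = EmailMessage()
    m["From"] = "colleague@example.com"
    m["To"] = "you@example.com"
    m["Subject"] = "Updated work instructions"
    m.set_content("Please open the attached files.")
    m.add_attachment(b"not really a pdf", maintype="application",
                     subtype="pdf", filename="Invoice.pdf.scr")
    m.add_attachment(b"MZ\x90\x00fake PE header", maintype="image",
                     subtype="jpeg", filename="photo.jpg")
    m.add_attachment("Just some notes.", filename="notes.txt")
    return m.as_bytes()


if __name__ == "__main__":
    for filename, reason in blocked_attachments(build_sample()):
        print(f"BLOCK {filename}: {reason}")
```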
Companies are not anticipating attackers’ tactics
While gaining access with employees’ credentials is still a major threat, attackers have raised the bar by building custom attack software inside corporate networks, hijacking companies’ own infrastructure and turning it against them. Traditional protection is not adequate. Five out of every six large companies (2,500+ employees) were targeted with spear-phishing attacks – a 40% increase. Attacks on small and medium-sized businesses increased 26% and 30%, respectively.
Malware is the new black
More than 317 million new pieces of malware were created, nearly one million new threats each day. The sheer bulk of malware made it impossible to stop it all. For the first time it was seen on Android as well.
The most common use of malware by volume was to install crypto-ransomware, which grew 113%. It holds a victim’s files, photos and other digital media hostage. A decryption key is provided upon payment – usually $300-500 and often in untraceable Bitcoins – and there is no guarantee the key will work.
“Being seventh globally for ransomware is rather disturbing when you think about it,” said Nick Savvides, Symantec security specialist. “I think it speaks to the fact that the attackers go where the money is and Australia’s a fairly wealthy country, so there are a lot of opportunities for the attackers to extract revenue out of this market.”
Cyber-criminals use social networks as a delivery mechanism
70% of social media scams were manually shared. They spread rapidly and are lucrative because people are more likely to click something posted by a friend.
Mobile is ripe for attack
Most users neglect even basic security precautions on their smartphones. 17% of all Android apps (nearly one million in total) contained malware – these came not from the Google Play Store but from third-party stores. Grayware apps that track user behaviour accounted for 36% of all mobile apps. iTWire has articles on Android and iOS malware.
84% of mobile vulnerabilities are iOS related and 11% are from Android. These threats are lessened by using official app stores and by not jailbreaking or rooting the device. They include:
- Send Content – premium SMS, spam and SEO poisoning threats.
- Adware/Annoyance – advertisement pop-ups and unwanted information.
- Reconfigure Device – modifies user settings and elevates privileges.
- Traditional Threats – backdoor Trojans, downloaders, DDoS utilities, hacktools and fake security alerts.
- Steal Information – steals device data, media files and any user credentials, e.g. a banking Trojan.
- Track User – spies on users and tracks user location.
IoT is not immune
Opinion - The human element
The biggest weakness is not the hardware, which can be protected, but the human who uses it.
Malware requires human interaction – you have to say yes to install it.
Spear-phishing requires you to act on an email by clicking on a link and then installing malware.
Stolen credentials result from the loss of unsecured mobile devices or, in some cases, from coercion – money is paid to get access. They also result from attackers posing as system administrators and tricking you into revealing logins and passwords – the old ‘Microsoft support’ phone call scam.
The more I spoke to Nick, the more I realised that we don’t have an IT driver’s licence, we don’t teach security in schools or tertiary institutions, and we are all too trusting. There is no such thing as a free iPad for answering a few questions, weight loss requires a balanced diet and exercise, and let’s not get into the pharmaceutical, sex, inheritance, and other scams.
Attackers, however, are surveilling businesses, workers and their habits. The higher the stakes, the easier it is to gather information that can be used to trick you. What if you got an email saying your best friend had died – click here for information? What if you click on a cute puppy picture and have to say “Yes” to view it? What if an SMS comes from a colleague with a link to click to get work instructions? These are all real ways to get malware.
Wise up, please. The more I research security, the more I realise security breaches are preventable with common sense. Australians are famous for the ‘She’ll be right – can’t happen to me’ attitude – well, have I got a deal for you!