Cybercrime has become big business. An August 2016 Osterman Research survey revealed that 39 per cent of respondent organizations were impacted by ransomware in the preceding twelve months. In the United States, nearly one-third of victims faced data ransom demands of US $500 or less, likely the result of mass automated infection techniques; however, some targeted ransomware demands exceeded US $10,000.
Individuals, corporations, hospitals, schools, governments, and law enforcement agencies have all been victimized. The FBI estimated cybercriminals collected $209 million in the first quarter of 2016, suggesting that ransomware is now a $1 billion per year crime.
The frequency and magnitude of security breaches continue to increase at an alarming pace. In 2016, Yahoo disclosed that law enforcement had provided the company with data files that a third party claimed were Yahoo user data. Based on a forensic analysis, Yahoo concluded that an unauthorized third party stole data associated with more than one billion user accounts in August 2013. Yahoo indicated that it has not been able to identify the intrusion associated with the breach.
In addition to being the largest breach of this type, the Yahoo hack confirms what security professionals have known for years: Compromises frequently go undiscovered, rendering statistics unreliable. Had a foreign government been responsible for this breach, it is unlikely that it would have been detected.
The 2016 United States Presidential Election generated unprecedented dialogue on state-sponsored hacking. It was widely reported that one of the organizations allegedly responsible for hacking the Democratic National Convention (DNC), nicknamed APT28, may be associated with Russian military intelligence. It is risky to base a conclusion solely on publicly available evidence. DNC email accounts were breached, and malware was apparently spread across DNC computers. While it is certainly possible that the attack was state sponsored, it is also conceivable that APT28 could have been working for a non-nation client, including domestic political opponents.
Security vendors continue to improve anti-malware software and develop products to detect and combat intrusions. Some of these tools can be effective against mass malware campaigns and known malware toolkits, but they have very little impact on bespoke malware developed for targeted attacks. Anyone who feels comfortable with their current anti-malware controls should read the Crowdstrike blog post about the DNC intrusion (https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/) for a rare glimpse into the world of advanced persistent threats:
“On many occasions, both the dropper and the payload will contain a range of techniques to ensure the sample is not being analyzed on a virtual machine, using a debugger, or located within a sandbox. They have extensive checks for the various security software that is installed on the system and their specific configurations. When specific versions are discovered that may cause issues for the RAT, it promptly exits. These actions demonstrate a well-resourced adversary with a thorough implant-testing regime that is highly attuned to slight configuration issues that may result in their detection, and which would cause them to deploy a different tool instead.”
On the consumer front, things are even worse. Product manufacturers continue to fail at security. Poorly designed IP cameras and routers are being conscripted into botnets by the millions. IoT devices with no meaningful security features are permeating homes and offices. It is only a matter of time until sophisticated threat agents exploit these devices and use them to inject malware, if they have not done so already.
Albert Einstein is said to have defined insanity as doing the same thing over and over again and expecting different results. It is undisputed that email and web sites are the primary malware delivery vectors, yet we continue to pull data from these sources into the heart of business operations. There are solutions, but most people don’t want to hear them; instead they hope for a miracle or magic bullet, or at least to dodge the next ransomware attack. The insanity continues.
Have a security question you’d like answered in a future column? Email firstname.lastname@example.org