Now Is the Time for Cyber to Take Off

Uncertainty about several key variables appears to be causing U.S. businesses and insurance companies to move cautiously into the much-heralded, though still nascent, market for cyber liability policies.

Insurers continue to be reluctant to make policies more broadly available. The big excuse: Industry officials contend there is a relative lack of historical data around cyber incidents, and they bemoan the constantly evolving nature of cyber threats.

This assessment comes in a report from the Deloitte Center for Financial Services titled: Demystifying Cyber Insurance Coverage: Clearing Obstacles in a Problematic but Promising Growth Market

“Insurers don’t have sufficient data to write coverage extensively with confidence,” says Sam Friedman, insurance research leader at Deloitte.

But the train is about to leave the station, and some of the stalwarts who shaped the insurance business into the ultra conservative (read: resistant to change) sector it has become could very well be left standing at the station.

Consider that regulations imposing tighter data handling and privacy protection requirements are coming in waves. Just peek at the New York Department of Financial Services’ newly minted cybersecurity requirements or Europe’s recently revamped General Data Protection Regulation.

With cyber threats on a steadily intensifying curve, other jurisdictions are sure to jump on the regulation bandwagon, which means the impetus to make cyber liability coverage a standard part of everyday business operations will only increase.

Meanwhile, cybersecurity entrepreneurs, backed by savvy venture capitalists, are moving aggressively to eliminate the weak excuse that there isn’t enough data available to triangulate complex cyber risks. In fact, the opposite is true.

Modern-day security systems, such as anti-virus suites, firewalls, intrusion detection systems, malware sandboxes and SIEMs, generate mountains of data about the security health of business networks. And the threat intelligence systems designed to translate this data into useful operational intelligence are getting more sophisticated all the time.

And while large enterprises tend to have the latest and greatest of everything, in house, even small and medium-size businesses can access cutting-edge security systems through managed security services providers.

Meanwhile, big investment bets are being made in a race to be the first to figure out how to direct threat intelligence technologies to the task of deriving the cyber risk actuarial tables that will permit underwriters and insurers to sleep well at night. One cybersecurity vendor to watch in this arena is Tel Aviv, Israel-based InnoSec.

“Cyber insurance policies are being given out using primitive means, and there’s no differentiation between policies,” observes InnoSec CEO Ariel Evans. “It’s completely noncompetitive and solely aimed right now at the Fortune 2000. Once regulation catches up with this, cyber insurance is going to be required. This is around the corner.”

InnoSec was busy developing systems to assess the compliance status and overall network health of companies involved in merger and acquisition deals. It now has shifted to seeking ways to apply those network assessment approaches to the emerging cyber insurance market.

At the moment, according to Deloitte’s report, that market is tepid, at best. While some have predicted U.S. cyber insurance sales will double and even triple over the next few years to reach $20 billion by 2025, cyber policies currently generate only between $1.5 billion and $3 billion in annual premiums.

Those with coverage in minority

As of last October, just 29% of U.S. businesses had purchased cyber insurance coverage despite the rising profile of cyber risk, according to the Deloitte report. Such policies typically cover first- and third-party claims related to damages caused by a breach of personally identifiable information or some derivative, says Adam Thomas, co-author of the Deloitte report and a principal at the firm. In some cases, such policies also might cover business disruption associated with a cyber incident.

The insurance industry contends it needs more businesses to buy higher-end, standalone cyber insurance policies so that enough claims data can be collected to build reliable models, much as was done with the development of auto, life and natural disaster policies.

But businesses, in turn, aren’t buying cyber policies in enough numbers because insurers are adding restrictions to coverage and putting fairly low limits on policies to keep exposure under control. “It is a vicious cycle,” Friedman says.

“Insurers recognize that there is a growth opportunity, and they don’t want to be left out of it,” he says. “On the other hand, they don’t want to take more risk than they can swallow.”

While the insurance industry gazes at its navel, industry analysts and cybersecurity experts say the big challenge—and opportunity—is for underwriters and insurers to figure out how to offer all businesses, especially small- and medium-size companies, more granular kinds of cyber policies that actually account for risk and provide value to the paying customers.

“What they’re doing now is what I call the neighbor method,” InnoSec’s Evans says. “You’re a bank, so I’ll offer you a $100 million policy for $10 million. The next guy, he’s a bank, so I’m going to offer him a $100 million policy for $10 million. It has nothing to do with risk. The only place this is done is with cyber.”

Talk in same terms

This is due, in part, to a lack of standard terminology used to describe cyber insurance-related matters, says Chip Block, vice president of Evolver, a company that provides IT services to the federal government. The SANS Institute, a well-respected cybersecurity think tank and training center, last year put out a report that drills down on the terminology conundrum, including recommendations on how to resolve it, titled Bridging the Insurance/Infosec Gap.

And the policies themselves have been another factor. “If you compare car insurance from Allstate and Geico, a majority of the policies are relatively the same,” Block says. “We haven’t gotten to that point in cyber. If you go from one underwriter to another, there is no common understanding of the terminology.”

Understandably, this has made it hard for the buyer to compare policies or to determine the relative merits of one policy over the other. Block agrees that cyber policies today generally do not differentiate based on risk profile—so a company that practices good cyber hygiene is likely to see no difference in premiums as compared with one that doesn’t.

Industry must get moving

InnoSec’s Evans argues that even though cybersecurity is complex, the technology, as well as best-practice policies and procedures, is readily available to solve the baseline challenges. What is lacking is initiative on the part of the insurance industry to bring these components to bear on the emerging market.

“This is absolutely possible to do,” she says. “We understand how to do it.”

Putting technological solutions aside, there is an even more obvious path to take, Friedman argues. Resolve the terminology confusion and there is little stopping underwriters and insurers from crafting and marketing cyber policies based on meeting certain levels of network security best practices standards, Friedman says.

“You look at an organization’s ability to be secure, their ability to detect intrusions, how quickly they can react and how much they can limit their damage,” he says. “In fact, insurers should go beyond just offering a risk-transfer mechanism and be more aggressive in helping customers assess risk and their ability to manage and prevent.”

Thomas pointed to how an insurance company writing a property policy for a commercial building might send an engineering team to inspect the building and make safety recommendations. The same approach needs to be taken for cyber insurance, he says.

“The goal is to make the insured a better risk for me,” he says.

Ransomware: Growing Threat for SMBs

Ransomware, a cyber scourge that appears on the verge of intensifying, poses an increasingly dire threat to small- and medium-sized businesses (SMBs) in 2016.

In a ransomware attack, victims are prevented or limited from accessing their systems. Cyber criminals attempt to extort money by first using malware to encrypt the contents of a victim’s computer, then extracting a ransom in exchange for decrypting the data and allowing the victim to regain access.

Until now, most attacks have targeted consumers and, to a lesser extent, businesses working on Windows platforms.

That’s about to change. Security experts caution that small- and medium-sized business owners and users of non-Windows platforms can expect to be increasingly targeted in attacks that seek to extort money from them via sophisticated ransomware tools.

Experts say many of the malicious campaigns will likely be carried out by opportunistic attackers and newbie extorters trying to take advantage of inexpensive do-it-yourself ransomware kits that are beginning to become available in underground markets.

Estimates about the cost to victims from more widely used ransomware tools like CryptoWall and CryptoLocker range from tens to hundreds of millions of dollars.

Now, analysts are concerned that cyber criminals are on the verge of widening the scope of their attacks. Last month, researchers at security vendor Emsisoft analyzed Ransom32, a malware tool many believe is a harbinger of things to come on the ransomware front.

Fewer are immune to attack

Ransom32 is the first ransomware tool written entirely in JavaScript. That makes it easily portable to other platforms like Linux and Mac OS X.

Kowsik Guruswamy, Menlo Security chief technology officer

Kowsik Guruswamy, chief technology officer at Menlo Security, says that, unlike the JavaScript in a browser, which is sandboxed to prevent access to the file system and other local resources, Ransom32 is designed to have unfettered access to the system.

“Ransom32 is one-of-a-kind in that it’s cross-platform, which alone increases the targets for the malware authors,” Guruswamy says. “Since the underlying Chromium interpreter is cross-platform, this allows Ransom32 to target users across all of the (operating systems) and devices in one go. This is the worrisome part.”

Significantly, the authors of the malware appear to have adopted a ransomware-as-a-service model in their distribution approach. Ransom32 is available via a hidden server on Tor to anyone with a bitcoin account.

The malware does not require any specific skills to operate, and it comes with a management interface that the attacker can use to customize ransom messages and specify the ransom amounts. The interface supports a feature that lets the authors of Ransom32 track how much money is being collected via the tool and lets the authors take a 25% cut from the total.

DIY kit for bad guys

Ransom32 is the second publicly disclosed ransomware in recent months that is being distributed as a do-it-yourself kit in the cyber underground. The first was Tox, a malware tool discovered by a researcher at Intel’s McAfee Labs that, like Ransom32, was distributed via Tor to anyone interested in launching a ransomware attack.

“Ransomware as a service is an increasing and worrisome trend,” says Fabian Wosar, a security researcher at Emsisoft. “Fortunately, most schemes are of poor quality, but the people writing these types of frameworks are learning.”

Each time a security vendor finds a weakness in a ransomware tool, the threat actors figure out what mistakes they are making and plug it immediately, Wosar says.

Going forward, expect tools like Ransom32 and trends like ransomware-as-a-service to pose a bigger threat for businesses, especially small and medium ones, which generally don’t have the same resources that large companies have to defend themselves.

Lately, there have been an increasing number of reports about company servers being attacked directly through the Remote Desktop Protocol (RDP) that is used to remotely administer and manage systems.

SMBs have limited defenses

“Most SMBs don’t have the budget to employ their own in-house IT staff,” Wosar says. “As a result, a lot of them employ outside companies to take care of their IT infrastructure, and these companies often use remote control tools like RDP to administrate the network and server [remotely].”

One result is that a lot of SMBs are exposed to attacks that take advantage of weakly protected remote control interfaces to gain access to internal systems and data. Wosar says that in such situations it is just a matter of time before an attacker stumbles on a critical server and hijacks it for ransom.

Because the attackers typically gain access to the server itself, they also can turn off any security software that might be installed on it, and they become virtually undetectable in the process. All that is left behind is usually a note that informs the admin about the hack, with a means of communication to negotiate the price.
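The exposure Wosar describes leaves a trail in the server’s own logon records before any ransom note appears. The script below is an added illustration for this passage, not code from the article, from Emsisoft or from any vendor named here: it reads Windows Security logon events, keeps only RDP logons (logon type 10), and raises an alert when one source address racks up a burst of failures and a second, higher-severity alert when that same source then logs on successfully. The event records are constructed for the example; the thresholds and field layout are assumptions.

```python
"""Detect password guessing against an exposed RDP service from Windows
Security event records.

Added illustration; the records below are constructed for the example. Their
fields mirror Windows events 4625 (failed logon) and 4624 (successful logon);
logon type 10 is RemoteInteractive, i.e. RDP."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: "<timestamp> <event id> <logon type> <account> <source IP>"
SAMPLE_EVENTS = [
    "2016-02-01T02:14:05 4625 10 administrator 203.0.113.45",
    "2016-02-01T02:14:09 4625 10 admin 203.0.113.45",
    "2016-02-01T02:14:12 4625 10 backup 203.0.113.45",
    "2016-02-01T02:14:20 4625 10 sqlsvc 203.0.113.45",
    "2016-02-01T02:14:31 4625 10 administrator 203.0.113.45",
    "2016-02-01T02:15:02 4625 10 administrator 203.0.113.45",
    "2016-02-01T02:15:40 4624 10 administrator 203.0.113.45",  # guessing succeeded
    "2016-02-01T09:03:11 4625 10 jsmith 198.51.100.7",         # one mistyped password
    "2016-02-01T09:03:25 4624 10 jsmith 198.51.100.7",
    "2016-02-01T09:10:00 4625 2 jsmith 127.0.0.1",             # console logon, not RDP
]

FAIL_THRESHOLD = 5              # this many failures from one source ...
WINDOW = timedelta(minutes=10)  # ... within this period (assumed values)


def parse_event(line):
    """Split one constructed record into its fields."""
    ts, event_id, logon_type, account, src = line.split()
    return {"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
            "logon_type": int(logon_type), "account": account, "src": src}


def detect_rdp_attacks(lines, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return alerts for a burst of RDP logon failures from one source, and for
    any RDP logon success from a source that already crossed the threshold."""
    recent_failures = defaultdict(deque)  # src -> failure timestamps inside the window
    flagged = set()                       # sources already over the threshold
    alerts = []
    for ev in map(parse_event, lines):
        if ev["logon_type"] != 10:
            continue  # only RemoteInteractive (RDP) logons are of interest here
        src = ev["src"]
        if ev["event_id"] == 4625:
            q = recent_failures[src]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()  # drop failures that fell out of the sliding window
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"kind": "rdp_brute_force", "src": src,
                               "failures": len(q), "at": ev["ts"]})
        elif ev["event_id"] == 4624 and src in flagged:
            # A success after a guessing burst is the case to treat as a likely compromise
            alerts.append({"kind": "rdp_compromise_suspected", "src": src,
                           "account": ev["account"], "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_attacks(SAMPLE_EVENTS):
        print(alert)
```

On the sample, the single mistyped password from jsmith produces nothing, while the burst from 203.0.113.45 produces a brute-force alert at the fifth failure and a compromise alert when the administrator logon succeeds. Because the article notes that an attacker who reaches the server can switch off whatever security software runs on it, this kind of check is only useful when the events are forwarded to a collector the attacker cannot reach from the compromised host.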

There already has been an increased interest from cyber criminals in specifically targeting companies, largely because of the potentially bigger payouts involved, says Christian Funk, who heads Kaspersky Lab’s global research and analysis team in Germany.

“A business is depending on its digital assets and, therefore, often more willing to pay the ransom,” Funk says. “There have been cases where cyber criminals noticed that a company has been successfully infected and, therefore, the criminals decided to charge up to eight times the original ransom. I suspect such methods, as well as targeted attacks, are likely to increase in future.”

This article was written by Third Certainty’s Jaikumar Vijayan.

Firms Ally to Respond to Data Breaches

More companies than ever realize they’ve been breached, and many more than you might think have begun to put processes in place to respond to breaches.

A survey of 567 U.S. executives conducted by the Ponemon Institute and Experian found that 43% of organizations reported suffering at least one security incident, up from 10% in 2013. And 73% of the companies surveyed have data breach response plans in place, up from just 12% in 2013.

“Compared with last year’s study results, survey findings show encouraging signs that organizations are beginning to better prioritize data breach prevention, but more needs to be done,” says Larry Ponemon, namesake founder of Ponemon Institute.

Major data breaches have become a staple of news headlines. So it can’t be that companies are complacent. The problem seems to be that big organizations just can’t move quickly enough.

Home Depot was blind to intruders plundering customer data even as Target endured exposure and criticism for being similarly victimized just months before, possibly by the same gang.

In our connected world, it’s hard to keep pace. The Ponemon study found 78% of companies do not update their response plans as threats change or as processes at the company change.

Rise of threat intelligence

That’s where the trend toward correlating data from disparate threat sensors could begin to close the gap. It’s a promising sign that ultra-competitive security companies have begun to collaborate more on sharing and analyzing threat intelligence.

Boulder, Colo.-based security vendor LogRhythm, for instance, has formed an alliance with CrowdStrike, Norse, Symantec, ThreatStream and Webroot to share sensor data and compare notes on traffic that looks suspicious.

LogRhythm supplies a platform for culling and analyzing data from its partner vendors “to help identify threats in our customers’ IT environments more quickly, with fewer false positives and fewer false negatives,” says Matt Winter, LogRhythm’s vice president of corporate and business development.

Since announcing its Threat Intelligence Ecosystem last month, LogRhythm has received “considerable inbound interest from customers and channel partners,” Winter says. “Feedback has been very positive.”

Similar threat intelligence alliances, both formal and informal, are taking shape throughout the tech security world. The business model of Hexis Cyber Solutions, a year-old startup, relies on pooling threat sensor data from several security vendors, including antivirus giant Symantec and social media malware detection firm ZeroFOX.

Hexis applies analytics with the goal of accurately identifying – and automatically removing – clearly malicious programs.

“The state of the art today is a single-point security product triggering alerts on particular things and putting a warning on a screen,” says Chris Fedde, president of Hexis. “We’re all about analyzing alerts and taking action on them. Anything that’s malicious we go ahead and remove.”

In one recent pilot study, Hexis tracked 5,000 computing devices and 13,000 user accounts of a U.S. medical center for 30 days. Hexis intercepted 35,000 incidences of suspicious outside contacts and removed 23 malicious files.

Those malicious files that got inside the medical center’s network included: Dirtjumper, a tool used to conduct denial of service attacks; Tsunami, malware used for spamming and data theft; a remote access tool (RAT) used to take full control of a compromised computer; and an adware Trojan.
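The claim behind these alliances is that pooling sensor verdicts yields fewer false positives and fewer false negatives than any single product’s alert. The following is an added example of one way to fuse such verdicts; it is not code from LogRhythm, Hexis or any vendor the article names. Each feed is modelled by an assumed true-positive rate (how often it flags a truly malicious contact) and false-positive rate (how often it flags a benign one), and verdicts on one indicator are combined as naive-Bayes log-odds, so that a lone noisy feed cannot trigger removal but agreement between feeds can. Feed names, rates, thresholds, the prior and the sensor reports are all constructed for the example.

```python
"""Combine verdicts from several threat sensors on the same indicator.

Added illustration; feeds, rates, prior and reports are constructed."""
import math

PRIOR_MALICIOUS = 0.01  # assumed base rate of malicious outbound contacts

# Constructed feeds: name -> (true-positive rate, false-positive rate)
FEEDS = {
    "feed_a": (0.90, 0.01),  # high-quality feed
    "feed_b": (0.70, 0.05),
    "feed_c": (0.60, 0.10),  # noisy feed
}

REMOVE_AT = 0.90  # fused probability at which the contact is blocked and the file removed
ALERT_AT = 0.25   # fused probability at which an analyst is alerted instead


def fuse(observations, feeds=FEEDS, prior=PRIOR_MALICIOUS):
    """observations: feed name -> True (flagged) or False (checked and found clean).
    Feeds that never looked at the indicator are simply absent and contribute nothing."""
    log_odds = math.log(prior / (1 - prior))
    for name, flagged in observations.items():
        tpr, fpr = feeds[name]
        if flagged:
            log_odds += math.log(tpr / fpr)              # likelihood ratio of a hit
        else:
            log_odds += math.log((1 - tpr) / (1 - fpr))  # likelihood ratio of a miss
    return 1 / (1 + math.exp(-log_odds))                 # back to a probability


def decide(probability):
    """Map the fused probability onto the remove / alert / ignore actions."""
    if probability >= REMOVE_AT:
        return "remove"
    if probability >= ALERT_AT:
        return "alert"
    return "ignore"


def triage_indicators(reports):
    """reports: indicator -> observations. Returns indicator -> (probability, action)."""
    result = {}
    for indicator, observations in reports.items():
        p = fuse(observations)
        result[indicator] = (p, decide(p))
    return result


# Constructed sensor output for three outbound contacts seen on the network
SAMPLE_REPORTS = {
    "198.51.100.23": {"feed_a": True, "feed_b": True},                   # two feeds agree
    "203.0.113.9":   {"feed_b": True, "feed_c": True},                   # weaker agreement
    "192.0.2.77":    {"feed_a": False, "feed_b": False, "feed_c": True},  # noisy feed alone
}

if __name__ == "__main__":
    for indicator, (p, action) in triage_indicators(SAMPLE_REPORTS).items():
        print(f"{indicator:15s} p={p:.3f} -> {action}")
```

With these numbers the contact flagged by the two better feeds scores about 0.93 and is removed, the pair of weaker hits scores about 0.46 and only alerts, and the hit from the noisy feed that the two stronger feeds contradict drops below one percent and is ignored. The rates are the part that must come from each organization’s own review of past alerts; a feed whose precision is unknown should be given a modest rate rather than a flattering one.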

There’s a long way to go. But alliances to share threat sensor information, like the ones being pioneered by LogRhythm, Hexis and many other security vendors, seem destined to take root.

Someday in the not too distant future, it may not matter if intruders get inside the network, if robust threat intelligence systems are poised to cut them off from doing damage.

Scammers Taking Advantage of Google

Some 500 million people use Gmail and Google Drive. I’m one of them.

Gmail and Google Drive are wonderful for communicating and collaborating. But it turns out they’re also ideal tools for hacking into your computing device.

Bad guys on the cutting edge have discovered this. And their success so far indicates that attacks manipulating Google’s productivity platform (and similarly exploiting other popular cloud-based business tools) are destined to progress.

This development should not come as a big surprise. Cyber criminals are quick to recognize fresh opportunities created by our headlong rush to use cloud services and mobile devices without giving due consideration to security and privacy.

Intelligence about the latest iteration of hacking comes courtesy of security startup Elastica.

Flying under the radar

Researchers at Elastica this summer discovered scammers using Gmail accounts to send messages crafted to fool recipients into downloading corrupted PowerPoint presentations stored on Google Drive. Scammers were thus able to slip the malicious PowerPoint file past malware detection filters.

Another tactic discovered by Elastica involved scammers opening free Gmail accounts from which they sent out spoofed messages tricking recipients into visiting a website they controlled that was hosted on Google’s own servers. Because the bad guys’ website was hosted on Google servers, it was deemed trustworthy, making it easier for them to trick visitors into divulging account logons.

Any hacker can tell you that once you get someone to download a corrupted file, or get them to navigate to a website you control, the rest is comparatively easy. At that point, the target is a half-step away from being owned.

Keys to the (data) kingdom

“In the cloud environment, the username and password become all-powerful; almost all these applications use some sort of username and password as a way to get in,” says Eric Andrews, Elastica’s marketing vice president. “Once you have that, you can do anything you want. You can get all the data. You can get all the files. So a lot of these attacks that are going at the cloud apps are all about trying to get somebody’s username and password.”

These fresh hacking opportunities are being presented not just by Google but by each and every one of the most popular cloud-based email, productivity tools, file-sharing and customer-relationship tools.

“Office365, Dropbox, Salesforce, all of these apps are very, very convenient and have a lot of great business utility,” Andrews says. “But there is this kind of lurking concern. You don’t really know if your company’s data is safe. You don’t know if other people can get to it. This move to the cloud really has a fundamental ripple effect through all security functions.”

Gmail more widely used

In abusing Google’s services, cyber criminals are taking advantage of the fact that Gmail has become a de-facto backup email throughout the business world. It is widely used by well-intentioned workers, in companies of all sizes, who are hustling to work more productively.

No one is surprised anymore to receive an email from the private Gmail account of a supervisor, colleague, partner or customer, or even an administrative message from Google. A trust exists. And this creates a perfect environment for spoofing.

Likewise, free or cheap Google Drive file storage makes for a perfect repository to set up phishing attacks and distribute malicious web links.

In a case recently dissected by Elastica, the bad guys sent phishing emails out to victims who they guessed would have an interest in controversies surrounding Tibet’s Dalai Lama. The enticement: Click to a link to a corrupted PowerPoint presentation hosted on Google Drive.

Aditya Sood, chief architect at Elastica’s Cloud Threat Labs, describes how the social engineering aspect of the attack then unfolds:

“There are no attachments in the email. Basically, it’s just a direct link to the Google cloud service, which hosts the PowerPoint presentation. When the user retrieves that link, the user won’t be able to view this PowerPoint presentation. So the user then is going to download that file onto the local machine. Once the user opens it on his local machine, the PowerPoint presentation actually extracts two files. One, the INF file, contains a launch code for the second, a GIF file. The GIF file downloads malware to the end user system.”

Gmail and Google Drive are powerful, flexible, reliable, easy to use and free. Yet, it turns out that these are the very characteristics that make them ideal tools for cyber criminals to infect computers. In essence, the bad guys are simply adapting infection techniques that proved highly effective in the desktop environment to new opportunities presenting themselves in the cloud environment.

These bad guys no longer have to trouble themselves with creating malicious email attachments, nor do they have to worry as much about spreading tainted Web links that can be quickly detected and blacklisted. And as long as the trust remains high in Gmail, Google Drive, Office 365, Salesforce and other top cloud services, social engineering trickery remains easier than it really ought to be.

“Attackers don’t have to invest too much time or money in gaining credentials or compromising servers to attack people,” Sood says. “They simply create one Gmail account and then, basically, abuse the Google publishing functionality.”

Predictive Tech Can Preempt Cyber Threats

In the ever-evolving landscape of cyber threats, for many organizations, simple detection and remediation is no longer enough. Some cybersecurity companies are now going one step further, providing predictive intelligence that can preempt threats.

In September, Triumfant became the latest to enter this growing field, through a partnership with Booz Allen Hamilton.

“If you’re just offering prevention, you don’t have a complete product. If you have detection and remediation, you’re getting closer,” Triumfant CEO John Prisco says. “When you add predictability, you’re starting to get a fairly robust treatment of the problem.”

Triumfant, founded in 2002, has been evolving in the way it provides endpoint protection. The latest iteration of its AtomicEye platform integrates Booz Allen’s capabilities to reverse engineer an attack with the goal of attribution (looking for the source of the attack) and threat prediction.

“(Booz Allen) will accept the malware from us, detonate it in their lab and reverse engineer it,” Prisco says. “They’ll then use the information they have to try and determine attribution.”

Although not all clients are interested in attribution, the capability is built into AtomicEye so files can be easily collected for the Booz Allen lab.

The AtomicEye platform detects malware by analyzing the computer’s patterns against an established blueprint, an atomic fingerprint based on upward of a million data points that were collected previously to establish the baseline. Once malware is detected, the computer’s operator clicks on a button to remediate the attack.

The offending file can be checked against threat intelligence databases, and, if it’s not listed, that indicates the likelihood of a zero-day attack. The Triumfant platform becomes essentially a filter for potential future analysis.

“If it doesn’t exist in the database, then it’s a real candidate for Booz Allen to do analytical work on it,” Prisco says.

Randy Hayes, Booz Allen Hamilton vice president, says his company is “uniquely qualified to deconstruct the threat in the lab” because it has been providing advanced malware analysis to the U.S. government for years. Booz Allen can use that experience to do things that no one can replicate for getting more actionable threat intelligence, according to Hayes.

“One of the biggest problems with cybersecurity right now is that there is too much focus on technology and automated solutions,” he says. “What we need instead is more intelligence tradecraft to include more mathematics around behavioral analytics, which is what Triumfant does.”

Prisco says what makes his company different in the threat intelligence space is the approach.

He says that typically, threat intelligence platforms would scan a computer for known offenders to see if those types of files exist on the machine. But because there could be millions of files uploaded to the cloud-based threat intelligence platforms, scanning a computer for all of them would essentially make the machine inoperable, so the platform may scan for only a select number.

He points out that’s why, in a recent data breach report, Verizon was critical of threat intelligence platforms.

“It’s difficult to get all the threat intelligence in the cloud fast enough to make a difference,” he says.

AtomicEye, instead, detects the offensive file first, then scans it against the threat-intelligence database.

“That’s much easier to do,” Prisco says. “We’re not trying to burden each computer and scan for each problem.”

In other words, instead of using the typical signature-based detection, Triumfant uses statistical anomaly analysis to find malware.
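The ordering Prisco describes, deviation from the host’s own baseline first and a threat-intelligence lookup only for what deviates, can be shown in a few dozen lines. The script below is an added illustration for this passage; it is not Triumfant’s code and does not reproduce AtomicEye’s fingerprinting, which the article describes only as a baseline of a million data points. A host snapshot here is just a map of file paths to hashes plus a map of autorun entries; the paths, file contents, hashes, the autorun key and the intelligence sets are all constructed for the example. The counter on the lookup class makes the point of the passage visible: the host with five files costs three hash lookups, not a sweep of every known indicator.

```python
"""Detect-first, look-up-second triage of host changes.

Added illustration; snapshots, hashes and intelligence sets are constructed."""
import hashlib
from dataclasses import dataclass, field


def sha256(data):
    return hashlib.sha256(data).hexdigest()


@dataclass
class HostSnapshot:
    files: dict     # path -> sha256 of the file content
    autoruns: dict  # autorun value name -> command it launches


@dataclass
class ThreatIntel:
    malicious: set = field(default_factory=set)  # hashes known to be bad
    benign: set = field(default_factory=set)     # hashes known to be good (e.g. vendor updates)
    lookups: int = 0                             # how many hashes were actually queried

    def classify(self, digest):
        self.lookups += 1
        if digest in self.malicious:
            return "known_malicious"
        if digest in self.benign:
            return "known_benign"
        return "unknown_candidate_for_analysis"  # the zero-day candidates the article describes


def diff_snapshots(baseline, current):
    """Anomaly step: report only what deviates from this host's own baseline."""
    anomalies = []
    for path, digest in current.files.items():
        old = baseline.files.get(path)
        if old is None:
            anomalies.append(("new_file", path, digest))
        elif old != digest:
            anomalies.append(("changed_file", path, digest))
    for name, command in current.autoruns.items():
        if baseline.autoruns.get(name) != command:
            anomalies.append(("autorun_change", name, command))
    return anomalies


def triage(baseline, current, intel):
    """Look up only the anomalous files; autorun changes are flagged for review."""
    findings = []
    for kind, subject, value in diff_snapshots(baseline, current):
        verdict = "review" if kind == "autorun_change" else intel.classify(value)
        findings.append({"kind": kind, "subject": subject, "verdict": verdict})
    return findings


# Constructed baseline taken while the host was known-good
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
BASELINE = HostSnapshot(
    files={r"C:\Windows\System32\svchost.exe": sha256(b"svchost build 1"),
           r"C:\Windows\System32\lsass.exe": sha256(b"lsass build 1"),
           r"C:\Program Files\App\app.exe": sha256(b"app release 1")},
    autoruns={RUN_KEY + r"\App": r"C:\Program Files\App\app.exe"},
)
# Constructed current state: a legitimate app update, one unknown new binary,
# one binary whose hash threat intelligence already knows, and a new autorun entry
CURRENT = HostSnapshot(
    files={r"C:\Windows\System32\svchost.exe": sha256(b"svchost build 1"),
           r"C:\Windows\System32\lsass.exe": sha256(b"lsass build 1"),
           r"C:\Program Files\App\app.exe": sha256(b"app release 2"),
           r"C:\Users\Public\winupd.exe": sha256(b"constructed unknown sample"),
           r"C:\Users\Public\miner.exe": sha256(b"constructed known-bad sample")},
    autoruns={RUN_KEY + r"\App": r"C:\Program Files\App\app.exe",
              RUN_KEY + r"\WinUpdate": r"C:\Users\Public\winupd.exe"},
)
INTEL = ThreatIntel(malicious={sha256(b"constructed known-bad sample")},
                    benign={sha256(b"app release 2")})


def run_example():
    """Triage the constructed host; returns (findings, number of hash lookups)."""
    intel = ThreatIntel(malicious=set(INTEL.malicious), benign=set(INTEL.benign))
    return triage(BASELINE, CURRENT, intel), intel.lookups


if __name__ == "__main__":
    findings, lookups = run_example()
    for finding in findings:
        print(finding)
    print(f"{lookups} hash lookups for {len(CURRENT.files)} files on the host")
```

The updated app.exe resolves to a known-good hash and is dismissed, miner.exe matches a known-bad hash, and winupd.exe, which nothing in the intelligence sets has seen, comes out as the candidate worth sending to a lab, which is exactly the filtering role the article assigns to the platform. The autorun entry pointing at that unknown file is what would raise its priority for an analyst.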

“For a long time, the industry has been looking at malware variety and zero-day malware, trying to detonate, categorize and understand to enrich cyber intelligence,” Hayes says. “However, because Triumfant’s AtomicEye… is able to isolate and discover behaviors that would indicate the presence of malware on the network, we anticipate being able to get more actionable threat intelligence out to consumers.”

In 2012, Gartner forecast that predictive analytics was the future of business intelligence, fueled by big data. In 2014, the research company said big data analytics would play a critical role in cybersecurity, as well.

Hayes says he’s noticed a shift since that report came out in the way CSOs and CISOs are thinking, moving from post-incident to pre-incident threat intelligence.

He says the trend is in its infancy and has a long way to go “before it is fully baked,” but it could help slightly close the gap the bad actors maintain over the good actors.

Part of the advantage of this approach is the strategic analysis that can help anticipate attacks.

“Human beings launch these attacks, not robots,” he says. “If we focus on who is pulling the trigger, the motivation, the target and the intent, we will have a better chance of mitigating the impact of the attack. We need to shift the focus from the ‘bullets’ to the adversary and its target.”