Editor’s Note: This article looks back at the year in cybercrime. It is the second of a series on Internet technology safety and security in the workplace. A future installment will focus on IT security fundamentals for employers.
The year 2012 in corporate cybersecurity was marked by the increasing mobility of data, the changing nature of the endpoint device and the malware that adapted to take advantage of these trends, according to a recent report.
The Security Threat Report 2013, released by security software developer Sophos, is a detailed assessment of what’s happened in IT security in 2012 and what’s expected for 2013, from the rapidly evolving bring your own device (BYOD) movement and the increasing adoption of cloud services, to cybercriminals extending their reach into social networks, cloud services and mobile devices.
“Cybercriminals tend to focus where the weak spots are and use a technique until it becomes less effective, and then move on to the next frontier,” wrote Sophos Chief Technology Officer Gerhard Eschelbeck in the report. “Protecting data in a world where systems are changing rapidly, and information flows freely, requires a coordinated ecosystem of security technologies at the endpoint, gateway, mobile devices and in the cloud,” he wrote.
Attackers continued to target thousands of badly configured websites and databases to expose passwords, deliver malware, including ransomware, and mount new social engineering attacks, according to the report.
New Platforms, Changing Threats
2012 was the year of malware, and in particular of a resurgence in web malware, the report found. Eighty percent of web attacks came as redirects from legitimate sites that had been infiltrated with malicious code. The report warned that attackers extended their reach to more platforms, from social networks and cloud services to Android mobile devices.
Social media. Throughout 2012, hundreds of millions of users flocked to social networks like Facebook, Twitter and Pinterest—and cybercriminals followed. They built creative new social engineering attacks based on key user concerns such as widespread skepticism about Facebook’s new Timeline interface, or users’ natural worries about posted images of themselves.
In September 2012, compromised Twitter accounts sent out direct messages containing links that installed a Trojan horse on the recipient’s computer. With 1 billion users, Facebook remains the number one social network and a top target for cybercrime. The report found that Facebook draws on massive, up-to-the-minute lists of malicious links and scam sites to reduce risk.
Cloud services. In 2012, the financial and management advantages of cloud services attracted many IT organizations. Cloud security drew attention in 2012 with file-hosting service Dropbox’s admission that usernames and passwords stolen from other websites had been used to sign into a small number of its accounts. A Dropbox employee had used the same password for all his accounts, including his work account, which had access to sensitive data. When that password was stolen elsewhere, the attacker discovered that it also worked against Dropbox. This was a powerful reminder that users should use a different password for every site and service, the report said. It was also reported that the company’s iOS app stored user login credentials in unencrypted text files, readable by anyone with physical access to the phone.
Dropbox’s difficulties have called greater attention to cloud security in general, the report said. With public cloud services and infrastructure beyond the control of the IT organization, how should companies approach security and compliance?
Multifactor authentication is a must.
Apply web-based policies using URL filtering, controlling access to public cloud storage websites and preventing users from browsing to sites you’ve declared off-limits.
Use application controls to block or allow particular applications, either for the entire company or for specific groups.
Automatically encrypt files before they are uploaded to the cloud from any managed endpoint, so that a breach at your cloud storage provider exposes only ciphertext.
Android. In the U.S., a September 2012 survey of smartphone users gave Android a 52.2 percent market share. A target that large is hard for malware authors to resist, and they aren’t resisting, according to the report: attacks against Android are increasing rapidly.
The report revealed that almost 10 percent of Android devices in the U.S. have experienced a malware attack over a three-month period in 2012, compared to about 6 percent of PCs.
Sophos noted that the most common malware attack on Android involved installing a fake app on a phone that secretly sends messages to expensive premium-rate SMS services.
Cybercriminals have also found ways to subvert the two-factor authentication that financial institutions use to protect mobile transactions, according to the report. They plant eavesdropping malware on the phone that captures the authentication code the bank sends to the phone to complete a transaction.
In most business environments, the risks from Android are modest at this point, the report said. But those risks are growing. Android malware can place a company’s future at risk by exposing strategic information or stealing passwords. With this in mind, Sophos recommended the following steps to bring down the level of risk:
Extend your IT security and acceptable use policies to Android devices.
Consider full device encryption to protect against data loss, and provide for remote wipe of lost or stolen devices.
Keep your Android devices up-to-date with security patches.
When you authorize app stores, limit users to apps with a positive history and a strong rating.
Malware has turned up in the Google Play Store, but much less frequently than in many of the other unregulated, unofficial app markets, notably those in Eastern Europe and Asia.
The Sophos report also ranked the riskiest and safest countries in the world for malware attacks, measured as the share of PCs that experienced a malware attack over a three-month period in 2012. Hong Kong was the riskiest country, with 23.5 percent of its PCs affected. It was followed by Taiwan (21.2 percent), the United Arab Emirates (20.7 percent), Mexico (19.8 percent) and India (17.4 percent).
Norway (1.8 percent) was the safest country, followed by Sweden (2.5 percent), Japan (2.6 percent), the United Kingdom (3.5 percent) and Switzerland (3.8 percent). The U.S. came in at No. 6, with 3.8 percent of its PCs experiencing a malware attack.
In 2012, Sophos saw a resurgence in ransomware attacks, which lock users out of their computers and demand payment to restore access. Ransomware arrives via e-mail and poisoned webpages. One sort of ransomware merely freezes your PC and asks for money; it leaves your underlying files intact.
The other sort scrambles your files, which is as catastrophic as losing your laptop altogether or suffering a complete disk failure. Rebooting to an antivirus rescue tool that carries its own operating system, bypassing Windows, lets users scan the system, remove the infection and regain control of the machine. That is enough to recover a PC that has only been locked, but files encrypted with a key the attacker holds come back only from a backup. Up-to-date antivirus software can also stop ransomware from installing and running in the first place.
Passwords Still Vulnerable at Major Organizations
2012 saw one massive password breach after another at high-profile organizations, including LinkedIn, eHarmony, Philips, Yahoo and IEEE, the world’s largest professional association for the advancement of technology. Sophos recommended that employees use different, stronger passwords for each site, or password management software such as 1Password, KeePass or LastPass, which generates hard-to-crack passwords for them. Organizations were advised to apply a randomly generated salt to each password before hashing it for storage, and to protect the password database, network and servers with layered defenses.
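The storage recommendation above is easy to get subtly wrong, so here is an added example (not code from the Sophos report or from SHRM) of what "a randomly generated salt per password, then a hash" looks like in practice, using only the Python standard library. It contrasts a fast unsalted hash, which an attacker can crack for every user at once from a precomputed table, with a per-user salted, deliberately slow PBKDF2 hash that the same table cannot touch. The record format, the iteration count and the tiny wordlist are assumptions made for the demonstration.

```python
"""Salted, slow password hashing versus a single fast hash.

Added example (not from the Sophos report or SHRM).  Standard library only.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Assumed parameters for this example; tune the work factor to your hardware.
SALT_BYTES = 16
ITERATIONS = 200_000
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$hash_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != ALGO:
        raise ValueError("unsupported record format")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def unsalted_sha1(password: str) -> str:
    """The weak scheme: one fast hash, no salt.  Same password, same hash."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def precomputed_table(wordlist: List[str]) -> Dict[str, str]:
    """What an attacker builds once and reuses against every unsalted dump."""
    return {unsalted_sha1(w): w for w in wordlist}


def crack_unsalted(records: Dict[str, str], table: Dict[str, str]) -> Dict[str, str]:
    """Crack an unsalted dump by pure lookup: every user at once, no hashing."""
    return {user: table[h] for user, h in records.items() if h in table}


def crack_salted(records: Dict[str, str], table: Dict[str, str]) -> Dict[str, str]:
    """The same lookup against salted records finds nothing: each stored hash
    was computed over salt||password, so no precomputed digest matches."""
    return {user: table[r.split("$")[3]] for user, r in records.items()
            if r.split("$")[3] in table}


# Constructed demo data: three users, two of whom share a weak password.
USERS = {"alice": "Password1", "bob": "Password1", "carol": "correct horse battery"}
WORDLIST = ["123456", "Password1", "qwerty", "letmein"]   # constructed


def demo() -> dict:
    unsalted = {u: unsalted_sha1(p) for u, p in USERS.items()}
    salted = {u: hash_password(p) for u, p in USERS.items()}
    table = precomputed_table(WORDLIST)
    return {
        "unsalted_cracked": crack_unsalted(unsalted, table),
        "salted_cracked": crack_salted(salted, table),
        # With salts, identical passwords no longer produce identical records.
        "same_password_visible_unsalted": unsalted["alice"] == unsalted["bob"],
        "same_password_visible_salted": salted["alice"] == salted["bob"],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Salting does not make a single weak password strong; an attacker who targets one account can still run a wordlist against that account's salt. What it removes is the one-table-cracks-everyone economy, and the slow hash raises the cost of each guess, which is why both belong together.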
Threats to Expect in 2013
The predictions for 2013 share a major trend with 2012: more Android malware. In 2013, as computing increasingly shifts to virtualized cloud services and mobile platforms, attackers will follow, just as they always have, the report authors said.
“We believe that in 2013 malware will continue to slip through single-tier traditional security systems,” wrote James Lyne, Sophos director of technology strategy, in the report.
“As a result we believe we will see more attacks where attackers hold long-term, high impact access to businesses. In response, a renewed focus on layered security and detection across the entire threat lifecycle, not just the point of initial entry, is likely to be a significant theme in the coming year,” he wrote.
Lyne identified five trends that will factor into the cybersecurity landscape in 2013, including the following:
*Basic web server mistakes. In 2012 there was an increase in SQL injection hacks of web servers and databases to steal large volumes of user names and passwords, Lyne said. “With the uptick in these kinds of credential-based extractions, IT professionals will need to pay equal attention to protecting both their computers as well as their web server environment,” he said.
*‘Irreversible’ malware. “In 2012 we saw a surge in popularity and quality of ransomware malware, which encrypts your data and holds it for ransom,” Lyne said. “The availability of public key cryptography and clever command and control mechanisms has made it exceptionally hard, if not impossible to reverse the damage.” Lyne predicted more of the same for 2013, which will place a greater focus on behavioral protection mechanisms as well as backup/restore procedures, he said.
*Attack toolkits. For 2013, Lyne predicted continued maturation of cybercrime toolkits like the infamous Blackhole kit, making it simpler for criminals to deploy malicious code.
*Integration challenges. In the past year mobile devices and applications like social media became more integrated, creating new opportunities for cybercriminals to compromise security or privacy, Lyne said. “This trend is identifiable not just for mobile devices, but computing in general. In the coming year watch for new examples of attacks built on these technologies.”
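The "basic web server mistakes" trend above rests on SQL injection, so here is an added example (not code from the report or from SHRM) that shows the mistake and its fix side by side. It builds a constructed in-memory SQLite credential table, runs the same attacker input through a lookup that concatenates the username into the query and through one that passes it as a bound parameter, and shows the first dumping every stored hash and the table schema while the second simply finds no such user. The table layout, the sample users and the payloads are assumptions made for the demonstration.

```python
"""SQL injection against a credential table, and the parameterized fix.

Added example (not from the Sophos report or SHRM).  Standard library only;
the schema and users below are constructed for illustration.
"""
import hashlib
import sqlite3
from typing import List, Tuple


def build_db() -> sqlite3.Connection:
    """Constructed credential store: three users with hashed passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, "
        "username TEXT UNIQUE, pw_hash TEXT)"
    )
    rows = [(u, hashlib.sha256(p.encode()).hexdigest())
            for u, p in [("alice", "a-pass"), ("bob", "b-pass"), ("carol", "c-pass")]]
    conn.executemany("INSERT INTO users (username, pw_hash) VALUES (?, ?)", rows)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """The mistake: user input is spliced into the SQL text, so quotes and
    keywords in it become part of the statement."""
    sql = "SELECT username, pw_hash FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """The fix: the statement is fixed text and the value travels separately
    as a bound parameter, so it can never change the query's structure."""
    sql = "SELECT username, pw_hash FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Constructed attacker inputs.
DUMP_ALL = "' OR '1'='1"                                     # true for every row
DUMP_SCHEMA = "' UNION SELECT name, sql FROM sqlite_master--"  # read table definitions


def demo() -> dict:
    conn = build_db()
    return {
        "normal_vuln": lookup_vulnerable(conn, "alice"),
        "normal_safe": lookup_safe(conn, "alice"),
        # Every (username, pw_hash) pair leaves the database in one request.
        "dump_vuln": lookup_vulnerable(conn, DUMP_ALL),
        "dump_safe": lookup_safe(conn, DUMP_ALL),
        # UNION pulls rows from a different table into the same result set.
        "schema_vuln": lookup_vulnerable(conn, DUMP_SCHEMA),
        "schema_safe": lookup_safe(conn, DUMP_SCHEMA),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note that the safe version treats the payloads as ordinary, non-existent usernames and returns nothing; no escaping or input filtering was needed, because a bound parameter is never parsed as SQL. Input validation is still worth having, but it is a second layer, not the fix.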
Roy Maurer is an online editor/manager for SHRM.
Follow me on Twitter @SHRMRoy.
Cybersecurity Bill Dies, Executive Order on the Way?, SHRM Online Safety & Security, November 2012