STE WILLIAMS

Sysadmin ‘trashed’ old bosses’ Oracle database with ticking logic bomb

A systems administrator is being sued by his ex-employer, which has accused the IT bod of planting a ticking time-bomb on the company’s servers to wipe crucial data.

Nimesh Patel, of Shrewsbury, Massachusetts, is alleged to have broken the Computer Fraud and Abuse Act, trespassed, and committed conversion – that’s legal jargon for using other people’s property for a crime.

For 14 years, Patel worked at high-performance computing chip biz Allegro MicroSystems as a sysadmin, with particular responsibility for programming the shop’s Oracle financial database system. He resigned on January 8, 2016, but is accused of then trying to sabotage the company.

Over the course of his employment Patel was issued two laptops, which his bosses requested he return. Patel gave back one of the original laptops, and another unissued laptop, after completely wiping the hard drive.

The chip designer alleges the second work laptop was kept so that Patel could still access the company network and because it still contained a file with all the employees’ login data and passwords.

Court documents filed in a Massachusetts district court by Allegro claim that on January 31 that year, Patel trespassed on company property to get within wireless range of the network, and then used the laptop to log into the network using the account of a subordinate staffer. He then uploaded malware into the Oracle financial gear.

The code was designed to activate on the first day of Allegro’s financial year, April 1, and to delete key financial figures and records from the system.

The software worked as designed, and two weeks into April the accounting department noticed something was wrong. Allegro called in investigators, who found the malicious code on April 25, along with evidence that Patel had used the second laptop to access the network after he had left the job.

The biz claims that the only other employee with the skills to write code for the Oracle database had left before Patel’s departure. It also alleges he logged into the network using the subordinate’s ID before he quit the job.

Allegro claims the meddling cost it over $100,000, and it is seeking to recover these costs from Patel plus its legal bills and any damages the court levies. The lawsuit was filed in August 2016, but is still rumbling on. Late last week, District Judge Timothy S. Hillman was told “discovery is ongoing and on track” and the “parties do not believe [the] case is ripe for mediation.”

In other words, right now, it’s heading to trial. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/14/sysadmin_crash_former_employers_oracle_db/

All ready for that Easter holiday? Here’s a mild MySQL security bug

A programming blunder has been uncovered in Oracle’s MySQL that can potentially leak usernames and passwords to man-in-the-middle eavesdroppers.

Known as “The Riddle,” the flaw potentially allows a miscreant to intercept and obtain login credentials sent from MySQL client 5.5 and 5.6 to servers. Apparently, a fix introduced in versions 5.5.49 and 5.6.30 isn’t enough to fully address the design flaw. Versions 5.7 and later, as well as MariaDB systems, are not vulnerable.

According to security researcher Pali Rohár, the CVE-2017-3305 cockup stems from a botched attempt to patch the Backronym vulnerability in MySQL, which leaves passwords viewable to attackers who have man-in-the-middle access to network traffic – even if the connection is supposedly secured and encrypted using SSL.

“Security update for the stable MySQL 5.5.49 and 5.6.30 versions consisted of adding a verification of security parameters after the authentication process was finished. Since it is done after the authentication, man riddle in the middle attack together with SSL-downgrade attack can be used by the attacker to steal login data for immediate authentication and log into the MySQL server,” writes Rohár.

“Ridiculous part is that MySQL client doesn’t report any SSL-related error when MySQL server declines to authenticate a user and instead reports unencrypted error message sent by the server. Furthermore, the error message is controlled by the attacker, when the riddle in the middle attack is active.”

Rohár says the best way to protect against an attack is to update your client software to MySQL 5.7 or MariaDB, which has a working patch for the issue.
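The ordering problem Rohár describes, modelled as an added illustration (this is not code from MySQL or from his write-up): the server greeting advertises TLS through the CLIENT_SSL capability bit, an on-path attacker can clear that bit, and the difference between the two client functions is only whether the security-parameter check runs before or after the credential response leaves the client. The Greeting and Wire classes, the message formats and the `ssl_required` parameter are constructed for the model.

```python
"""Model of the ordering flaw behind CVE-2017-3305 ("The Riddle").

Added illustration, not MySQL's code. The real handshake is reduced to one
detail: whether the server greeting offers TLS, and whether the client
checks its security parameters before or after it answers the challenge.
"""
from dataclasses import dataclass, field
import hashlib

CLIENT_SSL = 0x0800  # MySQL CLIENT_SSL capability flag (real protocol value)


@dataclass
class Greeting:
    """Server hello, reduced to its capability flags and the auth challenge."""
    capabilities: int
    challenge: bytes


@dataclass
class Wire:
    """Everything an on-path observer can read: bytes sent without TLS."""
    plaintext: list = field(default_factory=list)


def downgrade(greeting: Greeting) -> Greeting:
    """What a riddle-in-the-middle does: strip the TLS offer from the greeting."""
    return Greeting(greeting.capabilities & ~CLIENT_SSL, greeting.challenge)


def auth_response(user: str, password: str, challenge: bytes) -> bytes:
    """Challenge response (constructed; not MySQL's real scramble).

    The real response is likewise replayable by whoever captured it for the
    same challenge, which is why the article speaks of the attacker using the
    stolen login data for "immediate authentication".
    """
    digest = hashlib.sha256(challenge + password.encode()).hexdigest()
    return f"{user}:{digest}".encode()


def connect_vulnerable(greeting, user, password, ssl_required, wire):
    """Pre-fix ordering (5.5.49/5.6.30): authenticate, then verify parameters."""
    tls_offered = bool(greeting.capabilities & CLIENT_SSL)
    response = auth_response(user, password, greeting.challenge)
    if not tls_offered:
        wire.plaintext.append(response)  # credential material already exposed
    # The check added by the update runs only now; the attacker already holds
    # a valid response whatever the client decides next.
    if ssl_required and not tls_offered:
        return "error: SSL is required but the server doesn't support it"
    return "ok"


def connect_fixed(greeting, user, password, ssl_required, wire):
    """Correct ordering: verify before any credential material is sent."""
    tls_offered = bool(greeting.capabilities & CLIENT_SSL)
    if ssl_required and not tls_offered:
        return "error: SSL is required but the server doesn't support it"
    response = auth_response(user, password, greeting.challenge)
    if not tls_offered:
        wire.plaintext.append(response)  # only reached when TLS was optional
    return "ok"


def demo():
    """Run both clients against an honest and a downgraded greeting.

    Returns {(client, greeting): (status, number of plaintext messages seen)}.
    """
    honest = Greeting(CLIENT_SSL | 0x0001, b"constructed-challenge")
    results = {}
    for name, client in (("vulnerable", connect_vulnerable), ("fixed", connect_fixed)):
        for label, greeting in (("honest", honest), ("downgraded", downgrade(honest))):
            wire = Wire()
            status = client(greeting, "app", "s3cret", True, wire)
            results[(name, label)] = (status, len(wire.plaintext))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With `ssl_required` set, both clients refuse the downgraded server, but only the vulnerable one has already put a usable authentication response on the wire before refusing.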

The researcher notes that the flaw itself was discovered in early February, but claims Oracle has been unwilling to work on a way to responsibly disclose and patch the vulnerability.

“Reporting bugs to Oracle is useless (even those which are security related) if you are not an Oracle customer. They can perfectly ignore any reports and they would be very happy if nobody knew about it so they don’t have to fix the bugs,” writes Rohár.

“It looks like immediate public disclosure is the best responsible solution for the users, as it is the only way to protect them and let them know immediately what should be done if they are affected.”

Oracle was not available for immediate comment. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/14/mysql_security_hole/

Ransomware, Mac Malware Dominate Q1 Threat Landscape

Cerber, somewhat unexpectedly, emerged as the biggest ransomware threat, Malwarebytes found.

An analysis of the threat landscape in the first quarter of 2017 suggests that ransomware will continue to pose major problems for enterprises and individual users through the rest of the year.

Organizations can also expect to see increased malware development activity targeting Apple Mac and Android systems and evolving methods for distributing malware via exploit kits, social engineering methods and spam email, Malwarebytes said in a report this week.

“It’s important to realize that threats are constantly evolving, faster than we have ever seen before,” says Adam Kujawa, director of malware intelligence at Malwarebytes. “This is mainly due to the increased resources available to the cybercrime community, which means more people, more money, more talent.”

Cerber somewhat unexpectedly emerged as the most widely distributed ransomware sample in the first quarter of this year, displacing Locky from the top spot. Malwarebytes’ inspection of ransomware distribution trends last quarter showed Cerber growing its presence from 70% to 90% of overall share, while Locky vanished almost completely with a less than 2% share.

It’s unclear why Locky petered out so quickly, considering many had assumed it would dominate the ransomware scene this year. But it is likely that the authors of the malware either found a more profitable route or got entangled with law enforcement, Kujawa says.

Cerber, with its military-grade encryption capabilities and hosted distribution model, poses a potent threat to organizations and individuals. The authors of the malware have made it relatively easy for criminals with little technical capability to acquire and distribute it via hosted ransomware-as-a-service operations. Recent innovations, like a feature capable of evading antivirus tools that employ machine learning and one capable of detecting when the malware is executing in a sandbox, have made it harder to detect as well, Malwarebytes warned.

Mac Attack

The last quarter also saw a surge in Mac malware activity. New samples in the first three months of the year nearly equaled the number of Mac malware samples in all of 2016. A majority of them were backdoors with varying capabilities, levels of sophistication, and delivery mechanisms.

Many were designed to run arbitrary commands, to download malware, hijack the webcam and to siphon data from infected systems. The last quarter also witnessed a surge in the number of potentially unwanted programs in the Apple Mac App Store.

Based on the activity last quarter, Mac users can expect to see a big spike in malware and potentially unwanted applications directed at the platform this year, Malwarebytes said in its report.


On the Android front, two malware families in particular posed big problems for users. One was Trojan.HiddenAds.lck, an ad-serving app that actively prevented user attempts to uninstall it. The other was Jisut, an Android ransomware sample that grew its presence dramatically last quarter with tens of thousands of new samples introduced into the wild.

Malware activity in the last quarter also shows that threat actors are continuing to evolve their distribution methods, Kujawa says. “The bad guys are investing heavily on e-mail based attacks, which means phishing attacks that lead users to sites to trick them into downloading malware,” he says. Many use scripts and password-protected archive files to download and install malware, or Microsoft Office documents that carry either an embedded macro script or some new exploit, he says.

“We did predict earlier this year that new evolutions would be made to the e-mail attack methodology and we were right about that,” Kujawa says. “The data shows a continued use of this tactic and the continued dominance of ransomware as the primary malware type being pushed by cyber criminals.”


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: http://www.darkreading.com/endpoint/ransomware-mac-malware-dominate-q1-threat-landscape/d/d-id/1328640?_mc=RSS_DR_EDT

Sysadmin ‘trashed’ old bosses’ Oracle database with ticking logic bomb

A systems administrator is being sued by his ex-employer, which has accused the IT bod of planting a ticking time-bomb on the company’s servers to wipe the machines.

Nimesh Patel, of Shrewsbury, Massachusetts, is alleged to have broken the Computer Fraud and Abuse Act, trespassed, and committed conversion – that’s legal jargon for using other people’s property for a crime.

For 14 years, Patel worked at high-performance computing chip biz Allegro MicroSystems as a sysadmin, with particular responsibility for programming the shop’s Oracle financial database system. He resigned on January 8, 2016, but is accused of then trying to sabotage the company.

Over the course of his employment Patel was issued two laptops, which his bosses requested he return. Patel gave back one of the original laptops, and another unissued laptop, after completely wiping the hard drive.

The chip designer alleges the second work laptop was kept so that Patel could still access the company network and because it still contained a file with all the employees’ login data and passwords.

Court documents filed in a Massachusetts district court by Allegro claim that on January 31 that year, Patel trespassed on company property to get within wireless range of the network, and then used the laptop to log into the network using the account of a subordinate staffer. He then uploaded malware into the Oracle financial gear.

The code was designed to activate on the first day of Allegro’s financial year, April 1, and to delete key financial data headers and pointers from the system’s files, rendering the database useless.

The software worked as designed, and two weeks into April the accounting department noticed something was wrong. Allegro called in investigators, who found the malicious code on April 25, along with evidence that Patel had used the second laptop to access the network after he had left the job.

The biz claims that the only other employee with the skills to write code for the Oracle database had left before Patel’s departure. It also alleges he logged into the network using the subordinate’s ID before he quit the job.

Allegro claims the meddling cost it over $100,000, and it is seeking to recover these costs from Patel plus its legal bills and any damages the court levies. The lawsuit was filed in August 2016, but is still rumbling on. Late last week, District Judge Timothy S. Hillman was told “discovery is ongoing and on track” and the “parties do not believe [the] case is ripe for mediation.”

In other words, right now, it’s heading to trial. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/14/sysadmin_crash_former_employers_oracle_db/

The Long Slog To Getting Encryption Right

Encryption practices have improved dramatically over the last 10 years, but most organizations still don’t have enterprise-wide crypto strategies.

While enterprises are making meaningful progress on improving their encryption practices, there’s still a lot of work to go. Several major studies out in the last several months have underlined the highs and lows of encryption trends out in the real world.

On the plus side, the most recent research out this week from Ponemon Institute and Thales shows that the existence of enterprise-wide encryption strategies has more than doubled in the last decade and organizations are responding to cloud risks with improved encryption deployments for data at rest and in transit. On the negative side, this study and other industry numbers suggest that we haven’t yet reached the tipping point of more than half of organizations following best practices–and that a sizeable number of organizations that use encryption are making big mistakes along the way.

“The accelerated growth of encryption strategies in business underscores the proliferation of mega breaches and cyberattacks, as well as the need to protect a broadening range of sensitive data types,” says Dr. Larry Ponemon of Ponemon Institute. “Simply put, the stakes are too high for organizations to stand by and wait for an attack to happen to them before introducing a sophisticated data protection strategy.”

This is the twelfth year running of the Global Encryption Trends Study and Ponemon has found that since 2006, the ratio of organizations with enterprise-wide encryption strategies has risen from under 20% to over 40%. It’s a steady drumbeat of improvement, but the fact remains that the majority of organizations still don’t have such a policy. Nevertheless, the steady tick upwards and additional survey data show that worries about data security regulations, protection of intellectual property, and protection of customer data are all driving gradual change for end-to-end encryption.

Certain areas are better than others when it comes to the current state of encryption deployment.

For example, for data at rest Ponemon found that approximately 61% of organizations report that they routinely encrypt employee and HR data, 56% encrypt payment data, 49% encrypt financial records and 40% encrypt customer data. Meanwhile, a study out last week from Venafi highlighted the prevalence of encryption of data in transit, with 57% of organizations reporting they encrypt 70% or more of their external web traffic and 41% doing the same for internal network traffic.

According to the Ponemon study, enterprises’ focus on encryption and key management is being spurred on by increased cloud adoption as more data moves into third-party data centers. Approximately 67% of organizations report that they either perform encryption on premises prior to sending data to the cloud or encrypt data in the cloud using keys they generate and manage on premises. An additional 37% also report that they encrypt some cloud data using methods that turn complete control of keys and encryption processes to the cloud provider.  

This most recent study doesn’t offer a fine point on how much data is going to the cloud completely unencrypted–but data out in 2016 from HyTrust showed that number to be pretty alarming. According to that study, about 28% of all data within all cloud workloads remain unencrypted. Even more troubling, a different 2016 study from Ponemon and Gemalto found that 76% of organizations don’t encrypt or tokenize sensitive data sent to SaaS applications.  

A recent breach at Scottrade earlier this month highlights why a lack of encryption in the cloud is such a risk for enterprises. The online brokerage exposed loan applications for 20,000 customers after a third-party IT services provider uploaded information to the cloud without any encryption mechanisms in place.

“The data breach at Scottrade exemplifies the one-strike law for security in the cloud. In the public cloud, a single vulnerability, security or process lapse is all it takes to expose highly sensitive private data to the world and get datajacked,” says Zohar Alon, CEO of Dome9. “Even with strict security controls in place, breaches such as this still occur due to very basic process failures.”

Lapses like the one at Scottrade exemplify why it is important to not only encrypt sensitive data in the cloud, but also lock down policies for inventorying data whether in the cloud or on premises, for when and how it is encrypted, for how access is configured, and for how keys are managed.  

“It’s vitally important to encrypt sensitive data at-rest, but encryption alone isn’t sufficient. Even encrypted data is designed to be accessed by applications and authorized personnel,” says Tim Erlin, vice president of product management and strategy for Tripwire. “Organizations have to protect the access methods, in addition to encryption, in order to protect data.”

With regard to key management, the study out this week from Ponemon shows that there’s again steady improvement but lots of room to grow. Approximately 51% of organizations have a formal key management policy, but hardware security module (HSM) usage is still only at 38%. Of those, nearly half own and operate an HSM on premises to support cloud deployments. On a positive note, nearly six in 10 organizations that use HSMs say they have a centralized team that provides cryptography as a service across their entire organization.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: http://www.darkreading.com/attacks-breaches/the-long-slog-to-getting-encryption-right/d/d-id/1328629?_mc=RSS_DR_EDT

Health Savings Account Fraud: The Rapidly Growing Threat

As income tax season comes to a close, financially-motivated cybercriminals are honing new tactics for monetizing medical PII.

While information security and anti-fraud teams remain on high-alert for potential indicators of income tax fraud, given the rapidly approaching April 18th filing deadline, a lesser-known yet serious threat with ties to both income tax fraud and 2016’s healthcare breaches continues to emerge: health savings account (HSA) fraud.

HSA fraud in and of itself is nothing new, but the threat has evolved substantially in credibility, complexity, and frequency since 2016. More specifically, the unprecedented surplus of stolen medical records currently offered for sale on Deep and Dark Web marketplaces has created financial difficulties for many cybercriminals who have traditionally relied on the profits generated from selling medical personally identifiable information (PII).

Threat actors who purchase so-called “fullz,” or full listings of PII, typically utilize this data to commit various types of fraud. However, as demand for bulk medical fullz is not rising in tandem with the increased availability and declining sale prices of such information, many cybercriminals have sought out different ways of identifying the most valuable records for use in more profitable fraudulent activities such as HSA fraud.

This renewed interest in HSA fraud first emerged around September 2016, when one of the most prolific actors attacking healthcare institutions, known as “cr00k,” suggested using stolen healthcare information to target valuable HSAs. Such attacks soon grew into an emerging trend among various low-tier cybercriminals in possession of medical PII. In order to identify higher-value HSA accounts, cybercriminals typically utilize various free credit reporting and financial management platforms to access victims’ credit scores and gauge their financial status.

To create or look up accounts on these types of platforms, cybercriminals must be in possession of the victim’s fullz, obtained from compromised healthcare institutions. Some cybercriminals use this information to target valuable HSAs directly, whereas others may sell victims’ credit reports packaged with their medical fullz for substantially higher prices. cr00k in particular has been known to sell such information for HSA fraud for as high as $80-$100 per account record; accounts with higher credit scores tend to fetch higher prices, and vice versa.


In addition to the widespread availability of medical fullz on the Deep and Dark Web, the current composition of the US health insurance landscape may also be another factor contributing to cybercriminals’ renewed interest in HSA fraud. As health insurance costs continue to rise, more individuals are opting to purchase high-deductible health insurance plans, which tend to have less expensive monthly premiums.

HSAs are only available for individuals covered by high-deductible insurance plans, so as these plans become more popular, HSAs also become more popular. Recent estimates suggest that there are over 20 million existing HSA accounts that hold nearly $37 billion in assets, which represents a year-over-year increase of 22% for HSA assets and 20% for accounts. These figures raise concerns over the potentially larger population of individuals susceptible to HSA fraud, which remains more difficult for both victims and financial institutions to detect and mitigate for three reasons:

  • Access to victims’ fullz — which typically include their social security numbers and mothers’ maiden names — can enable fraudsters to change HSA account passwords, gain illicit access to funds, and transfer them from the account. To further evade detection and bypass financial institutions’ anti-fraud measures, some fraudsters even transfer HSA funds onto prepaid cards opened in the victim’s name.
  • Unlike other types of tax-free health-related accounts, HSA funds roll over from year to year, earn interest, and don’t expire. As such, many individuals treat HSAs like normal savings accounts and may not check their account balances routinely, if ever. In fact, numerous reports have surfaced from individuals who were not aware that their HSA accounts had been compromised until months later.
  • Not only does late detection of HSA fraud make it more difficult for financial institutions to investigate incidents and bring wrongdoers to justice, but a U.S. federal law holds financial institutions liable for lost funds only if the account holder reports the incident within 60 days of its occurrence.

Unfortunately for victims of HSA fraud, the abuse of their medical PII may continue to persist as financially motivated cybercriminals come to recognize that individuals with valuable HSAs may also be lucrative targets for income tax fraud. And while the IRS has strengthened anti-fraud measures in anticipation of increased levels of income tax fraud, cybercriminals with access to individuals’ medical fullz and credit reports can often leverage such information to bypass these measures.

For example, while the IRS has recently implemented a PIN system to reduce instances of identity theft and fraud, cybercriminals who have previously gained access to victims’ email accounts can reset and/or retrieve victims’ PINs via their emails. As an additional measure, the IRS also includes security questions such as “What is your mother’s maiden name?” which, again, may be easy for cybercriminals with access to victims’ medical fullz to answer and bypass.

The most effective way to avoid becoming a victim of HSA, tax, and other types of fraud is to prevent your PII from becoming compromised in the first place. However, we all know that this is far easier said than done. The reality is, the string of large-scale data breaches that struck the healthcare and other sectors in recent years has already inundated the Deep and Dark Web with millions of PII records, which means that many of us have already had our PII compromised in some capacity — whether we know about it or not. The best course of action to detect and mitigate any instances of fraud is to closely monitor the balances and activity within all our personal and financial accounts, including HSAs, bank accounts, credit reports, and tax returns. While it may be nearly impossible to prevent all instances of fraud, swiftly detecting and reporting potential indicators of compromise is integral to reducing the extent of any damages.


Vitali Kremez is director of research at Flashpoint. He specializes in researching and investigating complex cyberattacks, network intrusions, data breaches, and hacking incidents mainly emanating from the Eastern European cybercriminal ecosystem. He has earned the majority …

Article source: http://www.darkreading.com/endpoint/health-savings-account-fraud-the-rapidly-growing-threat/a/d-id/1328633?_mc=RSS_DR_EDT

Microsoft: Foreign Surveillance Requests Under FISA Shot Up in 2016

The company received 1,000-1,499 surveillance requests from January to June 2016, the highest since 2011.

Microsoft said that from January to June 2016, it received between 1,000 and 1,499 tracking orders under the Foreign Intelligence Surveillance Act (FISA) for revealing user content, the highest number of requests to the company since 2011, Reuters reports. The report further says the number of affected user accounts fell from 17,500-17,999 to 12,000-12,499 during this period.

The FISA request data was included in a recent biannual transparency report published by Microsoft, along with a national security letter under the USA Freedom Act.

FISA orders are tightly guarded secrets and issued by judges of the Foreign Intelligence Surveillance Court, but the Trump administration is currently scrutinizing the scope of such orders following the president’s “unsubstantiated allegations” of spying by the Obama administration, Reuters said.

FISA will partly expire by year end unless renewed. Efforts are under way by several members of Congress to define the transparency of such a rule as well as usage limits on the data collected.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: http://www.darkreading.com/threat-intelligence/microsoft-foreign-surveillance-requests-under-fisa-shot-up-in-2016/d/d-id/1328631?_mc=RSS_DR_EDT

1 Out of 5 Companies Have Suffered Mobile Device Breach

A survey on security solutions for mobile devices finds 24% don’t even know if they have been breached.

A survey of 410 security professionals worldwide about mobile security by Dimensional Research and Check Point Software Technologies found organizations ill-equipped to handle security breaches – even though 94% believe attack frequency will increase. While 64% are unsure whether they can avert a mobile breach, 79% say it’s getting more difficult to secure these devices.

According to the report, mobile devices in organizations are subjected to a broad range of attacks, with malware and phishing attacks topping the list. One-third of companies are aware of existing risks, and 34% believe data loss can be greater on mobile devices. Most don’t secure their devices: more than 60% attribute this to a lack of resources or experience, and 37% say there’s not enough risk to justify such an investment. Only 38% have security in place for mobile devices.

Around 24% have no idea whether they have been breached or whether corporate data has leaked from their devices.


Article source: http://www.darkreading.com/endpoint/1-out-of-5-companies-have-suffered-mobile-device-breach/d/d-id/1328632?_mc=RSS_DR_EDT

10 Questions To Get Practical Answers At Interop ITX

May 15-19 in Las Vegas: How to get solutions and advice from top speakers for the things that you really want to know.

The Interop ITX conference is just around the corner, coming to the MGM Grand in Las Vegas May 15-19. Here’s how to get answers to the questions that rattle around inside your noggin every day when you’re banging your head against the wall. Questions like: 

1. Can I actually block ransomware attacks, or are good backups and ransom payments my only options? If you don’t want to just sit around, tossing your spare change into the “Ransom Fund Jar,” waiting to be infected, then there are Interop ITX sessions for you. Don’t miss “Ransomware: How to Stop It In Its Tracks and Respond When You Can’t,” with independent security consultant Gal Shpantzer. Also check out a bonus speed session from WatchGuard Technologies, “Malware on Main Street: How Ransomware and Zero Days Target SMBs.” 

2. How can I identify potential malicious insiders and mitigate insider threats without being Big Brother and making everyone I work with hate me? Let Paul Brager, lead associate, cybersecurity architect, ICS/SCADA at Booz Allen Hamilton, guide you through some methods to balance trust with preparedness (keep both your friends and your sensitive data), in “Malicious Insider Threats: Finding Them and Rooting Them Out.” 

3. How can I survive this cybersecurity skills shortage now, when everyone wants to steal my best people, I don’t have enough to begin with, and I still have to wait 10 years for those 6th-grade STEM program kids? Head to “Surviving the Security Skills Shortage” and get tips from Rob Duhart, DSC Security, Control and Automation Lead/IT Manager for Ford Motor Company, Katherine Fithen, Chief Privacy Officer and Director Global IT Governance Compliance for The Coca-Cola Company, and Ann Johnson, Vice President of the Enterprise Cybersecurity Group at Microsoft. They’ll discuss ways to get by with a small staff, ways to retain the staff you’ve got, and better places to scout undiscovered talent than middle-school robotics competitions.   

4. Okay I get it, the Internet of Things is full of threats. What am I supposed to do about it? It probably wouldn’t do to rip the smart TV off the wall and you might not be able to take down the Mirai botnet all by yourself, but you can go to “Five Ways To Prepare Your Organization To Address The Internet of Things,” with John Pironti, president of IP Architects, and learn what adjustments to make to your identity management, risk profile, and more. Also check out the bonus speed session from the Trusted Computing Group “Tackling IoT Security from the Inside Out” and, considering the recent impact of IoT botnets, check out EfficientIP’s speed session on “Protect Your DNS Services Against Security Threats.”  

5. I can’t stop my customers from using the same account logins across sites. I can’t stop other sites from having breaches of login data. So how can I protect my customers and my brand from account takeover hacks? You might not be able to stand over the shoulder of every user at the account creation stage and yell “Don’t do that!” However, you can let Mike Milner, co-founder and CTO of Immunio, show you an account takeover attack in action and show you countermeasures in “Live Account Takeover Hack and Tips on Preventing Today’s Most Dangerous Application Threat.” 

6. Hey, all this new threat intelligence data is really nice, but when exactly am I supposed to look at it, how am I supposed to know what’s most important for my organization, and how can I figure that out fast enough for it to be of any use? Clearly you need to spend some of your limited time with KPMG threat intelligence consultant Cheryl Biswas and senior consultant Haydn Johnson in their session “Collecting, Correlating, and Analyzing Security Data.” They’ll give you techniques for finding the jewels in your data (without needing to buy yet another piece of technology to do it). And don’t worry; it’s only an hour.

7. Will I ever get my developers to write more secure code, and what exactly is DevSecOps anyway? Developers may speak a different language and even be from a different planet. Learn more about their needs, their motivations, and how to speak their language in “The Security Pro’s Guide To DevOps: How to Get Developers to Write Secure Code,” with Franklin Mosley, principal application security engineer for Ellucian. (And while you’re at it, persuade your company’s developers to attend Franklin’s complementary session in the DevOps track, “DevSecOps: Minimizing Risk, Improving Security.”)

8. Am I in for an unhappy surprise the first time I file a cyber insurance claim? Does my policy really cover what I think it covers? You’ve probably been in cybersecurity longer than most of the companies providing cyber insurance have. If you’re planning on trusting them to help your organization in its darkest times, then you’d better let David Bradford, chief strategy officer for Advisen, take you through “Cyber Insurance 101” first.

9. Almost every attack manipulates end users in some way, whether it’s through a phishing message or something else. What can I do that actually makes an impact on what users let through the door? Start your week with a workshop by Bikash Barai, co-founder of FireCompass, called “Security Awareness Isn’t Enough: Using the Science of Habits To Transform User Behavior.” Follow it up with the session “Defeating Social Engineering, BECs and Phishing,” with Bishop Fox’s managing security associate Rob Ragan and security analyst Alex DeFreese. If calling users “stupid” all these years hasn’t worked, surely these speakers can suggest something that will be more effective. 

10. How can I get the people who approve my budget to actually approve it, with less of a hassle?

Other questions you might get practical answers to while at Interop? How does the game craps work? Which Cirque du Soleil show is your favorite? Is a “dry heat” really preferable? Register now and learn more.   

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: http://www.darkreading.com/endpoint/10-questions-to-get-practical-answers-at-interop-itx/a/d-id/1328625?_mc=RSS_DR_EDT

Nearly 40% of Ransomware Victims Pay Attackers

Ransomware is targeting more consumers, and many of them are paying hundreds to attackers.

Nearly half (45%) of consumers have never heard of ransomware, yet 17% have been infected by it. Of those hit with ransomware, 38% paid between $100 and $500 to their attackers, according to new research from Trustlook.

Attackers may earn greater sums by targeting large organizations, but consumers are increasingly appealing targets because they lack security awareness and usually have fewer information security resources. Infections are therefore more likely to succeed and to result in payment.

Because ransomware is usually delivered via phishing emails, consumers and employees should be trained to recognize and avoid it. The report states that the likelihood of human error has dulled the effectiveness of traditional security controls such as antivirus tools.

Read more here.


Article source: http://www.darkreading.com/attacks-breaches/nearly-40--of-ransomware-victims-pay-attackers/d/d-id/1328634?_mc=RSS_DR_EDT