The Ultimate Guide to Corporate Cyber Security
Cyber Security is hard to get a handle on.
Ask even the most sophisticated experts. It’s constantly evolving and changing. Cyber criminals are coming up with new exploits as quickly as companies are able to patch them up.
Cyber security is a constant battle between the “good guys” and the “bad guys.” In this case, the good guys are your company and its employees, and the bad guys are trying to shut you down, steal your information, or take your identity.
As is always the case, it’s not as simple as finding a solution to keep the bad guys away forever. That’s just not possible. Cyber security is an everyday battle. Vigilance is needed. Reliable tools of combat are a necessity. Disaster can strike at any moment.
Luckily, there are ways to stay safe. Antivirus software, third party security firms, and high, well-thought out levels of encryption and access are only some of the ways to keep the bad guys at bay.
The most important tool, however, is knowledge. If you don’t know what you’re up against, how can you hope to combat it?
We’ve compiled some of best information available to teach you the ins and outs of corporate cyber security, including:
- Cloud Security
- Internet of Things Security
- Mobile Payment Security
- Cyber Insurance
After reading this article you’ll be ready to start building a digital fortress against any intruders that may wish you harm.
Malware is any type of malicious software that tries to infect a computer or mobile device. Types of malware include spyware, adware, phishing, viruses, Trojan horses, worms, rootkits, ransomware and browser hijackers.
Malware most often comes through the internet or email. It can come from hacked websites, game demos, music files, toolbars, software, free subscriptions, or anything else you download from the web onto a device which is not protected with anti-malware software.
Spyware is a type of malware that cybercriminals use to spy on you, and it lets them gain access to personal information, banking details, or online activity. It collects information about your surfing habits, browsing history, or personal information (such as credit card numbers), and often uses the Internet to pass this information along to third parties without you knowing. Keylogger are a type of spyware that monitors your keystrokes.
Spyware is often bundled with other software or download on file-sharing sites. It is secretive, so often people are unaware it’s on their computer. New or unidentifiable icons appearing in the task bar, searches redirecting you to a different search engine and random error messages could indicate you’ve been infected with spyware.
Adware bombards users with ads and pop-up windows that could be dangerous to the device. It could be also a type of free software supported by advertisements that show up in pop-up windows or on a toolbar on your computer or browser.
Adware comes the same way spyware does, and you can detect it by noticing ads popping up in applications where you haven’t seen them before. If your browser’s homepage has changed on its own it may be the result of adware.
A Computer Virus is a program or piece of code that is loaded onto your computer without your knowledge or permission. Most viruses are destructive and designed to infect and gain control over vulnerable systems. A virus can spread across computers and networks by making copies of itself.
Viruses come from commonly used programs or files attached to emails. If you have a slow or non-existent internet connection, or your antivirus and firewall have been disabled, it may be a virus.
A Trojan Virus is a type of virus that pretends to be something useful, helpful or fun, but really steals data. Trojans often are spread via an infected email attachment or a download that hides in free games, applications, movies or greeting cards. Your computer will often slow down due to a Trojan.
A Computer Worm is a program that self-replicates and spread through networks. They are transmitted through attachment, file-sharing networks and links. They consume large amounts of memory or bandwidth and the network servers will often stop responding because of them.
Rootkit is a program that allows hackers to have administrative access to your computer. It can be installed through commercial security products or third-party app extensions. Detecting rootkit-like behavior can be tedious work. When searching your system memory, monitor all ingress points for invoked processes, keeping track of imported library calls (from DLLs) that may be hooked or redirected to other functions.
A Browser Hijacker takes over your computer’s browser settings and redirects to websites of its choice. They come from add-on software, extensions, browser helper objects and toolbars. If your browser’s home page is overridden, and when you try to open it, you’re automatically redirected to the hijacker’s website, you may have a browser hijacker.
Phishing attacks occur when a cybercriminal attempts to trick someone into giving over sensitive information such as social security numbers, passwords, bank account information, credit card information, PIN numbers, addresses, social media accounts, birthdays, etc. Some statistics:
- 23% of email recipients open phishing messages
- 11% click on attachments
- 15-20% of workers’ web sessions are initiated by clicking a link in an email
- 92% of employees trust the security of the company’s email system and feel their email is safe
Cybercriminals typically use phishing attacks in order to steal identities or sell the information. The information gathered can let criminals withdraw money, make purchases, open credit card accounts and more. Phishing attacks always involve deception in some way.
Cybercriminals will create fake messages and websites to trick users into giving over information. They will use photos, names and company info to make the messages and websites look as legitimate as possible. Messages could come from financial institutions, government agencies, retailers, social networks, and even friends. The cybercriminals may even redirect to a legitimate site and use a fake pop-up to gather info, or gather info then send the user to a legitimate site, leaving them none the wiser. The information is gathered by getting the user to reply, follow a link, or download an attachment.
There are a number of strategies for phishing attacks. Heimdal security gives great explanations in its blog post, The ABCs of Detecting and Preventing Phishing:
An email directed at specific individuals or companies.
Attackers gather all information available about the target including personal history, interested, activities, details about colleagues and more. This information is usually publicly available on social media and such.
The attackers then create a highly personalized email that requires urgent action. As the email seems personal and legitimate, users typically don’t double check due to the sense of urgency.
Spear phishing attacks are most successful and account for 95% of attacks.
An email directed at high profile targets within companies, typically upper management and senior executives.
They emails are made to look like critical business emails and sent from legitimate authorities. They often include legal subpoenas, managerial issues, or consumer complaints.
Attackers make off with a high return on investment because they are able to get personal and/or professional information about a high-level employee.
An email that uses legitimate, previously delivered emails to carry out an attack.
Attackers will use original emails and clone them to create an almost identical version. They are then resent as the original or an updated version of the original, with the attachment or link replaced with a malicious version.
Phishing attacks distributed via email or social media as a message sent by compromised accounts of friends or on the behalf of a cloud service provider.
This attack will ask users to download a document that was uploaded to a cloud service.
These attacks come from communications claiming to be law enforcement agencies, such as the IRS or FBI.
However, government agencies do not initiate contact with taxpayers via email, and will never request personal or financial information through email.
Social Media Phishing:
These attacks occur when cybercriminals create websites to look identical to social media platforms like Facebook and LinkedIn, using similar URLs and emails, in an attempt to steal login information.
Users are asked to reset passwords, an
d taken to a fake landing page that looks identical to the social media platform to enter login information.
Attackers then access the account, sell them the info to third parties, or blackmail the user.
You can avoid phishing attacks by checking:
- Sender Details: Make sure the sender is legitimate. Often, if the domain name is different than the company, it’s fraudulent.
- Message Content: An attackers message will often ask you to send them or verify personal information via email, will stress the urgency of delivering this info through threat or promotion, or will claim there was a problem with a recent purchase.
- Message Form: Hover over the URL with your mouse before clicking – if the URL that shows is different than the one displayed, it could be a trap. Also, look out for IP address links or URL shorteners, as they can hide nefarious links. Typos and spelling mistakes aren’t normal. Poor design and missing signatures could indicate fake messages.
- Attachments: Attachments can be files that contain links or hid malware.
- External Links: If you already clicked on the link, make sure the website starts with “https” instead of “http”, which indicated the website has Secure Sockets Layer (SSL) and is encrypted.
Ransomware is a type of attack that utilizes malware in order to hold the user’s information ransom.
It can happen on a personal level, where personal information like credit card info, bank account numbers, social security numbers and more can be held ransom. The attacker will threaten to release or sell the information unless the user pays them a sum of money.
On the business level, the impact can be much more dangerous. Customer information or trade secrets can be stolen. If customer info is stolen it could cripple the company permanently. The attacker could threaten to sell trade secrets to competition. Again, the attacker will demand a sum of money in order to return the info.
The biggest problem with ransomware is that there is really no guarantee that the data is returned. Attackers could release the info after receiving payment, or demand more and more money.
Here’s an example of how a ransomware attack could be carried out, from The Hacker News:
In early 2016 hackers were believed to be carrying out social engineering hoaxes by luring victims into installing deadly ransomware through email spam. The spam contained malware disguised as a Microsoft Word file. The ransomware was dubbed “Locky.”
The ransomware worked due to macros, which are series of commands and instructions that group together as a single command to automate tasks in word. Hackers sent the files in the form of company invoices with word file attachments that embed vicious macro functions.
Source: The Hacker News
When a victim opens the document, a doc file is downloaded. When the file is opened, a popup appears that asks to “enable macros.” Once the macros have been enabled, an executable from a remote server is downloaded and run – this executable is the Locky Ransomware, which them begins to encrypt all the files on the computer and the network.
Source: The Hacker News
Nearly all file formats are encrypted and filenames are replaced with a “.locky” extension. Once encrypted, the ransomware malware displays a message that instructs infected victims to download TOR and visit the attacker’s website for further instructions and payments. The hackers then ask for a payment in order to receive the decryption key.
The Locky ransomware even had the capability to encrypt network-based backup files. This is one of the reasons that companies are encouraged to keep sensitive and important files in a third party storage as a backup plan.
As this example shows, ransomware can be extremely dangerous to companies. All of the examples of malware can be used to eventually hold a person or company ransom.
A Distributed denial-of-services (DDoS) attack is an attempt to make an online service unavailable by flooding it with traffic from multiple sources. BBC Tech has a good explanation in this video.
There are several types of DDoS attacks, as TechLog360 explains:
- TCP Connection Attacks – These attempt to use up all the available connections to infrastructure devices such as load-balancers, firewalls and application servers. Even devices capable of maintaining state on millions of connections can be taken down by these attacks.
- Volumetric Attacks – These attempt to consume the bandwidth either within the target network/service, or between the target network/service and the rest of the Internet. These attacks are simply about causing congestion.
- Fragmentation Attacks – These send a flood of TCP or UDP fragments to a victim, overwhelming the victim’s ability to re-assemble the streams and severely reducing performance.
- Application Attacks – These attempt to overwhelm a specific aspect of an application or service and can be effective even with very few attacking machines generating a low traffic rate (making them difficult to detect and mitigate).
DDoS attacks can even be committed using a botnet of Internet of Things (IoT) devices. This happened recently with the Dyn cyber attack.
The DDoS attack on Dyn began at 11:10 UTC on October 21, 2016. At this point a volumetric DDoS attack was carried out on the DNS provider that sent an unreasonable amount of traffic toward the target, causing it to effectively run out of network resources.
What was unique about the DDoS attack on Dyn was that it was carried out using Internet of Things devices. A relatively new form of attack, Internet of Things presents is a particularly juicy opportunity for hackers. Any device connected to the web can potentially be utilized to carry out attacks.
For the Dyn attack, specifically, a Marai malware botnet was used to carry out the attack. The same botnet that was used on Krebs on Security. Hackers used devices like routers, webcams, security cameras, and DVRs in order to create the botnet and launch the DDoS attack. Over 100,000 devices were used in the Dyn attack, rendering the provider unable to process requests, and effectively locking down the sites that use Dyn services. The attacks came in traffic bursts 40 to 50 times normal flows, and lasted over 9 hours.
What’s so scary about Marai is that the code is available to the general public. The owner of the botnet published the source code online and now any hacker or group of hackers can utilize it to their advantage.
DDoS attacks come with a cost to companies:
How do we protect from viruses, malware, and the like?
Aside from best practices and staying vigilant, antivirus software is an absolute must in the battle against cyber criminals. From How to Geek:
Antivirus software runs in the background on your computer, checking every file you open. This is generally known as on-access scanning, background scanning, resident scanning, real-time protection, or something else, depending on your antivirus program.
When you double-click an EXE file, it may seem like the program launches immediately – but it doesn’t. Your antivirus software checks the program first, comparing it to known viruses, worms, and other types of malware. Your antivirus software also does “heuristic” checking, checking programs for types of bad behavior that may indicate a new, unknown virus.
Antivirus programs also scan other types of files that can contain viruses. For example, a .zip archive file may contain compressed viruses, or a Word document can contain a malicious macro. Files are scanned whenever they’re used – for example, if you download an EXE file, it will be scanned immediately, before you even open it.
It’s possible to use an antivirus without on-access scanning, but this generally isn’t a good idea – viruses that exploit security holes in programs wouldn’t be caught by the scanner. After a virus has infected your system, it’s much harder to remove. (It’s also hard to be sure that the malware has ever been completely removed.)
There are a number of antivirus software out there for personal use and enterprise use. AV-TEST is responsible for testing out multiple protection applications in antivirus software, and Tech Worm was able to categorize the best antivirus software depending on the reason for usage.
- Best Antivirus for Repairing Tools: The award for the best repair operations for tools built into security products went to Avira Antivirus Pro, while the second award, which was the best standalone repair and cleaning tools went to Virus Removal Tool.
- Best Antivirus for Performance: In the consumer class, the award was a tie between Bitdefender Internet Security and Kaspersky Internet Security, while on an enterprise level, the award was given to Bitdefender’s Endpoint Security.
- Best Antivirus for Usability: Avira Antivirus Pro and Kaspersky Internet Security won the awards for the consumer class. On the enterprise level however, the award was snagged by Intel Security’s McAfee Endpoint Security.
- Best Antivirus for Overall Protection: For the consumer and enterprise class, Symantec was the clear winner, with its Norton Security antivirus, which grabbed the best-in-class title in the consumer class while the company’s Endpoint Protection took the title in the corporate category.
Cloud security has become increasingly important to companies as cloud adoption has skyrocketed over the past several years.
According to TechCrunch, firewall and switching vendors will fade and companies that provide encryption and anti-malware technology will thrive due to the cloud computing environment.
As more companies move to off-premise cloud solutions, hackers will begin to attack the off-premise areas in order to steal data. Anti-malware technology is needed, but the tech needs to be specifically designed to be inserted into cloud systems. More APIs and frameworks from cloud providers will allow for third-party anti-malware integration.
Firewall vendors have traditionally focused on access control. Firewalls determine who can talk to what over which protocol, and are typically IP-centric. While the cloud is in need of the advanced functions that firewalls provide, core access control is often imbedded into a cloud provider’s system, meaning they don’t need the added protection firewall vendors provide.
Load balancers face the same problem. They have long distributed traffic across servers to handle high volumes of users or visitors. However, cloud providers already feature auto-scaling, so customers don’t need to pay a third party to provide it.
Encryption has typically only been deployed in certain scenarios by companies. With the cloud, however, everything always needs to be encrypted. In the past, agent-based encryption has been tough to deploy because it doesn’t work seamlessly with other infrastructure functions. With the cloud, vendors are incentivized to create solutions that overcome the limits of traditional encryption. While cloud providers offer built-in encryption, companies will want to bolster security with their own third-party choices.
Switching products offer complex features like VLANS, but these features aren’t necessary with cloud computing. Traditionally, switching products have used elaborate protocols to determine what can talk to what. In cloud computing, network control is defined up front and deployed automatically. So there is no need to set up network access control policies, and therefore less need for software switches.
Storage is a huge growth area with the cloud. Cloud computing provides readily accessible infrastructure to store data. Companies will need to leverage both public and private clouds in order to manage all of this data. So software storage vendors could see a lot of opportunity, especially when combined with the amount of data that will come with IoT devices.
All in all, cloud security will need to be handled differently than on-premise security has typically been handled.
Internet of Things Security
The Internet of Things (IoT) brings an entirely new wrinkle to the cyber security landscape.
No longer do we need to only worry about desktops, laptops and mobile devices being a gateway to our network. As IoT is further deployed, hundreds, thousands, and even millions of devices will be connected to the network for some companies.
The biggest problem is that IoT devices have extremely poor security on the whole, and there is a total and utter lack of standards to ensure that the devices you purchase are safe.
Here’s a good example from Ars Technica:
Shodan, a search engine for IoT, launched a feature that let users browse vulnerable web cams that use Real Time Streaming Protocol (RTSP) to share video. These cameras have no password authentication in place. Shodan searches the internet, finds susceptible webcams, and takes a screenshot. The results included images of marijuana plantations, back rooms of banks, children, kitchens, living rooms, garages, front gardens, back gardens, ski slopes, swimming pools, colleges and schools, laboratories, and cash register cameras in retail stores.
This highlights the problem with IoT devices. They are becoming available, but the security is massively flawed and unregulated. As it stands there are multiple alliances. Open Connectivity Foundation, One M2M, IoT Forum, ISO, Industrial Internet Consortium, OpenFog, LoRa Alliance, OMA, AllSeen Alliance are some of them. There are multiple protocol standards: MQTT, COAP, DDS, AMQP, XMPP and so on. There are even multiple networking standards. Zigbee, WiFi, Bluetooth, Lte, SIGFOX, NB-IoT, and Z-Wave are only some of them.
When you have this many standards and protocols you really have none. Consumers and companies are unaware of the standard of security in these devices.
Security research Brian Knopf is trying to change this. He offers preliminary cireteria that his company, I Am The Cavalry, will use to judge IoT devices:
Source: Ars Technica
The US Air Force has also contracted Peiter “Mudge” Zatko of the L0pht hacker group to create a “Consumer Security Report” for IoT devices.
For now, there isn’t much more to say on IoT security. Be extremely careful. Make sure any device connected to the network is secure. Hire third party security firms to test them. Don’t let IoT devices be the cause of a cyberattack on your company.
Mobile Payment Security
According to TechCrunch, as of early 2016, only 20% of people with an iPhone that works with Apple Pay have ever tried Apple Pay.
Mobile payment is slow to adoption, but that doesn’t mean it’s something that companies don’t need to worry about.
Innovation in mobile payment is expected innovate in a number of ways in the next few years:
- Peer-to-Peer payments will allow users to transfer money directly to one another.
- Plastic will be replaced by smart phones, where all credit cards will be consolidated.
- Centralized awards points will have merchants accept loyalty rewards from one another.
- Charitable contributions will evolve to allow for donations to individuals.
- Virtual banks will replace brick-and-mortar institutions.
If you’re a company that receives payments, especially from consumers, you’ll need to ensure that your line of retrieval of these payments is totally secure. How so?
Some companies have turned to host cared emulations (HCE). This is a technology that emulates a payment card on a mobile device using software. At this point, many mobile payment credentials are stores on the device hardware as a secure element. HCE removes third-party involvement by moving credentials off the device.
Cryptocurrency may also be the way of the future for mobile payments. Cryptocurrency is a digital currency in which encryption techniques are used to regulate the generation of units of currency and verify the transfer of funds.
Cryptocurrency relies heavily on blockchain. According to the Wall Street Journal:
A blockchain is a data structure that makes it possible to create a digital ledger of transactions and share it among a distributed network of computers. It uses cryptography to allow each participant on the network to manipulate the ledger in a secure way without the need for a central authority.
This means that the ledger is incorruptible. It exists on its own, completely encrypted, and keeps a tally of every transaction made that cannot be altered after the fact. That means that, when multiple businesses are interacting on the same leger, exchanging capital, there doesn’t need to be multiple copies for each company. The single copy is kept for them all, saving time, money, and possible confusion as to transactions.
Currently, companies like IBM, Intel, Cisco, JP Morgan, Wells Fargo and State Street have created their own global online ledger known as the Open Ledger Project.
A recent 2016 survey found that 59 percent of organizations incorporate cyber insurance into their strategic plans to manage cyber risks, with the highest rate among large corporations.
According to TechCrunch, “Cyber insurance is a sub-category within the general insurance industry, offering products and services designed to protect businesses from internet-based risks.” The cyber insurance market has grown from 10 insurers to 50 in the past few years.
Cyber insurance policies typically include a combination of first-party coverage, which covers direct losses to the organization, and third-party coverage, which protects against claims against the organization by third parties.
There is, however, no standard form of cyber insurance on the market. Insurance companies seek to understand the client’s risk profile in order to determine a premium, based on the scale of the business and the sensitivity of the data it handles and stores.
A lack of history in this area means there is little known about whether policies are sufficient. A recent attack on health insurer Anthem is estimated to cost the company more than a billion dollars, while its insurance policy is estimated to pay out only between 150 million and 200 million dollars.
That isn’t to say you shouldn’t invest on a policy. Anthem still got back up to 200 million dollars in losses. That’s significant. Just understand that the market is still undefined, and ensure that you are getting sufficient coverage for what you’re paying.
The end user’s first and last stop for making technology decisions.