Understanding Global Application Usage and Threats to Enterprises

“A single arrow is easily broken, but not ten in a bundle.” – Japanese proverb

Is prevention of cyber attacks impossible? Is trying to prevent attacks a waste of time? Should we spend all our time focused on incident response?

These are constant questions in cybersecurity, and while the truth is that we can’t prevent everything, prevention of a significant majority of attacks is indeed possible. With the implementation of strong security policies, regular analysis of trends and tactics, and, most importantly, shared, actionable threat intelligence to feed into our defenses, this can be a reality.

Today we’re releasing our 2015 Application Usage and Threat Report (AUTR), for which the Palo Alto Networks threat intelligence team, Unit 42, examined application usage activity across more than 7,000 organizations. For this year’s edition, Unit 42 also examined data from Palo Alto Networks WildFire, giving a stronger picture of the adversaries we all face and their common behavioral trends. Unit 42 strongly believes in, and remains committed to, sharing this type of data so that the global community can better secure and defend itself against attacks.

Through Unit 42’s analysis of both application activity and WildFire data over a 12-month period, we now understand the following about global application usage and threats to enterprises:

  • The number of SaaS-based applications observed on enterprise networks has grown 46% from 2012 to 2015.
  • 79 unique remote access applications were found in use worldwide, with more than 4,400 organizations using five or more different remote access applications.
  • Over 40% of all email attachments examined by WildFire were found to be malicious.
  • Nearly 50% of all portable executables analyzed by WildFire were found to be malicious.
  • Over 10% of all malware activity as observed in WildFire was found to be related to macro-based malware.
  • The average time to weaponization of a world event – meaning the creation of cyber threats exploiting things everyone is talking about – was 6 hours.

In addition to these findings, this year’s AUTR includes dossiers on well-known adversaries, with breakdowns of their aliases, targeted industries and regions, specific tactics and tools used, and other details that may help organizations better understand attackers, in order to better secure themselves. Finally, Unit 42 has provided base recommendations on how to minimize the risk and attack surface associated with each finding.

To effectively defend against the adversaries who roam across our individual networks, we must come together and freely share the data and behaviors we are observing. We must defend ourselves not as individuals, but as a community.

Get your copy of the 2015 Application Usage and Threat Report here.

[Palo Alto Networks Blog]

Understanding Cyberhacking Tools and Techniques

It seems like every day there is a new data breach or heist. Hackers break into corporate or government computers and swipe names, addresses, birth dates and those all-important US Social Security numbers. Consider these recent examples:

  • Hackers hit the jackpot when they cracked the network at the US government’s Office of Personnel Management and accessed Social Security numbers, dates of birth and other personal information of more than 4 million federal workers.
  • Unidentified Russian hackers broke into an unclassified email system used by the US Joint Chiefs of Staff.
  • Gang members use social media like everyone else, but they also post threats that name a rival’s street, a practice known as online tagging. Posts and videos threatening rivals and others often accompany these postings.
  • In early February 2015, Anthem (one of the US’ largest health insurers) revealed that hackers had breached a database containing the personal information of 80 million customers and employees.

My recent Journal article focuses on Windows computers, with an emphasis on all nonserver Windows computers. This includes Windows end-user devices such as workstations, desktops, laptops, hybrids and tablets. Workstations are just as important to the security of an organization as servers. Of course, an insecure workstation usually directly impacts only one user, while a server can impact thousands. But all of the biggest breaches in recent times have started with a compromised workstation, not a server. Even though servers and workstations run essentially the same Windows operating system, securing workstations is very different from securing servers.

The key differences that impact security include:

  1. Lack of physical security for workstations in general and the mobility of laptops and tablets.
  2. Workstation usage (e.g., interactive browsing and viewing videos) differs from the unattended background services that dominate servers.
  3. Workstations have much more interaction with untrusted web sites and parsing of Internet content.
  4. Workstations are used by less security-conscious and less technical end users.

Hardening servers is primarily about reducing the attack surface and keeping remote users from reaching more than the resources and services they are supposed to access. Hardening workstations, on the other hand, is very much about protecting end users from themselves. There are also usually many more applications installed on a workstation than on a typical server. Workstation security is actually more complex than server security.

As defenders, we must understand these hacking tools and techniques. Enforcing security policies at the workstation level and using Active Directory permissions to safely delegate administrative authority in a large enterprise offers the best strategy for coping with cybersecurity threats and other advanced attacks. Additionally, by providing corporate directors and government officials with meaningful intelligence on a regular basis, security professionals garner high-level support for building robust security systems and adopting the processes and policies necessary to protect data.

Read Omar Y. Sharkasi’s ISACA Journal article:
“Addressing Cybersecurity Vulnerabilities,” ISACA Journal, volume 5, 2015.

Omar Y. Sharkasi, CBCP, CFE, CRP

[ISACA Journal Author Blog]
