7 Things That Make Every Website Safer for Customers

Your website needs to be well-designed, functional, and aesthetically reflective of your brand. But, don’t forget, it also needs to be safe. Website security is a vital part of development that makes your data less vulnerable to cybercriminals and increases the security of your customers’ financial transactions.

You’ll also prevent the possibility of a massive consumer data breach—like the one faced by Target a few years back, which cost the company $39 million and even more in lost consumer trust. And, you’ll build your reputation and trustworthiness simply by having tighter security standards on display.

Getting Technical
Unfortunately, website security is a somewhat complicated issue. Top data security experts have decades of experience and work tirelessly to come up with ingenious new ways to protect against digital vulnerabilities. Today’s entrepreneur has access to tools like Website Setup that make it easy to launch and manage a website, but it’s difficult to match this level of dedication — especially when you don’t have the technical knowledge to back up your efforts.

Today’s website building tools and practically unlimited online resources make it easier to make your site safe — but you still must be familiar with your top priorities.

Website Safety Features
These are some of the most important website safety features to have integrated for your customers:

  1. SSL encryption. SSL encryption is a relatively simple installation and basic security feature that encrypts the connection between a web browser and a web server. When customers input information (like credit card numbers), that information is passed from the customer’s browser to your web server; SSL encryption makes sure that information can’t be easily seen or intercepted by third parties. SSL-encrypted sites are designated by a “https” prefix that lets consumers know they’re safer.
  2. Secure login and logout features. Simple, secure login and logout features also can make your site safer. For example, you could mandate that your customers re-sign in when they’re about to check out to avoid the possibility of fraudulent purchases made on an idly logged-in account. You could also have your site automatically log customers out after a period of inactivity. This helps prevent the possibility of infiltration and identity theft.
  3. Mandatory password requirements. You can also increase the security of your logins by instituting mandatory password requirements. Many people opt to create simple, memorable passwords such as “password,” “123456,” pet names, birthdays, or other basic combinations. However, these are easy-to-guess and make it simple for a hacker to gain access to that user’s account. You could mandate that passwords be at least a certain number of characters, or that they contain multiple types of characters like lower-case letters, upper-case letters, numbers, and special symbols.
  4. Multi-factor identification. Multi-factor security can also increase the safety of your site, though for the most part, this method is reserved for banks and other financial institutions where safety is of the utmost concern. With this setup, users are forced to identify themselves in multiple ways—such as with a signature device as well as a password-based login.
  5. Updated software and platforms. One basic action you can take to keep your site safe is keeping your CMS system up-to-date. For example, WordPress routinely releases new software and new security protocols; making sure your site is updated will help you stay ahead of new potential threats and remain on the best system available to the public.
  6. Hidden admin directories. Most template and basic CMS sites have a simple way to be accessed: the main domain, followed by a “/admin” or similar setup at the end. Hackers realize this and often try to break into the back end of a site by first accessing this admin directory. You can make your site more secure by “hiding” this admin directory, disguising it with a custom URL or otherwise masking your original directory.
  7. Consumer information. Finally, keep your customers up-to-date with best practices for personal security. Let them know the advantages of choosing a strong, unique password, and encourage them not to stay logged into their accounts on public devices. There’s only so much you can do to your site to protect security breaches; arming consumers with information to protect themselves is the next step.
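Items 2 and 3 above (inactivity logout, re-signing in before checkout, and mandatory password requirements) as a small added example in Python. This is illustrative code written for this digest, not from the article; the policy thresholds, the `Session` class and the common-password list are assumptions.

```python
"""Login hardening: password policy plus idle logout and checkout re-authentication.
Hypothetical example; thresholds and names are assumptions, not a real product's values."""
import re
from dataclasses import dataclass

# Constructed blocklist of the kind of weak passwords the article names.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}
MIN_LENGTH = 12
IDLE_TIMEOUT = 15 * 60           # seconds without activity before forced logout
CHECKOUT_MAX_AUTH_AGE = 5 * 60   # checkout requires a login within the last 5 minutes


def password_problems(password: str, profile_words=()) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable.
    profile_words holds things the site already knows about the user (pet name, birth year)
    so that 'Fluffy2024' style passwords are rejected too."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "lower": re.search(r"[a-z]", password),
        "upper": re.search(r"[A-Z]", password),
        "digit": re.search(r"\d", password),
        "symbol": re.search(r"[^A-Za-z0-9]", password),
    }
    missing = [name for name, hit in classes.items() if not hit]
    if len(missing) > 1:  # require at least three of the four character types
        problems.append("needs more character types: " + ", ".join(missing))
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("is a commonly guessed password")
    for word in profile_words:
        if len(word) >= 4 and word.lower() in lowered:
            problems.append(f"contains profile information ({word})")
    return problems


@dataclass
class Session:
    """Server-side session state; times are seconds (e.g. from time.time())."""
    user: str
    authenticated_at: float
    last_activity: float

    def touch(self, now: float) -> bool:
        """Record activity. Returns False when the session sat idle past IDLE_TIMEOUT,
        which the caller treats as a forced logout."""
        if now - self.last_activity > IDLE_TIMEOUT:
            return False
        self.last_activity = now
        return True

    def may_checkout(self, now: float) -> bool:
        """Checkout is allowed only on a live session whose login is recent enough;
        otherwise the customer is asked to sign in again (the article's re-sign-in step)."""
        return self.touch(now) and (now - self.authenticated_at) <= CHECKOUT_MAX_AUTH_AGE

    def reauthenticate(self, now: float) -> None:
        """Called after a successful re-sign-in at checkout."""
        self.authenticated_at = now
        self.last_activity = now
```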

With these security factors in place, your company and your customers will both be better protected from digital threats. Your security doesn’t have to be top-of-the-line or ridiculously expensive to be effective; most cybercriminals spare effort by targeting only the most vulnerable companies, so even these simple features can help protect you.

Make the effort to step up your website’s security, and you’ll improve both customer acquisition and retention. What’s more, you will rest well knowing you have improved protection against possible attacks.

Larry Alton, Writer, LarryAlton.com

[ISACA Now Blog]

Is Your Industry at High Risk of Insider Threat?

In the movies, data theft is usually the work of outsiders. You’ve witnessed the scene a million times: A cyber thief breaks into a business, avoiding security measures, dodging guards and employees, and making off with a USB stick of valuable data seconds before he or she would have been spotted. But in the real world, data theft is much more mundane. Most cyberattacks are carried out by someone within the company or someone posing as such. Sometimes they take data that’s essentially harmless, like personal files they feel entitled to keep. Other times, what they take is potentially much more harmful. According to a 2016 report from Deloitte, 59 percent of employees who leave an organization say they take sensitive data with them! With IP making up 80 percent of a company’s value, insider threat is something that every company should take seriously.

Some industries are much more at risk of insider threat than others. Is your industry one of the most vulnerable? The infographic below details the industries hit with the most instances of insider threat in 2015. If you work in one of these industries, perhaps it is time to revisit your cyber security policies.

Jeremy Zoss, Managing Editor, Code42

[Cloud Security Alliance Blog]

The Rise in SSL-based Threats

Overview

The majority of Internet traffic is now encrypted. With the advent of free SSL providers like Let’s Encrypt, the move to encryption has become easy and free. On any given day in the Zscaler cloud, more than half of the traffic we inspect uses SSL. It is no surprise, then, that malicious actors have also been using the SSL protocol in their activities over the last several years. The increasing use of SSL creates problems for organizations that are unable to monitor SSL traffic, as they must rely on less-effective techniques like IP and domain blocking in an attempt to identify and block threats.

In this report, we will outline trends we have seen in the use of SSL in the malware lifecycle and in adware distribution, based on a review of traffic on the Zscaler cloud from August 2016 through January 2017. What follows is a graphic illustrating our findings, and an analysis of recent activities.


Malicious SSL Activity
During the six-month period, the ThreatLabZ research team observed that the Zscaler cloud blocked an average of 600,000 malicious activities each day that used SSL, including exploit kit traffic, malware and adware distribution, malware callbacks, and other malicious traffic.

Figure 1. Total SSL blocks, August 2016 – January 2017

In our cloud, we observed an overall increase in malicious SSL traffic in nearly all categories — a trend we expect to continue — with periodic spikes, such as those in early August and late November, when SSL malware blocks reached nearly two million a day.

Browser Exploits and Payload Delivery
Exploit kit (EK) authors are more frequently including SSL in the infection chain at some point. Previous malvertising campaigns have been observed in which EKs took advantage of SSL-enabled advertising networks to inject malicious scripts into legitimate webpages. EK authors may also abuse services that provide free SSL certificates to add HTTPS support to their maliciously controlled domains. This maneuver enables them to bypass the SSL integrity checks built into modern web browsers.

Figure 2. SSL web exploit monthly total hits, August 2016 – January 2017

Figure 3. SSL web exploit blocks, August 2016 – January 2017

During the observation period, we saw an average of 10,000 hits per month for web exploits that included SSL as part of the infection chain.

Phishing

Figure 4. Phishing blocks, August 2016 – January 2017

Phishing campaigns have been increasingly using SSL in their attacks. Many phishing attacks involve hosting the phishing page on a legitimate domain that has been compromised. Since the number of legitimate sites that support SSL is constantly increasing, so is the number of SSL-enabled phishing attacks. This rise presents a significant threat, because organizations, in an attempt to thwart ransomware and other phishing schemes, have implemented security hardware solutions to detect and block phishing, but few of them support SSL inspection.

Malware Families That Use SSL
Several years ago, it was rare to see malware using SSL to encrypt command-and-control (C&C) mechanisms. As malware design has become more sophisticated, and with the near ubiquity of SSL on the Internet, it made sense for malware authors to begin using SSL to hide their activities. Some malware families have gone further, using anonymity services such as Tor to hide the location of their C&C servers, connecting to (otherwise legitimate) HTTP Tor gateways via SSL.

Botnets typically use self-signed SSL certificates, frequently using the names and information of real companies to try to appear legitimate. The SSL Blacklist is a project that tracks the SSL certificates used by malware authors.

Figure 5. Malware callbacks over SSL, September 2016 – January 2017

Corresponding with the increase in malicious payload deliveries in November 2016, we also observed an increase in blocked malicious SSL traffic during that time.

In our analysis, we came across many malware families that were using SSL for malicious purposes. Some of the recent and notorious malware families actively using SSL are:

  • Dridex/Dyre/TrickLoader: The Dridex, Dyre, and TrickLoader banking Trojans are capable of communicating with their C&C servers via SSL using their own SSL certificates. These families previously used the common browser hooking technique for callbacks, but the latest versions can perform redirects via a local proxy or local DNS poisoning to fake websites controlled by the attacker.
  • Vawtrak: Vawtrak is a well-crafted piece of malware supporting the VNC and SOCKS proxies, screenshot and video capturing, and extensibility with regular updates from C&C servers. Vawtrak samples contain code for downloading and validating SSL certificates and are capable of initiating an HTTPS connection. The malware contains a list of HTTPS-secured hosts that contain updated lists of live C&C servers.
  • Gootkit: Gootkit is a stealth banking trojan with backdoor and spyware capabilities that uses fileless infection and communications over SSL. Gootkit intercepts user data via web injections into HTTPS traffic.

Adware
A common function of adware is to inject unwanted advertisements into web traffic. These advertisements can also lead to malicious infections, as exploit authors frequently take advantage of less-scrupulous advertising networks to distribute exploit redirect scripts. Securing web traffic with SSL/HTTPS prevents this distribution in most cases. Adware installed on a client machine would not be able to perform a man-in-the-middle attack with a self-signed certificate due to the HTTPS safeguards included in modern browsers.

However, in several notable cases, major adware distributions have circumvented these safeguards to inject advertisements into HTTPS traffic. The two most high-profile examples are the Superfish and PrivDog adware distributions, which were first seen abusing SSL in 2015. Both of these adware programs install a self-signed root CA certificate onto the victim’s computer and intercept all web traffic in order to inject advertisements into web pages. PrivDog in particular was a serious concern because it did not validate SSL certificates on its end of the proxy, allowing users to inadvertently navigate to websites with invalid SSL certificates, exposing them to additional threats.
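Two checks a defender would want after reading the Superfish/PrivDog discussion above, as an added Python example that is not part of the report: detecting a self-signed root that was added to the trust store outside an approved baseline, and the difference between a PrivDog-style upstream connection that skips certificate validation and the correct setting. The sample entries and the baseline are constructed; the entry format mirrors what `ssl.SSLContext.get_ca_certs()` returns.

```python
"""Trust-store baseline check and upstream TLS verification settings.
Hypothetical example; sample certificates and baseline serials are constructed."""
import ssl


def common_name(name):
    """Pull commonName out of the nested-tuple name format used by the ssl module."""
    for rdn in name:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def is_self_signed(cert: dict) -> bool:
    """A root CA issues itself; an interception proxy's injected root looks the same."""
    return cert["subject"] == cert["issuer"]


def unexpected_roots(current, baseline_serials):
    """Return self-signed roots whose serial number is not in the approved baseline.
    An injected root shows up here even when its name is borrowed from a real company."""
    return [c for c in current
            if is_self_signed(c) and c["serialNumber"] not in baseline_serials]


def system_roots():
    """Collect the OS trust store as a client would see it (run on the machine under review)."""
    return ssl.create_default_context().get_ca_certs()


def upstream_context(verify: bool = True) -> ssl.SSLContext:
    """TLS settings a local proxy uses towards the real site.
    verify=False reproduces the PrivDog weakness (no certificate or hostname validation);
    the default keeps CERT_REQUIRED and hostname checking, which is the correct setting."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


# Constructed sample entries (not real certificates) in get_ca_certs() format.
KNOWN_GOOD = {
    "subject": ((("countryName", "US"),), (("commonName", "Example Public Root CA"),)),
    "issuer": ((("countryName", "US"),), (("commonName", "Example Public Root CA"),)),
    "serialNumber": "01",
}
INJECTED = {
    "subject": ((("organizationName", "Acme Corp"),), (("commonName", "Acme Corp Root"),)),
    "issuer": ((("organizationName", "Acme Corp"),), (("commonName", "Acme Corp Root"),)),
    "serialNumber": "ABCD",
}
BASELINE_SERIALS = {"01"}   # serials captured from a clean reference machine


if __name__ == "__main__":
    for cert in unexpected_roots([KNOWN_GOOD, INJECTED], BASELINE_SERIALS):
        print("unexpected root:", common_name(cert["subject"]), cert["serialNumber"])
```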

Adware variants have also started to host their files on HTTPS sites. We came across a family of adware called InstallCore, which was doing this kind of activity. InstallCore is a Potentially Unwanted Application (PUA) that installs a program to display and/or download unwanted advertisements and toolbars, and tracks a computer’s web usage to feed the victim undesired ad pop-ups; some versions can even hijack a browser’s start or search pages, redirecting the user to a different site or search engine.

InstallCore is often delivered by tricking the user into installing the Flash plugin or a Java update. In some cases, InstallCore is delivered by misdirected download buttons. These fake pop-ups of the Flash player or download buttons appear on content distribution sites, like torrent sites, or free software sites that work on HTTPS.

Figure 6. Fake Flash download pop-up

Conclusion
Due to the rising use of SSL encryption to hide exploit kits, malware, and other threats, it is important to have a security infrastructure that can detect and block these threats. The problem is that SSL inspection is compute-intensive, so even organizations whose security appliances support SSL inspection often disable this feature, as its use would slow traffic throughput to unacceptable levels. Dedicated appliances for SSL inspection are available, but their price puts them out of reach for many organizations. SSL inspection is built into the Zscaler security platform, which, due to its scale, can inspect all SSL traffic without latency.

Research by: Derek Gooley, Jithin Nair, Manohar Ghule

Derek Gooley, Security Researcher, Zscaler

[Cloud Security Alliance Blog]

Moving to a Culture of Trust in Digital Transformation – Perspectives from the Healthcare Industry

The move to a paperless system to improve health and social care is an ambition central to many governments around the world. (ISC)² recently held a roundtable event in London, United Kingdom (UK) inviting several people who work within the sector and the country’s National Public Health Service (NHS) to explore a range of current issues, including the reasons why patients were showing a reluctance to trust efforts to protect their personal data.

The aim was to bring together perspectives from many areas of the healthcare industry and give them the opportunity to talk freely and anonymously about the opportunities and barriers they are facing as the sector undergoes digital transformation.

We are now pleased to publish a white paper detailing the main insights here, and share this assessment from one (ISC)² member who works for the NHS. 

Derrick Bates, CISSP, Information & Cyber Security Officer for the North Cumbria University Hospitals NHS Trust, discusses the issues and what is required to overcome them.

The conversation that the white paper has outlined highlights some of the major issues that are at the core of the difficulties faced by the NHS in 2017, beyond the issue of funding that often dominates the conversation.

The definition of a patient record for example is still something that needs to be ironed out. At this stage in the sector, it is difficult to define something which is amorphous at best, and does not actually exist as a single entity in any meaningful form. It has more definitions than the Oxford English Dictionary. Ideally it would be useful to have a single record of all the healthcare and social care a patient has ever had or required across the time from minus 9 months to end-of-life. Is this achievable? Yes, but it would take vision, money and around 20 to 30 years at the current pace that the sector operates in.

As a consultant I used to use the following metaphor to describe such a system: Imagine you are holding a large beach ball that is constructed from hexagonal panels, some of which are transparent so you can look inside the ball. Inside is a tiny patient. If you look in one window you see the patient in a particular way. Another window still shows you the patient but in a different aspect. Another is different yet again. But, there is only one ball, one data file, one patient, many, many uses and views.

You can control what is seen and who can see it. This is where we should be heading. It appears that this sentiment is also felt by the people who engaged in the conversation which led to the white paper – so it’s arguably widely felt in the healthcare sector.

In the case of the emergence of personal wearable devices, it’s still something that so far remains in the hands of a select segment of the population. Only when it becomes wholly ubiquitous will we have a dataset of really meaningful worth.

With all the other issues facing healthcare they are at present a distraction. Good as a way forward, but there are more fundamental things to be done first, some of which were identified by the white paper. There is also what I call the ‘Public Sector Paradox’ – whereby patients and other users of Public Sector services expect that agencies will both share their data and keep it private. We talk about empowering patients in the control of their data. However, with the greatest of respect, there is not enough understanding around this and many simply can’t be bothered with it. It is seen as ‘our job’ in the sector until it goes wrong.

Finally, there is the issue of trust. The NHS is an organisation that is about us. It sees into our mind, body and soul, our brains, bones and blood, the very stuff which makes us. It is far more precious to patients than any other type of information. The NHS is also an organisation that has suffered and continues to suffer from a level of political interference not felt by any other organisation. Other sectors are regulated – as is the NHS – however other sectors are not regularly reshaped, pummelled, sliced up and changed nearly as much as the NHS.

The vast majority of people trust the NHS to make them better and think, quite rightly, that we have a world class healthcare service. Unfortunately the people do not trust politicians and by extension, the NHS initiatives dreamt up by politicians. The Gordian knot that is today’s NHS needs to be decoupled from direct political control and funded at the correct level for the service it is being asked to deliver.

Apart from the obvious matter of funding, in order to move forward with the aspirations identified by the participants of the discussion on which this white paper is based, there will be a need for visionary leadership, and a freedom to act. It will be interesting to assess how near or far we are to achieving this by the end of year.

[(ISC)² Blog]

PAN-OS 8.0: Three New Features in Panorama That Will Make Your Job Easier

Network security management tools should make your life easier. Panorama network security management is intelligent, fast, and plugs into your security ecosystem via application programming interfaces (APIs). It does the heavy lifting of correlating indicators of compromise across millions of log lines obtained from next-generation firewalls and endpoints; takes automated actions that you have pre-programmed; and ultimately gives you the information you need to act upon.

Introducing Panorama 8.0

As part of our recent PAN-OS 8.0 release, there are three new features introduced in our latest version of Panorama that will make your job easier.

  1. More data sources for greater visibility. Panorama now ingests logs from the next-generation firewalls, as well as Traps advanced endpoint protection. But what’s the point of more data if it can’t be converted into useful, actionable information? Panorama’s unique automated correlation engine processes all the data that it receives, scrutinizes security events that may appear isolated, and queries the data for specific patterns including ones defined by our Unit 42 threat intelligence team. The analysis provides you with the kind of information you are interested in. For example, by analyzing exploit prevention events on the endpoint with threat information received from WildFire, the correlation engine can tie together disparate indicators of compromise and point out which endpoints are infected, if any.
  2. Automated actions triggered on filtered events. As an administrator, you get inundated with events, events and more events. How do you know what to act on? This onslaught of events lets malicious events go unnoticed. Our approach is different. Panorama can define what kinds of events should be forwarded to specific teams. For example, the Security Operations Team may choose to receive only the high-priority malware and phishing-related events. This personalized event filter lets you analyze and act upon information relevant to your role. And that’s not all. Panorama also allows you to automate tasks. You can program appropriate events to trigger a workflow on any part of your security ecosystem that accepts an HTTP/S call, for example, a ticketing service.
  3. Granular change management for multi-admin teams. Often multiple administrators manage network security. And they need to make changes and commit them independent of other teams. Panorama enables administrators to do this. Let’s say that you are a security administrator and need to make an urgent, high-priority change to the security rules on the firewall. But you realize that the network team is making changes to the firewall’s VPN rules, which they need to test and verify before they roll them out. You can’t wait for them to complete their testing since your time window is much shorter. Panorama allows you to commit and revert your changes independent of other teams. You can commit your changes without affecting the network team’s changes. This frees you up from doing an offline coordination with other teams for commit and revert.

Making You More Secure: A Real-World Example

Let’s say that one of your endpoints, which does not have Traps installed, receives an exploit attempt through a new file that a user just downloaded. Imagine that this is a previously unknown threat, so the file gets sent to WildFire, our threat intelligence cloud. WildFire executes the file in the cloud, then concludes that it is malicious. It immediately creates signatures to catch this new malware and distributes them globally to all Palo Alto Networks Next-Generation Firewalls.

But what about the endpoint that received the exploit attempt? Since the endpoint does not have Traps installed, the file executes and the exploit attempt is successful. The endpoint attempts to make a command-and-control (C2) callback and is blocked by the firewall. When Panorama analyzes logs, the automated correlation engine inspects the data and finds a match between the attempted C2 activity on the endpoint and the malicious behavior that the file showed in WildFire. Based on this match, it now concludes that this is an infected host.

This information alone is extremely valuable to a security administrator. But Panorama goes beyond just highlighting the information. With the 8.0 release, Panorama can look at the source IP address in the log, and auto-tag it with a predefined tag, for example, “Compromised.” The next-generation firewall can be configured to place all IP addresses that are tagged “Compromised” in the appropriate dynamic address group, and apply your chosen policy on the group, for example, to block the traffic or enforce multi-factor authentication for these endpoints. All of this occurs without any manual intervention. As attacks become more and more automated, replacing manual intervention with automated actions is the only way to scale your team to effectively defend against them.

Now if the user at this endpoint is a malicious actor, the multi-factor authentication challenge blocks his attempt to move laterally within your network, which protects your sensitive data. On the other hand, if this is a legitimate user, he or she may get surprised with the multi-factor authentication challenge, and may deny the second factor authentication. If the adversary continues to attempt to move laterally or the user continues to deny the second factor, Panorama can automatically block the IP and log a service ticket. Remember the automatic triggering of actions from Panorama described in point #3 above? This capability comes in handy now. Panorama can use the HTTPS API exposed by your ServiceNow ticketing system to create a ticket so that the Operations team is aware of this action on the endpoint. They can then investigate the incident, remediate the endpoint if needed, and release it from the more stringent security policy.
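The correlation and auto-tagging flow described in this scenario, as an added Python sketch written for this digest. It is a hypothetical reimplementation, not Panorama's code or its API: the log records are constructed, the field names are assumptions, and `open_ticket` stands in for the HTTPS call to a ticketing system.

```python
"""Correlate a WildFire verdict with a C2 callback, tag the host, and escalate on repeated
MFA denials. Hypothetical example; log fields and thresholds are assumptions."""
from collections import defaultdict

# Constructed log records standing in for firewall, WildFire and authentication logs.
LOGS = [
    {"type": "wildfire", "src": "10.1.2.3", "sha256": "deadbeef01", "verdict": "malicious"},
    {"type": "threat", "src": "10.1.2.3", "category": "command-and-control", "action": "block"},
    {"type": "wildfire", "src": "10.1.2.9", "sha256": "cafef00d02", "verdict": "benign"},
    {"type": "threat", "src": "10.1.2.9", "category": "command-and-control", "action": "block"},
    {"type": "auth", "src": "10.1.2.3", "event": "mfa-denied"},
    {"type": "auth", "src": "10.1.2.3", "event": "mfa-denied"},
]

MFA_DENIALS_BEFORE_BLOCK = 2   # assumed threshold for "continues to deny the second factor"


def correlate_infected_hosts(logs):
    """Source IPs that both downloaded a WildFire-malicious file and then attempted a
    (blocked) C2 callback. Either event alone is noise; together they are an infected host."""
    malicious_download = {l["src"] for l in logs
                          if l["type"] == "wildfire" and l["verdict"] == "malicious"}
    c2_attempt = {l["src"] for l in logs
                  if l["type"] == "threat" and l["category"] == "command-and-control"}
    return malicious_download & c2_attempt


def apply_policy(logs, open_ticket):
    """Tag infected hosts 'Compromised' (the dynamic address group then enforces MFA) and,
    once a tagged host keeps denying MFA, switch its action to block and open a ticket.
    Returns (tags per IP, current action per IP)."""
    tags = defaultdict(set)
    actions = {}
    for ip in correlate_infected_hosts(logs):
        tags[ip].add("Compromised")
        actions[ip] = "require-mfa"
    denials = defaultdict(int)
    for l in logs:
        if l["type"] != "auth" or l["event"] != "mfa-denied":
            continue
        ip = l["src"]
        if "Compromised" not in tags.get(ip, ()):
            continue   # MFA denials from untagged hosts are handled by normal auth policy
        denials[ip] += 1
        if denials[ip] >= MFA_DENIALS_BEFORE_BLOCK and actions[ip] != "block":
            actions[ip] = "block"
            open_ticket(ip, "Compromised host denied MFA %d times" % denials[ip])
    return dict(tags), actions


if __name__ == "__main__":
    tags, actions = apply_policy(LOGS, lambda ip, why: print("ticket:", ip, why))
    print(tags, actions)
```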

See Figure 1 below for a depiction of this real-world scenario.

But Wait…Panorama 8.0 Offers Much, Much More

Available either as a dedicated management appliance or as a virtual machine, Panorama 8.0 enables organizations to manage their distributed network of Palo Alto Networks Next-Generation Firewalls from one central location – easily and intelligently. Here’s a complete list of features introduced in Panorama 8.0.

More data sources for greater visibility, plus faster access
  • Vastly improved querying and reporting engine
  • Up to 24TB of RAID storage per M-500
  • Up to 48TB storage for an HA-pair VM
  • Log forwarding from PA-7000 Series to Panorama
  • Ingestion of Traps logs into Panorama

Automated actions triggered on filtered events
  • Filtered log forwarding
  • HTTP-based log forwarding to third-party systems
  • Auto-tagging of source/destination IPs

Improved Visibility
  • ACC enhancements for SaaS visibility and interactivity
  • ACC customization and collaboration improvements: default tab, share tabs
  • Visibility for de-capsulated tunneled traffic

Other features
  • Admin-based commits
  • NetFlow support in PA-7000 Series
  • M-Series expanded multi-interface support
  • Plug-in architecture for external integrations
  • SNMP MIB for device log forwarding and support for HA2 interface


[Palo Alto Networks Research Center]
