Report after report highlights a gap between the number of skilled cyber security professionals in the workforce and the number of job vacancies.
What is needed to begin to bridge that gap is an increased focus combining education and experience with both federal and private sector job markets.
While this has been a difficult combination to obtain in the past, more and more countries are seeing the need for and instituting programs to fill the gap and stack their bench.
In the United Kingdom, the UK government’s CyberFirst Initiative will collaborate with private companies on not only providing the education but, more importantly, the experience needed for new cyber security professionals to succeed.
Israel is another country that applies this concept. In Israel, those selected for Talpiot are considered the best of the best, not just in hand-to-hand combat, or military tactics, but also in cyber warfare. This generates a labor force with a variety of skills and capabilities.
Even beyond government efforts, corporations are tackling the problem collaboratively. This can be seen by Lockheed Martin’s endorsement of the UK initiative, or the joint venture between an Israeli and Japanese company that set up a training facility to provide hands-on experience to cyber security professionals to help address the cyber security workforce shortage in Japan.
In contrast, most US-led initiatives lack the experience and job components that would further incentivize individuals to obtain the required skills.
For instance, the National Institute for Standards and Technology’s National Initiative for Cybersecurity Careers and Studies provides a consolidation of course information, but unless you are currently working in the federal government or a veteran, most courses require fees to third parties, such as SANS.
A recent government report indicates that much more needs to be done to address the lack of skilled cyber security professionals. The US needs to build stronger relationships with industry knowledge centers such as ISACA and (ISC)², as well as private corporations, to ensure that individuals receive the training, experience and vocations needed to strengthen the cyber security workforce.
Cory Missimore, Senior Information Assurance Specialist, IMPAQ International, LLC
Unit 42 threat researchers have recently observed a threat group distributing new, custom developed malware. We have labelled this threat group the Gamaredon Group and our research shows that the Gamaredon Group has been active since at least 2013.
In the past, the Gamaredon Group has relied heavily on off-the-shelf tools. Our new research shows the Gamaredon Group have made a shift to custom-developed malware. We believe this shift indicates the Gamaredon Group have improved their technical capabilities. The custom-developed malware is fully featured and includes these capabilities:
A mechanism for downloading and executing additional payloads of their choice
The ability to scan system drives for specific file types
The ability to capture screenshots
The ability to remotely execute commands on the system in the user’s security context
The Gamaredon Group primarily makes use of compromised domains, dynamic DNS providers, Russian and Ukrainian country code top-level domains (ccTLDs), and Russian hosting providers to distribute their custom-built malware.
Antimalware technologies have a poor record of detecting the malware this group has developed. We believe this is likely due to the modular nature of the malware, the malware’s heavy use of batch scripts, and the abuse of legitimate applications and tools (such as wget) for malicious purposes.
Previously, LookingGlass reported on a campaign they named “Operation Armageddon,” targeting individuals involved in the Ukrainian military and national security establishment. Because we believe this group is behind that campaign, we’ve named them the Gamaredon Group, an anagram of “Armageddon”. At this time, it is unknown if the new payloads this group is distributing are a continuation of Operation Armageddon or a new campaign.
Gamaredon: Historical Tool Analysis
The earliest discovered sample (based on compile times and sandbox submission times) distributed by this threat group resembles the descriptions of Gamaredon provided by Symantec and Trend Micro. Unfortunately, this identification is rather tenuous, as it seems to only identify the first variant of payloads used by our threat actors. Some samples of later payload variants also have been given the generic and brittle names of TROJ_RESETTER.BB and TROJ_FRAUDROP.EX.
Originally, the payloads delivered to targets by this threat group consisted of a password protected Self-extracting Zip-archive (.SFX) file which, when extracted, wrote a batch script to disk and installed a legitimate remote administration tool called Remote Manipulator System (Figure 1) which they would abuse for malicious purposes.
Figure 1 Remote Manipulator System Interface
One such self-extracting archive (ca87eb1a21c6d4ffd782b225b178ba65463f73de6f4c736eb135be5864f556dc) was first observed around April of 2014. The password (reused by many of the password protected SFX payloads) it used to extract itself is “1234567890__”. The files we observed in this SFX include a batch file named “123.cmd” and another SFX named “setting.exe”. This second SFX contains a .MSI installer package which installs Remote Manipulator System and a batch script which handles the installation.
Later payloads would write batch scripts to disk as well as wget binaries. The batch scripts would use the wget binaries to download and execute additional executables. The scripts would also use wget to send POST requests to command and control (C2) servers that would contain information about the compromised system. Some of these payloads included decoy documents that would open when the malware is executed.
We first observed these samples using wget in 2014. The filenames and decoy documents these samples used attempt to lure individuals by using the presidential administration of Ukraine, Ukrainian national security and defense, the Anti-Terrorist Operation Zone in the Ukraine, and Ukrainian patriotism as subjects. The text of one such decoy document is pictured below.
Figure 2 Ukrainian Decoy Document used by Gamaredon Group
Other observed payloads would, again, use SFX files to deliver a batch script and an executable that allowed remote access through the VNC protocol. These VNC executables would either be included in the SFX file or downloaded by the batch script. We found one URL (now taken down) that hosted a VNC executable that the malware would attempt to download and install at hxxp://prestigeclub.frantov.com[.]ua/press-center/press/chrome-xvnc-v5517.exe.
The batch script would then attempt to have the VNC program connect to a command and control (C2) server to enable the server to control the compromised system. All VNC installations on compromised systems that we observed have used the same configuration file, RC4 key file, and passwords.
One such sample, cfb8216be1a50aa3d425072942ff70f92102d4f4b155ab2cf1e7059244b99d31 first appeared around January of 2015. The batch script utilized in this sample ensures a VNC connection is available:
The path configured in the VNC configuration file across all implants employing VNC (UltraVNC.ini) is “Y:\ПРОБА\Создание троянов\создание RMS\vnc”. This isn’t the only place hardcoded Cyrillic file paths are used by implants. Many of the batch scripts also use hardcoded paths such as “Главное меню\Программы\Автозагрузка”. Many payloads also include a VBS script which raises a dialog box to the users asking them to run the malware again. It reads, “Ошибка при инициализации приложения (0xc0000005). Повторить попытку открытия файла?” (English Translation from Russian: Application failed to initialize (0xc0000005). Try to open the file again?).
Some of the SFX files also include another legitimate application called ChkFlsh.exe (8c9d690e765c7656152ad980edd2200b81d2afceef882ed81287fe212249f845). This application was written by a Ukrainian programmer and is used to check the performance of USB flash drives. Its value to the attackers isn’t clear, but one possibility is that it is somehow used to steal or monitor files on USB devices. In our research, we found this application present in some SFX files along with VNC programs and in some SFX files that didn’t have VNC programs included.
Custom Implants
While the most recent samples observed still use batch scripts and SFX files, the Gamaredon Group has moved away from applications like wget, Remote Manipulator Tool, VNC and ChkFlsh.exe. Instead of using wget the attackers are distributing custom developed downloaders, and instead of Remote Manipulator or VNC the malware is using a custom developed remote access implant.
In June of 2015 a custom downloader used by many newer samples was first seen in the wild and is often included in SFX implants with the name “LocalSMS.dll”. This downloader makes requests to adobe.update-service[.]net (hardcoded in the sample) and is further discussed in Appendix A.
In February 2016, another custom tool now often included in SFX implants was seen in the wild. This SFX file (3773ddd462b01f9272656f3150f2c3de19e77199cf5fac1f44287d11593614f9) contains a new Trojan (598c55b89e819b23eac34547ad02e5cd59e1b8fcb23b5063a251d8e8fae8b824) we refer to as “Pteranodon.” Pteranodon is a custom backdoor which is capable of the following tasks:
Capturing screenshots at a configurable interval and uploading them to the attacker
Downloading and executing additional files
Executing arbitrary commands on the system
The earliest version of Pteranodon uses a hardcoded URL for command and control. It sends POST requests to “msrestore[.]ru/post.php” using a static multipart boundary:
————870978B0uNd4Ry_$
Newer versions of the tool also use hardcoded domains and multipart boundaries. They also share similar pdb strings. Other Pteranodon samples can be found in AutoFocus using the Pteranodon tag. The most recent variant of Pteranodon is analyzed in Appendix A.
We have only identified one delivery vector for the new implants thus far. A Javascript file (f2355a66af99db5f856ebfcfeb2b9e67e5e83fff9b04cdc09ac0fabb4af556bd) first seen in December of 2016 downloads a resource from http://samotsvety.com[.]ua/files/index.pht (likely a compromised site used for staging payloads) which was previously an SFX file (b2fb7d2977f42698ea92d1576fdd4da7ad7bb34f52a63e4066f158a4b1ffb875) containing two of the Gamaredon custom tools.
A related sample (e24715900aa5c9de807b0c8f6ba8015683af26c42c66f94bee38e50a34e034c4) used the same distinct Mutex and contains a larger set of tools for analysis. The original name of the file is “AdapterTroubleshooter.exe” and the file uses icons which resemble those used by OpenVPN, as seen below.
Upon examining the sample’s file activity within AutoFocus it is clear the sample is a self-extracting executable.
Figure 3 Self Extracting executable behavior shown in AutoFocus
Opening the sample with 7zip inside of a virtual machine, all of the file’s contents can be examined. Below is a table providing the SHA256 values, the filenames, the compile timestamps and the pdb paths of the contents of the SFX file.
The bootstrapping logic for the sample relies on the contents of “condirs.cmd”. Briefly, the logic within “condirs.cmd” follows:
1. Ensure “%LOCALAPPDATA%\Microsoft\Windows\” exists
2. Kill and delete processes, files, and scheduled tasks which may interfere with the sample executing
3. Copy “winrestore.dll” to “%LOCALAPPDATA%\Microsoft\Windows\UsrClass.dat{4f6fe187-7034-11de-b675-001d09fa5win}.dll”
4. Copy “OfficeUpdate.dll” to “%LOCALAPPDATA%\Microsoft\Windows\UsrClass.dat{4f6fe187-7034-11de-b675-001d09fa5off}.dll”
5. Determine if the operating system is Windows XP or Windows 7
6. If the system is running Windows XP
a. Set the directory to copy files into as “%WINDIR%\Setup\State\Office”
b. Copy “UsrClass.lnk” to “%USERPROFILE%\Главное меню\Программы\Автозагрузка\”
c. Copy “SmartArtGraphicsLog.lnk” to “%USERPROFILE%\Главное меню\Программы\Автозагрузка\”
7. If the system is running Windows 7
a. Set the directory to copy files into as “%APPDATA%\Microsoft\Office”
b. Copy “UsrClass.lnk” to “%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\”
c. Copy “SmartArtGraphicsLog.lnk” to “%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\”
Figure 4 Windows XP and Windows 7 logic within “condirs.cmd”
8. Copy “winrestore.dll” to the directory set in step 6a or 7a with the filename “MSO1234.win”
9. Copy “LocalSMS.dll” to the directory set in step 6a or 7a with the filename “MSO1567.dls”
10. Copy “OfficeUpdate.dll” to the directory set in step 6a or 7a with the filename “MSO5678.usb”
11. Copy “MpClients.dll” to the directory set in step 6a or 7a with the filename “MSO8734.obn”
12. Execute the exported function “updater” within “MSO1234.win” using rundll32.exe
13. Execute the exported function “EntryPoint” within “MSO1567.dls” using rundll32.exe
It should be noted that “UsrClass.lnk” links to “%WINDIR%\system32\rundll32.exe UsrClass.dat{4f6fe187-7034-11de-b675-001d09fa5win}.dll,updater” and “SmartArtGraphicsLog.lnk” links to “C:\WINDOWS\system32\rundll32.exe UsrClass.dat{4f6fe187-7034-11de-b675-001d09fa5off}.dll,StartBackup”. These are the locations “winrestore.dll” and “OfficeUpdate.dll” were copied to in steps 3 and 4, respectively.
The “condirs.cmd” script then continues to:
1. Schedule the following tasks:
a. Task name “UpdatesWinRes”, invoke “MSO1234.win,updater”
b. Task name “UpdatesWinDLL”, invoke “MSO1567.dls,EntryPoint”
c. Task name “UpdatesWinUSBOOK”, invoke “MSO5678.usb,StartBackup”
d. Task name “UpdatesWinOBN”, invoke “MSO8734.obn,bitDefender”
2. Ensure the directory “%Temp%\reports\ProfileSkype\” exists
3. Kill processes named “skype.exe”
4. Copy the contents of “%AppData%\Skype” to “%Temp%\reports\ProfileSkype\”
5. Create subdirectories under “%Temp%\reports\%COMPUTERNAME%\” with names: Z W P S V Q N M L K I J F H E G and D. These are drive letters.
6. Copy all files from all above drive letters with extensions “doc”, “docx”, “xls”, “xlsx”, “rtf”, “odt” and “txt” into “%TEMP%\reports\%COMPUTERNAME%\%%d\” where %%d is the drive letter
7. Copy all files with the above extensions from all users’ “Desktop”, “Documents”, and “Downloads” folders to “%TEMP%\reports\%COMPUTERNAME%\Desktop\”, “%TEMP%\reports\%COMPUTERNAME%\Documents\” and “%TEMP%\reports\%COMPUTERNAME%\Downloads\” respectively
Figure 5 The document stealing logic inside “condirs.cmd”
8. Execute the exported function “StartBackup” within “MSO5678.usb” using rundll32.exe
9. Execute the exported function “bitDefender” within “MSO8734.obn” using rundll32.exe
10. Clean up temporary files, sleep, and delete itself
When this script has completed, a series of implants giving the attacker the ability to steal files, capture screenshots and evade detection are deployed on the system. These individual implants are analyzed in detail in Appendix A.
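The bootstrap steps above leave a small, fixed set of host artifacts (scheduled task names, the disguised UsrClass.dat{...}.dll rundll32 targets, the MSO*.win/.dls/.usb/.obn staging names, the Startup-folder .lnk names and the mutexes from Appendix A). The following triage helper is an added example, not code from the Unit 42 post; the indicator strings come from the post and every input record (schtasks CSV, .lnk target, Startup paths) is constructed here.

```python
"""
Host-artifact triage for the condirs.cmd bootstrap described above.
Indicator names come from the post; all input records are constructed samples.
"""
import csv
import io
import re

# Scheduled task names, staged file names and export names from condirs.cmd
TASK_NAMES = {"UpdatesWinRes", "UpdatesWinDLL", "UpdatesWinUSBOOK", "UpdatesWinOBN"}
STAGED_FILES = {"MSO1234.win", "MSO1567.dls", "MSO5678.usb", "MSO8734.obn"}
EXPORTS = {"updater", "EntryPoint", "StartBackup", "bitDefender"}
# Mutexes from Appendix A (USBStealer and Pteranodon)
MUTEXES = {"__Wsnusb73__", "__Wsnusbtt73__", "asassin1dj"}
# .lnk names dropped into the Startup folder and the two Startup paths used
STARTUP_LNKS = {"UsrClass.lnk", "SmartArtGraphicsLog.lnk"}
STARTUP_DIRS = ("start menu\\programs\\startup", "главное меню\\программы\\автозагрузка")

# rundll32 loading a DLL disguised as UsrClass.dat{...}.dll; the braces in the
# post's examples contain non-hex characters (e.g. "fa5win"), so match [0-9a-z-]
RUNDLL_RE = re.compile(
    r"rundll32(?:\.exe)?\s+\S*UsrClass\.dat\{[0-9a-z-]+\}\.dll,(\w+)", re.IGNORECASE)
# rundll32 invoking a staged MSO####.<ext> file with an export name
STAGED_RE = re.compile(r"(MSO\d{4}\.(?:win|dls|usb|obn)),(\w+)")


def check_command_line(cmd: str) -> list[str]:
    """Return the reasons a process or .lnk command line matches the bootstrap."""
    hits = []
    m = RUNDLL_RE.search(cmd)
    if m:
        hits.append(f"rundll32 UsrClass.dat{{...}}.dll export {m.group(1)}")
    for fname, export in STAGED_RE.findall(cmd):
        known = fname in STAGED_FILES and export in EXPORTS
        hits.append(f"staged {fname},{export}" + (" (known pair)" if known else ""))
    return hits


def check_scheduled_tasks(schtasks_csv: str) -> list[dict]:
    """Parse schtasks-style CSV (constructed here) and flag matching tasks."""
    findings = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        name = row.get("TaskName", "").rsplit("\\", 1)[-1]
        reasons = ["known task name " + name] if name in TASK_NAMES else []
        reasons += check_command_line(row.get("Task To Run", ""))
        if reasons:
            findings.append({"task": name, "reasons": reasons})
    return findings


def check_startup_entries(paths: list[str]) -> list[str]:
    """Flag the bootstrap's .lnk names inside either Startup folder (Windows 7
    English path or the Windows XP Cyrillic path)."""
    return [p for p in paths
            if p.rsplit("\\", 1)[-1] in STARTUP_LNKS
            and any(d in p.lower() for d in STARTUP_DIRS)]


def check_mutexes(observed: set[str]) -> set[str]:
    """Return the observed mutex names that match the implants' mutexes."""
    return MUTEXES & observed


# Constructed sample records for a stand-alone run
SAMPLE_SCHTASKS = """\
"TaskName","Task To Run","Status"
"\\UpdatesWinRes","rundll32.exe C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Office\\MSO1234.win,updater","Ready"
"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","%windir%\\system32\\defrag.exe -c","Ready"
"\\UpdatesWinOBN","rundll32.exe C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Office\\MSO8734.obn,bitDefender","Ready"
"""
SAMPLE_LNK_TARGET = (r"C:\WINDOWS\system32\rundll32.exe "
                     r"UsrClass.dat{4f6fe187-7034-11de-b675-001d09fa5off}.dll,StartBackup")
SAMPLE_STARTUP = [
    r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UsrClass.lnk",
    r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote.lnk",
]

if __name__ == "__main__":
    print(check_scheduled_tasks(SAMPLE_SCHTASKS))
    print(check_command_line(SAMPLE_LNK_TARGET))
    print(check_startup_entries(SAMPLE_STARTUP))
    print(check_mutexes({"asassin1dj", "Global\\Something"}))
```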
Trends Across Implants
While the payloads used to control compromised systems have evolved over time, many commonalities appear across the samples. While not every sample distributed by this group is described in this blog, hashes of the known samples are included in the Indicators of Compromise section. Some interesting behaviors from a few of the related samples include:
Many of the batch scripts include misspellings of common English words. One such example is the filename “cmd”. Another example, “domen”, is used as a variable name in a batch script and is likely meant to be “domain”.
Almost all batch scripts in all samples ping localhost as a means of sleeping
Many of the batch scripts are named “cmd” and some include the string “Trons_ups” and “Treams”
Many of the batch scripts use the same commands for determining operating system version.
Many of the early samples used applications such as wget, UltraVNC, and ChkFlash. These utilities have been replaced with custom tools in the latest sample
Samples employing VNC used the same configuration and passwords
Additionally, the infrastructure used by this group has not changed much in the past three years. Many of the samples reused the same domains for implant communication. Also, many of the custom developed tools use hardcoded network locations.
Monikers used for filenames, exported DLL functions, domains, and variable names in scripts seem to be themed and consistent. By pivoting on indicators from one of the SFX implants within AutoFocus, additional samples are easily identified by overlaps in these consistencies. Most samples were delivered in a similar fashion: an SFX dropping resources which are staged and loaded with a batch and/or VBS script. The reuse of SSL certificates between IPv4 addresses as well as the reuse of IPv4 addresses between domain names is apparent when viewing a large collection of entities involved in this campaign, as shown below.
Focusing in on one of the newest samples (analyzed in Appendix A), the reuse of file names as well as SFX content files becomes apparent.
Figure 6 Overview of the relationships between Samples and Network Infrastructure used by the Gamaredon Group
Final Word
The implants identified have limited, generic, and often conflicting detections on VirusTotal. The threat group using these implants has been active since at least 2014 and has been seen targeting individuals likely involved in the Ukrainian government. Some of the samples share delivery mechanisms and infrastructure with samples which are detected by a few antivirus vendors as Gamaredon. However, newer variants deliver more advanced malware which goes unnamed.
Periodically, researchers at Palo Alto Networks hunt through WildFire execution reports, using AutoFocus, to identify untagged samples’ artifacts in the hopes of identifying previously undiscovered malware families, behaviors, and campaigns.
This blog presents a threat group identified by the above process using AutoFocus. By actively hunting for malicious activity and files instead of waiting for alerts to triage, defenders can identify and build protections for new trends before they arrive on their corporate networks and endpoints. More details about this threat group can be found in the AutoFocus tag GamaredonGroup.
Palo Alto Networks customers are protected from this threat in the following ways:
WildFire identifies the malware described in this report as malicious.
Traps prevents execution of the malware described in this report.
The C2 domains used by this group are blocked through Threat Prevention.
Special thanks go out to Tom Lancaster for both his assistance in this investigation and for his charming good looks.
Appendix A: Custom Implant Analyses
USBStealer: MSO5678.usb / OfficeUpdate.dll
This file is a USB file stealer, as can also be guessed from its internal name “USBgrabber.dll”. However, the implementation is sloppy, which makes it a file stealer for any newly connected logical volume on a system: the malware monitors the computer for the messages WM_COMMAND and WM_DEVICECHANGE but does not verify that a USB drive was connected.
The malware creates two mutexes “__Wsnusb73__” and “__Wsnusbtt73__”. Then, it creates the following folder in the temp path of the local user:
“C:\Users\<Username>\AppData\Local\Temp\reports”
This folder is used as a temporary location to copy all files from a newly connected logical drive to and upload them to the C2 server. The files are transferred to the hardcoded C2 server “195.62.52.93” one by one via HTTP POST method. The following request is used which also includes information about the victim, the file to be transferred as well as the source drive:
The malware also creates a SQLite database named “asha.dat” in the local users temp folder. Therein, it keeps track of files which were stolen by calculating the MD5 hash of the filename followed by the file length. Therefore, it creates a Unicode string of the original file path from the drive and concatenates the file size in bytes to it. Finally, it uses the API functions MD5Init(), MD5Update() and MD5Final() to calculate the hash and store it in the database.
Figure 7 Structure of the database created by the malware
Note that hashes are added to the database only for files that do not have the following extensions:
DLL
BIN
CAB
EXE
ISO
Downloader: MSO1567.dls / LocalSMS.dll
This file is essentially a simple downloader which contacts the C2 server, sends some user data and receives an executable in response, which it then executes. The DLL is written in C++ and all of its functionality is in an export function named “EntryPoint”. The file was compiled without any compiler or linker optimizations, hence the large file size and the remaining PDB path string.
At first, the malware retrieves the temp path of the local user (“C:\Users\<Username>\AppData\Local\Temp\”), the computer name (e.g. “WIN-MLABCSUOVJB”), the hardware profile GUID (e.g. “{826ee360-7139-11de-8d20-808e6f6e6263}”) and the volume serial number of C:\ drive (e.g. “1956047236”). Next, it takes the following hardcoded string:
To create the filename where the downloaded file will be saved, the malware tries to build a random string of 10 characters. However, due to an implementation error the string always ends up being the same, namely “frAQBc8Wsa”. This string gets concatenated with the retrieved local user’s temp path to form the following file path:
C:\Users\<Username>\AppData\Local\Temp\frAQBc8Wsa
Then, it uses the API function URLDownloadToFileA() to download a payload to disk and executes it via CreateProcess(). Finally, it sleeps for 60 seconds before terminating the payload and the DLL exits.
Downloader: MSO8734.obn / MpClients.dll
This file is a slightly more advanced version of the LocalSMS.dll downloader. Instead of downloading a payload directly to disk, this file requests a download command from the C2 server which contains the actual payload URL to be used. To do so, it uses a basic network implementation based on the Winsock functions. All the functionality of this DLL is put into an export function named “bitDefender”.
It creates a socket, requests the address of the hardcoded C2 server “win-restore.ru” via gethostbyname() and connects to it. Thereafter, it also collects the volume serial number of C:\ drive, the computer name and the hardware profile GUID. With this information, it creates the following string used by a subsequent send() function call:
The response will be stored into a memory buffer via recv() and scanned for the string “urltoload={“. As the name suggests, the received data contains the actual URL of the payload inside curly brackets. The URL gets pulled out of the string and is used again as input for the API function URLDownloadToFile(). Again, the same file path will be used to store the payload on disk and execute it:
“C:\Users\<Username>\AppData\Local\Temp\frAQBc8Wsa”
Pteranodon: MSO1234.win / winrestore.dll
Pteranodon is a backdoor which also can capture screenshots based on a configuration file created on the disk. Further, it uploads the screenshots to the C2 server unencrypted. All the functionality of this DLL is put into an export function named “updater”.
At first, it retrieves the %APPDATA% folder of the local user to build the following file path:
Then, it checks if the file already exists and continues execution if so. If not, it runs a routine which checks if there is mouse movement as an anti-sandbox technique. If no mouse movement is detected the malware runs in an infinite loop checking for mouse movement.
If the file “desktop.ini” does not exist, the malware creates it and writes the following information into it:
” interval={60} msfolder={10} status={0}”
This information is used as configuration data to create the screenshots. There are also other commands possible which can be retrieved from the C2 server. The following commands are available:
exec={
This command is used to download and execute a payload from a URL present in the curly brackets. It creates a random file path in temp folder, calls URLDownloadToFile() and CreateProcess() to run the payload. Then, it waits 30s and terminates the payload.
interval={
This command is used to define the interval in seconds between the creation of two or more screenshots.
msfolder={
This command defines the number of screenshots to create.
command={ / command_c={
This command is used to execute a file present as a string between the curly brackets. The variant with the “c” uses the Windows tool cmd.exe with help of ShellExecute().
status={
This command contains the flag which defines if screenshots should be made (“1”) or not (“0”).
Next, it checks for a mutex named “asassin1dj” to verify if the system is already infected and creates it if this isn’t the case:
Figure 8 Mutex check and creation routine
Next, it creates the following folder, if not already present:
Next, according to the configuration data in “desktop.ini” it constantly creates 24-bit color depth JPEG screenshots without extension in the store folder with help of GDI32 and gdiplus API functions. The following file naming scheme for the screenshots is used:
<year><month><day>_<hour><minute><seconds>
After the last screenshot is created, it uploads all files from the “store” folder to the C2 server “win-restore[.]ru”. Then, it deletes all the files present in the folder and starts a new screenshot creation cycle. It should be noted that there is no check of which files are uploaded. The files are uploaded via the HTTP POST method to the script “vvd.php”. For this, the following HTTP request is used, which also contains data about the victim as well as the JPEG files:
Finally, it checks if any new command information is available from the C2 server and updates the “desktop.ini” file according to it. Based on functionality, compile timestamps, and binary differencing this malware is likely an updated version of 598c55b89e819b23eac34547ad02e5cd59e1b8fcb23b5063a251d8e8fae8b824.
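Both the Pteranodon command list above (exec, interval, msfolder, command, command_c, status) and the MpClients.dll downloader's urltoload={...} response use the same key={value} token shape, which makes captured C2 responses and recovered desktop.ini files easy to triage. The parser below is an added example, not Unit 42 code; only the token shape and key names are taken from the post, the sample responses are constructed, and the hostnames in them are placeholders rather than the post's indicators.

```python
"""
Parser for the key={value} command tokens the post attributes to Pteranodon
(exec, interval, msfolder, command, command_c, status) and to the MpClients.dll
downloader (urltoload). Written to triage captured C2 responses and recovered
desktop.ini files; the sample texts are constructed, and only the key={...}
token shape is taken from the post, not any surrounding framing.
"""
import re
from dataclasses import dataclass, field

# Keys listed in the post and the effect it attributes to each
KNOWN_KEYS = {
    "exec": "download and execute a payload from the given URL",
    "interval": "seconds between two screenshots",
    "msfolder": "number of screenshots per cycle",
    "command": "execute the given file",
    "command_c": "execute via cmd.exe using ShellExecute()",
    "status": "screenshot capture on (1) or off (0)",
    "urltoload": "MpClients.dll: URL of the payload to fetch",
}
CONFIG_KEYS = ("interval", "msfolder", "status")
TOKEN_RE = re.compile(r"(\w+)=\{([^{}]*)\}")


@dataclass
class C2Parse:
    tokens: list[tuple[str, str]] = field(default_factory=list)     # every key={value}
    config: dict[str, int] = field(default_factory=dict)            # desktop.ini fields
    urls: list[str] = field(default_factory=list)                   # exec / urltoload
    run_lines: list[tuple[str, str]] = field(default_factory=list)  # command / command_c
    unknown: list[str] = field(default_factory=list)                # keys not in the post
    malformed: list[tuple[str, str]] = field(default_factory=list)  # non-numeric config


def parse_c2_text(text: str) -> C2Parse:
    """Extract every key={value} token and sort it by the effect the post describes."""
    out = C2Parse()
    for key, value in TOKEN_RE.findall(text):
        key = key.lower()
        value = value.strip()
        out.tokens.append((key, value))
        if key not in KNOWN_KEYS:
            out.unknown.append(key)
        elif key in CONFIG_KEYS:
            if value.isdigit():
                out.config[key] = int(value)
            else:
                out.malformed.append((key, value))
        elif key in ("exec", "urltoload"):
            out.urls.append(value)
        else:  # command / command_c
            out.run_lines.append((key, value))
    return out


def apply_update(current: dict[str, int], parsed: C2Parse) -> dict[str, int]:
    """Merge config tokens from a C2 response into an existing desktop.ini config,
    as the post says the implant updates the file after each cycle."""
    updated = dict(current)
    updated.update(parsed.config)
    return updated


def render_desktop_ini(config: dict[str, int]) -> str:
    """Serialise in the layout the post shows: ' interval={60} msfolder={10} status={0}'."""
    return "".join(f" {k}={{{config[k]}}}" for k in CONFIG_KEYS if k in config)


DEFAULT_CONFIG = {"interval": 60, "msfolder": 10, "status": 0}  # values from the post

# Constructed sample inputs (hostnames are placeholders, not the post's IoCs)
SAMPLE_DESKTOP_INI = " interval={60} msfolder={10} status={0}"
SAMPLE_PTERANODON_RESPONSE = (
    "status={1} interval={30} exec={http://payload.example.invalid/a.exe} "
    "command_c={hostname} bogus={1} msfolder={ten}")
SAMPLE_MPCLIENTS_RESPONSE = "urltoload={http://stage.example.invalid/b.exe}"

if __name__ == "__main__":
    p = parse_c2_text(SAMPLE_PTERANODON_RESPONSE)
    print("config update:", render_desktop_ini(apply_update(DEFAULT_CONFIG, p)))
    print("payload URLs:", p.urls + parse_c2_text(SAMPLE_MPCLIENTS_RESPONSE).urls)
    print("unknown keys:", p.unknown, "malformed:", p.malformed)
```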
wmphost.exe
This file runs an infinite loop until mouse movement gets detected, then it exits. This file can be used to circumvent sandboxes that don’t simulate mouse movement. To detect if it’s running inside a sandbox, another file can scan the list of running processes to see if “wmphost.exe” is present or not.
For the second consecutive year, I’m happy to announce that TSIA, the Technology Services Industry Association, and J.D. Power have recognized Palo Alto Networks for providing our customers with an exceptional customer support experience. Receiving this award for two consecutive years is a true demonstration of the dedication and commitment of this talented team.
Achieving this high-level certification required Palo Alto Networks Services to undergo a rigorous evaluation process and audit and required customer satisfaction scores to be among the top 20 percent of companies globally that offer assisted technical support.
In addition to the team’s commitment to providing the absolute best possible customer experience, the services organization, under the leadership of Brett Eldridge, senior vice president of global customer services, has made a significant commitment to the people, process and technology required to enable the team to function most efficiently and effectively.
2015 & 2016 J.D. Power Certified Assisted Technical Support Program – Palo Alto Networks, Inc. has been recognized by J.D. Power for two consecutive years for providing “An Outstanding Customer Service Experience” for its Assisted Technical Support.
J.D. Power 2016 Certified Assisted Technical Support Program, developed in conjunction with TSIA. Based on successful completion of an audit and exceeding a customer satisfaction benchmark for assisted support operations. For more information, visit http://www.jdpower.com or http://www.tsia.com.
2015 & 2016 TSIA Global Rated Outstanding Assisted Certification – TSIA certification recognizes that Palo Alto Networks has achieved Global Rated Outstanding Assisted Support for a second consecutive year. Customers can purchase Palo Alto Networks products with confidence knowing that Palo Alto Networks meets the highest industry support standards.
To read more about these accolades, please visit the following links:
Despite an ever-changing threat landscape, one thing you can depend on is receiving the best possible support from Palo Alto Networks. We couldn’t be more proud to receive recognition for a second time from both TSIA and JD Power. We will continue our commitment to delivering an exceptional support experience for our customers.
Please let me know if you have any comments or questions, or contact me via Twitter anytime at @CicconeScott.
I was at a recent IDC security leaders’ dinner where the topic of GDPR came up again, with discussion on perceptions to it. The question was whether security leaders see it as a “glass half empty or full” scenario:
Do you see the regulation as an opportunity to embrace the opportunity to review and evolve your cybersecurity capabilities to leapfrog today’s requirements, building something that can scale for the future? Or is this another regulatory burden that companies must “get through” to move on to the next daily challenge?
Having been a strong advocate of the opportunities GDPR provides for the last couple of years, I’m still struck by the variety of emotional responses I get from security leaders when discussing the legislation. I draw the parallel to the five stages of bereavement.
For many the first response is denial. I’m struck by how many still either don’t believe it will impact them, or don’t believe penalties will be applied; therefore, they don’t need to take it seriously (at which I’m struck by why they don’t see the societal value). The reality is that, no matter how much we choose to ignore GDPR, it is happening; and we must make the positive decision on whether we choose to embrace it or not. Typically getting through this emotional state is a challenge of education.
This leads into the next stage of anger, which I would exemplify through the statement of “Just tell me what I need to do!”. Unlike standards like PCI, which is an industry-led requirement that is very prescriptive (you must have X & Y), GDPR contains very few clear technical definitions. For example, what is “state of the art” or “security by design and default,” and when does a breach really start? Security practitioners like things black and white; the regulation is shades of grey. It requires each of us to work across our business teams to interpret and define exactly what it does mean to our business, and how we quantify and qualify this both to our business and third parties.
All too often I’m seeing this lead to bargaining. To quote one instance, “We have been working with our legal team and will argue the definition of a breach does not apply effectively”. Whilst I’m sure a few will gain some early successes with this, to me, it feels like swimming against the tide. I can only expect definitions to be tightened where needed, but the underlying intent of the regulation is clear: protect citizens’ personal information and drive confidence in the use of technology in today’s society.
Essentially, at some stage, most go through depression (the cup-half-empty view: “This is real and happening, and you can’t ignore it or wriggle around it”). This leads to the realization that we need to understand just what the gap is between where we are and where we need to be, and to gather the budget and support to close it within the business. This is the point to switch to the half-full cup, if you haven’t already. How often do you get the opportunity to step back from the daily cyber grind and review and re-architect with an eye to the future? Most of us are stuck with a lot of legacy, and this is a perfect opportunity to phase it out.
The reality is that, whether we like it or not, we end up at acceptance: it is happening; GDPR goes live in 2018, and any one of our businesses could be held to account, either as a result of an incident or, as I suspect will be the most likely cause for many, because a third party in your supply chain requests evidence of your compliance as they look to achieve their own. I can share that I’m aware of companies already getting such requests.
So, what are the takeaways here? All too often cybersecurity is treated as a purely technical challenge. Yes, we are improving on the social attack aspects (social engineering, the insider attack), but in this instance there is a human aspect we must factor in. As you map your business strategy to adhering to the new GDPR legislative requirements, you need to build in time for your own emotional journey, and realize that others in the business also need to go on theirs. Consider what you can do to help short-circuit this: get educated, and discuss with your peers both inside and outside your own business. Don’t assume that all your stakeholders are at the same point of the emotional journey you are; take the time to validate where they are and how you can nurture them through to maturity. GDPR is coming; it’s a positive opportunity to improve our own cybersecurity capabilities and a pivotal change to ensure confidence as we become an increasingly digital society.
Your website needs to be well-designed, functional, and aesthetically reflective of your brand. But don’t forget that it also needs to be safe. Website security is a vital part of development: it makes your data less vulnerable to cybercriminals and increases the security of your customers’ financial transactions.
You’ll also reduce the likelihood of a massive consumer data breach, like the one Target suffered a few years back, which cost the company $39 million and even more in lost consumer trust. And you’ll build your reputation and trustworthiness simply by having tighter security standards on display.
Getting Technical
Unfortunately, website security is a somewhat complicated issue. Top data security experts have decades of experience and work tirelessly to come up with ingenious new ways to protect against digital vulnerabilities. Today’s entrepreneur has access to tools like Website Setup that make it easy to launch and manage a website, but it’s difficult to match this level of dedication — especially when you don’t have the technical knowledge to back up your efforts.
Today’s website building tools and practically unlimited online resources make it easier to make your site safe — but you still must be familiar with your top priorities.
Website Safety Features
These are some of the most important website safety features to have integrated for your customers:
SSL encryption. SSL encryption (today provided by its successor protocol, TLS) is a relatively simple installation and the basic security feature that encrypts the connection between a web browser and a web server. When customers input information (like credit card numbers), that information is passed from the customer’s browser to your web server; SSL encryption makes sure that information can’t be easily read or intercepted in transit by third parties. SSL-encrypted sites are designated by an “https” prefix that lets consumers know they’re safer.
Secure login and logout features. Simple, secure login and logout features can also make your site safer. For example, you could require customers to sign in again when they’re about to check out, to avoid fraudulent purchases being made on an account that was left logged in. You could also have your site automatically log customers out after a period of inactivity. This helps prevent infiltration and identity theft.
Mandatory password requirements. You can also increase the security of your logins by instituting mandatory password requirements. Many people opt to create simple, memorable passwords such as “password,” “123456,” pet names, birthdays, or other basic combinations. However, these are easy to guess and make it simple for a hacker to gain access to that user’s account. You could mandate that passwords be at least a certain number of characters, or that they contain multiple types of characters: lower-case letters, upper-case letters, numbers, and special symbols.
Multi-factor authentication. Multi-factor security can also increase the safety of your site, though for the most part this method is reserved for banks and other financial institutions, where safety is of the utmost concern. With this setup, users must identify themselves in multiple ways, such as with a signature device as well as a password-based login.
Updated software and platforms. One basic action you can take to keep your site safe is keeping your CMS up to date. For example, WordPress routinely releases new versions and security fixes; making sure your site is updated will help you stay ahead of new potential threats and remain on the best system available to the public.
Hidden admin directories. Most template and basic CMS sites have a simple way to be accessed: the main domain, followed by a “/admin” or similar setup at the end. Hackers realize this and often try to break into the back end of a site by first accessing this admin directory. You can make your site more secure by “hiding” this admin directory, disguising it with a custom URL or otherwise masking your original directory.
Consumer information. Finally, keep your customers up to date with best practices for personal security. Let them know the advantages of choosing a strong, unique password, and encourage them not to stay logged into their accounts on public devices. There’s only so much you can do to your site to protect against security breaches; arming consumers with information to protect themselves is the next step.
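The “secure login and logout features” item above describes two controls, an idle timeout and a fresh sign-in before checkout. The following is an added example (not code from the original article) showing how a server might enforce both. The session store is an in-memory dict and the clock is injectable so the behaviour can be exercised deterministically; the 15-minute idle timeout and 5-minute re-authentication window are assumed values, not taken from the article, and a real site would back the store with its web framework’s session storage.

```python
"""Idle timeout and re-authentication before checkout.

Added example, not code from the original article. A session is logged out on
the server after a period of inactivity, and a sensitive action such as
checkout requires that the customer signed in recently. Timeout values are
assumptions.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT_SECONDS = 15 * 60    # assumed: log out after 15 min of inactivity
REAUTH_WINDOW_SECONDS = 5 * 60    # assumed: checkout needs a sign-in within 5 min


@dataclass
class Session:
    user_id: str
    last_activity: float   # updated on every request
    last_auth: float       # set only when credentials were actually verified


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def login(self, user_id: str) -> str:
        """Called after the password (and any second factor) has been verified.
        Always issues a fresh, unguessable id so an attacker cannot pre-plant one."""
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = Session(user_id, now, now)
        return sid

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)

    def get(self, sid: str) -> Optional[Session]:
        """Look up a session; expire and drop it if it has been idle too long."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_activity > IDLE_TIMEOUT_SECONDS:
            self.logout(sid)
            return None
        s.last_activity = now
        return s

    def can_checkout(self, sid: str) -> bool:
        """Checkout is allowed only for a live session with a recent sign-in."""
        s = self.get(sid)
        if s is None:
            return False
        return self._clock() - s.last_auth <= REAUTH_WINDOW_SECONDS

    def reauthenticate(self, sid: str, user_id: str) -> Optional[str]:
        """After the customer re-enters valid credentials: rotate the session id
        and reset last_auth. Returns the new id, or None if the session is gone
        or belongs to a different user."""
        s = self.get(sid)
        if s is None or s.user_id != user_id:
            return None
        self.logout(sid)
        return self.login(user_id)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("customer-42")
    print("checkout allowed right after login:", store.can_checkout(sid))
```

Note that the idle check runs on the server, not only in the browser; a client-side logout timer is cosmetic, since a stolen session cookie is still valid until the server forgets it. Rotating the session id on every login and re-login also closes off session fixation.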
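For the “mandatory password requirements” item above, here is an added example (not code from the original article) of a policy check that enforces a minimum length and a mix of character classes, as the article suggests, and additionally rejects a blocklist of very common passwords (the article’s own examples among them) and passwords that contain the user’s own name. The length and class thresholds and the blocklist are constructed for this example; a real deployment would check against a large list of breached passwords.

```python
"""Password policy check.

Added example, not code from the original article. Policy numbers and the
blocklist are constructed; use a real breached-password list in production.
"""
import string
from typing import Iterable, List

MIN_LENGTH = 12          # assumed policy value
MIN_CLASSES = 3          # assumed: need 3 of lower / upper / digit / symbol
COMMON_PASSWORDS = {     # constructed sample
    "password", "123456", "12345678", "qwerty", "letmein", "iloveyou", "welcome",
}


def check_password(password: str, user_context: Iterable[str] = ()) -> List[str]:
    """Return the list of requirements the password fails (empty = acceptable).

    user_context carries strings the password must not contain, e.g. the
    username or the local part of the e-mail address.
    """
    problems: List[str] = []

    if len(password) < MIN_LENGTH:
        problems.append(f"at least {MIN_LENGTH} characters")

    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    if sum(classes) < MIN_CLASSES:
        problems.append(
            f"at least {MIN_CLASSES} of: lower-case, upper-case, digit, symbol"
        )

    lowered = password.lower()
    # "Password123!" is still "password": strip trailing digits and symbols
    # before comparing with the blocklist.
    stem = lowered.rstrip(string.digits + string.punctuation)
    if lowered in COMMON_PASSWORDS or stem in COMMON_PASSWORDS:
        problems.append("too common")

    for token in user_context:
        token = token.strip().lower()
        if len(token) >= 3 and token in lowered:
            problems.append(f"must not contain '{token}'")

    return problems


if __name__ == "__main__":
    for candidate in ("password", "Password123!", "Blue-Teapot-Orbit-42"):
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

Returning the full list of failed rules rather than a bare True/False lets the sign-up form tell the customer exactly what to change. Note that a pure character-class rule rejects long all-lower-case passphrases; if you prefer to allow those, relax the class rule for passwords above a generous length while keeping the blocklist check.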
With these security factors in place, your company and your customers will both be better protected from digital threats. Your security doesn’t have to be top-of-the-line or ridiculously expensive to be effective; most cybercriminals spare effort by targeting only the most vulnerable companies, so even these simple features can help protect you.
Make the effort to step up your website’s security, and you’ll improve both customer acquisition and retention. What’s more, you will rest well knowing you have improved protection against possible attacks.