Malware, Ransomware, and the Next Big Threat

    September 21, 2017

    Imagine the lost revenue for a major retailer if they needed to shut down all of their stores for a few days, or even a few hours, especially over the busy holiday season. It would be worth millions to have those systems unfrozen. It will not be long before cybercriminals utilize ransomware that freezes all of a business’ POS systems, and the ransom will not be for the release of data, it will be for the ability to get back in business. The impact would be devastating.
     
    “We are not far away from a major breach of a POS system that has nothing to do with stealing credit card data, but instead is intended to hold the business’ ability to conduct transactions hostage for a large ransom. Stealing credit card data takes months, whereas ransomware takes minutes.”
    - Kevin Watson, CEO, Netsurion1

    If it seems like there is a new data breach every day, you’re right. As of August 30, 2017, there have been 956 breaches reported and more than 19 million records exposed. Not all breaches make the news but when they do, it’s because countless individuals have been affected and a company’s or brand’s reputation has been destroyed.

    What exactly is malware and ransomware?

    Malware, or “malicious software,” can take on many forms including viruses, worms, Trojan horses, spyware, adware, scareware, and ransomware. Malware is any piece of code designed to infect a computer or mobile device for malicious purposes, such as recording or stealing personal data, passwords, credit card information, etc. The information is then studied for behavioral purposes, stored and used against a person or company, or sold online through the “Dark Web.”

    The universal purpose is financial. Malware allows hackers to steal personal identities, corporate or government secrets, and even unreleased movies, books, or music. There is no end to what information can be stolen and repurposed for illicit gain.

    It can also be used to access and control corporate, educational, recreational, healthcare, or government computer systems and alter the way those systems conduct business; anything from changing grades on report cards, to voter fraud, to cutting power to homes.

    Just as one strain of malware strikes, gets identified and a fix created, copycat variants begin appearing almost immediately, making it more and more difficult to combat. New complex strains are getting progressively more destructive to individuals and businesses, making it difficult to predict and prevent future attacks.

    Ransomware is the current trend and, potentially, the most dangerous to a company or brand. Often transmitted by email, it locks your computer and prevents access to your data until a ransom (usually in Bitcoin) is paid. While this type of attack is not new, it has become much more sophisticated by encrypting files and data with a coded “lock” and the hacker has the “key.” To get the key, you must pay the ransom. Of course, there’s no guarantee you will ever get your data or use of your computer system back, regardless if you pay.

    Imagine the Impact: 1 in 5 businesses that paid the ransom never got their files back
    If you sell goods or services, and accept credit card payment, you are at a high risk and held accountable by PCI DSS compliance regulations, no matter your industry.

    Point-of-sale (POS) malware continues to make headlines and inflict damage on brand reputation and profit margins alike. Cybercriminals can widely impact most or even all locations by exploiting the POS system itself. It’s not much of a leap to go from POS malware stealing credit card data to POS ransomware holding a business hostage. The difference: Typical credit card malware must successfully persist on the target’s network for months while it syphons off credit card data. A ransomware attack needs only minutes to execute its plan.

    What would the victimized retailer be willing to pay to unlock their POS systems? If a brand was bleeding millions per day in actual revenue and potentially more in resulting data breach fines, brand reputation, and loss of customer loyalty, one could easily foresee the company being willing to pay a ransom of $2 million, which may be less than what they’d lose if they successfully restored operations on their own in just two or three days.

    The best ways to protect yourself from an attack still ring true:
    • Backup all files and data regularly
    • Don’t open any attachments or click on any suspicious ads (the ones telling you to “click here for something important” or “install this now”)
    • Keep all software updated to the latest version, utilizing any patches from the manufacturer
    • If you think your computer is infected, disconnect it from any other system
    While this is good, sound advice, it is not enough for a corporate entity that has multiple endpoints and relies on many internal and external users, third-party software providers, and needs to have internet access.

    Why it still happens

    No matter what size of the business, it’s rare to find a truly robust and large InfoSec team prepared to handle every endpoint security threat. The hard reality is that distributed, or frequently referred to as “edge” locations, are usually far too small to have the kind of dedicated cybersecurity expertise and teams that are available at the corporate level. The result is that these independently owned stores and franchise locations are often the weak link, a fact that is not lost on cybercriminals.

    For most retailers, network security currently consists of a firewall and anti-virus installed on each workstation and server. Unfortunately, as cybercriminals have become more sophisticated in their attacks, these defense measures alone are not enough to protect the network. Specifically, firewalls and anti-virus software are vulnerable to compromised third-party remote access tools, zero-day malware, and abnormal user behavior, all of which have been seen before in major retail breaches.
    Network Vulnerabilities

    Since most ransomware is a form of a zero-day malware, firewalls and anti-virus software cannot prevent most ransomware attacks. To prevent these types of vulnerabilities, additional protection is required.

    Unfortunately, IT teams are overwhelmed just maintaining the current systems and no longer have time to review log files or track every suspicious incident. And most are not trained in cybersecurity. It is becoming impossible for companies to exist without dedicated security teams, either on staff or outsourced to a third party. Finding the budget and other resources for such a staff is no longer an option.

    Imagine the Impact: A company is hit with ransomware every 40 seconds
    In addition, the compliance industry standards in existence today, including PCI DSS, HIPAA, SOX 404, FISMA/NIST 800-53, SANS CAG, GLBA, NISPOM, etc., are constantly being updated to meet current security and economic needs.

    Regular IT teams are overwhelmed just maintaining the current systems and no longer have time to review log files or track every suspicious incident. And most are not trained in cybersecurity. It is becoming impossible for companies to exist without dedicated security teams, either on staff or outsourced to a third party. Finding the budget and other resources for such a staff is no longer an option.

    The best offense is a good defense

    Anti-virus and anti-malware are not enough. Firewalls are not enough. Security patches and endless updates are not enough. The solution is to go beyond bare-bones regulatory compliance-based security and begin implementing real security measures that predict, prevent, detect, and respond to advanced threats.

    If you want to prevent or stop a malware attack today, you need an extensive security network that includes a detailed road map, sophisticated software packages, and a team of experts that are certified in cybersecurity and dedicated solely to monitoring log files, analyzing data, recognizing threats and being able to combat those threats in real time while proactively working to prevent future attacks.

    A company’s or brand’s reputation is on the line every time there is a data breach or ransom attack. These attacks can target third-party providers that are used by dozens of recognizable companies. If you own a major hotel, for example, and your third-party POS provider is hacked, your customers and brand suffer. The same goes for every industry.

    To turn your defense into the best offense, it is recommended that you do the following:
    • Standardize security measures across the corporate perimeter and all edge locations, and implement the same security measures inside your corporate perimeter.
    • Segment network traffic and implement a managed firewall to protect both inbound and outbound traffic.
    • Lock down your POS systems by segmenting these systems and limiting traffic to only known addresses.
    • Add a managed security information and event management (SIEM) system for both corporate and remote locations to provide early warning of cyberattacks. Inside your perimeter, consider a co-managed SIEM to provide the necessary expertise and resources to make the technology effective.
    • Invest in a managed detection and response (MDR) system to monitor internal network traffic and shorten the active window of a breach and limit the damage.
    • A managed security services provider, backed up with 24/7 monitoring and a security operation center (SOC), to add expertise and resources to your IT security teams.
    Imagine the Impact: Global ransomware damages are predicted to exceed $5 billion in 2017
    Even with all of the latest, greatest software and security teams in place, another form of malware is just around the corner, waiting to break into some unsuspecting system. Companies today need to stay vigilant in the war on cyberterror, not just protecting themselves from known threats, but being proactive to defend against future threats. Cybersecurity and the protection of corporate and client data should be the top priority for 2018. Budgets and resources should be adjusted accordingly.

    These cyberterrorists won’t go away until things like ransomware cease to be profitable for them.

    Footnotes:
    1. Kevin Watson, CEO, Netsurion, Whitepaper: Imagine the Impact: POS Ransomware = Devastating Business Loss (July 2017) https://www.netsurion.com/Corporate/media/Corporate/Files/White-Papers/POSRansomwareWhitepaper.pdf

    References:
    -- Chris Hoffman 2017 Basic Computer Security: How to Protect Yourself from Viruses, Hackers, and Thieves How-To Geek https://www.howtogeek.com/173478/10-important-computer-security-practices-you-should-follow/
    -- CNN Money Infographic: What is Bitcoin? http://money.cnn.com/infographic/technology/what-is-bitcoin/
    -- ITRC 2017 Identity Theft Resource Center CyberScout http://www.idtheftcenter.org/images/breach/2017Breaches/ITRCBreachReport-2017.pdf
    -- National Institute of Standards and Technology (NIST) https://www.nist.gov/
    -- Norton 2015 When Were Computer Viruses Frist Written, and What Were Their Original Purposes? https://community.norton.com/en/blogs/norton-protection-blog/when-were-computer-viruses-first-written-and-what-were-their-original
    -- Virginia Harrison and Jose Pagliery 2015 Nearly 1 million new malware threats released every day CNN Tech http://money.cnn.com/2015/04/14/technology/security/cyber-attack-hacks-security/index.html
    -- Kaspersky
    -- Cybersecurity Ventures

    Comments
    Blog post currently doesn't have any comments.