5 Reasons to Focus on Malware Delivery Mechanisms

Authored by Chris Olson, CEO and Co-Founder, The Media Trust.

Originally published by Security Magazine

Malware Delivery Mechanism

Defending against today’s pervasive web-based malware is not as straightforward and simple as it used to be. According to Symantec’s Monthly Threat report, the number of web attacks almost doubled in April of this year alone, up from 584,000 per day to 1,038,000 per day. Bad actors – seasoned cyber criminals, hacktivists, insiders, script kiddies and more – target premium, frequently whitelisted websites with varied motives such as financial, espionage and sabotage, to name a few. These web-based attacks are more targeted, complex and hard to detect, and when an employee visits an infected website, the damage to an enterprise network can be debilitating. Traditional security defenses like blacklists, whitelists, generic threat intelligence, AVs, web filters and firewalls fail to offer comprehensive protection. An alternative security approach is necessary, especially when working with malware data.

Managing malware data needs a paradigm shift

Currently, Information Security Professionals (InfoSec) and IT teams are trained to focus on the context of the web-based malware: What the payload might be; Is it replicating or morphing; Where’s the payload analysis; Who is targeting the website and why; along with a host of other variables. These are definitely valid questions, but should only be asked after action is taken to block it – not in order to take action.

Using existing analysis tactics to assess the ever-increasing volume of malware information is a Sisyphean task in the digital environment. The time it takes to agree that something is malicious is in direct proportion to your network’s exposure to web-based malware.

It’s time for InfoSec and IT teams to take a new, proactive approach to shielding customers and Internet real estate from web-based malware. It starts with adopting this simpler definition of malware: “Any code, program or application that behaves abnormally or that has an unwarranted presence on a device, network or digital asset.”

In essence, any code or behavior not germane to the intended execution of a web-based asset is considered malware. While this definition covers the obvious overt offenders it also includes seemingly non-malicious items including toolbars, redirects, bot drops, etc. Adopting a simple, yet broad definition enables you to focus on shielding your enterprise network from a wide range of active and potential malware attacks.

Understanding the digital environment is critical to breaking the analysis paralysis cycle and replacing it with a “block and tackle” approach. To do so, IT professionals need to focus on what matters: identifying the delivery mechanism in order to stop malware from penetrating the enterprise network. Here are five reasons why you should focus on the delivery mechanism:

Reason 1: Temporal malware is still dangerous

Web-based malware or malware delivered via the consumer internet (websites a typical person visits in the course of their daily activities, such as news, weather, travel, social and ecommerce sites) is fleeting and temporal. Research from The Media Trust reveals that in many scenarios web-based malware is active for as short as a few hours, giving little time for a deep dive analysis before blocking offending domains. If you spend time on analysis, you are a target for compromise because if the malware doesn’t infect your organization at the outset, it will most likely morph into another malicious domain or code to retarget the website with something more debilitating such as ransomware or keystroke logging.

Reason 2: Non-overt malware will turn on you eventually

Malware does not necessarily need to be complex or overtly malicious right from the start or upon initial detection. Annoying or seemingly innocuous behavior such as out-of-browser redirects, excessive cookie use, non-human clicks/actions or toolbar drops qualify as malware. While these behaviors may initially appear benign, they will frequently reveal their true intention upon a closer look at both Indicators of Threat (IOC) and Patterns of Attack (POA).

It happens quite often and reports suggest that every year researchers track 500+ malware evasion tactics used to bypass detection. For instance, a recent attack on several small and medium-tier ecommerce websites demonstrates malicious domains executing over varying time intervals and, in at least one instance, move from website to website across various geographies in order to avoid detection. In other instances, malware is specifically coded to look benign and only execute when certain conditions are met, e.g., geography, device, user profile or combinations of conditions. Taking weeks or months, this delayed execution is an effective technique to evade detection by most scanners. An auto-refresh ad on the browser or an alert to update software could be a red flag.

Reason 3: What’s in a name? 

While names are understandably necessary to tag malware, there is a tendency to initially fixate on labels rather than block the malware itself. For professionals in the frontlines of trying to stop web-based malware from infecting the enterprise network, focusing on the name can increase the dwell time and do more harm than good. Instead compromised domains will give teams better insight and allow them to block the malware from penetrating networks.

Reason 4: Past malware doesn’t predict future attacks

Just because malware is validated with a name or belongs to a recognized family; it does not always mean that information to defend against future attacks is necessarily reliable. The polymorphic nature of web-based malware allows it to propagate via different domains in various shapes and forms – embed malicious code on a web page through a particular CMS platform, execute an out-of-browser redirect, or present a fake system update alert. Not only is the delivery channel constantly changing, but also the actual intent and payload may change as well. Relying on past research is not a foolproof defense when it comes to ever-changing malware propagating in the digital ecosystem, which is a complex, mostly opaque environment.

Reason 5: Death by analysis

Extensive analysis of web-based malware before blocking it could have severe repercussions – either by way of a corrupted endpoint or a larger network breach. Once web-based malware reach endpoints, it is already past the security perimeter which means remediation efforts are necessary. According to reports, the average cost for an enterprise to clean up a web-based attack is estimated to be $96,000 and more.  Think of how many resources – people, time, money – could be saved if malware was immediately blocked upon detection.

By focusing on the delivery mechanism, security professionals can take a proactive stance to harden website defenses against web-based malware and also significantly reduce the time to action when it comes to securing endpoints and the enterprise networks. Real-time response is required or it provides the perfect window of opportunity for an attack to be successful.

Getting serious about malvertising with TAG

Authored by Alex Calic, Chief Revenue Officer, The Media Trust

3 steps to anti-malware certification

cmyk TAG Certified Against Malware

Malware is a serious problem in the digital advertising ecosystem. Not only is it a contributing factor to ad blocking adoption, but also a significant driver of ad fraud. The World Federation of Advertisers estimates that the total cost of ad fraud could exceed $50B by 2025. Clearly, something must be done.

Various groups have attempted to address this malware problem with little success, but one group is taking decisive action. The Trustworthy and Accountability Group (TAG)—supported by the IAB—recently launched a malware certification program. As an inaugural certification recipient, The Media Trust is fully behind this initiative—just ask for program details.

The certification program is open to any entity that touches creative as it moves through the digital advertising ecosystem, from buyer to intermediary to seller. Even malware scanners like The Media Trust have the option to participate and commit to industry efforts for creating a healthier advertising supply chain.

Benefits: Reap what you sow

TAG’s “Certified Against Malware” seal is awarded to enterprises that can demonstrate adherence to rigorous anti-malware standards, especially those delineated in TAG’s Best Practices for Scanning Creative for Malware.

The program yields a host of benefits for publishers and their upstream partners. Specifically, participating companies can:

  • Improve their enterprise security posture: Adoption of continuous, 24/7, client-side scanning of digital advertising campaigns detects malware before it propagates to consumer devices.
  • Speed incident response: By allowing The Media Trust to send simultaneous alerts to you and your business partners, you reduce the time needed to resolve the issue across your entire advertising value chain.
  • Satisfy upstream partner requirements: Demonstrate compliance with advertiser and/or buyer directed policies for security.
  • Protect your brand value: Receive a “Certified Against Malware” seal from TAG to signal your enterprise’s efforts to identify and remediate malware in the digital ecosystem, a key element in many value propositions
  • Prove digital asset governance: Discovery and validation of all parties executing in your digital ecosystem supports enterprise-wide governance and risk frameworks.

Requirements: Steps to anti-malware certification

Anti-malware certification program participants promise to adhere to malware scanning best practices, make best efforts to identify and terminate malicious activity, and submit to a TAG-directed audit.

You, too, can join industry efforts by following these steps:

  1. Complete TAG registration: If not already a TAG-registered company, fill out the registration form, signal interest in malware certification (fees may apply), and designate both a TAG Compliance Officer and a primary malware point of contact. Indicate anticipated anti-malware certification path:
  • Self certify: Enterprise submits forms and documentation directly to TAG
  • Independent validation: Accredited audit firm or digital media auditor submits forms and documentation to TAG on the enterprise’s behalf
  1. Evaluate digital advertising ecosystem: To determine a reasonable scanning cadence, companies need to understand existing inventory flowing through the environment and the involvement of all upstream partners. Review existing inventory and assess typical volume by in-house, direct and programmatic; and, also consider the volume percentage by display, mobile, video, header bidding, etc.

Upstream partners should be identified and points of contact for security violations documented. Appraise each partner according to their history of addressing malware incidents, industry reputation and general relationship experience. Especially if a direct contract is not involved, discuss respective malware scanning responsibilities.

  1. Scan inventory: Implement malware scanning according to TAG’s Best Practices for Scanning Malware and document the entire processes. As a Certified Against Malware scanner, The Media Trust provides documentation on the scanning protocol for your environment including resolution procedure for malware incidents (Red Flag event).

NOTE: Watch this quick overview of TAG’s recommended scanning cadence.

Terminate malware: What are you waiting for?

The future of the digital ecosystem rests on everyone’s shoulder—advertiser, agency, ad tech and publisher. Let’s make it a better place. Verify your inventory is malware-free. The Media Trust can show you how—Just ask.

GDPR Compliance Risks on Websites

Authored by Matt O’Neill, General Manager, Europe, The Media Trust. 

The way the cookie crumbles

Website-compliance-risks

Today’s websites and apps (your corporate website included) are powered by sophisticated technology. After all, in order support consumer expectations—content consumption, search, social networking, shopping carts, travel booking, banking, news, gaming and so much more—websites incorporate robust solutions on the backend.

These solutions aren’t news to most InfoSec professionals, but it is where security problems start. Think about it. Almost 80% of a typical website’s functionality is outsourced to vendors providing specialized services such as data management platforms, marketing analytics, customer identification, image or video hosting, payment processing, content delivery and more. This third-party code operates outside the purview of your IT and security infrastructure, which means that you control less than 25% of the code executing on your website. As the website operator, you have no insight into when this code is compromised to act as a conduit for malware propagation and unauthorized audience data collection. Considering the current regulatory environment around data compliance, the above statistics should make you nervous.

Cookie crumbs

To put it bluntly: You can’t control what you don’t see, and the third-party code enabled functionalities on your digital properties are compromised more often than you think. Also, you have more third-party code than you realize.

As the security provider of choice for the world’s largest digital properties, The Media Trust scans websites for security and policy violations and actively manages more than 500 incidents at any one time. Some of the simplest websites average 10 third-party vendors, but most have dozens. The vendors continuously change and so do their actions.

The Media Trust’s website security and scanning team often detects persistent or unauthorized cookies with a lifespan of 30 years or more; one brand name ecommerce website recently dropped a 7,000+ year cookie. This is a huge issue with the EU’s General Data Protection Regulation (GDPR) which goes into effect in less than a year. Compliance to GDPR requires detailed, real-time, knowledge of executing digital partners and their activity, including the type of data collected and how long the partner remains on the user’s device, i.e., browser, phone, tablet, etc.

If you are wondering how GDPR affects your business, then you’ve got a lot of catching up to do. GDPR supports the data protection rights of every EU resident, therefore every business with EU interests—in the form of customers, legal entities, business infrastructure, etc.—needs to comply. And, the global nature of the internet means any business with EU website traffic or app users needs to comply as well.

Clearly, enterprises should make some changes to digital operations in order to reduce exposure to GDPR violations. At a minimum, you need to do the following for all your digital properties—websites (desktop and mobile) and mobile apps included:

1. Communicate privacy policy

  • Write a clear privacy policy that explains use of third-party code and outlines any data collection activity
  • Place banner on homepage
  • Deliver Internal training

2. Provide easy-to-use opt in/ opt out mechanism

  • Explain need for tracking and how cookies are used to drive digital operations
  • Share links to individual privacy policies of all in-scope vendors on your site
  • Allow individuals to explicitly agree and/or refuse tracking

3. Understand how website/app-generated data is acquired, used & stored

  • Identify data: Registration, Cookies, IP addresses, device IDs
  • Assess the legal basis to collect data and determine if consent is necessary, e.g., Personally Identifiable Information (PII) vs. transaction functionality, etc.
  • Evaluate need for a specific policy regarding data collection of minor activity (16 years old in GDPR; under 13 years old in U.K. and U.S.)

4. Support data portability

5. Incorporate website intrusion in data breach reporting

While the GDPR mandate for websites has been clearly laid out, meeting it is easier said than done! With the fines for noncompliance enumerated in the regulation (between 4% of global revenues or €20 Million), InfoSec is under pressure from internal risk and compliance professionals to ensure all data elements are documented, assessed and controlled.   

Ignorance is real. So is anarchy.

With such a tall order, it is disturbing that so many InfoSec professionals overlook the perils of third-party vendor code going unchecked. Companies desperately need to incorporate digital vendors into their vendor risk management program. Most website/app operators are in the dark about how many direct and indirect vendors contribute to code on their site and who these vendors are, let alone know how many domains and cookies these vendors use to track website visitors.

Digital vendor risk management will highlight the security and compliance gaps inherent in the digital environment. For example, there really isn’t a clear chain of command when it comes to authorizing the presence of third-party vendors executing on a website. It is a fairly decentralized process, with departments like marketing, sales, IT, risk and legal all making decisions regarding the vendors they would like to use for various website functionalities. This makes creating accountability challenging, with most issues relegated to the IT and security departments to solve.

Putting the “Digital” in Vendor Risk Management

Yes, the odds are stacked against website operators, but creating a holistic digital vendor risk management program isn’t impossible. To create a risk management and GDPR compliance program for your digital properties, you should be able to answer the following:

Within 2 weeks:

  1. How many third-party vendors execute in websites and mobile apps
  2. What are the names of these vendors?
  3. What exactly are they doing, i.e., intended purpose and also additional, out-of-scope activity?

Within 1 month:

4. Do we have contracts to authorize the scope of the work?
5. How does third-party vendor activity affect overall website/app performance?
6. What are the risks to data privacy?
7. What is my exposure to regulatory risk via vendor behavior?

Within 3 months:

8. Am I maintaining encryption throughout the call chain?
9. As these vendors change over time, what is the process to identify new vendors and their activity on websites and apps?
10. If the corporate website isn’t fully secure, what happens when employees visit the site? Is the enterprise network at risk?

Once you’ve been able to answer the above questions, within a year’s time, you should be able to create comprehensive digital vendor governance process that looks like this:

GDPR Complian Blog Post Image

Ecommerce: Payment card stealing malware

Authored by Chris Olson, CEO and Co-Founder, The Media Trust.

Malware compromise demonstrates how payment security standards are in dire need of an update for the digital environment.credit cards falling as dominoes

A bad actor has upped the stakes in his campaign to collect consumer payment card information by expanding his reach to mid-tier ecommerce providers across the US, UK and India, covering a range of industries including apparel, home goods, beauty and sporting event registrations.

Echoing a similar scenario observed over Memorial Day weekend in 2016, the bad actor injected a transparent overlay on top of the credit/debit card information block on a payment page so that a victim’s financial information is surreptitiously collected and sent to another party, not the e-retailer.

Considering these ecommerce firms earn anywhere from a $10,000 to $400,000 a day, the ecommerce firms risk significant revenue loss and negative consumer confidence. In addition, they also demonstrate inadequate security processes, even though these processes may comply with Payment Card Industry (PCI) standards.

[Please note, The Media Trust has a policy of not revealing the names of websites experiencing an active compromise. Affected ecommerce site operators were, however, notified of this breach.]

The big picture

The infection gradually spread to a number of small and mid-tier ecommerce sites in the US, UK and India, over the last few days. Upon analysis, The Media Trust discovered that each ecommerce provider uses the same open source content management system (CMS) to serve as the consumer-facing front end. The CMS platform’s master page script is infected with one of the several malicious domains. The malicious domain is present in the website’s footer section which means that it permeates every page of the site and not just the checkout page.

In addition, researchers detected multiple domain pairs, which were registered by the same bad actor within the past few months and labeled as suspicious by The Media Trust within two weeks of creation. The domains are now overtly malicious. To avoid detection, the malicious domains execute over varying time intervals and, in at least one instance, move from website to website across the three regions.

Scenario breakdown

In the course of supporting our clients, The Media Trust first detected the malicious actor via client-side scans of advertising-related content, i.e., creative, tags and landing page. The ecommerce site serves as the landing page for an advertising campaign.

The actor used multiple techniques to carry out his attack. In the following scenario, the landing page contains <assetsbrain[dot]com>, extraneous code unnecessary for the proper execution of a payment.

Image 1Malicious domain in the website’s footer

When the victim chooses to make a purchase via the checkout page, <assetsbrain[dot]com> performs two distinct actions: executes JavaScript to inject a transparent overlay on top of the payment card information block and drops a user-identifying cookie.

Ecommerce Post Image 2.pngExecution of transparent overlay

After input of card details, the malicious domain sends the information to <bralntree.com/checkPayments[dot]php>, an obvious spoof of a common payments platform.

Because the ecommerce operator doesn’t receive the card details, the shopper receives an error message and/or request to re-submit their payment information. The unauthorized cookie identifies the user and therefore does not execute the malicious script when the user re-enters the payment card information.

Online transactions remain a risky endeavor

In the realm of compromises, this infection highlights the inadequacy of current PCI security standards. Issued by the Payment Card Industry Council in 2005, the PCI Data Security Standard (PCI DSS) aims to protect cardholder data used during online financial transactions. Backed by the world’s largest credit card issues, PCI DSS requires online merchants to conform to a set of standards such as regular website and server vulnerability checks.

The affected ecommerce sites do not have certifications or seals demonstrating PCI compliance. Their privacy policies declare regular scanning and website security policy review; however, these processes are insufficient, since traditional web application security (appsec) solutions are not able to effectively detect malicious behavior executing via third-party code.

Proving the fallibility of traditional web application scanning utilities, all domains (ecommerce providers, initial malicious domain and spoofed payments platform) are considered clean by VirusTotal as of early morning May 16.

Protect your business by securing your revenue stream

Any size ecommerce provider can protect their revenue and reputation by adopting the following website risk management strategies:

  • Secure your CMS platform: Review security processes with the CMS platform and keep all code and plugins up to date.
  • Surpass PCI DSS standards. Demand more rigorous scanning of the entire website to identify compromise of both owned and third-party code not visible to the website operator.
  • Audit operations. Document all vendors and their actions when executing on your website. This helps you quickly identify anomalous behavior and establishes a remediation path.

Agencies and the Ad Quality Quandary

Authored by Chris Olson, CEO and Co-Founder, The Media Trust.

Increasing advertiser demands turn the wheels of change for agencies.

Media buyers and ad quality

There’s no denying that two major phenomena are actively reshaping the existing digital advertising supply chain:

  1. Accountability is being pushed upstream

Not long ago, digital publishers bore the brunt of the blame, shame and liability (financial and legal) for ad-related problems such as performance issues, unauthorized collection of audience data, and security concerns (malvertising). Today, armed with more public awareness (in the form of ad blocking, among others), industry best practices (e.g., TAG, IAB LEAN) and regulations (GDPR anyone?), publishers are finally pushing back on upstream partners when policy-flouting ads are served to their digital environments. And, many partners are listening. Now, several other ad tech players on the buy side of the digital supply chain are joining this publisher revolt and to direct accountability for creative issues to their upstream partners.

  1. Advertisers have spoken

Earlier this month, in an interview with The Wall Street Journal, P&G’s chief brand officer, Marc Pritchard didn’t mince words when it came to expressing his irritation with everyone’s acceptance of serious flaws with the digital advertising supply chain. While he highlighted the complexities of digital advertising and confusing agency contracts, what stood out were his comments on the quality of the digital ad experience for consumers:

“Sometimes we deliver a high-quality media experience, but all too often the experience is, well, crappy. We bombard consumers with thousands of ads a day, subject them to endless ad load times, interrupt them with pop-ups and overpopulate their screens and feeds…”

This comment from the world’s biggest advertiser underscores the importance of digital ad quality in regards to what is being “presented” to audiences today and rightfully so. According to recent research, the consumer packed goods (CPG) industry spends almost 20% of their $225 billion annual marketing budget on digital advertising, yet retailers and shoppers alike gave digital advertising low marks for effectiveness. This provides further impetus for more advertisers to focus on improving the digital ad experience, thus putting the sell-side is under immense pressure to not just launch high-quality ads into the digital supply chain but to prove that those are high-quality ads.

New priorities, New challenges

As the digital ad ecosystem evolves, agencies and media buyers need to re-establish trust with both consumers and advertisers. The first step is adopting industry best practices and standards for ad quality and security. This includes being judicious about audience data collection activity and keeping abreast of the ever-evolving guidelines for a plethora of ad formats.

Agencies have a lot of work to do. As depicted in the image 1, most media buyers today need to take a more farsighted approach to campaign development and scanning. The assumption that an ad, upon entrance into the digital ecosystem, is exactly the same when it renders on a website showcases this ignorance. To meet changing advertiser demands for a better digital ad experience, agencies need to look at:

Creative vs. Total Ad Experience Characteristics

Image 1

Simply put: agencies need to adopt a more comprehensive view of the entire ad experience – creative + ad (the actual creative with all the corresponding analytics code) + landing page, not just the creative. 

A paradigm shift in agency priorities is required. Agencies and media buyers are under unprecedented scrutiny to address ad quality as they are where creatives originate. Their inability to meet the changing demands of both advertisers and publishers directly impact the following areas:  

  • Ability to Launch and Serve Ads

As ad formats and standards continue to evolve, meeting these specs across publishers, platforms, and networks impact your ability to serve ads

  • Ad Spend and Campaigns

Delays in launching campaigns jeopardize ad spend and campaign metrics. Also, the inability to verify the campaign and its success – is the ad getting served the way it should be and to the target audience – could damage relationships with advertisers

  • Brand Image

Noncompliance with complex and changing regulations damage brand image and lead to penalties potentially for the advertiser, publisher and the agency itself

Pressure changes the status quo

While the brief to media buyers about what to do and what is expected is clear, it will be interesting to see how agencies actually adapt to the changing digital advertising landscape. Balancing advertiser demands while trying to achieve operational efficiencies and scale and trying to win a turf war against big consulting firms can prove to be a heavy lift for agencies. These bi-directional pressures coming from advertisers on one end and published on the other end of the digital ad supply chain will force revolutionary change. If done right, the end result is a transformed digital advertising ecosystem: positive UX via an optimized and profitably monetized channel.

Malware is Malware… except when it isn’t

So block anomalous activity first and ask questions later (please).

malwareoptions-700x148

As IT professionals (and logical human beings) we have been taught to analyze a situation first and then act based on knowledge gained from the analysis. Acting without an understanding of the full picture is considered impulsive and oftentimes, even foolish.

This is not always the best strategy in today’s fast-paced environment of ever-evolving and growing security threats. When working with malware, security professionals need to unlearn the “think twice” philosophy – they need to act first on qualified intelligence and then, if needed, analyze the data in more detail. This is especially true in the temporal world of the internet where web-based malware needs to be treated like harmful parasites that must be terminated immediately upon detection to stop propagation. Frequently, web-based threats initially present as benign code or operations; however, they easily morph into overt threats without your knowledge.

Going against the grain is a good thing

Today, Google reports more than 495,000 monthly searches for the term malware, producing around 76.4 million results. This should come as no surprise considering that there are nearly 1 million new malware threats detected every day.  

This high level of interest in the topic of malware combined with the aggressive growth of the security software market (valued at $75 billion in 2015) indicate that enterprises struggle to analyze and come to terms with the increasingly complex digital threat landscape. As studies consistently report on this lack of understanding about cybercrime and threats, it is high time that enterprises do something about it.

(Re)Defining Malware

First, let’s get back to basics and clarify the definition of malware:

“Any code, program or application that displays abnormal behavior or that has an unwarranted presence on a device, network or digital asset.”

This means any code or behavior not germane to the intended execution of a web-based asset is considered malware. Malware does not need to be complex, overt or malicious right from the time it is detected.

This definition means annoying or seemingly innocuous behavior, such as out-of-browser redirect, excessive cookie use, non-human clicks/actions or toolbar drops qualify. Most of these behaviors may seem benign now, but a close look at both Indicators of Threat (IOC) and Patterns of Attack (POA) typically suggest another story altogether.    

Don’t question the malware, question yourself  

IT professionals who’ve spent thousands of dollars and hours of learning to develop a knowledge base find it difficult to simply act without questioning and possibly over-analyzing ready to utilize data sources.

Working with qualified intelligence sources will make it much easier to change the “endless analysis” paradigm. If you must ask questions, question yourself and not the malware (at least not before blocking it first).

IT professionals need to reflect on the rapidly evolving web-based threat landscape. On a frequent basis, ask yourself:  

  1. Where are the vulnerabilities in my enterprise network?
  2. Are the tools used to secure my organization effective enough to handle increasingly sophisticated web-based attacks?
  3. What kind of threat intel resources are available? What is our experience with each source?
  4. What does my incident response look like? Is it swift and cost-effective?
  5. Where and how can I increase my operational efficiencies around my threat intelligence strategy?

Block first, ask questions later

The idea is simple, shield yourself against web-based breaches by being more proactive about the enterprise security posture. If and when breaches do occur, you should have at least limited the level of damage caused by loss of data, reputation and business continuity.

Before you spend all your time, money and effort on a full payload analysis of every malware alert, oftentimes, trying to verify the impossible, remember to block it first. What’s the worst that can happen? You block something that an employee needs? Trust me, they’ll let you know.

 

Ransomware and the small/medium-sized enterprise

When the “cost of doing business” is no longer an option.

hand is coming out of Computer screen front

“It’s the cost of doing business.” Over the long holiday season, I heard this phrase several times while socializing with family, friends and business acquaintances. My usually optimistic social group bemoaned the annoying effect ransomware has had (and continues to have) on their day-to-day business.

The topic isn’t a surprise. Around the country, similar professionals at small/medium-sized enterprises (SMEs) echo their sentiments. What surprised me was their passive reaction to the problem. Even the current President Barack Obama and the President-elect Donald Trump recognize the threat of cybercrime to businesses and the public.

It’s not just you, Mr. SME

Ransomware has undoubtedly been on the rise, with some groups such as the FBI claiming 4,000 attacks a day. These high numbers affirm the fact that ransomware is a financially motivated, equal opportunity malware; it wants to lock down any device that has an owner, whether the owner is a teenager, a global business tycoon or a small business owner.

Unfortunately, ransomware can be debilitating for small/medium-sized businesses (SMEs) whose viability hinges on access to customer lists, financial records, product/service details, legal contracts and much more. Most SMEs don’t have the resources or a sophisticated technology infrastructure to adequately secure their business. In fact, almost a third of SME don’t employ an information security professional. And, considering more than 70% of businesses actually pay up, ransomware is the perfect exploit for SMEs.

Clearly, it’s a big problem that needs a big solution, right?

Backups, backups, backups

From hospitals and medical offices to accounting firms and ecommerce shops, ransomware has proven to be a successful criminal endeavor, with many paying more than $10,000 for each incident to regain access to their business data. And, SMEs seem to have learned to accept it as a cost of doing business.

“It’s not a big deal, Mark. We just do more frequent backups.” Yes, this was an overwhelmingly common approach to the problem. It seems my discussion partners spend several hours a week making backup copies of files. When asked about the costs (storage, time resources, duplicate systems, access to backups, energy usage, etc.) the response was a casual shoulder shrug. Really? Frequent backups is your security strategy? At a time when businesses are getting leaner in every way, spending time and resources on backups isn’t a good use of ever-thinning IT budgets or the scarce security talent.

Beyond backups – seal the entryway

Backups are good, but they are just one piece of a more holistic security strategy against ransomware. The biggest challenge is helping my fellow IT professionals understand that ransomware—and any malware for that matter—can penetrate the best of defenses. The key is knowing how it enters: basic everyday Internet usage at work (think about email, websites, apps, out-of-date software/patches, etc.

“We use anti-virus software, blacklist the typical non-business sites, installed ad blockers, and repeatedly train staff about the perils of email links and attachments. What else is there?”

First, anti-virus (AV) and blacklisting isn’t enough as these defenses assume the bad guy is known; his signature is captured and stopped from executing. With thousands of new malware variants entering the digital ecosystem each day it’s nearly impossible for AVs to keep their protection levels up. Blacklisting is good for general business purposes. (I mean, if coworkers need to access porn, gambling or gaming during the work day you’ve got bigger problems!) But this doesn’t mean that all other websites are good, even the Alexa 1,000. Some of the largest web-based attacks occur on legitimate, premium websites.

Second, enterprise ad blocking isn’t all it seems. You may think that all ads are blocked, but this isn’t true. Large advertising networks pay a fee to whitelist their ads in exchange for agreeing to fit a stilted format. Media website owners (Facebook anyone?) are adopting technology to detect ad blockers and then re-insert their ads or content.

“Well, dammit, what should we do?”, you ask.

All is not lost – A new year has dawned

Now’s the time to take stock of your business’s information security plan. Conducting a full-scale audit can be daunting. To kick-off the process, I recommend the following initial steps:

  1. Identify all data sources (employee, vendors, customer). Increasingly, enterprises are asking their partners about security processes as part of their own security governance.
  2. Document how data is collected, used and stored. This includes mapping data input sources, e.g. website forms, emailed contracts, customer portals, payroll, etc.
  3. Estimate costs to collect and store data.
  4. Assign an owner to each data element, e.g., financial information to Finance, marketing data to Sales/Marketing, legal information to Contracts/Finance, etc.
  5. Score data value. On a scale of 1-100 assess the data’s criticality to business, e.g. if it’s lost what is the impact from financial, brand, relationship perspectives.
  6. Consider a Threat Intelligence Platform (TIP) to streamline data management and terminate threats before they penetrate the business.

Once you have this information you can then start to evaluate weaknesses, reinforce existing security processes and align IT budgets accordingly.

Ransomware isn’t as hard to tackle as many SME information security teams think.