Ransomware and the small/medium-sized enterprise

When the “cost of doing business” is no longer an option.

“It’s the cost of doing business.” Over the long holiday season, I heard this phrase several times while socializing with family, friends and business acquaintances. My usually optimistic social group bemoaned the annoying effect ransomware has had (and continues to have) on their day-to-day business.

The topic isn’t a surprise. Around the country, similar professionals at small/medium-sized enterprises (SMEs) echo their sentiments. What surprised me was their passive reaction to the problem. Even the current President Barack Obama and the President-elect Donald Trump recognize the threat of cybercrime to businesses and the public.

It’s not just you, Mr. SME

Ransomware has undoubtedly been on the rise, with some groups such as the FBI claiming 4,000 attacks a day. These high numbers affirm the fact that ransomware is a financially motivated, equal opportunity malware; it wants to lock down any device that has an owner, whether the owner is a teenager, a global business tycoon or a small business owner.

Unfortunately, ransomware can be debilitating for small/medium-sized businesses (SMEs) whose viability hinges on access to customer lists, financial records, product/service details, legal contracts and much more. Most SMEs don’t have the resources or a sophisticated technology infrastructure to adequately secure their business. In fact, almost a third of SMEs don’t employ an information security professional. And, considering more than 70% of businesses actually pay up, ransomware is the perfect exploit for SMEs.

Clearly, it’s a big problem that needs a big solution, right?

Backups, backups, backups

From hospitals and medical offices to accounting firms and ecommerce shops, ransomware has proven to be a successful criminal endeavor, with many paying more than $10,000 for each incident to regain access to their business data. And, SMEs seem to have learned to accept it as a cost of doing business.

“It’s not a big deal, Mark. We just do more frequent backups.” Yes, this was an overwhelmingly common approach to the problem. It seems my discussion partners spend several hours a week making backup copies of files. When asked about the costs (storage, time resources, duplicate systems, access to backups, energy usage, etc.) the response was a casual shoulder shrug. Really? Frequent backups is your security strategy? At a time when businesses are getting leaner in every way, spending time and resources on backups isn’t a good use of ever-thinning IT budgets or the scarce security talent.

Beyond backups – seal the entryway

Backups are good, but they are just one piece of a more holistic security strategy against ransomware. The biggest challenge is helping my fellow IT professionals understand that ransomware—and any malware for that matter—can penetrate the best of defenses. The key is knowing how it enters: basic everyday Internet usage at work (think about email, websites, apps, out-of-date software/patches, etc.).

“We use anti-virus software, blacklist the typical non-business sites, installed ad blockers, and repeatedly train staff about the perils of email links and attachments. What else is there?”

First, anti-virus (AV) and blacklisting aren’t enough, as these defenses assume the bad guy is known; his signature is captured and stopped from executing. With thousands of new malware variants entering the digital ecosystem each day, it’s nearly impossible for AVs to keep their protection levels up. Blacklisting is good for general business purposes. (I mean, if coworkers need to access porn, gambling or gaming during the work day you’ve got bigger problems!) But this doesn’t mean that all other websites are good, even the Alexa 1,000. Some of the largest web-based attacks occur on legitimate, premium websites.

Second, enterprise ad blocking isn’t all it seems. You may think that all ads are blocked, but this isn’t true. Large advertising networks pay a fee to whitelist their ads in exchange for agreeing to fit a stilted format. Media website owners (Facebook anyone?) are adopting technology to detect ad blockers and then re-insert their ads or content.

“Well, dammit, what should we do?”, you ask.

All is not lost – A new year has dawned

Now’s the time to take stock of your business’s information security plan. Conducting a full-scale audit can be daunting. To kick off the process, I recommend the following initial steps:

  1. Identify all data sources (employees, vendors, customers). Increasingly, enterprises are asking their partners about security processes as part of their own security governance.
  2. Document how data is collected, used and stored. This includes mapping data input sources, e.g. website forms, emailed contracts, customer portals, payroll, etc.
  3. Estimate costs to collect and store data.
  4. Assign an owner to each data element, e.g., financial information to Finance, marketing data to Sales/Marketing, legal information to Contracts/Finance, etc.
  5. Score data value. On a scale of 1-100 assess the data’s criticality to business, e.g. if it’s lost what is the impact from financial, brand, relationship perspectives.
  6. Consider a Threat Intelligence Platform (TIP) to streamline data management and terminate threats before they penetrate the business.

Once you have this information you can then start to evaluate weaknesses, reinforce existing security processes and align IT budgets accordingly.

Ransomware isn’t as hard to tackle as many SME information security teams think.


 

You know nothing, CISO

Shadow IT can stab you in the back

Disclaimer: This blog post contains strong references to Game of Thrones. Memes courtesy of ImgFlip. 

You, CISO, are a brave warrior who fights unknown threats from all corners of the digital world. You, CISO, try with all your might to manage an increasingly complex digital ecosystem of malware, exploit kits, Trojans, unwanted toolbars, annoying redirects and more. You, CISO, wrangle a shortage of security professionals and an overload of security solutions. You, CISO, have lost sleep over protecting your enterprise network and endpoints. You, CISO, are aware of the lurking threat of shadow IT, but you, CISO, know nothing until you understand that your own corporate website is one of the biggest contributors of shadow IT.

Beware of your Corporate Website

Did you know it’s likely you are only monitoring around 20–25% of the code executing on your website? The remaining 75–80% is provided by third parties who operate outside the IT infrastructure. You may think a web application firewall (WAF) and the various other types of web app security tools like Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST), and Runtime Application Self-Protection (RASP) adequately protect your website. News flash: these applications only monitor owned and operated code. In fact, they can’t even properly see third-party code as it’s triggered by user profiles. There is a dearth of security solutions that can emulate a true end user experience to detect threats.

Think about it, if there are so many traditional website security solutions available, why do websites still get compromised? This third-party code presents a multitude of opportunities for malware to enter your website and attack your website visitors–customers and employees alike–with the end goal to ultimately compromise endpoints and the enterprise network.

Avoid the Shame!

Practical CISOs will keep these hard facts in mind:

1.  There is no true king

You could argue that marketing is the rightful king to the Iron Throne of your corporate website since it is responsible for the UX, messaging, branding and so forth. But the enterprise website requires so much more. Every department has a stake: IT, legal, ad ops (if you have an advertising-supported website), security and finance, to name a few. Each department’s differing objectives may lead to adoption of unsanctioned programs, plugins and widgets to meet their needs. As a result, the website’s third-party code operates outside the purview of IT and security. Further complicating matters, there is no one department or person to be accountable when the website is compromised. This makes it hard for security teams to detect a compromise via third-party code and easier for malware to evade traditional security tools. In the absence of ownership, the CISO is blamed.

2.  Malware is getting more evil

Bad actors continue to hone their malware delivery techniques. They use malicious code to fingerprint or steal information to develop a device profile which can be used to evade detection by security research systems and networks. Furthermore, web-based malware can also remain benign in a sandbox environment or be dormant until triggered to become overt at a later date.

3. You’re afraid of everyone’s website…but your own

You know the perils of the internet and have adopted various strategies to protect your network from the evils of the World Wide Web. From black and white listing to firewall monitoring and ad blocking, these defenses help guard against intrusion. But what about your website?

As previously stated, everyday web-enablement programs such as a video platform or content recommendation engine operate outside the IT infrastructure. The more dynamic and function rich your website is, the more you are at risk of a breach from third-party vendor code. Below is a not so exhaustive list of apps and programs contributing third-party code:

  • RSS Feed
  • News Feed
  • Third Party Partner Widgets
  • Third Party Content MS Integrations
  • Third Party Digital Asset MS Integrations
  • Third Party ECommerce Platforms
  • Image Submission Sites
  • Ad Tags
  • Video Hosting Platform
  • Crowd Sharing Functionality
  • File Sharing Functionality
  • Customer Authentication Platforms
  • Third-Party Software Development (SD) Kits
  • Social Media Connectors
  • Marketing Software
  • Visitor Tracking Software

Stick ‘em with the pointy end

Yes, we know, what lies beyond the realm of your security team’s watchful eye is truly scary. But now that you know that your website’s third-party vendor code is a major contributor of shadow IT, you can more effectively address website security within your overall IT governance framework.

 

Your Threat Intelligence Isn’t Working

False positives undermine your security investments. 

The rapid adoption of threat intelligence data by enterprises signals an increased emphasis on preventing targeted malware attacks. While few question the strategy fueling this boom, it is the quality of this intelligence that is debatable. Recent news of organizations suffering brand damage due to false positives in their “compiled” threat feed puts the quality of numerous threat intelligence feeds under scrutiny.

In simple terms, a compiled threat intelligence feed aggregates data from various open sources and may also include observed data from the security vendor. The pitfalls of these multiple dependencies are many, the most debilitating of which is the quality of this so-called “intelligence.” In most cases, a compiled threat intelligence feed is a minefield of false positives, false negatives and unverified data.

To make your digital threat intelligence work for you, consider these factors:

Go for original source

Compiled isn’t conclusive

Many vendors use euphemisms like “comprehensive” or “crowdsourced” threat intelligence to characterize the value of their data. These euphemisms typically describe data compiled from multiple sources. Very few (most likely none) reveal the fact that this aggregated data hasn’t been thoroughly vetted for accuracy – a process that requires significant manpower hours for the volume of data within the feed. In fact, the time needed to properly assess the data would delay an enterprise’s receipt of and action on the intelligence. Needless to say, this time lag is all it takes for serious damage to be done by cyber criminals.

Avoid Costly Cleanups
False positives can be damning

The inherent inaccuracies in a compiled threat intelligence feed can lead to false positives and duplicate threat alerts. It is a well-established fact that malware alerts generate around 81% false positives and average 395 hours a week of wasted resources chasing false negatives and/or false positives.

A critical by-product of false positives is alert fatigue, which induces enterprise security professionals to not react in a timely manner – fatal behavior when an actual breach or violation does occur. In this “boy who cried wolf” scenario, the enterprise is vulnerable from two perspectives. Failure to react to a “positive” alert could expose the entity to malware. On the flip side, reaction to a “false positive” expends countless resources. Whatever the situation, the consequences could damage careers, cripple the security posture, and tarnish the enterprise’s image. By using an original source digital threat intelligence feed vendor, you maximize the level of intel accuracy and minimize the margin for false positives to occur.

Focus on patterns, not just appearances
Both IOCs and POAs are important

Another aspect to deciphering the value of threat intelligence is what actually goes on behind the scenes. Most threat intelligence feeds factor in indicators of compromise (IOCs) to establish that a malware alert is valid or to mark it with “high confidence” in its accuracy. However, what is harder to determine is the actual behavioral pattern of a threat or the method of malware delivery, which is what patterns of attack (POAs) depict. By understanding the POAs, high-quality threat intelligence can also detect new threat vectors, hence allowing enterprises to block suspicious malware before it becomes overt.

The key determining characteristic between IOCs and POAs is that IOCs contain superfluous, easy-to-alter data points that are not individual or specific to the bad actor, whereas POA data points are difficult to mask. To put it in simpler terms, think of a bank robbery. Information describing the appearance of the robber, such as a shirt or hair color, could be easily changed for the robber to evade detection and be free to commit additional heists. However, more specific, innate information regarding the robber’s gait or voice would make the individual easier to detect and block their ability to commit the same crime again. These inherent factors or POAs are difficult and expensive to alter. Therefore, threat intelligence data should factor in both IOCs and POAs in order to provide a more conclusive picture of a threat and minimize false positives.

Security Buyer Beware

Yes, factors such as real-time data, number of data points on threat vectors, easy access, and seamless integration with TIP/SIEM are important in determining the overall quality of a threat data feed. However, inaccurate data and false positives are fundamental flaws in many market solutions for threat intelligence. By using an original source digital threat intelligence feed vendor, you maximize the level of intel accuracy and minimize the margin for false positives to occur. Choose wisely.

Ecommerce can be bad for your financial health

Compromised landing page allows unauthorized collection of credit card information. 

A holiday weekend will prove more memorial for some visitors to several ecommerce sites. Customers wishing to purchase athletic gear or sign up for a competition risked having their credit card information collected by an unauthorized third party.

Detecting the infection

In the United States, Memorial Day signals the start of summer and the three-day holiday weekend kicks off with numerous large-scale promotions and sales campaigns pitching outdoor-related goods and services. Consequently, the digital advertising ecosystem usually experiences a jump in campaigns to drive traffic to ecommerce sites—a ripe opportunity to leverage.

The Media Trust team detected extraneous JavaScript code executing on the payment landing page for several medium-sized, sports-oriented ecommerce websites.

First detected in the early afternoon of Saturday, May 28, legitimate advertising creative directed users to legitimate ecommerce sites which happened to be compromised. The “angular” domain (angular.club) injected superfluous JavaScript throughout the sites to collect information input by a user, such as race registration or financial details associated with a purchase.

Diagnosing the financial headache

The angular domain injected UTF-8 encoded script throughout the entire ecommerce site and obfuscated itself by adopting the name of the site into its script, i.e., angular.club/js/site-name.js. Searching on the root domain “angular.club” redirects to “AngularJS.org”, a valid Google JavaScript framework and another attempt at misdirection to hide the true intention.

It’s likely the bad actor penetrated the content management system (CMS) or website theme template in order to ensure the code executed on all pages, especially the payment landing page.

[Figure: Example of the compromised JavaScript]

This code collects a range of financial and personally identifiable information (PII) including billing name, address, email, telephone number, credit card number, expiration date, and CVV.

The information is then sent to another server unassociated with the ecommerce site owner. The host of the angular domain and the web service that collects the credit card information are owned by the same entity, whose host server is in Germany and registered to someone in Florida.

Per The Media Trust team, there is no valid coding reason for this JavaScript to be on the website. The script’s sole purpose is to inject a block of code into the web page to collect credit card information and send it to another server, where it can be put to future use: purchasing online goods, being sold on the dark web, buying domains to launch additional attacks, etc.
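A site operator can check a payment page for this kind of injected script tag by comparing every script source against an approved list. The following is an added example, not code from The Media Trust or the affected sites; the site name, page markup and allowlist are constructed, and only the angular.club/js/site-name.js pattern comes from the incident described above.

```javascript
// Constructed site and allowlist (assumptions for illustration only).
const PAGE_URL = "https://www.trailgear.example/checkout/payment";
const APPROVED_HOSTS = new Set([
  "www.trailgear.example",    // first party
  "static.trailgear.example", // first-party CDN
  "js.payments.example",      // contracted payment vendor
]);

// Constructed payment page: two expected scripts plus one injected tag that
// follows the pattern reported above (angular.club/js/<site-name>.js).
const SAMPLE_PAGE = `
<html><head>
<script src="/assets/app.js"></script>
<script src="https://js.payments.example/v2/checkout.js"></script>
<script type="text/javascript" src='//angular.club/js/trailgear.js'></script>
</head><body><form id="payment">...</form></body></html>`;

// Pull every <script src=...> out of static markup and resolve it against the
// page URL. Scripts added at runtime by other scripts are not visible here;
// seeing those requires rendering the page in a browser.
function extractScriptUrls(html, pageUrl) {
  const tag = /<script\b[^>]*?\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const urls = [];
  let m;
  while ((m = tag.exec(html)) !== null) {
    const raw = m[1] ?? m[2] ?? m[3];
    try {
      urls.push(new URL(raw, pageUrl)); // handles relative and //host/path forms
    } catch {
      // Unparsable src values are skipped here; a monitor would log them.
    }
  }
  return urls;
}

// The site's own name as it would appear in a disguised file name.
function siteLabel(pageUrl) {
  return new URL(pageUrl).hostname.replace(/^www\./, "").split(".")[0].toLowerCase();
}

// Classify each script: approved host or not, and whether an unapproved host
// is serving a file named after this site (the disguise used in the incident).
function auditScripts(html, pageUrl, approvedHosts) {
  const label = siteLabel(pageUrl);
  return extractScriptUrls(html, pageUrl).map((u) => {
    const approved = approvedHosts.has(u.hostname);
    return {
      src: u.href,
      host: u.hostname,
      approved,
      usesSiteName: !approved && u.pathname.toLowerCase().includes(label),
    };
  });
}

function unapprovedScripts(html, pageUrl, approvedHosts) {
  return auditScripts(html, pageUrl, approvedHosts).filter((f) => !f.approved);
}

for (const f of unapprovedScripts(SAMPLE_PAGE, PAGE_URL, APPROVED_HOSTS)) {
  const note = f.usesSiteName ? " (file named after this site)" : "";
  console.log(`UNAPPROVED ${f.host} ${f.src}${note}`);
}
```

Run against every page template, not only the checkout page, since the script in this incident was injected site-wide.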

Assessing the health of the ecommerce site

The ecommerce site operators removed the code from their sites late on Tuesday, May 31. Frankly, the damage was already done.

During a strong promotional period, several small- to medium-sized ecommerce sites did not realize their expected traffic. Due to the malicious nature of the landing page associated with these campaigns, The Media Trust alerted our ad tech clients to block the serving of the ads. In one instance, seven different creatives supporting more than 200 ad impressions did not execute. In addition, one of the campaigns promoted an event with an expiration date of Wednesday, June 1.

Prescribing the cure

The Internet can be a scary place, full of bad actors looking to make a quick buck by preying on the good nature of others—consumers and website properties alike. Holiday periods are when the online ecosystem experiences a surge in attacks, and no business or organization is immune.

The lesson learned is that brand and corporate websites are just as vulnerable to attack as ad content. And, ecommerce is especially vulnerable due to the direct impact to revenue.

The best defense is to be on constant alert, a security posture that is difficult for most to assume. That’s why many firms leave it up to the experts to continually scan their online and mobile ecosystem. Continuous website monitoring will alert you to anomalous or unexpected behavior of third-party vendors and first-party, website operator code. Upon detection, these issues can be immediately resolved, thereby keeping your ecommerce operation alive and kicking.

The Blind Spot in Enterprise Security

Website security is overlooked in most IT governance frameworks. 

Managing a website isn’t as easy as you think. Sure, you test your code and periodically scan web applications but this only addresses your first-party owned code. What about third-party code?

Considering more than 78% of the code executing on enterprise websites is from third parties, IT/website operations departments cannot truly control what renders on a visitor’s browser. This inability to identify and authorize vendor activity exposes the enterprise to a host of issues affecting security, data privacy and overall website performance. And, your website isn’t immune.

Masked vulnerability: What you don’t know can hurt you

The fact that the majority of the code executing on an enterprise website is not seen, let alone managed, does not absolve the enterprise from blame should something go wrong—and it does.

Much publicized stories about website compromises and digital defacement point to the embarrassing reality that websites are not easy to secure. But that’s not all.

Digital property owners—websites and mobile apps—are beholden to a series of regulations covering consumer privacy, deceptive advertising, and data protection. The U.S. Federal Trade Commission has dramatically stepped up enforcement of deceptive advertising and promotional practices in the digital environment over the past few years and recently signaled interest in litigating enterprises found to be violating the Children’s Online Privacy Protection Act (COPPA).

Data privacy regulations don’t only apply to minors accessing the website. The recent overturning of EU-US Safe Harbor and resulting EU-US Privacy Shield framework calls attention to the need to understand what data is collected, shared and stored via enterprise digital operations.

Don’t forget that these third parties directly affect website performance. Problematic code or behavior—too many page requests, large page download size, general latency, etc.—render a poor experience for the visitor. Potential customers will walk if your website pages take more than two seconds to load, and third parties are usually the culprits.

The problem is that the prevalence of third-party code masks what’s really happening on a public-facing website. This blindness exposes the enterprise to unnecessary risk of regulatory violations, brand damage and loss of revenue.

Seeing through the camouflage

This is a serious issue that many enterprises come to realize a little too late. Third-party vendors provide the interactive and engaging functionality people expect when they visit a website—content recommendation engines, customer identification platforms, social media widgets and video platforms, to name a few. In addition, they are also the source of numerous back-end services used to optimize the viewing experience—content delivery network, marketing management platforms, and data analytics.

Clearly, third parties are critical to the digital experience. However, no single individual or department in an organization is responsible for everything that occurs on the site—marketing provides the content and design, IT/web operations makes sure it works, sales/ecommerce drives the traffic, etc. This lack of holistic oversight makes it impossible to hold anyone or any group accountable for when things go wrong that can jeopardize the enterprise.

Case in point: can you clearly answer the following:

  • How many third-party vendors are executing on your website?
  • How did they get on the site, i.e., were they called by another vendor?
  • Can you identify all activity performed by each vendor?
  • What department authorized and takes ownership of these vendors and their activity?
  • How do you ensure vendor activity complies with your organization’s policies as well as the growing body of government regulations?
  • What is the impact of individual vendor activity on website performance?
  • What recourse do you have for vendors that fail to meet contractually-agreed service level agreements (SLA)?

Questions like these highlight the fact that successfully managing an enterprise website requires a strong command of the collective and individual technologies, processes and vendors used to render the online presence, while simultaneously keeping the IT infrastructure secure and in compliance with company-generated and government-mandated policies regarding data privacy.
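The first two questions in the list above (how many vendors, and which vendor called which) can be answered from a browser network log that records what loaded each request. The following is an added example, not from the original post; the hostnames and the log records are constructed, and the `initiator` field is an assumed shape for such a log.

```javascript
// Constructed first-party host (assumption for illustration).
const FIRST_PARTY = "www.retailer.example";

// Constructed log: each record names a loaded URL and the URL that loaded it.
const REQUEST_LOG = [
  { url: "https://www.retailer.example/", initiator: null },
  { url: "https://tags.tagmanager.example/container.js",
    initiator: "https://www.retailer.example/" },
  { url: "https://cdn.videoplayer.example/player.js",
    initiator: "https://www.retailer.example/" },
  { url: "https://sync.adexchange.example/pixel.js",
    initiator: "https://tags.tagmanager.example/container.js" },
  { url: "https://collect.databroker.example/id.js",
    initiator: "https://sync.adexchange.example/pixel.js" },
];

function hostOf(url) {
  return new URL(url).hostname;
}

// Walk initiators back toward the page and return the chain of hosts,
// first party first, requested vendor last. The seen-set stops on cycles.
function chainFor(url, byUrl) {
  const chain = [];
  const seen = new Set();
  let cur = url;
  while (cur && !seen.has(cur)) {
    seen.add(cur);
    const host = hostOf(cur);
    if (chain[0] !== host) chain.unshift(host); // collapse same-host hops
    const rec = byUrl.get(cur);
    cur = rec ? rec.initiator : null;
  }
  return chain;
}

// One entry per third-party host: who called it, and whether the site itself
// loaded it (direct) or another vendor brought it in.
function vendorInventory(log, firstParty) {
  const byUrl = new Map(log.map((r) => [r.url, r]));
  const vendors = new Map();
  for (const r of log) {
    const host = hostOf(r.url);
    if (host === firstParty || vendors.has(host)) continue;
    const chain = chainFor(r.url, byUrl);
    vendors.set(host, {
      host,
      chain,
      calledBy: chain[chain.length - 2] ?? null,
      direct: chain.length === 2 && chain[0] === firstParty,
    });
  }
  return [...vendors.values()];
}

for (const v of vendorInventory(REQUEST_LOG, FIRST_PARTY)) {
  console.log(`${v.direct ? "direct  " : "indirect"} ${v.chain.join(" -> ")}`);
}
```

Vendors reported as indirect are the ones no department is likely to have authorized, because the site never referenced them itself.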

Adopting a Website Governance strategy will help you satisfy these requirements.

Take back control

What happens on your website is your responsibility. Don’t you think you should take control and know what’s going on? It’s time you took a proactive approach to security. The Media Trust can shine a light on your entire website operation and alert you to security incidents, privacy violations and performance issues.

 

Malvertising: The story behind the story

Security firms make mountains out of molehills

Malware alert! Malware alert! It seems every time you turn around there’s a news story or report exposing the presence of malware in the online and mobile advertising ecosystem. The vector, exploit kit or function may change, but the story is the same—some industry expert uncovers new ad-based malware or malvertising and the media sounds the alarm. Preying on cyber-related anxieties, these stories typically present an exaggerated synopsis of the situation and focus on a single instance, spotlight one industry provider, and don’t offer actionable information for the reader. As a result, these provocative articles often make mountains out of molehills and end up missing the real story: Why does the industry expert believe this particular malware incident is news?

 

Keeping it real

Malware serves as an umbrella term for any intrusive software program with malicious or hostile intent, and covers a variety of forms including viruses, Trojans, and worms. Diagnosing malware provides critical insight into identifying current system vulnerabilities and mitigating future compromises. The classic approach used by traditional security researchers requires the collection of malware samples and days of analysis by experts.

Ad-related malware behaves differently from other forms of malware and requires a distinct approach. Anyone that truly understands the advertising ecosystem recognizes that ad-based malware delivers through a publisher website for a very brief time period, typically for an hour or less, before it terminates and moves on in a mutated form to infect hundreds of other sites. In addition, the infected ad must first render on a browser before it deploys—automatically or through site visitor action—and there’s no guarantee that it will impact every browser or deploy every time rendered.

For these reasons, it’s misleading to report on one malvertising incident captured on one site. In addition, it’s irresponsible to call out a publisher for something that cannot be replicated, and these reports cause unnecessary panic among advertisers, ad networks, exchanges and publishers who spend countless resources addressing a malware event that no longer exists.

Diagnosing the motivation

Publishing incident-specific ad-based malware reports provides very little useful information and does very little to eliminate malvertising from the advertising ecosystem. Yet, this reporting persists for two primary reasons—extortion or publicity.

Known as “White Hat Ransomware”, disreputable security analysts mine websites for malvertising incidents and present the findings to the site/publisher hosting the bad ad. They offer to sell the vector information so the publisher can shut down the infection, with the understanding that the malware incident could be publicly released should the publisher choose to not pay. Usually perpetrated by obscure individuals or groups, this type of extortion proves very lucrative as many publishers purchase the information in order to avoid the time-consuming fallout of negative publicity.

The more reputable network, endpoint and intelligence security firms try to extend their traditional malware analysis skill set to malvertising and digital content. However, it doesn’t work. Effective analysis requires continuous, real-time monitoring of the advertising environment from the browser or consumer point of view, which requires scanning active ad placements using simulated users set up with the exact geographic and behavioral profiles that the ad is targeting—something that can’t be accurately replicated after the fact. In addition, the ever-shifting nature of malvertising means that capturing a screen shot of an incident found on a single site is misguided—if it exists on one site, it exists on hundreds or thousands of other publisher sites and ad networks—and the post-incident analysis offers no valuable benefit to the consumers already exposed. By publishing malvertising-related reports about something that happened days, weeks or months ago, these firms unleash chaos in the ad tech industry as the publisher and its partners attempt to locate a vector that no longer exists.

Protecting the advertising ecosystem

Malware in the ad tech industry is not news. Admittedly, the ad tech industry plays a central role in the propagation of malware in the online and mobile advertising ecosystem; however, this fact is not ignored by responsible industry players who fiercely combat it every day. From establishing working groups to creating “good ad” certifications to performing extensive due diligence on buyer clients, the industry works hard to tackle the presence of malware. In fact, many of the largest, most-visited websites actively scan their advertisements to identify and remove anomalous vectors before they morph and become overt malware drops. Unfortunately, a few ad-based malware vectors get through, but that number is minuscule in comparison to the billions of ads successfully rendered every day.

In effect, malvertising isn’t a new trend. In fact, it emerged shortly after the birth of banner ads 20+ years ago. What’s new is that traditional security companies are finally realizing that digital properties—websites and mobile apps—can be compromised. If you want to know how malvertising really works, ask The Media Trust. We’ve been detecting malware in the online and mobile environment for close to a decade, not the past few months.