4 Tips for Detecting Data Breaches

When a data breach happens on one of your systems, how fast do you think you can prevent it from spreading? Moreover, how fast do you think you need to act?

A recent threat report found that hackers from Russia were able to access critical systems in 20 minutes, the fastest in the world.

Finding and containing a breach in less than 20 minutes is not easy. In fact, the average time it takes for an organization to detect a breach is about 6.5 months (197 days), while the average time to contain a breach is 69 days. This is why when a data breach is disclosed, it’s often months after it actually occurred.

Being able to limit a data breach can prevent more data from being lost and decrease associated costs, including compliance fines. This means that companies should aim to find and contain breaches as soon as possible.

Source: Ponemon Institute

Who Detects Breaches

Being able to detect security incidents internally is important for your company. Internal detection (from security systems, IT/security experts, employees, etc.) can spare your business the embarrassment of a lack of security self-awareness and may stop the breach earlier. However, the majority of breaches are detected by external parties, such as third-party providers, law enforcement and, in some cases, consumers.

Why Does Breach Detection Take So Long?

When Marriott disclosed their data breach in November last year, they said that they first learned of the breach in September 2018. That’s about two months between discovery and disclosure. They also found that hackers had been accessing their systems since November 2014. That’s a four-year gap between the initial compromise and the time they discovered the breach!

The amount of time it takes to discover a data breach depends on the type of attack. For example, stolen credit card information is often not detected until fraudulent activity is identified. In the case of a third-party breach, a company won’t know it is at risk until it is told by the third party.

On the other hand, a cyber criminal who manages to obtain privileged credentials can roam around the victim’s network undetected.

How Can I Protect My Business Data?

1. Identification: It’s important to be aware of key indicators of compromise and know how to identify them. Such signs can include repeated login attempts, slow network traffic, unusual login activity (e.g. from unexpected countries or unknown devices), unauthorized users trying to access confidential data, and so on. It’s important to teach your employees these types of signs so that they can help prevent potential attacks.

2. Detection: Using automated security tools like a SIEM system is vital in detecting potential attacks. A SIEM uses behavioural analytics to detect suspicious activity across your network. It does this by collecting data from all your devices and correlating it with global threat intelligence feeds and use cases. A SIEM can detect behaviours like repeated logins, access from suspicious IP addresses and more. Automated tools like a SIEM are faster than relying solely on teams to detect threats and are therefore important in protecting your data.

3. Monitoring: In order to determine what seems suspicious, you need to monitor your networks to establish a baseline. Our Monitor IT solution provides real-time reporting on your IT infrastructure and systems to ensure the uptime, availability and performance of your infrastructure. The technicians in our Network Operations Centre will monitor your infrastructure and bring attention to availability and operating performance issues.

4. Prevention: Active prevention through human insight and security solutions like next-generation firewalls is a continuous process. Threats are always changing and evolving, which is why it’s important to stay up to date. As part of your prevention process, you should conduct regular cyber awareness training for your employees so they can spot common attacks and navigate the web safely. In conjunction with that, use preventative security solutions like firewalls to block malware from entering your network.
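The indicators in items 1 to 3 (repeated login failures, logins from unexpected countries or unknown devices, and a monitored baseline of normal activity) can be turned into concrete detection logic. The script below is an added example written for this article; it is not code from the original page or from any Jolera product. The log format, the baseline window and the failure threshold are assumptions chosen for the illustration, and the log lines are constructed sample data.

```python
"""Login-anomaly checks for the indicators in items 1 to 3 above.

Added example; not code from the original page or from any Jolera product.
The log format, baseline window and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <user> <result> <country> <device>"
SAMPLE_LOG = """\
2019-03-18T08:01:10 alice SUCCESS CA laptop-a1
2019-03-18T08:05:42 bob SUCCESS CA laptop-b7
2019-03-18T09:12:03 alice SUCCESS CA laptop-a1
2019-03-18T17:30:00 bob SUCCESS CA laptop-b7
2019-03-19T08:03:55 alice SUCCESS CA laptop-a1
2019-03-19T08:04:10 bob SUCCESS CA laptop-b7
2019-03-20T02:14:00 alice FAILURE RO unknown-99
2019-03-20T02:14:07 alice FAILURE RO unknown-99
2019-03-20T02:14:15 alice FAILURE RO unknown-99
2019-03-20T02:14:22 alice FAILURE RO unknown-99
2019-03-20T02:14:30 alice FAILURE RO unknown-99
2019-03-20T02:14:41 alice SUCCESS RO unknown-99
2019-03-20T08:02:00 bob SUCCESS CA laptop-b7
"""

FAILURE_THRESHOLD = 5                  # failures per user inside the window (assumed)
FAILURE_WINDOW = timedelta(minutes=5)  # sliding window for failures (assumed)
BASELINE_END = datetime(2019, 3, 20)   # successes before this form the baseline


def parse_log(text):
    """Parse the constructed log format into time-ordered event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, country, device = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "result": result, "country": country, "device": device})
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events, until):
    """Countries and devices each user normally logs in from (item 3: the baseline)."""
    baseline = defaultdict(lambda: {"countries": set(), "devices": set()})
    for e in events:
        if e["ts"] < until and e["result"] == "SUCCESS":
            baseline[e["user"]]["countries"].add(e["country"])
            baseline[e["user"]]["devices"].add(e["device"])
    return baseline


def _prune(window, now):
    """Drop failure timestamps that fell out of the sliding window."""
    while window and now - window[0] > FAILURE_WINDOW:
        window.pop(0)


def detect(events, baseline, baseline_end):
    """Return (user, reason, timestamp) alerts for the indicators in items 1 and 2."""
    alerts = []
    failures = defaultdict(list)   # user -> timestamps of recent failures
    for e in events:
        user, ts = e["user"], e["ts"]
        window = failures[user]
        _prune(window, ts)
        if e["result"] == "FAILURE":
            window.append(ts)
            if len(window) == FAILURE_THRESHOLD:   # alert once per burst
                alerts.append((user, "repeated login failures", ts))
            continue
        # A success right after a burst of failures is the classic brute-force signature.
        if len(window) >= FAILURE_THRESHOLD:
            alerts.append((user, "success after failure burst", ts))
            window.clear()
        if ts < baseline_end:          # baseline events are not judged
            continue
        known = baseline.get(user)
        if known is None:
            alerts.append((user, "login by user with no baseline", ts))
            continue
        if e["country"] not in known["countries"]:
            alerts.append((user, f"login from new country {e['country']}", ts))
        if e["device"] not in known["devices"]:
            alerts.append((user, f"login from unknown device {e['device']}", ts))
    return alerts


def run_sample():
    """Run the detector over the constructed log; returns four alerts, all for alice."""
    events = parse_log(SAMPLE_LOG)
    return detect(events, build_baseline(events, BASELINE_END), BASELINE_END)


if __name__ == "__main__":
    for user, reason, ts in run_sample():
        print(f"{ts.isoformat()} {user}: {reason}")
```

Run as-is, the script raises four alerts for the constructed account alice: the burst of five failures, the success that immediately follows it, and the fact that the successful login came from a country and a device never seen in the baseline. Bob’s routine logins produce nothing, which is the point of building a baseline first: the detection rules only fire on deviations from what each user normally does. A real SIEM use case does the same thing at scale, with thresholds tuned to the organisation’s own traffic rather than the values assumed here.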

Threats of the Week – March 18, 2019

Ursnif banking Trojan

A new variant of an infamous banking Trojan with a history going back over ten years has emerged with new tactics to make it harder to detect. The malware aims to hunt out financial information, usernames, passwords and other sensitive data.

The Ursnif banking Trojan is one of the most popular forms of information-stealing malware targeting Windows PCs, and it has existed in one form or another since at least 2007, when its code first emerged in the Gozi banking Trojan.

Now researchers at security company Cybereason have uncovered a new, previously undocumented version of Ursnif which applies different, stealthier infection tactics than other campaigns.

This includes what researchers refer to as “last minute persistence” – a means of installing the malicious payload which tries to ensure a lower chance of being uncovered.

Source: ZDNet

How do you protect yourself?

Proper security measures must be in place to defend against the Ursnif banking Trojan and similar threats. Having proper up-to-date endpoint and firewall security provides a cross-generational blend of threat defense techniques to protect systems from malware.

CVE-2019-7095

Adobe has released a security update for Adobe Digital Editions. This update resolves a critical vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user. Affected versions are 4.5.10.185749 and below.

Source: Adobe

How do you protect yourself?

Update Adobe Digital Editions to version 4.5.10.186048.

GlitchPOS Malware

A new insidious malware bent on siphoning credit-card numbers from point-of-sale (PoS) systems has recently been spotted on a crimeware forum.

Researchers at Cisco Talos said in a Wednesday analysis that they discovered the malware, dubbed “GlitchPOS,” being peddled on the Dark Web for $250. The malware first appeared on Feb. 2, and researchers said they don’t know yet how many cybercriminals bought it or are using it.

The malware is spread via email, purporting to be a game involving “various pictures of cats.”

Source: ThreatPost

How do you protect yourself?

Proper security measures must be in place to defend against GlitchPOS Malware and similar threats. Backing up your data and having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.

3 Reasons Why Cybersecurity Is Everyone’s Responsibility

Cybersecurity affects every employee – from the executive team to HR, sales, marketing, etc. For this reason, cybersecurity should be everyone’s responsibility. But not all employees understand this. A survey by Citrix found that 40% of employees believe that they bear no responsibility for securing information. Cybersecurity is often thought of as a job for a company’s IT department; it makes sense as they are the tech experts who would most understand how to keep a business secure. But your employees are at risk every time they log onto their computers. Therefore, a company shouldn’t rely solely on one team for security. Everyone must work together to achieve security. Here are three reasons why cybersecurity is everyone’s responsibility.

Source: Help Net Security

Every Employee Is A Potential Target

Employees engage in activities that put them at risk, whether they realize it or not. Coming across a suspicious link while browsing or receiving a spam email can happen to anyone. Those who work with confidential information may be more likely to be targeted.

The first step of a cyber attack is reconnaissance, where hackers research their targets beforehand. A simple LinkedIn search can show a hacker a wealth of people to target. From there they can find other social media accounts to gather more information and tailor their attacks. They can target employees in a variety of ways, such as phishing, impersonation and other social engineering tactics. Employees need to understand that their actions have an impact on your company’s security. They should be trained regularly on the cyber threat landscape and learn to practise cyber-safe habits.

Technology Isn’t a One Stop Solution

Having next-generation security technologies like firewalls and SIEM systems is key to limiting cyber attacks and protecting your data. But technology can only do the initial blocking of an attack. Whether a person clicks on a malicious link in their email or responds to an email containing CEO fraud is up to them.

There are also some attacks that technology may not be able to prevent, such as vishing. Vishing is a form of phishing where hackers call their targets to extract information instead of emailing them. Thus, your employees must work in conjunction with technology to protect themselves.

Cybersecurity Policies and Procedures Apply to Everyone

Having a strong cybersecurity culture is key to engaging employees with cybersecurity. A solid cybersecurity culture will include procedures and policies that ensure all employees meet the same security standards, such as every employee needing to change their password every 30 days. This will also show employees that they are a vital part in keeping your business safe. Updating your procedures and policies regularly will help reinforce your security mandates with your employees.

Threats of the Week – March 11, 2019

StealthWorker Malware

Hackers are running a new campaign which drops the StealthWorker brute-force malware on Windows and Linux machines that end up being used to brute force other computers in a series of distributed brute force attacks.

As was later discovered, the malware is capable of exploiting a number of vulnerabilities to infiltrate Magento, phpMyAdmin and cPanel content management systems (CMSs), as well as brute-forcing its way in if everything else fails.

While previously the StealthWorker payload was observed while being dropped on targeted servers with the help of the double-packed WallyShack Trojan downloader, the new campaign switched to a brute force-only approach aiming for any vulnerable host with weak or default credentials.

Source: BleepingComputer

How do you protect yourself?

Proper security measures must be in place to defend against StealthWorker malware and similar threats. Having proper up-to-date endpoint and firewall security provides a cross-generational blend of threat defense techniques to protect systems from malware.

CVE-2019-7816

Adobe has released security updates for ColdFusion versions 2018, 2016 and 11. These updates resolve a critical vulnerability that could lead to arbitrary code execution in the context of the running ColdFusion service.

Adobe is aware of a report that CVE-2019-7816 has been exploited in the wild.

Source: Adobe

How do you protect yourself?

Adobe recommends customers apply the security configuration settings as outlined on the ColdFusion Security page as well as review the respective Lockdown guides.

CryptoMix Ransomware

A new CryptoMix Ransomware variant has been discovered that appends the .CLOP or .CIOP extension to encrypted files. Of particular interest is that this variant now indicates that the attackers are targeting entire networks rather than individual computers.

This variant is currently being distributed using executables that have been code-signed with a digital signature. Doing so makes the executable appear more legitimate and may help to bypass security software detections.

Source: BleepingComputer

How do you protect yourself?

Proper security measures must be in place to defend against CryptoMix Ransomware and similar threats. Backing up your data and having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.

The Formjacking Threat Explained

Last year, several retailers fell victim to a cyber attack that exposed their customers’ payment information. One well-known example is the British Airways breach that affected more than 380,000 passengers. All of these retailers were targets of an attack known as formjacking. Formjacking is not a new attack, but it is on the rise in the threat landscape. According to a new report by Symantec, formjacking attacks affect an average of more than 4,800 websites each month. As companies get better at blocking attacks, hackers will look for more creative ways, like formjacking, to target businesses.


Source: BleepingComputer

What is Formjacking?

Formjacking is a type of website hijacking in which hackers inject malicious code into websites to steal user information. Formjacking tends to target retail websites in order to steal credit card information. It’s important to note that formjacking is not an infection that spreads to your network, but a code injection embedded in websites.

How Formjacking Works

A hacker will inject a malicious script into the payment section of a website. When a user on the infected website uses the payment form to check out, the script copies the details entered by the user and sends them to the hackers. These attacks go undetected because the website continues to operate normally. Thus, users are handing their information to hackers without even realizing it.

4 Preventative Measures You Can Take

1. Don’t enter payment information directly: When making online purchases, try to avoid using the website’s own payment form by using a payment service like PayPal instead. Customers who use PayPal are redirected to the PayPal website when making the purchase. Since your payment information is entered on a separate website, it will not be compromised. Using mobile payment options like Apple Pay or Google Pay will also help hide your payment information, which makes it harder to steal.

2. Monitor Outbound Traffic with SIEM: Security Information and Event Management (SIEM) systems use behavioural analytics to detect threats with the help of use cases. Using a SIEM system like Secure IT – SIEM can help detect suspicious activity like increased outbound traffic. If your traffic activity is looking suspicious, it might be time to investigate your website for malicious code.

3. Review third-party scripts: Formjacking attacks are also affecting businesses via third-party providers. Ticketmaster was breached last year via a third-party chat bot it uses for customer support. It’s important for businesses to do their research when partnering with a third party and ensure they are properly audited. Companies should also look to reduce the number of third-party scripts on their websites and only keep those that are essential.

4. Conduct a vulnerability assessment: Vulnerabilities tend to be discovered once they start doing damage. A vulnerability assessment will analyze your systems and networks to help you detect and address security gaps. This can help your organization address security gaps and issues before they become a larger problem. Catching malicious script in your website before it can do damage to your brand and customers is key. Have your websites scanned for malicious code when doing your assessment. If you’d like to conduct a vulnerability assessment, contact Jolera today.
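Items 3 and 4 above both come down to knowing exactly which scripts your checkout page loads and noticing when that set changes, since an injected skimmer shows up as a script that was not there before. The following audit is an added example written for this article, not code from the original page or from Jolera. The sample checkout page, the site origin, the allowlist of approved third-party origins and the previously recorded inventory are all constructed for the illustration; the `integrity` hash is a placeholder, not a real digest.

```python
"""Inventory and audit the scripts on a checkout page (items 3 and 4 above).

Added example; not code from the original page or from Jolera. The sample
HTML, SITE_ORIGIN, ALLOWED_ORIGINS and the saved inventory are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed checkout page: a first-party script, an approved CDN script with
# Subresource Integrity, an unapproved third-party script without SRI, and an
# inline script attached to the payment form.
SAMPLE_HTML = """
<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example-vendor.com/widget.js"
        integrity="sha384-PLACEHOLDERHASH" crossorigin="anonymous"></script>
<script src="https://chat.third-party.example/bot.js"></script>
</head><body>
<form id="payment" action="/pay" method="post">
  <input name="cardnumber"><input name="cvv">
</form>
<script>document.getElementById('payment').addEventListener('submit', f);</script>
</body></html>
"""

SITE_ORIGIN = "https://shop.example"                     # assumed first-party origin
ALLOWED_ORIGINS = {"https://cdn.example-vendor.com"}     # assumed approved vendors

# Constructed inventory from the last review: what the page loaded back then.
PREVIOUS_INVENTORY = ["/static/checkout.js",
                      "https://cdn.example-vendor.com/widget.js"]


class ScriptCollector(HTMLParser):
    """Collect every <script> tag with its src, integrity attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self.scripts.append({"src": a.get("src"),
                                 "integrity": a.get("integrity"), "inline": ""})
            self._in_script = True

    def handle_data(self, data):
        if self._in_script and self.scripts:
            self.scripts[-1]["inline"] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def collect_scripts(html):
    parser = ScriptCollector()
    parser.feed(html)
    return parser.scripts


def script_origin(src):
    """Origin of a script URL; relative URLs belong to the site itself."""
    parsed = urlparse(src)
    if not parsed.netloc:
        return SITE_ORIGIN
    return f"{parsed.scheme}://{parsed.netloc}"


def audit(html):
    """One (finding, detail) pair per script that a reviewer should look at."""
    findings = []
    for s in collect_scripts(html):
        if s["src"]:
            origin = script_origin(s["src"])
            if origin == SITE_ORIGIN:
                continue                       # first-party code: reviewed elsewhere
            if origin not in ALLOWED_ORIGINS:
                findings.append(("unapproved third-party origin", s["src"]))
            if not s["integrity"]:
                findings.append(("external script without SRI integrity", s["src"]))
        elif s["inline"].strip():
            findings.append(("inline script on payment page", s["inline"].strip()[:60]))
    return findings


def new_scripts(previous_inventory, html):
    """Scripts present now that were absent from the last recorded inventory."""
    current = {s["src"] or "inline:" + s["inline"].strip() for s in collect_scripts(html)}
    return sorted(current - set(previous_inventory))


if __name__ == "__main__":
    for finding, detail in audit(SAMPLE_HTML):
        print(f"{finding}: {detail}")
    print("new since last review:", new_scripts(PREVIOUS_INVENTORY, SAMPLE_HTML))
```

Run against the constructed page, `audit` reports the chat bot script twice (it is not on the approved list and it carries no Subresource Integrity hash, so the vendor could serve different code tomorrow without the page noticing) and flags the inline script on the payment page for review. `new_scripts` then compares the page with the inventory saved at the last review and returns exactly the two additions. Running that comparison on a schedule, and on every deployment, is the practical form of the regular scan the article recommends: it catches a script that appeared without anyone approving it, which is how a formjacking injection, first-party or via a third-party provider, looks from the defender’s side.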

Threats of the Week – March 4, 2019

Farseer Malware

A new brand of malware has been developed to give a threat group the tools required to attack Windows operating systems alongside their usual Android targets.

On Tuesday, cybersecurity researchers from Palo Alto’s Unit 42 said the malware, dubbed Farseer, has connections to HenBox, a cyberespionage malware detected in 2018 in attacks against Google’s Android operating system.

HenBox primarily targets the Turkish Uyghur group in order to steal data, including personal and device information and any phone numbers with a Chinese prefix. The malware is also able to compromise smartphone cameras and microphones.

Generally focused on smartphones, the hackers have now expanded their horizons with the launch of Farseer. The malware is spread through phishing campaigns and malicious PDF files that rely on social engineering, using news articles copied from a Myanmar website as lures.

Source: ZDNet

How do you protect yourself?

Proper security measures must be in place to defend against Farseer malware and similar threats. Having proper up-to-date endpoint and firewall security provides a cross-generational blend of threat defense techniques to protect systems from malware.

CVE-2018-20250

A critical 19-year-old WinRAR vulnerability disclosed last week has now been spotted actively being exploited in a spam campaign spreading malware.

The campaign, discovered by researchers with 360 Threat Intelligence Center, takes advantage of a path-traversal WinRAR vulnerability, which could allow bad actors to remotely execute malicious code on victims’ machines simply by persuading them to open a file.

Source: ThreatPost

How do you protect yourself?

Researchers urge WinRAR users to update as soon as possible to the newest version of the software, 5.70 beta 1.

B0r0nt0K Ransomware

A new ransomware called B0r0nt0K is encrypting victims’ websites and demanding a ransom of 20 bitcoin, approximately $75,000. This ransomware is known to infect Linux servers, but may also be able to encrypt systems running Windows.

In a BleepingComputer forum post, a user stated that a client’s website was encrypted with the new B0r0nt0K Ransomware. This website was running on Ubuntu 16.04 and had all of its files encrypted and renamed, with the .rontok extension appended to them.

Source: BleepingComputer

How do you protect yourself?

Proper security measures must be in place to defend against B0r0nt0K Ransomware and similar threats. Having proper up-to-date endpoint security provides a cross-generational blend of threat defense techniques to protect systems from malware.