[BreachExchange] Phishing, ransomware the new norm

Audrey McNeil audrey at riskbasedsecurity.com
Mon Aug 1 18:41:24 EDT 2016


http://www.fosters.com/article/20160731/NEWS/160739967

It seems like every week there is a new threat that needs to be confronted.
We have all become accustomed to viruses and malware, but phishing and
ransomware are the new norm.

Phishing is an attempt to obtain sensitive information via electronic mail
by masquerading as a trusted entity. I’m sure you’ve seen it yourself. You
receive an email seemingly from someone you know. It may ask you for
sensitive information or try to trick you into opening an attachment or
clicking a link. In its simplest form, the person who sent the message
wants you to reply with the sensitive information they seek. In its more
sophisticated form, the message tries to get you to open a file or click a
link that will look legitimate, but in actuality will download malware to
your computer that will harvest the sensitive information the perpetrator
is after.
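The message-level tells described above (a display name that does not match the real sending address, replies routed somewhere other than the apparent sender, and link text that shows a different host than the link actually goes to) can be checked mechanically before a message reaches the reader. The script below is an added example, not code from the article or the BreachExchange list; the two messages it inspects are constructed samples on reserved `.invalid` and `example-corp.com` names, and the indicator names are hypothetical labels chosen for this illustration.

```python
import re
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the display name embeds a corporate-looking address while
# the real sender and the Reply-To live on unrelated domains, and the visible
# link text names a host other than the one the href points at.
SUSPECT_EMAIL = """\
From: "Payroll Team <payroll@example-corp.com>" <alerts@mail-relay.invalid>
Reply-To: collect@another-relay.invalid
To: staff@example-corp.com
Subject: Action required: confirm your direct deposit
Content-Type: text/html; charset="utf-8"

<html><body><p>Please confirm your account details at
<a href="http://login.example-corp.com.verify.invalid/reset">https://hr.example-corp.com</a></p>
</body></html>
"""

# Constructed benign sample: consistent sender, no Reply-To, link text matches href.
BENIGN_EMAIL = """\
From: "IT Helpdesk" <helpdesk@example-corp.com>
To: staff@example-corp.com
Subject: Scheduled maintenance
Content-Type: text/html; charset="utf-8"

<html><body><p>Details: <a href="https://intranet.example-corp.com/maint">https://intranet.example-corp.com/maint</a></p></body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    # Link text often omits the scheme; add one so urlparse yields a hostname.
    if not re.match(r"^[a-z][a-z0-9+.-]*://", url, re.I):
        url = "http://" + url
    return (urlparse(url.strip()).hostname or "").lower()


def _looks_like_url(text):
    return re.match(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", text.strip()) is not None


def _first_address(msg, header_name):
    header = msg.get(header_name)
    if header is None or not header.addresses:
        return None
    return header.addresses[0]


def analyze(raw_message):
    """Return the list of indicator labels (hypothetical names) found in a message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    sender = _first_address(msg, "From")
    from_domain = sender.domain.lower() if sender else ""

    # 1. An address-like token inside the display name on a different domain.
    display = sender.display_name if sender else ""
    if any(d.lower() != from_domain for d in re.findall(r"[\w.+-]+@([\w.-]+)", display)):
        findings.append("display-name-domain-mismatch")

    # 2. Replies routed to a domain other than the apparent sender's.
    reply_to = _first_address(msg, "Reply-To")
    if reply_to and reply_to.domain.lower() != from_domain:
        findings.append("reply-to-domain-mismatch")

    # 3. Visible link text naming a host that differs from the href's host.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        if any(_looks_like_url(t) and _host(t) != _host(h) for h, t in collector.links):
            findings.append("link-host-mismatch")
    return findings


if __name__ == "__main__":
    print("suspect:", analyze(SUSPECT_EMAIL))
    print("benign: ", analyze(BENIGN_EMAIL))
```

The three checks are deliberately header-only and do not follow any link, so they can run in a mail gateway or a user-reporting pipeline without touching the destination; a hit is a reason to quarantine and alert, not proof on its own.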

Ransomware, which is often delivered via a phishing message like that
described previously, is malware that installs on a computer and invokes
malicious software code that encrypts all the data it can reach. In doing
so, files you use every day are no longer accessible and you are presented
with a pop-up that tells you your data has been encrypted and in order to
regain access to your data, you have to pay a ransom. Thus, the name
ransomware.

Combating these threats is complex and fluid. Most traditional anti-virus
and anti-spyware software is not enough to block these threats, nor is
your email spam filter. They may have some success, but they will not be
able to stop every attempt, not on their own.

This is where content filtering and traffic inspection become critical
security layers to employ. Most companies allow unfettered access to the
Internet. This is not a best practice and in this day and age it could be
considered irresponsible. Most companies are accustomed to restricting what
may pass through the corporate firewall and enter the company network.
However, far fewer are accustomed to restricting traffic allowed to leave
the company network through the firewall to any destination on the Internet.

Here’s the root of the problem. By not restricting and monitoring outbound
traffic, you run the risk of your employees not just going to websites that
will waste their time, but to websites and other resources that will
download dangerous or damaging malware to your network, often undetected.

A good content filtering system will help mitigate this risk. There are
numerous types of content filtering technologies available. Some run on
hardware devices on the perimeter of your network, most often a firewall.
Others are cloud-based. Both have advantages and disadvantages. The key is
how responsive they are to new threats, often defined as “zero day” threats.

A “zero day” threat is a flaw or other vulnerability that, once discovered,
gives the manufacturer zero days to fix it before it is exploited. There
are entire communities of hackers who share information on zero day threats
as they discover them, in an effort to exploit them to obtain sensitive
information or do damage.

Content filtering, especially highly responsive content filtering, is able
to identify many of these threats (phishing, ransomware and zero day) by
recognizing the unique communications and patterns they employ to do their
work. Either by blocking known Internet sites that support these threats,
or by identifying the type of behavior these threats exhibit, the filter is
able to block the activity and alert system administrators to the threat.
This allows for more immediate identification and, most importantly,
response, either automated or manual, depending on the type of threat.
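The two detection styles the article describes for outbound traffic, matching destinations against a list of known-bad sites and recognizing the behavior a threat exhibits, can both be run over an egress proxy log. The script below is an added example, not code from the article or from any product it mentions; the log lines, the log format (`timestamp client destination-host bytes-out`), the blocklist and all host names are constructed for the illustration. The behavioral check it shows is the regular "beaconing" pattern of a host contacting one destination at near-constant intervals, which is one common pattern such filters look for and which a plain blocklist would miss when the destination is not yet known.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log (not from a real system). 10.0.0.12 contacts one host
# every 60 seconds; 10.0.0.33 browses irregularly and touches one listed host.
LOG_LINES = """\
2016-08-01T09:00:00 10.0.0.12 intranet.example-corp.com 1240
2016-08-01T09:00:30 10.0.0.12 cdn-mirror.bad.invalid 512
2016-08-01T09:01:30 10.0.0.12 cdn-mirror.bad.invalid 512
2016-08-01T09:01:41 10.0.0.33 news.example-site.invalid 8021
2016-08-01T09:02:30 10.0.0.12 cdn-mirror.bad.invalid 512
2016-08-01T09:02:55 10.0.0.33 news.example-site.invalid 7733
2016-08-01T09:03:17 10.0.0.33 payload-host.bad.invalid 40960
2016-08-01T09:03:30 10.0.0.12 cdn-mirror.bad.invalid 512
2016-08-01T09:04:30 10.0.0.12 cdn-mirror.bad.invalid 512
2016-08-01T09:04:32 10.0.0.33 news.example-site.invalid 6402
2016-08-01T09:05:30 10.0.0.12 cdn-mirror.bad.invalid 512
2016-08-01T09:09:02 10.0.0.33 intranet.example-corp.com 2211
"""

# Constructed blocklist standing in for a vendor's known-bad site feed.
# Note that cdn-mirror.bad.invalid is deliberately NOT on it.
BLOCKLIST = {"payload-host.bad.invalid"}


def parse(text):
    """Parse log lines into (timestamp, client, destination, bytes_out) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dest, size = line.split()
        events.append((datetime.fromisoformat(ts), client, dest.lower(), int(size)))
    return events


def known_bad_hits(events, blocklist):
    """Exact or parent-domain matches against the known-bad list."""
    hits = []
    for ts, client, dest, _ in events:
        if any(dest == bad or dest.endswith("." + bad) for bad in blocklist):
            hits.append((ts.isoformat(), client, dest))
    return hits


def find_beacons(events, min_count=5, max_jitter=0.2):
    """Flag (client, destination) pairs contacted at near-constant intervals.

    A pair is reported when it has at least min_count events and the spread
    of the gaps between them (stddev / mean) is at most max_jitter.
    """
    by_pair = defaultdict(list)
    for ts, client, dest, _ in events:
        by_pair[(client, dest)].append(ts)

    beacons = []
    for (client, dest), stamps in sorted(by_pair.items()):
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        if pstdev(gaps) / avg <= max_jitter:
            beacons.append((client, dest, len(stamps), round(avg, 1)))
    return beacons


def report(text, blocklist=BLOCKLIST):
    events = parse(text)
    return {"known_bad": known_bad_hits(events, blocklist), "beacons": find_beacons(events)}


if __name__ == "__main__":
    for kind, items in report(LOG_LINES).items():
        print(kind)
        for item in items:
            print("  ", item)
```

In practice the blocklist feed and the beacon thresholds are tuned per environment (a software updater also polls on a schedule, so the alert should carry the destination and byte counts for an analyst to triage), and the same two functions can be pointed at a firewall or DNS log instead of a proxy log as long as `parse` is adapted to that format.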

While some view these types of filters as a heavy-handed “big brother,”
they are a necessary defensive tool in the fight to keep your digital
assets secure. The main concern is that these filters may be used to
restrict what employees may do online and when, as well as provide
management with detailed reporting about what any employee is doing or
trying to do online. Unfortunately, we have all seen people who take
advantage of the computing resources they are provided, and in some cases
this aggressive type of monitoring and reporting is necessary to ensure
productivity. In reality, this is not the primary purpose of these filters.
The primary purpose is to protect the company network; in so doing, they
also provide a digital footprint of what people do, as well as controls
management may wish to deploy to keep online activity focused and
appropriate.