WHITE PAPER SPON. Best Practices for Dealing with Phishing and Next-Generation Malware. Published April An Osterman Research White Paper

Transcription

1 WHITE PAPER N Best Practices fr Dealing with Phishing and Next-Generatin An Osterman Research White Paper Published April 2015 spnsred by spnsred by SPON spnsred by Osterman Research, Inc. P.O. Bx 1058 Black Diamnd, Washingtn USA Tel: Fax: inf@stermanresearch.cm twitter.cm/msterman

2 EXECUTIVE SUMMARY An attrney in the greater San Dieg area pened an attachment in a phishing that he thught was sent t him by the US Pstal Service. The attachment installed malware n his cmputer, and shrtly thereafter he fund that $289,000 had been transferred frm his firm s accunt t a bank in China i. Best Practices fr Dealing with Phishing and Next-Generatin An attack n Fazi Mechanical, an HVAC cntractr in Sharpsburg, VA, was able t penetrate the rganizatin s defenses and infected at least ne cmputer with a variant f the ZeuS banking Trjan. Abut tw mnths later, that infiltratin was used in the attack n Target Crpratin that resulted in the breach f infrmatin fr apprximately 110 millin custmers ii. A law firm in Charltte, NC transferred $387,000 t a bank in Virginia Beach, VA after it clsed a deal. Shrtly thereafter, cybercriminals transferred mst f this amunt t the law firm s bank in Charltte, which transferred the funds t a bank in New Yrk and then t a bank in Mscw. The victim rganizatin believes it had been infected with keystrke lgging sftware frm a phishing that captured all f the critical infrmatin necessary t initiate the wire transfer iii. These are all examples f the types f the phishing and malware threats that are becming mre cmmnplace as cybercriminals becme mre adept, stealthier, and mre able t penetrate crprate security defenses. The cnsequences f even a single such attack can be enrmus, resulting in the ptential lss f millins f dllars frm crprate financial accunts, the lss f sensitive custmer data, the lss f intellectual prperty like trade secrets r marketing plans, and pssibly the disslutin f a business. KEY TAKEAWAYS T cmbat phishing attempts and next-generatin malware, rganizatins f all sizes shuld cnsider a variety f issues related t security: Cybercriminals are getting better, users are sharing mre infrmatin thrugh scial media, and sme anti-phishing slutins threat intelligence is nt adequate. This makes rganizatins mre vulnerable t phishing attacks and ther threats. Mrever, malware is imprving and is harder t detect and remediate. Fr example, malware is better able t detect when it has been placed int a sandbx, attackers can crdinate their attacks, threats can remain drmant fr an extended perid and are therefre less likely t be detected, ne piece f malware can perate anther, and sme malware requires user interactin befre ging int actin. Users shuld be cnsidered the first line f defense in any security infrastructure, and s rganizatins shuld implement a rbust training prgram that will heighten users sensitivity t phishing attempts and ther explits. IT shuld implement rbust and layered security slutins based n gd threat intelligence, including hw the clud shuld be used as part f a rbust security infrastructure. IT and business decisin makers shuld implement best practices t help users mre carefully screen their electrnic cmmunicatin and cllabratin fr phishing and ther scial engineering attacks. IT shuld deply enterprise-grade alternatives t the cnsumer-fcused file sync and share, file-transfer, real time cmmunicatins, and ther applicatins that are cmmnly used tday Osterman Research, Inc. 1

3 Decisin makers shuld cnduct a thrugh analysis f the entire rganizatin t understand where data is stred and wh has access t it, as well as the tls that emplyees are using t access crprate data and netwrk resurces. Best Practices fr Dealing with Phishing and Next-Generatin IT shuld establish detailed and thrugh acceptable use plicies fr the use f every type f cmmunicatin r cllabratin system that is in place nw r might be used in the freseeable future. ABOUT THIS WHITE PAPER This white paper fcuses n the current security prblems with and ther systems, and it ffers recmmendatins abut hw t imprve security. This white paper was spnsred by KnwBe4 infrmatin n the cmpany is prvided at the end f the white paper. PRIMARY SECURITY CONCERNS SECURITY PROBLEMS DURING THE PAST 12 MONTHS Security decisin makers are cncerned and rightly s abut the effectiveness f their security defenses t prevent infiltratin f malware. As shwn in Figure 1, is the leading surce f malware infiltratin int an rganizatin, fllwed clsely by the Web in secnd place. Mre disturbing, hwever, is the significant prprtin nearly ne in fur that have seen malware enter the crprate netwrk thrugh a surce they have yet t discver. Figure 1 Infiltratins That Have Occurred During the Past 12 Mnths Surce: Osterman Research, Inc. If rganizatins cannt identify a successful security cmprmise, decisin makers may never knw that a particular event tk place until it s t late. As a result, while decisin makers have crrectly acknwledged the security cmprmises f which they are aware, thse abut which they are nt aware pse a mre significant prblem. It is likely that the actual rate f successful infiltratins r ther leakage events is much higher than reprted in the figure abve because f pr rganizatinal systems fr tracking successful threats Osterman Research, Inc. 2

4 MALWARE INFILTRATIONS OVER TIME infiltratin is generally getting wrse ver time, as shwn in Figure 2. In 2015, hwever, we discvered that has nce again becme the mst serius incursin pint fr malware. Interestingly, while the Web was the primary threat vectr fr malware fr several years, reclaimed its place as the leading entry pint fr malware in The grwing use f phishing as an attack vectr leads us t believe that will remain the mst imprtant entry pint fr malware fr the next several years. Best Practices fr Dealing with Phishing and Next-Generatin Figure 2 Infiltratins fr the Perid 2007 t 2015 Surce: Osterman Research, Inc. FALSE POSITIVE REMAIN AN ISSUE There is significant rm fr reducing the false psitive rati generated by anti-spam systems. Clearly, even a very small percentage f false psitives can result in a large number f valid messages being misclassified and unavailable fr their intended purpse. While false psitives generated by anti-spam slutins are nt cnsidered a sexy prblem t vercme by many decisin makers, this is a prblem that must be addressed fr tw reasns: users must spend time searching thrugh their spam quarantine fr mischaracterized valid s in rder t make sure that imprtant business cntent, such as client inquiries r purchase rders, is nt missed. This nt nly wastes emplyee time, but valid s can still be missed because users d nt recgnize them as nn-spam s. An user may identify a phishing attempt r ther malicius as valid and remve it frm the quarantine, thereby ptentially expsing the rganizatin t the paylad it cntains r the malicius cntent t which it links. ISSUES THAT CONCERN DECISION MAKERS MOST Our research revealed that while malware incursins arising frm emplyees use f the Web was the single mst serius cncern f security-fcused decisin makers and influencers, the next five cncerns all fcused n phishing and phishing-related activities, and/r the cnsequences f a phishing attack, as shwn in Figure 3. The 2015 Osterman Research, Inc. 3

5 greater cncern abut Web-based malware as ppsed t phishing may be due t the fact that while the Web was the primary threat vectr fr several years, sme decisin makers have nt reacted quickly enugh t the reemergence f as an increasingly serius infiltratin pint fr malware. This underscres the need t refcus as threats change, and t cnsider just hw dangerus is as a threat fr malware entry. Best Practices fr Dealing with Phishing and Next-Generatin Figure 3 Decisin Makers and Influencers Cncerns Abut Key Security Issues % Respnding a Serius r Very Serius Cncern Cncern % being intrduced frm emplyees Web surfing 49% Phishing attacks 45% Emplyees clicking n links within which dwnlad malware 44% Emplyees clicking attachments which dwnlad malware 44% Breaches f sensitive custmer data 39% Breaches f sensitive internal data 37% Virus/wrm/malware infectins 37% being intrduced frm emplyees persnal Webmail 33% Data lss frm emplyees sending cnfidential inf via clud-based tls like Drpbx 29% The lag between new virus utbreaks and when ur AV vendr issues an update t deal with these utbreaks 27% Data lss frm emplyees sending cnfidential inf via 26% Direct hacker attacks 24% Spam - yur IP address getting blacklisted due t utbund mail attack 23% Mbile malware 23% Spam the amunt f unslicited yur rganizatin receives 22% Data lss frm emplyees sending cnfidential inf via scial media 22% Denial-f-service attacks 20% Users ff-netwrk creating security prblems 19% Graymail the amunt f users slicited (pted int) and nw perceive as spam 18% Time spent by administratrs dealing with malware 18% being intrduced frm emplyees hme cmputers 17% being intrduced frm emplyees use f clud apps 16% Emplyees viewing inapprpriate cntent n the Web 16% Spam the amunt f false psitives caused by yur anti-spam system 16% Time spent by administratrs dealing with spam 15% Time spent by emplyees dealing with spam 11% Surce: Osterman Research, Inc. It is als imprtant t nte that while spam ranks fairly lw n decisin makers list f cncerns, the use f spam as a delivery vehicle fr phishing attempts is rampant. Cnsequently, its accurate detectin and remediatin must be a tp pririty in any security infrastructure Osterman Research, Inc. 4

6 SECURITY NEEDS SIGNIFICANT IMPROVEMENT PHISHING IS A CRITICAL ISSUE As discussed in the previus sectin, five f the six mst serius cncerns f securityfcused decisin makers and influencers are directly related t phishing attacks r the aftermath f a successful such attack. Mrever, as shwn in Figure 4, the phishing prblem has remained mre r less static ver the past twelve mnths fr nearly ne-half f rganizatins, but has becme decidedly wrse fr ne-third f them. Fr nly ne-fifth f rganizatins has the phishing prblem becme a less significant security issue. Best Practices fr Dealing with Phishing and Next-Generatin Figure 4 Over the past year, has the phishing prblem yu experience gtten better, wrse, r stayed abut the same? Surce: Osterman Research, Inc. SECURITY SOLUTIONS ARE IMPROVING ONLY SLIGHTLY The ability fr rganizatins t blck spam, malware and Web-based threats iv is imprving fr between 36% and 40% f rganizatins ver time. Hwever, as shwn in Figure 5, the ability t blck these threats is remaining relatively static ver time fr between 47% and 51% f rganizatins, and is actually getting wrse fr abut ne in eight rganizatins. It is imprtant t nte that spam, malware and Web threats cannt be cnsidered as distinctly separate threats. Fr example, many spam messages cntain links t malicius Web sites that can infect an endpint with malware r can be used t transmit a malicius attachment, while Web-based threats will als include the infectin f endpints with malware. Mrever, it is als imprtant t nte that while the data in Figures 4 and 5 may seem t be smewhat at dds, there is a significant difference between them: the data shwn in Figure 4 is fcused n the verall phishing prblem ver the past 12 mnths the amunt f phishing attempts received, users respnses t them, and the security team s ability t prevent them frm reaching end users while the prblems shwn in Figure 5 deal nly with the ability t blck these threats ver a lnger perid Osterman Research, Inc. 5

7 Figure 5 Imprvement in Prprtin f Threats Blcked Over Time Best Practices fr Dealing with Phishing and Next-Generatin Surce: Osterman Research, Inc. SECURITY EFFECTIVENESS VARIES WIDELY The effectiveness f rganizatins security defenses varies widely, as shwn in Figure 6. Fr example, fr mre traditinal defenses like detecting and remediating spam and sme frms f malware, security-fcused decisin makers and influencers believe their rganizatins d a reasnably gd jb: 51% rate themselves as gd r excellent when it cmes t eliminating spam, while 47% believe they are this effective at eliminating mre traditinal frms f malware. Hwever, as the threat vectrs becme mre cmplicated and sphisticated dealing with security n persnally-wned devices, preventing malware incursins delivered via users wh emply file sync and share tls, r dealing with phishing cnfidence in the efficacy f existing security defenses declines substantially. Mst ntably, rganizatins believe that their training effrts fr helping users t detect and avid security threats are fairly ineffective Osterman Research, Inc. 6

8 Figure 6 Security Defense s Effectiveness Against Varius Threats/Prblems Best Practices fr Dealing with Phishing and Next-Generatin Surce: Osterman Research, Inc. WHY IS PHISHING SO SUCCESSFUL? Althugh the success f phishing attempts varies based n the victim s gullibility, their training, their rganizatin s security defenses and ther factrs, there are three imprtant reasns that phishing is s successful tday: Cybercriminals are getting better at their craft. Their use f lgs, prfessinally crafted messages, and persnalizatin f cntent makes phishing attempts mre believable, and s prspective victims are mre likely t click n the links and attachments cntained within them. Users are sharing an increasing amunt f infrmatin thrugh scial media, thereby prviding cybercriminals with the fdder they need t craft persnalized and mre believable messages. Sme anti-phishing slutins are nt supprted with a sufficiently rbust database f real-time messaging intelligence, and s can fall prey t the latest techniques used by phishers. MALWARE IS IMPROVING Cybercriminals are becming mre adept at accmplishing their gal f stealing financial r ther data. Fr example, sme malware variants can detect when it has been placed int a sandbx and s will nt execute its cde. Attackers can crdinate their attacks amng varius delivery venues, including , the Web, scial media, files, etc. Threats can remain drmant fr an extended perid and are therefre less likely t be detected by many traditinal anti-phishing and anti-malware slutins. One piece f malware can perate anther that appears t be inncuus. Sme malware requires user interactin, such as clicking n a buttn in a dialg bx, befre ging int actin. The bttm line is that malware, phishing and ther threats are becming mre challenging and mre difficult t address Osterman Research, Inc. 7

9 MANY VIEW THE CLOUD AS A BEST PRACTICE TO IMPROVE SECURITY Our research revealed that spending fr clud-based security will increase significantly by early 2016, grwing frm 21% f all security spending in 2015 t 30% by early 2016, as shwn in Figure 7. While n-premises security infrastructure and spending will cntinue t dminate fr the freseeable future, the trend is clearly mving away frm n-premises systems as a prprtin f ttal spending, althugh Osterman Research anticipates that bth will grw substantially as rganizatins deply hybrid clud and n-premises slutins t create a mre layered infrastructure. Best Practices fr Dealing with Phishing and Next-Generatin Figure 7 Spending fr Clud and On-Premises Security, 2015 and 2016 Surce: Osterman Research, Inc. The use f clud-based slutins t thwart phishing attempts and ther malicius cntent frm reaching endpints can be an imprtant best practice in either blstering an existing, n-premises security infrastructure r adding anther layer f defense t a clud security slutin. Many rganizatins have enugh t deal with when it cmes t phishing and malware, and s use f clud-based slutins is viewed by many decisin makers as an imprtant supplement t existing defenses. CURRENT AND PREFERRED SECURITY DELIVERY MODELS A separate Osterman Research survey fund that rganizatins have a much strnger preference fr a small number f security systems that can be managed via a single interface, and that they have a lwer preference fr the use f best-f-breed slutins that are managed using different interfaces, as shwn in Figure 8. This includes bth clud-based and n-premises slutins Osterman Research, Inc. 8

10 Figure 8 Current and Preferred Delivery Mdels fr Security Best Practices fr Dealing with Phishing and Next-Generatin Delivery Mdel Current Preferred ON-PREMISES security slutins ffered by ne r nly a small number f vendrs and all f them 22% 32% managed thrugh a single interface ON-PREMISES, pint, best-f-breed slutins frm multiple vendrs, each f which is managed 60% 26% thrugh a different interface CLOUD-BASED security slutins ffered by ne r nly a small number f vendrs and all f them 15% 22% managed thrugh a single interface CLOUD-BASED, pint, best-f-breed slutins frm multiple vendrs, each f which is managed 4% 8% thrugh a different interface Nt sure -- 12% Surce: Osterman Research, Inc. There is a significant difference between the types f security slutins that many rganizatins use tday and what they wuld like t use. Three ut f five rganizatins presently use n-premises, best-f-breed pint slutins frm several vendrs, each with a different management interface. Hwever, nly ne-quarter f rganizatins wuld actually prefer t d s. In cntrast, while just ver ne-fifth f rganizatins currently have n-premises slutins ffered by a single r small number f vendrs with a single management interface, ne-third want t have such a slutin. There is a similar difference between the current and preferred situatin with clud-based slutins frm a single r small number f vendrs at 15% currently t 22% preferred. This is ften an issue f market and prduct maturity. When prducts are nt as mature as they shuld be and are being updated quickly, there is nrmally a significant difference in prduct effectiveness between established and new entrant vendrs. Decisin makers then have t chse between prduct effectiveness (and supprt multiple prducts frm different vendrs) r fewer vendrs (generally with less prduct efficacy). As the market matures and vendr cnslidatin takes place, the dminant vendrs wrk t integrate their varius prducts and deliver imprved integratin. As this takes place, there is a transitin perid fr rganizatins as they migrate frm multiple systems t mre integrated alternatives. The results in the figure abve with regard t the use f best-f-breed reflects, t sme extent, the fundamental difference between n-premises slutins and cludbased alternatives. When the infrastructure is maintained n-premises, different vendrs best-f-breed slutins can be emplyed because is passed frm ne t the ther efficiently and quickly. Hwever, the same mdel cannt be efficiently applied t the clud: sending fr filtering r ther management functins frm ne clud prvider t anther intrduces significant latency int message prcessing and delivery, creates an additinal number f ptential failure pints, and cnsumes significant bandwidth. LOW CONFIDENCE FOR USER-FOCUSED PHISHING DEFENSES As nted earlier, security-fcused decisin makers and influencers rated their security training as less effective than ther aspects f their security defenses. The lw rating fr security training is further demnstrated in Figure 9, which shws that ne-half f rganizatins have little cnfidence (scring less than 60 n a scale f 0-100) in their rganizatins training prgrams fr phishing training, while an even larger prprtin has this lw level f cnfidence in their emplyees chsing nt t click n links r attachments that appear in phishing s Osterman Research, Inc. 9

11 Figure 9 Cnfidence in Emplyee Training and Behavirs Related t Phishing Rated n a scale f 0 (n cnfidence) t 100 (very cnfident) Best Practices fr Dealing with Phishing and Next-Generatin Surce: Osterman Research, Inc. VARIED APPROACHES TO SECURITY TRAINING The appraches t security awareness training vary substantially, as shwn in Figure 10. Fr example, 30% f the rganizatins surveyed fr this white paper use the Break Rm Apprach, an infrmal apprach t security training that prvides instructin n hw t detect and avid prblems with phishing s r basic Web surfing. A smaller prprtin shw shrt vides t their emplyees t make them mre aware f security issues and best practices, while abut ne in five rganizatins prvides n security awareness training whatsever. Hwever, ur research did find that slightly mre than ne in five rganizatins take a mre practive and frmalized apprach t security awareness training, cnducting training n security awareness, fllwing up with testing f varius kinds t determine hw well this training wrked, and prviding further fllw-up, as necessary Osterman Research, Inc. 10

12 Figure 10 Appraches t Security Awareness Training % f Organizatins Best Practices fr Dealing with Phishing and Next-Generatin Apprach % The Break Rm Apprach: We gather emplyees fr a lunch r special meeting and tell them what t avid when surfing the Web, in s 30% frm unknwn surces, etc. The Mnthly Security Vide Apprach: We have emplyees view shrt security awareness training vides t learn hw t keep the netwrk and 26% rganizatin safe and secure. The D Nthing Apprach: We dn t really d security awareness 21% training. The Phishing Test Apprach: We pre-select certain emplyees, send them a simulated phishing attack, and then see if they fall prey t the 14% phishing attack. The Human Firewall Apprach: We test everyne in the rganizatin find the percentage f emplyees wh are prne t phishing attacks, and 8% then train everyne n majr attack vectrs, sending simulated phishing attacks n a regular basis. Surce: Osterman Research, Inc. KEEPING UP IS INCREASINGLY DIFFICULT One f the fundamental prblems in managing security tday is the speed with which malware variants are created and distributed. Fr example, n average there are 10,000+ new malware threats discvered every sixty minutes. This means that even if a malware engine is updated n an hurly basis, many new variants will nt be detectable and s will have the ptential t infect endpints. A key element in the success f phishing attempts using links is the rapidity with which dmains can be created. Fr example, a phishing attempt cntaining a link is sent t victims, but the link pints t a Web site that cntains n malicius cntent. Cnsequently, many anti-phishing slutins will assume that the link is inncuus because the link pints t a safe lcatin. Only after the has been sent and the link destinatin verified as safe will cybercriminals intrduce malware t the site, thereby infecting visitrs wh click n the link in the . The stealthiness f a grwing prprtin f malware is increasing. Fr example, sandbx technlgy is increasingly used t evaluate suspicius files r untested cde t determine if it cntains malware r therwise represents a threat. The gal f the sandbx, which is nrmally run n a virtual machine, is t allw malware t becme manifest in a secluded envirnment where it can d n harm. Hwever, malware authrs can nw detect if their cntent is running in a sandbx envirnment and s the suspect files will either stp wrking r wait t execute until after the cntent has been determined t be safe. Anther very serius issue is the ptential fr malware t remain despite any attempts t eradicate it. Fr example, the Equatin Grup has develped malware that can infect hard drive firmware and that cannt be eradicated v. While this frm f malware is extremely rare given the Equatin Grup s fcus n nly very high value targets, it represents a trubling develpment that culd ptentially impact a mre mass-market victim base in the future Osterman Research, Inc. 11

13 KEY THREATS TO CONSIDER Organizatins f all sizes face a wide variety f threats, ranging frm seemingly inncuus incursins like spam that create strage prblems and general annyance, t highly targeted attacks that can create majr breaches f sensitive r cnfidential infrmatin. Amng the range f threats t cnsider are the fllwing: Best Practices fr Dealing with Phishing and Next-Generatin Phishing s Phishing s are cmparatively unfcused messages that are designed t elicit sensitive infrmatin frm users, such as lgin credentials, credit card infrmatin, Scial Security numbers and ther valuable data. Phishing s purprt t be frm trustwrthy surces like banks, credit card cmpanies, shipping cmpanies and ther surces with which ptential victims already have established relatinships. Mre sphisticated phishing attempts will use crprate lgs and ther identifiers that are designed t fl ptential victims int believing that the phishing s are genuine. The impact f phishing s shuld nt be underestimated. An Osterman Research survey cnducted in late 2014 fund that there have been a variety f security incidents that were attributable t malicius s, such as 41% f rganizatins that have lst sensitive data n an emplyee s cmputer and 24% that have lst sensitive data frm the crprate netwrk. Spearphishing s A spearphishing is a targeted phishing attack that is generally directed at a small grup f ptential victims, such as senir individuals within a cmpany r ther rganizatin. Spearphishing s are generally quite fcused, reflecting the fact that a cybercriminal has studied his r her target and has crafted a message that is designed t have a high degree f believability and a ptentially high pen rate. One f the reasns that spearphishing is becming mre effective is that ptential victims prvide cybercriminals with the fdder they need t craft believable messages. Fr example, Facebk, Twitter, LinkedIn and ther scial media venues cntain enrmus amunts f valuable infrmatin abut travel plans, persnal preferences, family members, affiliatins, and ther persnal and sensitive infrmatin that can be incrprated int spearphishing s. Remte users accessing crprate resurces Emplyees, cntractrs and thers wh access resurces n the crprate netwrk, such as thse wrking frm hme r in anther remte site, are a key surce f threats. An unprtected user accessing a crprate asset, such as Outlk Web Access that is nt accessed via a VPN, r a laptp cmputer that becmes infected and later is cnnected t the crprate netwrk, can cnstitute a serius threat. This is becming a serius prblem fr mst rganizatins as users emply persnally wned devices like their wn smartphnes, tablets and ther traditinally cnsumer devices in a wrkplace setting. Cnsumer file sync and share tls Clsely related t the pint abve is the widespread and grwing use f cnsumer file sync and share tls like Drpbx, Micrsft OneDrive and Ggle Drive, amng many thers. These tls are cmmnly used by emplyees t make their files available n all f their desktp, laptp and mbile platfrms fr access when traveling, when they wrk frm hme, r when they are therwise away frm the ffice. While these tls are quite useful and generally wrk as they are intended, they represent an imprtant incursin pint fr malware. Fr example, an emplyee wh accesses his r her crprate files n a hme cmputer, many f which d nt have the latest anti-virus updates and whse use is nt cntrlled by any srt f sphisticated security infrastructure, can inadvertently infect these files with malware. When the files are synced back t the emplyee s desktp cmputer, malware can readily infect the netwrk 2015 Osterman Research, Inc. 12

14 because it may have bypassed crprate , Web gateway and ther defenses. In an alternative infectin scenari, an emplyee wrking frm hme can have files infected frm their hme cmputer and then send these files t a client r business partner withut the files ever having passed thrugh the crprate security infrastructure. Best Practices fr Dealing with Phishing and Next-Generatin Watering hles This is a type f scial engineering attack in which cybercriminals will identify key Web sites that are frequented by individuals r grups they wuld like t infiltrate, such as mbile app develpers. These targeted Web sites are then infected with malware, the gal f which is t infect members f the affinity grup. An example f ne such attack was an ios mbile develpers frum that hsted malware and was targeted against Apple and Facebk vi. Emplyee errrs Emplyees will smetimes inadvertently install malware r cmprmised cde n their cmputers. This can ccur when they dwnlad a cdec, install ActiveX cntrls, install varius applicatins that are intended t address sme perceived need (such as a capability that IT des nt supprt r that a user feels they must have), r when they respnd t scareware/fake anti-virus (rgue AV r fake AV) sftware. Scareware is a particularly dangerus frm f malware because it preys n users wh are attempting t d the right thing t prtect their platfrms frm viruses and ther malware. Even users wh are quite experienced can be fled by a well-crafted scareware message. Malvertising Malicius Internet advertising is intended t distribute malware thrugh advertising impressins n Web sites. An Online Trust Alliance brief discussed hw a single malvertising campaign can generate 100,000 impressins, with apprximately 10 billin malvertising impressins ccurring in 2013 via mre than 200,000 malvertising incidents vii. Underscring just hw serius the malvertising prblem has becme, a study by RiskIQ fr the perid January t September 2013 fund that 42% f malvertising is carried ut by drive-by explits that did nt require interactin by end users (58% f malvertising invlves users clicking n malicius advertisements) viii. Mbile malware The grwing use f smartphnes and tablets, particularly persnally wned devices, is increasingly being explited by cyber criminals. Fr example, Alcatel- Lucent fund that 16 millin mbile devices were infected with malware during 2014, an increase f 25% frm 2013 ix. This represents an infectin rate f 0.68%, meaning that in an rganizatin f 1,000 emplyees, each f whm has an average f 1.5 mbile devices, there will be a ttal f 102 infected mbile platfrms at any given time. The vast majrity f infectins impact Andrid devices the Alcatel-Lucent research suggests that under 1% f iphne and BlackBerry devices are infected with malware. Mbile cpycat applicatins Many develpers distribute their mbile apps thrugh vendr and third party stres that ffer varying levels f security, much f it inadequate. Sme app stres are highly secure peratins and require that develpers satisfy rigrus standards befre their apps can be ffered. Others standards, hwever, are less stringent and create the pprtunity fr serius security risks. The result is that many third-party app stres are susceptible t a number f security and related prblems like the distributin f cpycat apps and malware distributin. Cmprmised search engine queries Valid search engine queries can be hijacked by cybercriminals t distribute malware. This frm f attack relies n pisning search queries, resulting in the display f malware-laden sites during Web searches. Search engine pisning is 2015 Osterman Research, Inc. 13

15 particularly effective fr highly ppular search terms, such as infrmatin n celebrities, airline crashes, natural disasters and ther newsy items. Best Practices fr Dealing with Phishing and Next-Generatin Btnets Btnets are the cause f a large number f successful hacking and phishing attacks against many high-prfile targets. Fr example, Sny, Citigrup, the US Senate, Lckheed Martin, the Internatinal Mnetary Fund, Nrthrup Grumman, and RSA have all been victimized by btnet attacks. The result has been that millins f recrds have been expsed that will result nt nly in the disclsure f persnal and sensitive infrmatin, but als lawsuits and ther expensive remediatin effrts. Hacking This is a frm f specialized cyberattack in which cybercriminals use a number f techniques in an attempt t breach crprate defenses. An example f a successful hacking attack is the recent incursin against Sny Pictures that may have been carried ut by an peratin f the Nrth Krean gvernment. Gullible users Users can represent a majr security threat because f a cmbinatin f their specific persnality types and inadequate training. Fr example, 100 students frm an undergraduate psychlgy at the Plytechnic Institute f New Yrk were sampled x. These students a) cmpleted a survey fcused n their beliefs and habits with regard t nline behavir; b) asked abut hw likely they thught they wuld be the victim f nline crime, such as passwrd theft; and c) cmpleted a persnality assessment survey. After cmpleting these activities, these students were then sent bvius phishing s. One ut f six f thse tested mst f whm were engineering r science majrs fell fr the scam s. Ignring the gender differences f thse wh were mst likely t fall fr the phishing s in this study, the researchers fund that thse with the mst pen persnalities i.e., thse wh are mst extrverted were mre likely t fall fr phishing scams. The findings strngly suggest that peple wh vershare n Facebk r Twitter, fr example, are mre likely t becme victims f phishing scams and ther nline fraud than thse wh are mre intrverted, share less r wh dn t have scial media accunts. Anther study fund that yunger students (aged 18-25) were mre likely t fall fr phishing scams than their lder cunterparts xi. Ransmware One f the mre cmmn recent examples f ransmware is the CryptLcker malware that encrypts victims files and then demands ransm t decrypt them. Victims wh chse nt t pay the ransm within a shrt perid f time will have their files remain encrypted permanently. Cryptlcker typically extrts a few hundred dllars per incident and is nrmally delivered thrugh with a PDF r.zip file disguised as a shipping invice r sme ther business dcument xii. RECOMMENDATIONS T address the risks assciated with phishing and next-generatin malware, Osterman Research recmmends a variety f actins that any rganizatin shuld undertake: Understand the risk that yur rganizatin faces The critical first step in develping a best practices apprach t security is t understand, at least at a high level, the risks that an rganizatin faces. Many decisin makers d nt sufficiently appreciate these risks because they are t busy, they dn t have enugh budget, r they have nt fcused enugh n the grwing number f risks they face. Cnsequently, Osterman Research recmmends that security decisin makers study the grwing variety f security 2015 Osterman Research, Inc. 14

16 risks in detail and realize that they represent a serius threat t their rganizatin. While this sunds simplistic, t many decisin makers take a defensive apprach, waiting until bad things happen until they take actin, when they shuld be much mre practive in rder t prevent them t the greatest extent pssible. Best Practices fr Dealing with Phishing and Next-Generatin As just ne example, rganizatins must mnitr the risk levels assciated with their data assets, crprate systems and ther tls that users may emply in respnse t regulatry requirements, advice frm legal cunsel, recent data breaches, cybercriminal activity and ther factrs. Fr example, a database might cntain nn-sensitive data that can safely be accessed using nly a username and passwrd. Hwever, a change in an rganizatin s fferings r a new industry regulatin may mean that sensitive data will be added t the database, thereby increasing the risk f inapprpriate access f that cntent stre. Understand the breadth f tls that might be used (and maybe shuldn t be) There are a number f capabilities that emplyees use that can create significant risks. Fr example: Persnal Webmail accunts that users emply when the crprate system is dwn r when they need t send files that are t large t be sent by the crprate system. Cnsumer-fcused file sync and share tls that give users access t all f their files frm any platfrm, but that typically d nt scan cntent fr malware r ther threats. File-transfer tls that are designed t send very large files independently f the crprate system, and s d nt get scanned fr malware. Persnally wned smartphnes r tablets that can be the target f mbile malware. Scial media tls that can be used t send crprate cntent r that can allw malicius cntent t enter an rganizatin via shrt URLs r malvertising links. Emplyees hme cmputers, which ften are shared by family members wh dwnlad nn-secure cntent, and fr which anti-virus defenses are ften ut-f-date. The grwing variety f mbile apps, clud-based applicatins and ther tls that can subject crprate data t infiltratin by malware r expse sensitive data t exfiltratin by cybercriminals. Cnduct a cmplete internal audit Organizatins need t cnduct a thrugh audit t understand where all f their data is lcated, wh has access t this data, the specific legal and regulatry bligatins t which this data is subject, the identity f the data stakehlders, and ther relevant infrmatin. This is essential in rder t build a map f srts that will help decisin makers t understand the security risks they face and hw t priritize their resurces in clsing the security gaps that exist. Establish detailed and thrugh plicies Mst rganizatins have nt yet established sufficiently detailed and thrugh plicies fr the varius types f , Web and scial media tls that their IT departments have deplyed r that they allw t be used. Cnsequently, we recmmend that an early step fr any rganizatin shuld be the develpment f detailed and thrugh plicies that are fcused n all f the tls that are r 2015 Osterman Research, Inc. 15

17 prbably will be used in the freseeable future. These plicies shuld fcus n legal, regulatry and ther bligatins t: Best Practices fr Dealing with Phishing and Next-Generatin Encrypt s and ther cntent if they cntain sensitive r cnfidential data. Mnitr all cmmunicatin fr malware that is sent t blgs, scial media, and ther venues. Cntrl the use f persnally wned devices that access crprate resurces. Creating detailed and thrugh plicies will help decisin makers nt nly t determine hw and why each tl is being and shuld be used, but it als will help decisin makers determine which capabilities can r cannt be migrated t clud-based security slutins and which shuld be retained in-huse. Implement best practices fr user behavir The next step is t implement a variety f best practices t address the security gaps that have been identified. Fr example: Emplyees need t emply passwrds that match the sensitivity and risk assciated with their crprate data assets. These passwrds shuld be changed n an enfrced schedule, and shuld be managed by IT. Emplyees shuld be strngly encuraged and cntinually reminded t keep sftware and perating systems up-t-date t minimize a knwn explit frm infecting a system with malware. Emplyees shuld receive thrugh training abut phishing and ther security risks in rder t understand hw t detect phishing attempts and t becme mre skeptical abut suspicius s and cntent. It is imprtant t invest sufficiently in emplyee training s that the human firewall can prvide the best pssible initial line f defense against increasingly sphisticated phishing and ther scial engineering attacks. Emplyees shuld be tested peridically t determine if their anti-phishing training has been effective. Emplyees shuld be given training abut best practices when cnnecting remtely, including the dangers f cnnecting t public Wi-Fi ht spts r ther unprtected access pints. Emplyees need t be trained n why nt t extract ptentially suspicius cntent frm spam quarantines that might end up being phishing s. Emplyees need t be given a list f acceptable and unacceptable tls t emply fr file sync and share, scial media and ther capabilities as part f the verall acceptable use plicies in place. Ensure that all emplyees maintain rbust anti-virus defenses n their persnally managed platfrms if access t any crprate cntent will take place n them. Emplyees shuld be reminded cntinually abut the dangers f versharing cntent n scial media. The wrld will nt be a better place if it knws that yu had breakfast in Cancun this mrning, but it culd give cybercriminals a piece f infrmatin they need t craft a spearphishing . Deply alternatives t slutins that emplyees use tday Decisin makers shuld seriusly cnsider implementing tls that will replace 2015 Osterman Research, Inc. 16

18 many f the emplyee-managed slutins in place tday, but that will prvide users with the same cnvenience and ease f use. Fr example, IT may want t deply an enterprise-grade grade file sync and share alternative fr the cnsumer versin f Drpbx that is s widely used tday. They may want t implement a business cntinuity slutin that will enable crprate t be used during utages instead f users falling back n their persnal Webmail accunts. They may want t cnsider deplying an enterprise-grade file-sharing system that accmmdates very large files if the crprate system des nt allw these files t be sent. Best Practices fr Dealing with Phishing and Next-Generatin Implement rbust and layered security slutins based n gd threat intelligence It almst ges withut saying that it is essential t implement a layered security infrastructure that is based n gd threat intelligence. Ding s will minimize the likelihd that malware, hacking attempts, phishing attempts and the like will be able t penetrate crprate defenses. An essential element f gd security is starting with the human cmpnent. As we discussed abve, users are the initial line f defense in any security system because they can thwart sme ptential incursins like phishing attempts befre technlgy-based slutins have detected them. Cnsequently, we cannt veremphasize the imprtance f gd and frequent user training t blster this initial line f defense, the gal f which is t heighten users sensitivity t phishing and related threats, and t help users t be less gullible. By n means are we suggesting that users can be the nly line f defense, but they shuld be incrprated int the verall security mix. Determine if and hw the clud shuld be used A critical issue fr decisin makers t address is whether r nt internal management f security, as well as ther part f the IT infrastructure, is a cre cmpetency that is central t the success f the rganizatin. Key questins that decisin makers must answer are these: Will ur security imprve if slutins remain n-premises? Will managing security n-premises and managed by in-huse IT staff cntribute mre t the bttm line than using a clud-based prvider? Shuld a hybrid security apprach with bth n-premises and clud-based slutins be use? If s, fr which systems? Many rganizatins are cnsidering clud delivery fr the varius types f security services they manage because f their lwer and mre predictable csts; the ability t free internal IT staff fr ther initiatives; and the advantage f blcking unwanted and dangerus cntent befre it can reach the crprate netwrk. Plus, the use f a hybrid security architecture enables mst unwanted cntent t be eliminated in the clud, while leaving deeper cntent inspectin fr n-premises systems. Clud-based and n-premises security slutins are ften viewed as cmplementary appraches, rather than as an either/r prpsitin. A duble layer f prtectin r a triple layer if bth desktp and server/gateway appraches are used n-premises decreases the likelihd f a successful attack being registered against the crprate netwrk. This principle is particularly relevant fr anti-virus and anti-malware slutins, but less s fr ther systems, such as data lss preventin systems, where a single apprach can be effective when acting alne. An imprtant requirement in accurately evaluating the use f clud-based security slutins is fr decisin makers t understand the actual and cmplete ttal cst f wnership fr managing the current, n-premises infrastructure Osterman Research, Inc. 17

19 Osterman Research has fund cnsistently that many decisin makers d nt fully cunt all f these csts and are nt cnfident in their estimates. If decisin makers d nt understand accurately what it csts their rganizatin t prvide a particular service t their users, this leads t prly infrmed decisin-making, as well as an inability t determine the ptential cst savings and the return-ninvestment frm cmpeting security slutins. Best Practices fr Dealing with Phishing and Next-Generatin SUMMARY Despite the billins f dllars spent each year n anti-phishing, anti-malware, antianti-spam and ther security slutins, threats still find their way int mst rganizatins despite the best effrts f security teams t stp them. In fact, fr many rganizatins the prblem is actually getting wrse ver time. The cnsequences f these incursins can be severe, and in sme extreme cases cause a business t g bankrupt. T cmbat phishing, next-generatin malware and ther threats, rganizatins shuld implement a variety f best practices, including effective training fr users t detect phishing attempts, the creatin f detailed and thrugh crprate plicies that will address acceptable user behavir, the deplyment f enterprise-grade alternatives t the less secure cnsumer-fcused tls widely used tday, and the deplyment f a layered security slutin that will thwart malware, phishing attempts and ther threats t the greatest extent pssible. SPONSOR OF THIS REPORT ABOUT KNOWBE4 KnwBe4 prvides yu with the wrld s mst ppular integrated Security Awareness Training and Simulated Phishing platfrm. Well ver 1,000 enterprise accunts are using it with great results. Based n Kevin Mitnick s 30+ year unique firsthand hacking experience, yu nw have a tl t better manage the urgent IT security prblems f scial engineering and phishing. This platfrm allws yu t create yur human firewall This is a high quality web-based interactive training cmbined with frequent simulated phishing attacks, using case-studies, live dem vides and shrt cmprehensin tests. Kevin Mitnick Security Awareness Training specializes in making sure emplyees understand the mechanisms f spam, phishing, spear-phishing, malware and scial engineering, and are able t apply this knwledge in their day-tday jb. Yu are able t send unlimited simulated phishing attacks t yur emplyees year-rund using ur extensive library f phishing templates. The training cmes in three flavrs: The new, full 45-minute training which is split in 4 mdules that an emplyee can d ver time; A 25-minute versin which ges int Advanced Persistent Threats, cvers the new ransmware threat and has tw new case studies; and A cndensed 15-minute versin which specifically fcuses n Advanced Persistent Threats and phishing and nw is available in 9 languages. We prvide this prgram in three ways; Clud-based SaaS, SCORM cmpliant training mdules fr yur wn LMS and as a fully Managed Service. Learn mre at Osterman Research, Inc. 18

20 2015 Osterman Research, Inc. All rights reserved. Best Practices fr Dealing with Phishing and Next-Generatin N part f this dcument may be reprduced in any frm by any means, nr may it be distributed withut the permissin f Osterman Research, Inc., nr may it be resld r distributed by any entity ther than Osterman Research, Inc., withut prir written authrizatin f Osterman Research, Inc. Osterman Research, Inc. des nt prvide legal advice. Nthing in this dcument cnstitutes legal advice, nr shall this dcument r any sftware prduct r ther ffering referenced herein serve as a substitute fr the reader s cmpliance with any laws (including but nt limited t any act, statute, regulatin, rule, directive, administrative rder, executive rder, etc. (cllectively, Laws )) referenced in this dcument. If necessary, the reader shuld cnsult with cmpetent legal cunsel regarding any Laws referenced herein. Osterman Research, Inc. makes n representatin r warranty regarding the cmpleteness r accuracy f the infrmatin cntained in this dcument. THIS DOCUMENT IS PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL. REFERENCES i ii iii iv v vi vii viii ix x xi xii in-hacker-scam-by-debra-cassens-weiss/#.voa79t5nla.linkedin We did nt define spam, malware r Web-based threats fr the respndents in the survey cnducted fr this white paper, but instead relied n the generally understd definitins fr these terms amng the IT decisin makers and influencers with whm we spke. Crwn-Creatr-f-Cyber-Espinage advertising_risk_evaluatin_framewrk.pdf Surce: Alcatel-Lucent Mtive Security Labs divisin d/d-id/ ? Osterman Research, Inc. 19