Cyber liability threats, trends and pointers for the future


Cyber liability threats, trends and pointers for the future Tim Smith Partner, BLM t: 020 7865 3313 e: tim.smith@blm-law.com February 2013

The European Network and Information Security Agency (ENISA) has recently reviewed the security threat landscape. ENISA has identified the current top threats as follows.

Drive-by exploits

This refers to the injection of malicious code into HTML-coded websites which exploits vulnerabilities in users' web browsers (also known as "drive-by download attacks"). These attacks target software residing on internet users' computers (such as web browsers, browser plug-ins and operating systems) and infect it automatically when a drive-by download website is visited, without any user interaction. ENISA has identified these as the top web threat, with attackers moving into targeting browser plug-ins such as Java, Adobe Reader and Adobe Flash. The attacks are almost exclusively launched through compromised legitimate websites which are used by attackers to host malicious links and malicious code. The first drive-by download for Android was identified in May 2012, demonstrating that drive-by download attacks are a mobile threat as well. This threat is regarded as an increasing one.

Worms/trojans

Worms and malicious programmes have the ability to replicate and redistribute themselves by exploiting the vulnerabilities of their target systems. Trojans (trojan horses) are malicious programmes that are injected into users' systems and can let in other programmes (remote access trojans) or steal user data and credentials. ENISA has identified data theft trojans as being widely used by cyber criminals. Trojans are the most reported type of malicious code. Social networks have been identified as an appealing distribution channel for those preparing malware. Again, this is regarded as an increasing threat. The Downadup worm, which emerged in early 2008, caused one of the largest epidemics of all time and managed to infect more than 12 million computers in less than 12 hours. Social networks present a vehicle for malware authors to distribute their programmes in ways that are not easily blocked. The Koobface worm infiltrated Facebook, MySpace and other social networking sites. More than three years after its initial release the Conficker worm is still the most commonly encountered piece of malicious software. The Android marketplace has been targeted by cyber criminals luring users into installing trojans disguised as legitimate apps. This has also happened to Apple's App Store and, to a lesser extent, Google's Play Store.

Code injection attacks

These consist of attacks against web applications with the aim of extracting data, stealing credentials or taking control of the targeted web server. They are popular among hacktivist groups such as Anonymous. Again, this is regarded as an increasing threat. The ENISA Report indicates that the hacktivist groups Anonymous and LulzSec had a major presence in SQL injection tactics early in 2011 and will continue to hone their skills with new injection attack methods (according to an IBM Mid Year Trend and Risk Report for 2012). Trustwave ranked SQL injection as the number one web application risk.

Exploit kits

Exploit kits are ready-to-use software packages that automate cyber crimes. They mostly use drive-by download attacks (where malicious script code is injected into compromised websites). ENISA has identified Malware as a service (MAAS) as a new and emerging criminal business model. Cyber crime has clearly become more professional and commercial through this kind of threat, which is viewed as increasing. According to an AVG Community Powered Threat Report from the first quarter of 2012, Blackhole is a sophisticated and powerful exploit kit, mainly due to its polymorphic nature and the fact that it is heavily disguised to evade detection by anti-malware solutions. AVG reported that Blackhole had a 63% malware market share and that its consequences included social networks being overwhelmed by malicious advertising for uncompromised ad servers and normal graphics images containing malicious script. It was predicted that new versions of Blackhole would result in an upsurge in larger scale attacks. The attraction for cyber criminals is that Blackhole can be used to make money through credit card and banking frauds, by installing rogue security products, or through ransomware and other payloads.

Botnets

A botnet is a group of compromised computers under the control of an attacker. The compromised system communicates with the person controlling it, who can use it, for example, in spamming, identity theft or infecting other systems, or for the distribution of malware. ENISA has noted that botnets are increasingly used as a commodity, with interested parties able to rent botnets in order to achieve their purposes. ENISA has also noted that malware authors appear interested in turning Android mobile phones into bots/zombies. Again, this is regarded as an increasing threat. The report (looking at an IBM Trend and Risk Report in 2011) noted that spam was declining, the view being that this was the result of several botnet take-downs. It was felt (according to a report by the Italian Information Security Association in 2012) that mobile systems would constitute an escalating proportion of botnets as they had valuable processing power and bandwidth and most of them were not provided with effective anti-malware protections. Users often tampered with them to unlock some advanced functions, which often made them even more vulnerable. Kaspersky Lab reported that those controlling botnets were targeting the mobile and Mac sectors. It noted that few users appear to realise that their smartphones are fully functional computers which contain valuable data that might be of interest to cyber criminals.

Denial of service

A denial of service attack is an attempt by multiple attackers to make a service unavailable to its users. The multiple attackers use simultaneous attacks with as much intensity as possible (usually through compromised computer systems/botnets) in order to make the attack difficult to defend against. ENISA expects future attacks to abandon a simple flood-based approach and to increase in sophistication and in the number of applications they target. Although this is regarded as a stable area of threat, there was a significant increase in the prevalence of very substantial denial of service attacks.

Phishing

Phishing is the combined use of fraudulent e-mails and legitimate-looking websites by cyber criminals in order to gain user credentials. Whilst financial institutions account for most active phishing sites, payment services, social networking, ISPs, non-profit organisations, parcel services and government websites are also among those most commonly utilised. ENISA reported that the up-times of phishing sites dropped to a record low in the first half of 2012. It regards the current trend as being stable. From 2010 to 2012 the e-mail scam/phishing volume went up nearly 400% according to an IBM Mid Year Trend Report in 2012. Financial institutions were once again the most targeted businesses. Generally speaking, either the phishing e-mail itself would contain a malicious attachment or the attachment would contain a URL that led to malware. One of the most widely used attacks was to forward website addresses via SMS messages on a smartphone. According to IBM in 2012, the volume of spam and the volume of scam moved in opposite directions.

Compromising confidential information

This refers to data breaches that occur via intentional or unintentional information disclosure by external or internal threats. Data breaches are usually achieved through some form of hacking, malware, physical attacks, social engineering attacks and misuse of privileges. ENISA categorised 2011 as the year of the security breach. The number of data breaches detected at healthcare organisations has increased. The adoption of electronic health record systems storing personally identifiable information has attracted the attention of cyber criminals. Data breaches have become more targeted. Negligent insiders and external malicious attacks are the main causes of data breaches. More than nine out of ten breaches would have been prevented if organisations had followed data protection and information security best practices. Web application vulnerabilities are key to many data breaches. Enterprises that suffer data breaches not only lose money but also reputation and customers. ENISA regards this trend as increasing. According to a FireEye Report for the first half of 2012, between January 2012 and June 2012 the number of events detected at healthcare organisations almost doubled. As healthcare organisations moved towards the adoption of electronic health record systems and began to digitally store and manage personally identifiable information, these sensitive assets were coming under increasing attack by cyber criminals. Hackers are responsible for 40% of breaches. According to Symantec (in an Intelligence Report dated August 2012), in the last eight months of 2011 the average number of identities stolen was 1,311,629 per data breach. In 2012 this went down to 640,169. Bitdefender reported that in the first half of 2012 popular web services such as Last.FM, LinkedIn and Yahoo Voice were compromised and had their user databases stolen and shared online. In some instances the database leaks were followed by phishing attempts sent to victims. A Data Breach Investigation Report analysing 855 security incidents in 2011 exposing 174 million records showed that 63% could have been prevented with measures categorised as simple and cheap. Another 31% could have been prevented with measures deemed intermediate. In effect, nine out of ten breaches would have been thwarted if organisations had followed best practice (Verizon 2012 Data Breach Investigations Report). According to Verizon, hacktivism surpassed organised crime in the amount of data stolen. The Ponemon Institute reported that 96% of all healthcare organisations surveyed had experienced at least one data breach in the previous two years. Trustwave reported that, in the majority of the cases it analysed, the third party responsible for system support, development and/or maintenance had introduced the security deficiencies exploited by attackers.

Rogueware/scareware

Rogueware deliberately imitates the graphical user interface and branding of established legitimate antivirus or anti-spyware programmes (in some cases even copying the designs or logos). The most typical scenario for rogueware infections starts with the user being shown a fake system scan warning. Sophos reported that fake antivirus was still a big problem. Whilst there had been little technical change in the products, there had been changes in their distribution methods (eg, via search engines, spam and drive-by downloads). Scareware is rogue security software which tries to infect computers by providing false security alerts. ENISA reports that whilst fake security software is still a big problem, the threat has fallen off as a result of increased user awareness as well as more effective international cooperation. As a result it regards the current trend as being stable.

Spam

Spam is the use of e-mail technology to flood mailboxes with unsolicited messages. ENISA reported that spam activity was significantly lower in 2011 due to coordinated activities at national and international level and that this trend continued in 2012. Spam content mostly included fake medication, sex/dating content, compulsive gambling, participation in criminal activities and malware. It is regarded by ENISA as a decreasing threat. Pharma spam had fallen out of favour as a result of law enforcement activities and botnet shutdowns (according to Cisco's 2011 Annual Security Report). However, whilst the volume of spam had reduced, it was increasingly targeted and accordingly the risk potential remained high. IBM reported in their Trend and Risk Report in 2011 that spam was taking advantage of topical news or other hot topics by promising more details when a link was clicked, resulting in the user's machine being infected.

Targeted attacks

A targeted attack consists of an information gathering phase and the use of advanced techniques to achieve the attacker's goal. During the first half of 2012 an increase in targeted attacks was reported. More and more targeted attacks against small companies have been registered. One of the major events during 2012 was the detection of the Flamer malware, a powerful cyber weapon similar to Stuxnet and Duqu. Flamer was designed for perpetrating targeted attacks and it is estimated that its development could have taken more than 10 years of work. These types of attacks are regarded as increasing. There was an increased prevalence of limited-use domains in spear phishing attacks. With spear phishing the average theft per victim could be forty times that of a mass attack (according to a Cisco report). More than 36% of all targeted attacks were aimed at small companies (double that at the end of 2011) according to Symantec in a June 2012 Report. Most of the Advanced Persistent Threats (APTs) launched in recent times had attempted to insert a backdoor into a corporate network via e-mail, instant messages or SNS. Many APT attacks were made by using files with vulnerabilities attached to e-mails. Such e-mails regularly contained a social issue or an interesting topic in the message to persuade the user to open the attachment. In relation to the Flame virus, which was particularly used for information gathering and espionage in the Middle East, a striking feature was that it could steal data in multiple ways (even by turning on victims' microphones to record conversations). Flame had managed to evade antivirus detection for five years.

Physical theft/loss/damage

The ENISA Report found that due to the popularity of mobile computing the probability of data loss (potentially of sensitive data) and device theft is increasing. An increasing number of corporations are encouraging people to bring their own device to work, and this has had an impact on corporations since in the case of theft or loss of mobile devices, potentially sensitive corporate data will be disclosed. The loss or theft of mobile devices and equipment by staff is a major threat for organisations. Corporations having experienced a data breach reported that one of the top three causes was physical theft of devices containing sensitive data. Lack of encryption on mobile devices is an issue that needs to be addressed. ENISA considers this type of attack to be increasing. In a survey by Kaspersky Lab, 10% of respondents said they had experienced critical information leaks due to the loss or theft of a mobile device.

Identity theft

Identity theft is an attack that occurs when an adversary steals user credentials and uses them to achieve malicious goals, generally related to financial fraud. The ENISA Report states that cyber criminals have a very professional approach towards exploiting home banking. There has been an increase in advanced trojan malware designed for identity theft and identity fraud. This is regarded as an increasing threat. Zeus, SpyEye and other banking trojans specialise in stealing online banking credentials. The Zeus banking trojan had become an open source crime kit. A VeriSign Report on Cyber Threats and Trends in 2012 predicted that the release of the Zeus source code was going to have a dramatic impact on the production of new and dangerous banking trojans. Other reports noted that in the first half of 2012 attack schemes had become increasingly professional. A new SpyEye variant was able to activate the victim's webcam and use the video stream for its purposes.

Abuse of information/leakage

This relates to the deliberate revealing of information, making it available to an unauthorised party. The report states that user data tracking and GPS location data can be leaked and misused in order to breach privacy on mobile platforms. Aggressive advertising networks in mobile applications have access to mobile user data without notifying the user. This is regarded as an increasing threat. The Cloud Security Alliance reported that data leakage through poorly written third party apps was one of the top mobile threats.

Search engine poisoning

This exploits the trust between internet users and search engines. Attackers deliver bait for searches on particular topics, with users searching for such items being diverted to malicious content. This is regarded as a stable threat. After social networks, search engines are the primary means used by attackers to lure users to malicious sites.

Rogue certificates

Attackers steal, produce and circulate rogue certificates to evade detection. This is regarded as an increasing threat.

ENISA conclusions

The emerging areas are:

a. Mobile computing, with increased use of mobile services such as social networking, business applications and data, and use of cloud services.
b. Social technology. Use of social media is one of the main activities performed by private users, and social networking is playing an increasingly significant role in business.
c. Critical infrastructures.
d. Trust infrastructure.
e. Cloud computing.
f. Big data.

1 Mobile computing

The ENISA Report states that an almost exponential increase in threats has been predicted. It is thought that mobile devices will take over the role PCs previously performed. The increase in threat is due to the nature of mobile systems and devices. All communication takes place over poorly secured (GSM) or unsecured channels (Wi-Fi). The software using such systems, both operating systems and applications, is of a rather moderate maturity level. In addition, the mobility of devices makes them vulnerable to theft and loss. As a result of increasing processing power and bandwidth, mobile devices will be targets for attacks that were traditionally aimed at PCs (eg, botnets and phishing). The top threats are thought to be drive-by exploits, worms/trojans, exploit kits, physical theft/loss/damage and the compromising of confidential information. It is thought that there will be an increase in proximity-based hacking (for example based on wireless communication). In addition, the increasing use of mobile platforms for financial transactions, such as payments and banking, will make attacks on these platforms more attractive to cyber criminals. The report states that advancements in App Store security need to be introduced to improve security.

2 Social technology

The main entry points to social networks are via mobile devices. In addition, social networks have low to medium maturity of security control. Combined with possible security gaps at entry points and the low security awareness of end users, social networks are therefore regarded as offering a relatively large surface for any type of attack on privacy, data theft, identity theft and misuse. The report identifies the top emerging threats as worms/trojans, abuse of information, physical theft/loss/damage, phishing attacks and spam.

3 Threat trends in critical infrastructures

These structures are complex systems which are important for individuals and national security. ENISA has identified the emerging threats as drive-by exploits, worms/trojans, code injection, exploit kits and denial of service. ENISA notes that attack methods and tools have reached a maturity that could be used for cyber warfare.

4 Threat trends in trust infrastructure

Trust infrastructure refers to information systems that provide strong authentication and aim to establish trust and create secure connections between two end points. They are usually based on strong encryption technology and key management. They are extremely important for information security. The emerging threats have been identified as denial of service, rogue certificates, compromising confidential information, targeted attacks and physical theft/loss/damage. ENISA says that the security of trust infrastructures will need to be taken more seriously in the future. It recommends permanent security monitoring. It has stated that providers of App Stores will need to pay special attention to the implementation of trust and security functions in order to avoid serious impact on user trust. ENISA has stated that operators of trust infrastructures need to undergo much more extensive, intensive and frequent security testing than any other infrastructure.

5 Threat trends in cloud computing

Cloud computing is the commission and delivery of various infrastructure services based on a virtualised environment that is accessible over a web browser. The concentration of vast amounts of data in a few locations means that cloud computing presents an attractive target for attackers. The top emerging threats have been identified as code injection, worms/trojans, drive-by exploits, abuse of information and compromising confidential information. The ENISA Report states that the risk to the cloud environment emanating from the increased use of mobile devices will grow.

6 Threat trends in big data

Big Data is a reference to large volumes of a wide variety of data collected from various sources across an enterprise. The top emerging threats are drive-by exploits, worms/trojans, exploit kits, phishing attacks and compromising confidential information.

The ENISA Report considers that risk management will converge with corporate governance and will be better interfaced with business objectives, detection of possible attacks and operational security data.

The ENISA Report conclusions

The report concludes that it is important to:

- collect and develop better evidence about attack types;
- collect and develop better evidence about the impact achieved by those carrying out attacks;
- collect and maintain more qualitative information about threats;
- collect security intelligence;
- perform a shift in security controls.

Tim Smith, Partner, Berrymans Lace Mawer LLP, 2013

Disclaimer

This document does not present a complete or comprehensive statement of the law, nor does it constitute legal advice. It is intended only to highlight issues that may be of interest to clients of Berrymans Lace Mawer. Specialist legal advice should always be sought in any particular case. Information is correct at the time of release.