by Kay Ewbank
We investigate the new landscape of security threats and find out what you can do to protect yourself.
HardCopy Issue: 70 | Published: November 4, 2016
It’s no secret that if a computer can access email or the Internet, it’s at risk of external attack. What’s less easy to understand is how you can be sure of preventing such attacks from succeeding. One reason for this is that there are so many ways a computer can be attacked, from the basic sending of spam, through dangers such as ransomware, all the way to targeted cybercrime. Knowing what threats you face, and how to guard against them, is key to staying safe. We’ll assume you don’t connect to the wider world without using a firewall, and that you have good anti-virus and anti-spam measures in place. So what other threats do you face and how can you mitigate them?
Ransomware is a form of software that, once installed, stops you using your computer and then demands you pay a ransom before you are allowed to use your PC again. The harsh truth is that paying up is no guarantee that you’ll actually regain use of your PC.
There are several ways in which ransomware can stop you using your PC. The most common is sometimes called scareware. This appears as fake anti-virus or system clean-up tools that pop up on your screen with messages telling you that your PC has a variety of problems, and that paying up (possibly by buying the full version of the fake software) will solve these problems. You’ll continue getting alerts and pop-ups but will most likely still be able to use your computer.
EU Data Protection Regulations
Keeping the data in your organisation safe matters not just from a corporate perspective; it’s also your legal responsibility. The revised data protection laws, known as the General Data Protection Regulation (GDPR), will take effect in May 2018, and the regulations are designed to ensure data stays secure. Under the new regulations, companies that don’t comply will face fines of up to 4 per cent of their global revenue for the previous year, or €20 million (£15.8m), whichever is greater.
Important aspects of the regulations include the appointment of a special data protection officer if your company handles significant amounts of sensitive data, or if you monitor the behaviour of consumers. Companies will need to show they audit the storage of personal data, and must notify those affected within 72 hours if a security breach occurs that compromises data.
Where a company is collecting, storing and sharing personal information, it must notify those whose data is being collected.
From a consumer perspective, the regulations mean that if an individual doesn’t want their data to be processed, they can ask the company to erase it, provided there are no legitimate reasons for retaining it. This right includes internet companies that store personal data, so you could, for example, ask Facebook to erase your profile along with all the data that it has gathered while you were using the service.
Consumers will also have a right to ‘data portability’ to make it easier to switch between service providers. For example, you should in the future be able to switch between email providers without losing contacts or previous emails.
Other varieties stop various applications, such as your web browser, from running. These merge into the lock-screen variety, where a full-screen window is displayed whenever your machine is started, usually displaying a message claiming to be from some government department, telling you you’ve broken some law and need to pay a fine.
At the top end of the viciousness scale are the ransomware variants that encrypt your files so you can’t open them unless you pay the ransom demanded.
In general, the way you guard against ransomware is to be cautious. Don’t visit websites that might be unsafe; don’t open email attachments that are suspicious; and don’t click on links in social media posts. Unfortunately, people are regularly taken in by all of these lures, so as a system administrator your main guard against ransomware is to make sure you can recover from it if machines are affected. This means you need strong backups and good disaster recovery software.
For home users the same thing is true, though in some cases you can get around the problem by doing a System Restore to return your computer to an earlier state – so long as you’ve enabled System Restore before the problem occurs. The message is, back up your data files regularly, enable System Restore, make sure you are cautious about visiting dodgy websites and clicking on links in emails, and use anti-virus and anti-malware programs.
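As an added example (not part of the original article), the following Windows PowerShell 5.1 script, run from an elevated prompt, enables System Restore on the system drive, creates a restore point and lists the existing points so you can confirm it worked; the description string is a constructed placeholder.

```powershell
# Added example, not from the article. Requires an elevated Windows PowerShell
# 5.1 session (Checkpoint-Computer is not available in PowerShell 7).
# System Restore rolls back system files, the registry and installed programs;
# it does NOT back up your data files, and some ransomware deletes restore
# points, so regular backups to disconnected storage are still needed.

$SystemDrive = $env:SystemDrive + "\"   # normally "C:\"

# Turn on System Restore for the system drive (harmless if already enabled).
Enable-ComputerRestore -Drive $SystemDrive

# Create a restore point now. By default Windows allows this cmdlet to create
# at most one restore point per 24 hours, so a second run the same day is
# silently skipped.
Checkpoint-Computer -Description "Manual restore point $(Get-Date -Format s)" `
    -RestorePointType MODIFY_SETTINGS

# Confirm: list restore points, newest first, with a readable creation time.
Get-ComputerRestorePoint |
    Sort-Object SequenceNumber -Descending |
    Select-Object SequenceNumber, Description,
        @{ Name = 'Created'; Expression = { $_.ConvertToDateTime($_.CreationTime) } } |
    Format-Table -AutoSize
```

If the listing stays empty after the run, check that protection is actually enabled for the drive in System Properties and that the disk-space allocation for restore points is not zero.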
It may be that you’re patting yourself on the back because you have followed all the advice above, never ever visit ‘dodgy’ websites, and have good compliance policies in place to prevent your more naïve users from straying into dangerous territory. Sadly, this doesn’t necessarily protect you from malvertising, which involves placing malicious advertisements on otherwise quite innocent and reputable websites.
Most online sites don’t deal directly with specific advertisers. Instead, they take blocks of frequently changing advertisements from an advertising network that acts as a broker, taking advertisements from a number of clients and placing them on websites. This allows people to create an innocent-looking advertisement that contains either malware or a link to a malicious site. The most aggressive type of malvert is pre-click malware, where malicious code is embedded in the main script of a webpage so that no click is needed. One such campaign placed ads on Google, Yahoo and YouTube along with many other reputable websites.
SPIT and SPIM
Most of us are all too familiar with spam emails, but SPIM (spam over instant messaging) and SPIT (spam over Internet telephony) can be equally annoying and harder to deal with. Your email provider, server and/or client will have ways to help you deal with spam, but when the spam is delivered as unwanted advertising in your instant messages, it’s a lot harder to avoid. VoIP spam, or SPIT, appears as unsolicited calls made using the Voice over Internet Protocol. The spammer sets off many thousands of voice calls and, if someone answers, plays a pre-recorded message.
The growth of Cybercrime-as-a-Service means that would-be cybercriminals no longer need to know how to set up a cyber fraud or a cyber-attack; instead they can pay someone else to do it for them. It’s possible to find offerings including Attacks-as-a-Service, Malware-as-a-Service and Fraud-as-a-Service. Such ‘products’ provide everything the customer needs, including the malicious code and the wherewithal to conduct the attack. This might come in the form of very secure hosted servers, or through renting the use of compromised machines that have been formed into a botnet. Most Cybercrime-as-a-Service companies offer downloaders to get malware onto machines, keyloggers to capture what compromised users are typing, and tools to hide the malware from the victim’s security software.
So how do you keep your computer network safe? The only guaranteed solution is a computer that has no connections whatsoever to the outside world, but that’s not really a workable solution in today’s connected world, so the name of the game is threat reduction, mitigation and management. Step one is to ensure your precious data is backed up, preferably to disconnected storage, and your systems have some form of disaster recovery.
Next, you need to keep systems patched and up-to-date. While cyber criminals do spend a lot of time looking for unknown weaknesses in your operating system, web browser, database software or whatever, it’s a lot easier for them to compromise your systems if you leave open weaknesses that have already been identified.
Finally, you need to consider investing in a range of protection measures that go beyond the conventional firewalls and anti-virus solutions that most of us rely on.
While any firewall is better than nothing, some offer significant extra features.
The firewall components of Dell SonicWall Unified Threat Management combine intrusion prevention, anti-malware, content and URL filtering and application control. Fixed and mobile devices are supported, including laptops, smartphones and tablets. Mobile devices are often among the more vulnerable connections on a corporate network, so SonicWall provides native SSL VPN secure mobile access. You can also set up multiple zones of access for both wired and wireless users that control which assets are accessible to specific groups of users.
Another set of firewalls worth considering are those from Barracuda Networks. The company was the first Microsoft Azure Certified Security Solution Provider, and its products include Barracuda Web Application Firewall and NextGen Firewall F-Series. These firewalls are designed to secure connections between offices, VNets, datacentres and clouds. The benefit the Barracuda devices offer is that they are designed to fill the gap in security between the cloud infrastructure security and your local security. They offer protection at the point where your application and data reside, acting as though it were a physical device bridging connections between application servers in a network DMZ and your ISP’s router.
The Azure support offered by Barracuda is one of its selling points, allowing you to establish both site-to-site and client-to-site connections to Azure cloud services.
Sophos Web Gateway
Most malware arrives via the web, which is where Sophos Web Gateway comes in. It is designed to protect against phishing attacks, drive-by downloads and malvertising. The gateway works by scanning all web traffic to check that it meets your security policies for PCs, tablets and mobile phones.
The gateway provides web filtering, anti-malware and SSL scanning. This is a completely cloud-based service: you simply deploy a thin agent which runs in the background on your endpoint devices. The cloud-based nature of the service means that policies are enforced and threat protection is active no matter where your users are working. The gateway draws on the security research of SophosLabs, ensuring the protection is up to date on the most recent threats. The web protection engine scans web content and blocks threats for HTTP, HTTPS, IMAP, SMTP, UDP and DNS traffic.
StorageCraft ShadowProtect is a combination of backup and disaster recovery, data protection, and managed migration of Windows and Linux systems to both virtual and physical machines. You create snapshot disk images which you can use to restore a compromised system, or to recover individual files and folders. Fans of ShadowProtect say they like it because it is very flexible if you need to recover files, and unobtrusive during the backup phase. You can create incremental backups across a network or to a remote site, then have them verified to make sure they’re viable.
One problem with some backup and recovery software is an insistence on recovering to the same hardware, which is not always an option. ShadowProtect lets you restore from bare metal on hardware that isn’t the same as your original machine, or alternatively you can restore your backup to a Microsoft or VMware virtual machine.
It’s little use locking down your desktop devices only to have your business users connect their mobile devices in an insecure way. Microsoft Enterprise Mobility Suite (EMS) is designed to let enterprise customers manage mobile devices including iOS, Android, and Windows Phone, particularly where people want to use their own personal device on a corporate network. It includes features from Azure Active Directory for identity and rights management, Intune for mobile device management, and Azure Rights Management for document and data security. From a security viewpoint, identity management means administrators can manage external devices and make use of single sign-on.
Devices are managed from a company portal where users can install applications, view and manage devices, and set up synchronisation of data. Devices can be specified as either corporate or personal, and then managed according to the appropriate compliance settings. If a device doesn’t meet the required level of security then it can be removed from the system or even selectively wiped if necessary.
One weakness in many security systems is the need for external contractors to connect across the company firewall to systems that run within the corporate network. Here Bomgar offers a solution in its secure remote access and support software.
Essentially, the software allows an administrator within the firewall to establish an encrypted outbound connection to the external contractor’s machine so that you don’t have to open any ports or provide any permissions across your firewall. You can use Active Directory and LDAPS to manage authentication, insist on multi-factor authentication, and set up a range of permissions for technicians and privileged users. An audit log captures details of all remote connections.
A related product is Bomgar Privileged Account Management and Vault. This is an agentless, proxy-based appliance that combines privileged session management with a secure password vault. What this means is that the privileged account passwords stay under your control and can’t be compromised because of poor security on the part of the user. The system is deployed as an application proxy server that provides access to systems through a browser window. The server integrates with Active Directory or LDAP to manage user and group access. More traditional clients are also available if greater access is required. Administrators are notified when sessions are commenced, and the sessions are recorded.
If a security breach does occur, it’s important to find out how bad it is and what data has been compromised. Nuix has a range of digital forensic investigation software that administrators can use to collect, analyse and report on digital data to investigate security breaches and problems.
Nuix Insight Adaptive Security is a collection of six security technologies accessed from one lightweight agent. There’s a Digital Behaviour Recorder that runs whether or not a security breach has occurred. This monitors and records activity including users, processes, Windows Registry changes, user sessions, DNS queries, file system information, NetFlow communications, removable media and print jobs. A real-time detection module identifies malicious activity, and protection options include whitelisting, blacklisting, application control, and behavioural blocking.
If a security breach occurs, there’s a range of options for searching the data sets, and a remediation module that can be used to terminate malicious processes based on their process identifier (PID), and to delete malicious files and Windows Registry keys.
Business executives can be travelling with gigabytes or even terabytes of company data on their laptops, presenting a real security risk if the device is stolen. Becrypt’s Data Protection Suite protects devices using a combination of full disk encryption, port control and media encryption. It can also be used to protect removable storage media.
Becrypt also offers Becrypt tVolution, a locked-down, customisable Linux operating system that can be installed onto a laptop or desktop and remotely managed using Becrypt Enterprise Manager. The technology is also available on a locked-down Android device called the tVolution Mini that provides users with access to virtualised applications on Citrix, VMware and Microsoft, and to cloud resources. As there’s no way of installing any software, system administrators can use this to allow external contractors or partners to work on corporate resources without providing too much access.
ESET Endpoint Security
Endpoint Security from ESET is a suite of protection facilities that can be used to secure and protect Windows, Mac, Linux and mobile devices from viruses and spyware, while also providing a firewall, spam protection, web filtering and device control. You can also use it to enforce security policies. It is popular if you have a mix of older and newer devices as it works with them all. You can also use it to remotely manage Microsoft SQL Server, MySQL, Oracle, Microsoft Access and VMware.
Threats are identified using ESET’s ThreatSense heuristic malware detection technology, which has techniques for detecting both known and zero-day threats. It has a good virus and spyware scanning engine, and comes with integrated spam filters. You can configure it to automatically scan removable media on insertion, and it has a Host-based Intrusion Prevention System (HIPS) that protects against unauthorised changes to the system registry, processes, applications and files. One nice touch is its Trusted Network Detection which offers a stricter level of protection when a client connects to a new or unauthorised network.