By Lisa McLaughlin
A few years back, organizations were most concerned with attacks from viruses, though today’s technology provides well-established protection against most viral threats. Right now, the focus is on phishing campaigns: emails targeted at system users that carry malicious links to copycat websites.
If criminals are unable to penetrate your network directly, they may then attempt to break in by sending phishing emails to your system users. These may contain links to a spoofed website on another top-level domain, or even a form that asks for confidential information, in spite of multiple layers of protection such as yes/no gateways, anti-malware software, and URL filtering controls. Because of the human element, some of these attacks do succeed.
Target, the United States Postal Service, the IRS and, recently, U.S. federal employees have all fallen prey to different attacks. The attacks succeed because they’re often the fastest and easiest way to penetrate a network’s defenses. An attacker begins by obtaining information about an organization or its computer systems, typically via a simple social interaction. For example, an attacker may send an email masquerading as a trustworthy source, such as a reputable credit card company or banking institution. When users click on the embedded link or respond with the requested information, attackers gain access to that information. They can also use their victim’s domain as a relay to send spam emails to other organizations. This would be very bad for your business if your clients received spam email messages from you and your domain was then blacklisted. At the very least, your security controls and reputation would be questioned.
One of the most effective defenses against phishing is layered controls. One example of such controls is vulnerability scanning, which is a foundational method for evaluating a system’s security posture and identifying weaknesses. Best practice requires that emails be scanned and scored at the gateway level (as incoming email), then scanned again at the endpoint when delivered to the email application on the system user’s computer. Data residing within the application should also be scanned continuously.
If a user clicks on a malicious link in a phishing email, it is absolutely vital that you have a means of stopping that user from proceeding any further. It is VITAL that you ensure your users have a well-disciplined URL filtering tool on their computers, including all laptops, so that all system users are protected at all times.
The consequences of inattention to these weaknesses can be dire. Malware infections can inject a virus into your computer that then reveals your information to a hacker; such infections may include code or other software that damages your system or network. They can even take control of your computer or network resources.
How can malware attack your network if you’re actively scanning at both the gateway and the endpoint? This can happen if your solution’s definitions are not up to date or the malware is a new variant. Even worse, if you have local administrator privileges on your machine, so will the malware. Once malware has been activated, it typically uses elevated privileges or system vulnerabilities to progress further into a system, such as mapped drives on your network. We strongly recommend that you use your privileged accounts only for system administrative tasks and that accounts with limited rights be used for all other tasks.
Even worse, criminals can use a “shellshock-based” vulnerability against your mail servers to build botnets that search for vulnerable MTAs/MDAs. This campaign spreads via email, using shellshock exploitation code in the message header fields. To reduce the risk of such an attack, configure perimeter firewalls to block all undefined traffic. Check your firewalls to ensure they also block SMTP connections out to the Internet, which prevents any malware on internal PCs and servers from exploiting vulnerable systems on the Internet. Again – running a robust and up-to-date firewall with changes aligned with segregation of duties is another prime example of having a rich layered set of controls.
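As an added example (not part of the original article), a small Python gateway check covering two of the indicators described above: the copycat link whose visible text names a different site than its real destination, and a Shellshock-style function definition carried in an SMTP header field. The message, hosts and header value are constructed for illustration.

```python
"""Added example: minimal mail-gateway content check. The sample message
below is constructed; every host name in it is hypothetical."""
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Bash function-definition prefix that Shellshock-era MTAs passed into the
# environment unchanged; public IDS rules match on the same shape.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every anchor in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_headers(msg):
    """Names of header fields whose value carries the '() {' signature."""
    return [name for name, value in msg.items() if SHELLSHOCK_RE.search(value)]


def mismatched_links(html):
    """(shown domain, real host) for anchors whose text names another site."""
    parser = _LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        shown = DOMAIN_RE.search(text)
        if host and shown:
            shown_host = shown.group(1).lower()
            if host != shown_host and not host.endswith("." + shown_host):
                findings.append((shown_host, host))
    return findings


def scan_message(raw):
    """Run both checks on one raw, single-part text/html message."""
    msg = message_from_string(raw)
    return {"headers": suspicious_headers(msg),
            "links": mismatched_links(msg.get_payload())}


SAMPLE = """From: "Security Team" <alerts@example-bank.test>
To: user@example.test
Subject: Verify your account
User-Agent: () { :;}; PLACEHOLDER
Content-Type: text/html; charset=us-ascii

<html><body>
<p>Sign in at <a href="http://login.example-bank.test.evil.test/">www.example-bank.test</a>.</p>
<p>Help: <a href="https://help.example-bank.test/faq">help.example-bank.test</a></p>
</body></html>
"""

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

The first anchor is flagged because its visible text and its real host differ, while the second is accepted because the shown domain matches the destination.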
In conclusion, we recommend your organization take a leading role in ensuring your system users are aware of the broad range of free and publicly available information on cyber security. This includes regulatory and industry guidance that is harmonized with relevant standards such as ISO, FFIEC, NIST, PCI (Payment Card Industry), OWASP, SANS Institute Standards, Federal Trade Commission regulations, and COBIT, as well as national schemes like the UK’s Cyber Essentials and state standards like the Massachusetts 201 CMR 17 framework. Additionally, there is a dizzying array of tools that allows us all to make informed decisions on how best to implement the right security for our businesses.
To learn more about recent high profile attacks: http://www.forbes.com/sites/jaymcgregor/2014/07/28/the-top-5-most-brutal-cyber-attacks-of-2014-so-far/
The views expressed herein are those of the author and do not necessarily reflect those of SS&C.