Last week, I enumerated a list of things that decision makers should be concerned about with regard to potential security holes, focused both on malicious content that might make its way into your organization and on valuable data assets that might make their way out. We continue that list of issues here:
Employee errors: Employees will sometimes inadvertently install malware or compromised code on their computers. This can occur when they download a codec, install ActiveX controls, install various applications that are intended to address some perceived need (such as a capability that IT does not support or that a user feels they must have), or when they respond to scareware/fake anti-virus (rogue AV or fake AV) software. Scareware is a particularly dangerous form of malware because it preys on users who are attempting to do the right thing – to protect their platforms from viruses and other malware. Even users who are quite experienced can be fooled by a well-crafted scareware message.
Malvertising: Malicious Internet advertising is intended to distribute malware through advertising impressions on Web sites. An Online Trust Alliance brief discussed how a single malvertising campaign can generate 100,000 impressions, with approximately 10 billion malvertising impressions occurring in 2013 via more than 200,000 malvertising incidents. Underscoring just how serious the malvertising problem has become, a study by RiskIQ for the period January to September 2013 found that 42% of malvertising is carried out by drive-by exploits that did not require interaction by end users (58% of malvertising involves users clicking on malicious advertisements).
Mobile malware: The growing use of smartphones and tablets, particularly personally owned devices, is increasingly being exploited by cyber criminals. For example, Alcatel-Lucent found that 16 million mobile devices were infected with malware during 2014, an increase of 25% from 2013. This represents an infection rate of 0.68%, meaning that in an organization of 1,000 employees, each of whom has an average of 1.5 mobile devices, there will be a total of 102 infected mobile platforms at any given time. The vast majority of infections impact Android devices – the Alcatel-Lucent research suggests that under 1% of iPhone and BlackBerry devices are infected with malware.
Mobile copycat applications: Many developers distribute their mobile apps through vendor and third party stores that offer varying levels of security, much of it inadequate. Some app stores are highly secure operations and require that developers satisfy rigorous standards before their apps can be offered. Others’ standards, however, are less stringent and create the opportunity for serious security risks. The result is that many third-party app stores are susceptible to a number of security and related problems like the distribution of copycat apps and malware distribution.
Compromised search engine queries: Valid search engine queries can be hijacked by cybercriminals to distribute malware. This form of attack relies on poisoning search queries, resulting in the display of malware-laden sites during Web searches. Search engine poisoning is particularly effective for highly popular search terms, such as information on celebrities, airline crashes, natural disasters and other “newsy” items.
Botnets: Botnets are the cause of a large number of successful hacking and phishing attacks against many high-profile targets. For example, Sony, Citigroup, the US Senate, Lockheed Martin, the International Monetary Fund, Northrop Grumman, and RSA have all been victimized by botnet attacks. The result has been that millions of records have been exposed, which will result not only in the disclosure of personal and sensitive information, but also in lawsuits and other expensive remediation efforts.
Hacking: This is a form of specialized cyberattack in which cybercriminals use a number of techniques in an attempt to breach corporate defenses. An example of a successful hacking attack is the recent incursion against Sony Pictures that may have been carried out by an operation of the North Korean government.
Gullible users: Users can represent a major security threat because of a combination of their specific personality types and inadequate training. For example, 100 students from an undergraduate psychology course at the Polytechnic Institute of New York were sampled. These students a) completed a survey focused on their beliefs and habits with regard to online behavior; b) were asked how likely they thought they were to be the victim of online crime, such as password theft; and c) completed a personality assessment survey. After completing these activities, the students were sent obvious phishing emails.
One out of six of those tested – most of whom were engineering or science majors – fell for the scam emails. Ignoring the gender differences of those who were most likely to fall for the phishing emails in this study, the researchers found that those with the most “open” personalities – i.e., those who are most extroverted – were more likely to fall for phishing scams. The findings strongly suggest that people who overshare on Facebook or Twitter, for example, are more likely to become victims of phishing scams and other online fraud than those who are more introverted, share less or who don’t have social media accounts. Another study found that younger students (aged 18-25) were more likely to fall for phishing scams than their older counterparts.
Ransomware: One of the more common recent examples of ransomware is the CryptoLocker malware, which encrypts victims’ files and then demands a ransom to decrypt them. Victims who choose not to pay the ransom within a short period of time will have their files remain encrypted permanently. CryptoLocker typically extorts a few hundred dollars per incident and is normally delivered through email with a PDF or .zip file disguised as a shipping invoice or some other business document.
We have just published a white paper focused on addressing these issues – you can download it here.