
Post on 05-Mar-2018


Top Security Threats of 2016

What’s ahead and how to prepare


© 2016 Calyptix Security Corporation. All rights reserved. I [email protected] I (800) 650 – 8930

Top Security Threats 2016

The number of threats to the small business network is expanding at an alarming rate. The severity of the threats also continues to grow, so much so that a single cyber-attack could spell disaster for a small business.

The potential costs brought on by losses in customer data, system availability, and company reputation remain high. The additional costs of potential regulatory action and legal fallout are skyrocketing as regulators become more comfortable taking legal action.

In short: it’s a dangerous world. The only way to keep your business and clients safe is to understand the latest threats and where they are headed, which is why we are here today.

This report will review the biggest threats to small business network security in 2016.

Topics we will cover include:

1. Ransomware
2. Phishing attacks
3. Mobile malware
4. Growing SMB networks
5. Cloud service adoption
6. Cyber regulations
7. Old vulnerabilities
8. DDoS attacks


#1: Ransomware is spreading

Someone Lit the Fuse on Ransomware – and it Exploded Last Year.

Ransomware is a type of malware that denies access to a valued asset – such as data – and demands a ransom payment to restore access.

Crypto-ransomware is the hottest trend. It encrypts the data on a victim’s machine and threatens to destroy the decryption key if a ransom is not paid. Criminals have made millions of dollars with this scheme.

New Tactics Emerging

Several variants of ransomware are using new tactics to avoid detection and worsen infection. For example, version 4.0 of the infamous CryptoWall ransomware encrypted not only victims’ files but also the file names.[1]

The Chimera ransomware also has a new trick: blackmail. After it encrypts victims’ files, it threatens to publish them and identify the owner if a ransom is not paid to the hacker. However, according to Malwarebytes, this is an empty threat.[2]

Researchers have also discovered new strains of ransomware that target servers. The compromised machines are then used to infect other machines on the network and hold them for ransom.[3]

Start a Ransomware Business?

Criminals are trying new business models with ransomware. The Tox ransomware-as-a-service platform allowed attackers to set up and use the malware for free last year by paying a 20% commission on the extorted money.

The service was so popular that its alleged creator was quickly overwhelmed and tried to sell it last year. Other ransomware-as-a-service platforms, such as Cerber, have risen to take its place.[4, 5]

Hospitals are a Target

Healthcare data can be more valuable than credit card data on the black market. And apparently it’s also a lucrative target for ransomware attacks.

Three ransomware attacks on hospitals in March 2016 alone included:

• MedStar Health – an attack on the largest health-care provider in Maryland and Washington D.C. held files and systems hostage for $19,000, forcing the organization to take systems offline.[6]

• Methodist Hospital in Henderson, KY, declared an ‘internal state of emergency’ after ransomware seized systems and files and demanded a surprisingly small $1,600 for their release.[7]

• Prime Healthcare Services in California sustained attacks on two of its hospitals, Chino Valley Medical Center and Desert Valley Hospital. A similar attack the month prior hit Hollywood Presbyterian Hospital in Los Angeles and cost the organization nearly $17,000 to unlock its systems.[8]

The crypto-ransomware craze will continue. One way or another, cyber attackers will continue to seize business assets and demand ransom payments to release them, and the tactics will continue to evolve.


#2: Email phishing still works

Email Phishing has Long Been a Popular Means of Attack, and it Remains so.

In general, phishing is the act of sending malicious emails to an individual or group of targets. The message is disguised as something legitimate or harmless, such as a shipping notice or a message from a known contact. Typically, the victim is infected by clicking a link in the email or opening an attachment.

This tactic can be the main entry point for a large-scale infection. For example, last year, the breaches at Sony, Anthem, and the White House all involved phishing emails.[9, 10, 11]

Phishing emails are an effective way to penetrate cyber security systems – especially when attackers craft a custom email for each target – which is often called ‘spear phishing.’

How effective are phishing emails? About as effective as legitimate email marketing campaigns. Recent data shows:

• 23% of recipients open phishing messages [12]

• 11% click on attachments [13]

This old tactic is not fading, either. Researchers saw phishing increase 74% in the second quarter last year, so you can expect to see plenty of it in 2016.[14]


#3: Mobile malware is rising

The Rise has Begun

The threat of mobile malware remains small, but it is growing rapidly, even exponentially depending on who you ask.

Several companies tracked huge jumps last year:

• Kaspersky reports new mobile malware tripled overall in 2015 [15]

• New Android malware grew 342% in 2015, according to Nokia (see chart to the left) [16]

Nokia also found that smartphones account for 60% of infections on mobile networks. Many other infections are on PCs that use the mobile network through a dongle or tether.[17]

PC malware is currently a far greater problem than mobile malware, but malicious code on tiny devices will continue to grow in size and capability in the future.

“The number of Android malware samples in our database more than doubled in the second half of 2015. The total growth in 2015 was 342%”

-Nokia


#4: Growing SMB Networks

With Growth Comes New Challenges

Lax Security = Major Risks

The small office network is growing in size and complexity, and this will continue in 2016. The rise of the internet of things – i.e. the growing number of wifi-enabled gadgets – is part of this growth. Whether it’s a security camera, thermostat, or a Fitbit, more devices will attempt to connect to the network this year. Whether and how they are allowed to join is in the hands of the network administrator (you).

A troubling part of this trend is the apparent lack of security in many of these products, amounting to millions of insecure endpoints across the world. For example, some manufacturers are using the same encryption keys across thousands of products. Researchers recently discovered just 230 encryption keys used in more than 4 million IoT devices. This is like selling 15,000 cars that all use the same key. It’s not difficult for thieves to take advantage.[18]

Although the number of new devices added to an average SMB network in 2016 is likely to be greater than last year, it’s still expected to be small. Every new device added to a network can incrementally increase the chance of a data breach, but not if effective policies and procedures are in place to minimize that risk.


#5: Cloud services are still expanding

Better Safe than Sorry

Does the Cloud Comply?

The Hacker’s Jackpot

The growing popularity of cloud services continues to place high-value assets (such as customer data and file servers) outside the organization’s immediate control. Data that thousands of companies previously stored on-premise is now aggregated and stored off-site by Amazon, Google, Microsoft, and others.

Some argue that their assets are safer in the hands of large companies such as these. That being said, every cloud service should be evaluated in advance for the potential benefits, drawbacks, and risks it presents to an organization.

This raises security questions for all organizations, especially those companies that must comply with industry regulations such as HIPAA and PCI DSS.

Not only must these organizations ensure their third-party service providers can protect their assets, but they also must ensure they do so within the bounds of compliance.

The rapid adoption of cloud services begs the question – do these services fit within the bounds of HIPAA and PCI DSS compliance? And if so, how must the network be configured to ensure compliance is maintained? Too many administrators may be following the crowd and hoping they are covered.

As they have grown, some cloud services have become drool-inducing targets for attackers.

• Cloud adoption in regulated industries such as financial services and healthcare more than doubled from 15% in 2014 to 39% in 2015.[19]

• Adoption in unregulated industries almost doubled – jumping from 26% to 50% over the same period.[20]

One research report by Alert Logic Cloud security said it best:

“[Thieves] want to invest their time and resources into attacks that will bear the most fruit: businesses using cloud environments are largely considered that fruit-bearing jackpot” [21]


#6: Cyber security regulation expansion

What This Means for You

Cyber security regulation continues to expand and touch more industries. Enforcement, including hefty civil penalties for violators, is also on the rise.

Below are just a handful of recent developments in this space:

Consumer Financial Protection Bureau (CFPB) – March 2016

The CFPB recently performed its first-ever enforcement action based on data security and privacy. The action accused Dwolla, an online payment service provider, of misrepresenting the security of its products and services. The CFPB imposed a $100,000 civil penalty.[22]

DHS Office of Civil Rights (OCR) – March 2016

The office responsible for enforcing the healthcare regulations known as HIPAA announced the beginning of its second phase of audits. This round will assess “covered entities,” which are covered by the rules, and their “business associates.”[26]

Federal Trade Commission (FTC) – Ongoing

The Federal Trade Commission has filed charges alleging that companies are failing to protect consumers in the cyber realm. For example, Oracle was forced to settle a lawsuit brought by the FTC in Dec. 2015 that alleged the software giant deceived consumers about its Java updates.[23]

Wyndham Resorts was also sued by the FTC for not protecting guests on the networks. And hardware giant ASUS was sued for the poor security in its routers and settled in Feb. 2016.[24, 25]

Securities and Exchange Commission (SEC) – Sept. 2015

Last year, the SEC announced its first-ever cybersecurity enforcement action. The subject was a St. Louis-based investment adviser that agreed to settle charges that it failed to set the required cybersecurity policies and procedures in advance of a breach on its systems that compromised the personal data of about 100,000 people.[27]

U.S. Department of Defense (DoD) – Aug. 26, 2015

The DoD issued an interim rule in August that obligates defense contractors and subcontractors to protect “covered defense information.” Cyber security incidents that affect systems containing this data must be reported. Policies and procedures for contracting cloud computing services are also outlined.[28]

Financial Services – Nov. 9, 2015

Banks in New York can expect more regulation in 2016. The New York Department of Financial Services sent a letter to state and federal regulators in November to ask for help crafting new cybersecurity regulation for financial institutions.[29]


#7: Old vulnerabilities continue to dominate

How to Minimize Your Risk

Thousands of new software vulnerabilities are discovered every year, and a few of them are dangerous on an epic scale (think Heartbleed).

For all the attention new vulnerabilities receive, though, they are not the ones you should worry about the most. Why? Because most security breaches are based on vulnerabilities that are more than 12 months old.

For example, as recently as 2014, an astounding 99.9% of vulnerabilities exploited that year were disclosed more than a year prior. Whether through negligence or ignorance, people do not patch their systems often enough.[30]

In 2016, outdated systems will continue to be breached by simple exploits that have been available for years.

The best solution to this problem? Choose systems that patch automatically and hands-free. That takes the chore off your plate and keeps you up-to-date.


#8: DDoS attacks are growing

And Becoming More Sophisticated

Distributed denial of service (DDoS) attacks are a common means of cyberattack, and they seem to grow stronger and more popular every year. This trend shows no sign of slowing.

Here are a few enlightening stats:

• DDoS attacks doubled in Q1 2015 year-over-year [31]

• They hit record levels in Q2 2015 [32]

• They grew 23% in Q3 2015 [33]

• At the end of 2015, they knocked out the BBC’s websites. The attackers claimed the effort was the biggest on record, at 602 Gbps.[34]

The data speaks for itself. As DDoS attacks become easier and easier to mount, they will continue to grow in popularity. We see no reason for this trend to slow down in 2016.

“[DDoS attacks] hit record levels in Q2 of 2015 and grew 23% in Q3 of 2015”

-Akamai


Calyptix AccessEnforcer

Network security for small business

AccessEnforcer is the simplest way to protect and manage your SMB network

Secure Your Entire Network

The AccessEnforcer UTM Firewall is an all-in-one solution for network security and management. Threats such as hackers, spam, and malware are blocked automatically from your network. These network tools keep connections fast and reliable.

Make Security Simple

Our firewall saves you precious time and money because it is easy to set up and manage. Every model has the same dashboard and features, so you simply pick the best size for your company’s network.

Improve Uptime & Reliability

The network management tools in AccessEnforcer give your VoIP calls great quality and keep activities like video streaming from slowing you down. You can even block social networks, shopping sites, and other time wasters to keep your staff focused.

Visit us at www.calyptix.com/features for more information


Sources

1. BleepingComputer – CryptoWall 4.0 released with new features http://www.bleepingcomputer.com/news/security/cryptowall-4-0-released-with-new-features-such-as-encrypted-file-names/

2. Malwarebytes – Inside Chimera Ransomware https://blog.malwarebytes.org/threat-analysis/2015/12/inside-chimera-ransomware-the-first-doxingware-in-wild/

3. Talos – SamSam: The doctor will see you, after he pays the ransom http://blog.talosintel.com/2016/03/sam-sam-ransomware.html

4. ZDNet – Tox ransomware owner ‘screws up’ http://www.zdnet.com/article/tox-ransomware-owner-screws-up-offers-platform-for-sale/

5. PCWorld – Cerber ransomware sold as a service, speaks to victims http://www.pcworld.com/article/3040750/cerber-ransomware-sold-as-a-service-speaks-to-victims.html

6. Washington Post – MedStar Health turns away patients after likely ransomware cyberattack https://www.washingtonpost.com/local/medstar-health-turns-away-patients-one-day-after-cyberattack-on-its-computers/2016/03/29/252626ae-f5bc-11e5-a3ce-f06b5ba21f33_story.html

7. Krebs on Security – Hospital declares internal state of emergency after ransomware infection http://krebsonsecurity.com/2016/03/hospital-declares-internet-state-of-emergency-after-ransomware-infection/

8. Los Angeles Times – 2 more Southland hospitals attacked by hackers using ransomware http://www.latimes.com/local/lanow/la-me-ln-two-more-so-cal-hospitals-ransomware-20160322-story.html http://www.npr.org/sections/thetwo-way/2016/02/17/467149625/la-hospital-pays-hackers-nearly-17-000-to-restore-computer-network

9. Politico – Researcher: Sony hackers used fake emails http://www.politico.com/story/2015/04/sony-hackers-fake-emails-117200

10. Investigators suspect Anthem Breach began with ‘Phishing’ of Employees http://www.insurancejournal.com/news/national/2015/02/10/357051.htm

11. Slate – Go Phish – Why email is so laughably insecure right now http://www.insurancejournal.com/news/national/2015/02/10/357051.htm

12. Verizon Data Breach Investigations Report 2015 http://www.verizonenterprise.com/DBIR/

13. Verizon Data Breach Investigations Report 2015 http://www.verizonenterprise.com/DBIR/

14. Verizon Data Breach Investigations Report 2015 http://www.verizonenterprise.com/DBIR/

15. Kaspersky – The volume of mobile malware tripled in 2015 http://www.kaspersky.com/about/news/virus/2016/The_Volume_of_New_Mobile_Malware_Tripled_in_2015

16. Nokia Cyber Threat Intelligence Report 2H 2015 http://resources.alcatel-lucent.com/asset/193174

17. The Hacker News – Millions of IoT devices using same hard-coded crypto key http://thehackernews.com/2015/11/iot-device-crypto-keys.html

18. Bitglass – Cloud adoption in regulated industries keeping pace with unregulated industries http://www.bitglass.com/blog/cloud-adoption-in-regulated-industries-is-rising-fast

19. Bitglass – Cloud adoption in regulated industries keeping pace with unregulated industries http://www.bitglass.com/blog/cloud-adoption-in-regulated-industries-is-rising-fast

20. Alert Logic – Cloud Security Report 2015 https://www.alertlogic.com/resources/cloud-security-report-2015/

21. Wall Street Journal – CFPB fines fintech firm Dwolla over data-security practices http://www.wsj.com/articles/cfpb-fines-fintech-firm-dwolla-over-data-security-practices-1456956326

22. Federal Trade Commission – Oracle agrees to settle FTC charges it deceived consumers about Java software updates https://www.ftc.gov/news-events/press-releases/2015/12/oracle-agrees-settle-ftc-charges-it-deceived-consumers-about-java


23. Federal Trade Commission – Wyndham settles FTC charges it unfairly placed consumers’ payment card information at risk https://www.ftc.gov/news-events/press-releases/2015/12/wyndham-settles-ftc-charges-it-unfairly-placed-consumers-payment

24. Federal Trade Commission – ASUS settles FTC charges that insecure home routers and ‘cloud’ services put consumers’ privacy at risk https://www.ftc.gov/news-events/press-releases/2016/02/asus-settles-ftc-charges-insecure-home-routers-cloud-services-put

25. U.S. Department of Health and Human Services – OCR Launches Phase 2 of HIPAA Audit Program http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/phase2announcement/

26. U.S. Securities and Exchange Commission – SEC charges investment advisor with failing to adopt proper cyber-security policies and procedures prior to breach https://www.sec.gov/news/pressrelease/2015-202.html

27. SheppardMullin – Department of Defense Provides Government Contractors a Grace Period for Compliance with Key Cybersecurity Requirements http://www.governmentcontractslawblog.com/2016/01/articles/dfars/department-of-defense-provides-government-contractors-a-grace-period-for-compliance-with-key-cybersecurity-requirements/

28. New York State Department of Financial Services – Potential new NYDFS cyber security regulation requirements http://www.dfs.ny.gov/about/letters/pr151109_letter_cyber_security.pdf

29. Verizon Data Breach Investigations Report 2015 http://www.verizonenterprise.com/DBIR/

30. Akamai – Q1 2015 State of the Internet – Security Report https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/2015-q1-internet-security-report.pdf

31. Akamai – Q2 2015 State of the Internet – Security Report https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/2015-q2-cloud-security-report.pdf

32. Akamai – Q3 2015 State of the Internet – Security Report https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/2015-q3-cloud-security-report.pdf

33. The Hacker News – 602 Gbps! This may have been the largest DDoS attack in history http://thehackernews.com/2016/01/biggest-ddos-attack.html