Cybercrime - An essential guide from Thawte
Cybercrime – The ever-growing
threat to your business
An essential guide from Thawte
WHITE PAPER 2015
Contents:
Cybercrime – The ever-growing threat to your business: Introduction 3
Data breaches 4
Phishing 4
Spam 5
Identity theft 6
Vulnerabilities & malware threats 7
Damage to your business 7
A strategy that protects you 8
Fighting back with SSL 8
Take your security to the next level with an ‘Always-On’ approach 9
Conclusion 9
Cybercrime – The ever-growing threat to your business
2
®
Cybercrime – The ever-growing threat to your business
Introduction
‘Cybercrime’ has entered the lexicon in a big way and has become a significant threat to businesses wherever they
are located and whatever their size. But how bad is the threat? And why does it cause such high levels of alarm and
concern?
2014 saw cybercrime operations grow ever more refined, with specializations, service providers and fluctuating
markets very much mirroring the legitimate technology industry. According to the Symantec ‘Website Security Threat
Report 2015’ [1], “a drive-by download web toolkit”, for example, which includes updates and 24/7 support, can be
rented for between $100 and $700 per week. Distributed denial of service (DDoS) attacks can be ordered from $10
to $1,000 per day and, in terms of the buyer’s market, credit card details can be bought for between $0.50 and $20
per card, while 1,000 followers on a social network can cost as little as $2 to $12.
A report by Hewlett Packard and the U.S.-based Ponemon Institute of Cybercrime [2] stated that hacking attacks
cost the average American firm $15.4 million per year, double the global average of $7.7 million. The most costly
cybercrimes were those carried out by malicious insiders, DDoS and web-based attacks. The global financial
services and energy sectors were the worst hit, with average annual costs of $13.5 million and $12.8 million respectively.
[Infographic: hacking attacks cost the average American firm $15.4 million per year; the average annual cost of cybercrime is $13.5 million for the global financial services sector and $12.8 million for the energy sector, one of the worst hit.]
[1] http://www.symantec.com/security_response/publications/threatreport.jsp
[2] “Hewlett Packard and the U.S.-based Ponemon Institute of Cybercrime”
Data breaches
If 2014’s high-profile data breaches taught us anything, it’s that IT security teams need to step up their game in 2015
and beyond.
Indeed, more recent high-profile hacking attacks, such as those affecting Sony, Netflix, health insurer Anthem and
parking ticket website PaymyPCN.net, have served to increase business concerns substantially about the real-world
implications of cybercrime. With growing numbers of hacking attacks aimed at harvesting valuable data, such as
healthcare records and credit card numbers, enterprises are increasingly recognizing – and often feeling – the effects
of data misuse. Their critical systems are facing increasingly sophisticated threats and whilst shoring up the perimeter
against known attacks is paramount, it is not enough. Solutions employed right across the business must be just as
advanced and persistent as the threats they face, going well beyond traditional approaches. One key reason
cybercrime is flourishing is the myriad of opportunities to exploit vulnerabilities in an enterprise’s defences,
such as those resulting from negligence and human error, which leave a company open to data breaches and enable an
external attacker to hijack legitimate credentials to infiltrate a corporate network.
Phishing
It’s worth pinpointing some of the key areas of vulnerability that cybercriminals are now exploiting and the damage
they can cause. Spear phishing attacks are a virtual trap set by cyber thieves, who use official-looking emails to lure you to
fake websites and trick you into revealing your personal information.
Phishing attacks start with an innocent-looking email that appears to come from a trustworthy source, but they have now
evolved to the extent that often neither the individual nor the organisation is even aware an incident has occurred until it
is too late and confidential data has already been stolen. They are mainly designed to deceive employees, who are still
seen as the ‘weakest link’, but Thawte has observed that many companies simply do not have efficient internal incident
response procedures in place to alert their staff about such threats.
There are a number of key processes that need to be in place for an organization to resist these external
threats, including limiting the time before a phishing email is recorded as an incident and implementing effective outbound
email filters to prevent the leakage of sensitive data. For example, companies should be able to respond
to a phishing attack within 15 minutes of receiving the malicious email. Efficiency at the early stages is crucial, yet
many companies fail to react within that time frame.
Most phishing scams are distributed through phishing emails or URLs on social media sites. On social media, there’s
often a news hook, like the Ebola outbreak, or some kind of celebrity scandal that encourages people to click on links that
require them to ‘login’ before they can see the details or video promised. Email distribution can also involve news hooks,
but is used to phish for professional account logins, such as banking details, LinkedIn accounts and cloud file storage [3].
Some emails pose as security updates or unusual activity warnings that require you to fill in your details on a phishing site,
which immediately sends your details to the criminals.
The origins of these phishing sites are often obscured to prevent security warnings when victims open their browsers,
and this year saw a new leap forward for the criminals, with the use of AES (Advanced Encryption Standard). The
encryption is designed to make the analysis of phishing sites more difficult: a casual analysis of the page will not
reveal any phishing-related content, as it is contained in the unreadable encrypted text. Browser and security software
warnings are therefore less likely to appear, more victims are likely to fall for the scam and it’s harder to track [4].
This is an increasingly menacing world, faceless, aggressive and highly sophisticated. And ignoring it is no protection.
Any wise enterprise must assume that they are in line to be targeted, no matter where they are or what size of
operation. Accepting that there is a phishing scam somewhere down the line that will have you in its sights is by far the
best policy – because then you can plan exactly how to deal with the fallout and possibly spare your business untold
damage.
Spam
The most common form of spam is unwanted email, but you can also get text message spam, instant message spam
(sometimes known as spim), and social networking spam. Some spam is harmless, but at the other end of the scale, it
is used as part of an identity theft scam or other kind of fraud.
A common approach is for spammers to flood the Internet with many copies of the same message, in an attempt to
force the message on people who would not otherwise choose to receive it. Most email spam is commercial advertising,
often for dubious products, get-rich-quick schemes or bogus legal services.
One particularly nasty variant of email spam is sending spam to mailing lists (public or private email discussion forums). Since
many mailing lists limit activity to their subscribers, spammers will use automated tools to subscribe to as many mailing lists
as possible, so that they can grab the lists of addresses or use the mailing list as a direct target for their attacks.
Spam is big business and the spammers keep doing it because people keep falling for their scams, clicking on links
that install keyloggers. One seemingly innocent such scam is to add at the end of an email a phrase such as ‘To
unsubscribe, click here’, enticing the recipient to respond. By clicking and performing the action, you have told the
spammer your email address is valid and reaches a real person. Spammers can now sell your address to another
spammer, with the assurance that the email address is legitimate.
[3] http://www.symantec.com/connect/blogs/linkedin-alert-scammers-use-security-update-phish-credentials
[3] http://www.symantec.com/connect/blogs/google-docs-users-targeted-sophisticated-phishing-scam
[3] http://www.symantec.com/connect/blogs/dropbox-users-targeted-phishing-scam-hosted-dropbox
[4] http://www.symantec.com/connect/blogs/fresh-phish-served-helping-aes
[Chart: overall spam rate 69% in 2012, 66% in 2013 and 60% in 2014, according to the Symantec ‘Website Security Threat Report 2015’.]
On the plus side, over the last three years, states the Symantec ‘Website Security Threat Report 2015’, the overall
spam rate has dropped from 69% in 2012 to 66% in 2013 and 60% in 2014. While this is good news, there are still a lot
of scams out there being sent by email – and criminals are still making plenty of money. In October, Symantec reported
an increase in a particular scam where emails were sent, often to a recipient working in the finance department of a
company, requesting payment by credit card or the completion of a wire transfer. The sender details were sometimes
faked or made to look like they had come from the CEO, or other high-ranking member of the victim’s company, and
money transfer details were either sent in an attachment or required the victim to email back and request them [5].
The rise in this type of scam is most likely due to the fact that scams based on malicious attachments can be more
easily filtered by corporate security systems; yet many organisations are still not undertaking this simple action, despite
the majority of malicious emails still relying on potentially harmful attachments. In contrast, a sharp rise in malicious
URLs versus attachments at the end of the year was related to a change in tactics and a surge in socially engineered
spam emails.
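The two mail-gateway controls this white paper calls for, attachment filtering on inbound mail (this section) and an outbound filter that stops sensitive data leaking (the phishing incident-response section), as an added example written for this page rather than taken from the white paper or from Thawte. It uses Python’s standard email library on two constructed messages: the inbound check flags risky attachment types and links whose visible text names a different host than the real target, and the outbound check flags Luhn-valid card numbers. The hostnames, addresses, blocked-extension list and the 4111 1111 1111 1111 test card number are illustrative assumptions, not values from the page.

```python
"""Mail gateway policy checks: added example, not Thawte's code."""
import re
from email.message import EmailMessage
from urllib.parse import urlparse

# Illustrative block list (assumption), not a complete attachment policy.
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".jar", ".bat", ".cmd", ".ps1", ".hta"}

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")
HOST_IN_TEXT_RE = re.compile(r"https?://([^/\s]+)", re.I)


def luhn_ok(number: str) -> bool:
    """Luhn checksum, so phone numbers and order ids are not reported as cards."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return len(digits) >= 13 and total % 10 == 0


def check_inbound(msg: EmailMessage) -> list:
    """Inbound policy: risky attachment types and misleading link text."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"risky attachment: {name}")
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        for href, inner in ANCHOR_RE.findall(html.get_content()):
            real_host = (urlparse(href).hostname or "").lower()
            shown = HOST_IN_TEXT_RE.search(TAG_RE.sub("", inner))
            if shown and shown.group(1).lower() != real_host:
                findings.append(f"link text {shown.group(1)} points to {real_host}")
    return findings


def check_outbound(msg: EmailMessage) -> list:
    """Outbound policy: Luhn-valid card numbers leaving the organisation."""
    findings = []
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    for m in CARD_RE.finditer(text):
        if luhn_ok(m.group(0)):
            findings.append(f"possible card number ending {m.group(0)[-4:]}")
    return findings


def sample_phish() -> EmailMessage:
    """Constructed inbound message: lookalike link plus a disguised executable."""
    msg = EmailMessage()
    msg["From"] = "security@example-bank.com"  # constructed sender
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Security update required"
    msg.set_content("Unusual activity detected. Please confirm your account.")
    msg.add_alternative(
        '<p>Unusual activity detected. Confirm at '
        '<a href="http://198.51.100.7/login">https://www.example-bank.com/secure</a></p>',
        subtype="html",
    )
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="statement.pdf.exe")
    return msg


def sample_outbound() -> EmailMessage:
    """Constructed outbound message from finance containing a test card number."""
    msg = EmailMessage()
    msg["From"] = "finance@example.com"
    msg["To"] = "vendor@example.net"
    msg["Subject"] = "Payment details"
    msg.set_content("Please charge card 4111 1111 1111 1111 for invoice ref 2015-0042.")
    return msg


if __name__ == "__main__":
    print(check_inbound(sample_phish()))
    print(check_outbound(sample_outbound()))
```

The Luhn check keeps the outbound rule from firing on every long digit string, and the link check compares the host a user sees against the host the browser would actually visit, which is the trick most ‘security update’ phishing mails rely on.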
“End users should be mindful when using any social network, keeping an eye out for free offers for gadgets, gift cards
and airline tickets or enticing invitations to join adult dating and webcam sites,” cautions the report. “If you are asked to
fill out a survey or sign up for a service using a credit card, you are most likely being scammed.” As the old adage goes:
‘If it sounds too good to be true, it probably is.’
Identity theft
Identity theft – the process of your on-line self gradually being taken over – could start when someone hacks your
webmail, and then your PayPal and iTunes accounts. That becomes the passport into other accounts, until the
cybercriminals who stalk the Internet, looking for easy victims, all but control your online life.
Why are more and more people being caught in this deadly trap? In part, because many of us fail to properly secure our
vital data and systems, using the same, easily broken, passwords (daisy chaining) across email accounts and multiple sites
that we visit, leaving behind a trail of personal details from which the hackers can build a picture of exactly who we are.
To criminals, business identity theft means the potential for even more easy money and goods. It involves the actual
impersonation of the business itself. It can occur through the theft or misuse of key business identifiers and credentials,
manipulation or falsification of business filings and records, and other related criminal activities intended to derive
illicit gain to the detriment of the victimised business, and to defraud creditors and suppliers, financial institutions,
the business’ owners and officers, unsuspecting consumers, and even the government. Any type of business or
organization, of any size or legal structure, is a target.
Right now, someone reading this white paper is almost certainly being groomed as another victim of identity
theft – the estimated worldwide cost of which has soared to around $5 billion a year, according to the latest Microsoft
Consumer Safety Index survey.
[5] http://www.symantec.com/connect/blogs/malicious-links-spammers-change-malware-delivery-tactics
[Infographic: identity theft estimated worldwide cost $5 billion a year.]
As for passwords, the ultimate problem is that a password is all too often the hacker’s passport to all that’s most private and
precious – a single point of failure that, once compromised, can open the floodgates, allowing them access to every aspect
of your personal life. In the main, we are lazy and careless with our passwords, tending to daisy chain them or opt for
the obvious, such as ‘password’ or ‘123456’. As for employing a short password, no matter how watertight you may think
it is, modern processing speeds are able to rip through 10,000 passwords in just a few seconds. Best practice dictates
that you change your passwords regularly, making them complex and strong.
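A password-audit helper, added here as an example and not part of the white paper or of Thawte’s material: it computes the brute-force keyspace of a password from the character classes it uses, the time needed to exhaust that keyspace at an assumed guess rate, and flags passwords that are common, short or reused across accounts (the daisy chaining described above). The common-password list, the sample passwords and the account data are constructed; the guess rate is a parameter, not a measured figure.

```python
"""Password audit helpers: added example, not Thawte's code."""
import math

# Constructed short list of the kind of passwords the text calls 'the obvious'.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}


def charset_size(pw: str) -> int:
    """Alphabet an attacker must cover, judged from the character classes present."""
    size = 0
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(not c.isalnum() and not c.isspace() for c in pw):
        size += 33  # printable ASCII punctuation
    return size


def keyspace(pw: str) -> int:
    """Number of candidates an exhaustive search has to try."""
    return charset_size(pw) ** len(pw)


def entropy_bits(pw: str) -> float:
    """Brute-force entropy; it overstates strength for dictionary words."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def seconds_to_exhaust(pw: str, guesses_per_second: float) -> float:
    """Worst-case time to try the whole keyspace at the assumed rate."""
    return keyspace(pw) / guesses_per_second


def weaknesses(pw: str) -> list:
    """Policy findings for one password; an empty list means it passes."""
    found = []
    if pw.lower() in COMMON_PASSWORDS:
        found.append("common password")
    if len(pw) < 12:
        found.append("shorter than 12 characters")
    if entropy_bits(pw) < 60:
        found.append("under 60 bits of brute-force entropy")
    return found


def find_reuse(accounts: dict) -> dict:
    """Map each password used on two or more accounts to those account names."""
    by_password = {}
    for account, pw in accounts.items():
        by_password.setdefault(pw, []).append(account)
    return {pw: names for pw, names in by_password.items() if len(names) > 1}


if __name__ == "__main__":
    # Constructed password-manager export: webmail and PayPal share a password.
    sample_accounts = {"webmail": "Summer2015", "paypal": "Summer2015", "itunes": "x9!LqP3#vTw2"}
    for pw in ("123456", "Tr0ub4dor&3", "correct horse battery staple"):
        print(pw, round(entropy_bits(pw), 1), "bits,",
              seconds_to_exhaust(pw, 10_000), "s at 10,000 guesses/s:", weaknesses(pw))
    print(find_reuse(sample_accounts))
```

The entropy model is deliberately simple: it counts only what an exhaustive search would have to cover, so a long passphrase made of dictionary words scores higher than a wordlist attack would justify. Reuse, not length, is what turns one leaked webmail password into the chain of account takeovers the text describes, which is why `find_reuse` is the check to run first.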
Vulnerabilities & malware threats
While the levels of spam may be falling off slightly, the trend in the number of vulnerabilities leaving enterprises exposed
to attacks is doing the exact opposite, continuing inexorably upwards. And although remedies, workarounds or patches
are readily available for the majority of reported vulnerabilities, malware authors are only too aware that many people do
not apply these updates – and so they are able to exploit well documented vulnerabilities.
In many cases, a specialist ‘dropper’ scans for a number of known vulnerabilities and uses any unpatched security
weakness as a backdoor to install malware – short for ‘malicious software’, i.e. any kind of unwanted software
installed without your consent. Viruses, worms and Trojan horses are all examples of malware.
This, of course, underlines the crucial importance of applying updates: it is this failure to patch that has let web exploit
toolkits, such as Sakura and Blackhole, make it easier for attackers to exploit an unpatched vulnerability published months
or even years previously.
Several exploits may be created for each vulnerability, and a web attack toolkit will first perform a vulnerability scan
on the browser to identify any potentially vulnerable plug-ins and the best attack that can be applied. Many toolkits
won’t utilize the latest exploits for new vulnerabilities if an old one will suffice; exploits against zero-day vulnerabilities
are uncommon and highly sought after by attackers, especially for use in ‘watering-hole’ attacks, i.e. the targeted
hijacking of legitimate websites to push malware.
With the majority of websites still accommodating vulnerabilities, it is clear that many website owners are not keeping on
top of vulnerability scans. They may be paying more attention to malware scans that could potentially reveal malicious
software – yet malware is often planted following the earlier exploitation of vulnerabilities.
Damage to your business
So what is the likely impact of all these attacks on you and your organisation? Typically, aggressive attacks can cause
prolonged disruption to internal and external business operations. Servers may be taken down completely, data wiped
and digital intellectual property released on the Internet by attackers. Employees may not be able to fully function
normally in the workplace for months afterwards. On top of that, such attacks may expose embarrassing internal data
via social media channels — and could have a longer media cycle than a breach of credit card or personal data.
However, the impact of a cyberattack goes far beyond that. The loss or theft of sensitive customer data can also have
a serious impact on the economic value of a company’s reputation. Anyone affected where data has been stolen or
disclosed without their consent may react by publicising the matter in social media and/or inform journalists, as well as
the regulator. This can lead to a wider distrust of the company, which, in turn, can result in the blacklisting of its website,
lost business and/or a fall in the share price.
A company’s reputation is its greatest asset, making it imperative that business leaders take every possible step to
protect themselves, customers, employees and intellectual property against data breaches and the potential fall-out
from negative publicity this provokes.
A strategy that protects you
Every business needs to have in place a comprehensive strategy to protect itself against all of these points of
entry – and also to detect whether it has already become an unknowing victim of the growing tide of cybercrime. This
is the time for organisations to take a holistic approach to the security procedures required to combat advanced threats,
rather than look for a ‘silver bullet’ technology solution. A ‘hands-on’ approach by IT departments, in conjunction with
external data specialists, can then help implement, review and enhance security procedures. Not acting now only opens
the door wider to a successful attack that may well mean loss of revenue, of customer trust and potentially
of critical data.
Most worryingly, such attacks could be initiated externally or internally. While the vast majority of employees are
principled and loyal to the business, there need to be systems in place to guard against those who are not. At the
same time, genuine human error is equally a fact of life and may prove just as costly where it leads to a breach of your
defences. With the right controls and protections in place, with help from the right provider, the guessing game of who is
ethical and who is not, or who is trying to exploit your IP – or indeed already has – becomes redundant and a thing of
the past.
Fighting back with SSL
While admittedly there is no silver bullet, a number of technologies can help protect you and your customers, and
underpin business credibility. With many of the current phishing techniques relying on driving customers to spoofed
websites to capture personal information, that is where technology such as Secure Sockets Layer (SSL) becomes
critical in fighting phishing and the other forms of cybercrime described in this white paper – by encrypting sensitive
information and authenticating your site. If you are not already using SSL, then look at it not as an option, but as a ‘must
be deployed now’. The welfare of your business and its very reputation depend on it.
Ultimately, security best practices call for implementing the highest levels of encryption and authentication possible
to protect against cyber fraud and build customer trust in the brand. SSL, the world standard for online security, is the
technology used to encrypt and protect information transmitted over the web. SSL protects data in motion – which
can be intercepted and tampered with, if sent unencrypted. Moreover, support for SSL is built into all major operating
systems, web browsers, Internet applications and server hardware.
Choose Extended Validation (EV) SSL Certificates for the highest visible display of online trust. This is the gold standard
in SSL certificates. EV verification guidelines, drawn up by the CA/Browser Forum, require the CA to run a much more
rigorous identity check on the organisation or individual applying for the certificate. Sites with an EV SSL certificate have
a green browser address bar and a field appears with the name of the legitimate website owner and the name of the CA
that issued the certificate.
Take your security to the next level with an ‘Always-On’ approach
Businesses that are serious about protecting customers and their business reputations should implement ‘Always-On SSL’,
with SSL certificates from a trusted Certificate Authority such as Thawte. Always-On SSL delivers the same
high level of SSL protection throughout your site, securing the visitor’s entire session with SSL, not just on forms and
checkout pages. Visitors will always feel secure with the reassuring ‘HTTPS’ at the beginning of the browser address
bar throughout their entire stay on your website, making it safer to search, share and shop online. What’s more, Google
now favours websites that implement ‘HTTPS everywhere’/Always-On SSL, rewarding owners with an SEO ranking
boost.
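An audit check for the Always-On SSL posture described above, added as an example for this page and not taken from the white paper or from Thawte. Given a URL and the response a server returned, it reports a plain-HTTP page that is served instead of redirected to HTTPS, an HTTPS page without an HSTS header, cookies set without the Secure flag, and sub-resources loaded over plain HTTP (mixed content, which breaks the all-HTTPS session the text promises visitors). HSTS and the Secure cookie flag are standard browser mechanisms that the white paper does not name; the three responses are constructed for illustration.

```python
"""Always-On SSL response audit: added example, not Thawte's code."""
import re
from urllib.parse import urlparse

# Attributes that pull a sub-resource or submit a form over plain HTTP.
MIXED_CONTENT_RE = re.compile(r'(?:src|href|action)\s*=\s*["\'](http://[^"\']+)', re.I)


def audit_response(url: str, status: int, headers: list, body: str) -> list:
    """headers is a list of (name, value) pairs so repeated Set-Cookie headers survive."""
    findings = []
    lower = [(name.lower(), value) for name, value in headers]

    def header(name):
        return next((value for key, value in lower if key == name), None)

    if urlparse(url).scheme == "http":
        location = header("location") or ""
        if not (300 <= status < 400 and location.lower().startswith("https://")):
            findings.append("plain-HTTP request served without redirect to HTTPS")
        return findings  # the remaining checks only apply to HTTPS responses

    if header("strict-transport-security") is None:
        findings.append("missing Strict-Transport-Security header")
    for key, value in lower:
        if key == "set-cookie":
            attrs = [part.strip().lower() for part in value.split(";")[1:]]
            if "secure" not in attrs:
                findings.append(f"cookie without Secure flag: {value.split('=', 1)[0]}")
    for m in MIXED_CONTENT_RE.finditer(body):
        findings.append(f"mixed content: {m.group(1)}")
    return findings


# Constructed responses from a hypothetical shop.example.com deployment.
SAMPLE_RESPONSES = [
    # Home page over plain HTTP, served directly instead of redirecting.
    ("http://shop.example.com/", 200, [("Content-Type", "text/html")],
     '<html><body><a href="https://shop.example.com/checkout">Checkout</a></body></html>'),
    # Checkout page: HSTS set, Secure cookie, every sub-resource over HTTPS.
    ("https://shop.example.com/checkout", 200,
     [("Content-Type", "text/html"),
      ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
      ("Set-Cookie", "session=abc123; Secure; HttpOnly; Path=/")],
     '<script src="https://shop.example.com/app.js"></script>'),
    # Product page: no HSTS, cookie without Secure, a script loaded over HTTP.
    ("https://shop.example.com/product/42", 200,
     [("Content-Type", "text/html"),
      ("Set-Cookie", "session=abc123; HttpOnly; Path=/")],
     '<script src="http://cdn.example.net/tracker.js"></script>'),
]


def audit_all(responses=SAMPLE_RESPONSES) -> dict:
    """Findings per URL; an empty list means the page meets the Always-On policy."""
    return {url: audit_response(url, status, headers, body)
            for url, status, headers, body in responses}


if __name__ == "__main__":
    for url, findings in audit_all().items():
        print(url, findings or "ok")
```

The third sample is the situation the text warns about: the checkout form is protected, but a product page on the same site sets the session cookie without Secure and pulls a script over plain HTTP, so the session is exposed on every page that is not the checkout. Always-On SSL means every response looks like the second sample.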
Conclusion
The ever-increasing threat from data breaches, phishing, spam, identity theft, vulnerabilities and malware means that
organisations like yours can no longer afford inaction. With the cost of cybercrime in the U.S. alone heading towards
$16 million per year, security technologies that underpin online business credibility and customer trust are now more
vital than ever. This is why SSL is now a must-have for any organisation interested in protecting its customers and
its online reputation. It’s why Always-On SSL, which protects your customers during their entire user session, is now
favoured by sites like Google and is fast becoming the new standard in website security. And it’s also why Thawte is
here to provide you with all the expertise and website security technology you need.
Green bar
Increase your conversions and reduce fraud
with the Thawte Green Bar.
Not All SSL Is the Same
Thawte online security is trusted by millions of people around the world. Here are just a few reasons to switch to Thawte:
Strongest SSL Encryption
Protect your confidential data with 256-bit SSL
encryption and $1.5m USD Warranty.
Lightning Fast OCSP Speed
Faster Online Certificate Status Protocol
(OCSP) response delivers an optimised
customer experience.
Thawte Certification Center
Buy, renew, and manage certificates
with a single, secure sign-in to
Thawte® Certificate Center.
Scalability
Thawte grows with you. Our infrastructure
supports more revocation checking globally
than all other Certificate Authorities combined.
Uncompromised Infrastructure
Thawte is the 1st International SSL
certificate provider and has never been
breached or compromised. Delivering
100% planned uptime.
Industry Leading Support
Easy enrolment, installation help and
world class multi-lingual expert support
help you get up and running fast.
Money-back Guarantee
We provide a 30 day, no questions asked,
money-back guarantee to ensure you are
satisfied with your purchase.