Web security

Web SecurityWeb attacks will continue to increase in 2016, experts tell us. But web security is getting cleverer - and here’s what you need to know about it.

The European Union’s latest ENISA Threat Landscape report tells us that web attacks will continue to increase in the future. So, no surprises there, then!

But web security hasn’t stood still. In fact, there are many web security features now available that give security partners and their customers much deeper insight into web threats, as well as more effective tools to combat and manage them.

Here are just a few web security developments you might want to look out for in 2017.

URL analysis to beat zero-day threats

The backbone of web security has often typically relied on comparing a URL to a database of known malicious URLs, and blocking access if a match is found.

Clearly, there are severe limitations to this approach. Zero-day threats, for instance, won’t be on any URL blacklist, because they are simply too new, as we’ve explored in a previous post.

But web security solutions can now ‘sandbox’ a URL (quarantine it so that interactions with it cannot pass threats onto the network) and automatically analyse the behaviours of the destination site.

This way, even zero-day and unknown threats can be spotted and blocked, before they can cause any damage.

Centrally managed content filtering and reporting

Web content filtering is also a critical security requirement for most organisations, to ensure that employees don’t access inappropriate or reputationally risky material.

Historically, however, it’s been easier said than done. Endpoint security solutions have rarely proven themselves up to the task; they typically cannot monitor or report on web access unless there is a policy in place on that endpoint for that specific website. (Hardly an all-encompassing strategy, eh?)

Web security solutions can totally transform this situation, because security policies and their actions can be applied from a central dashboard to users and roles, independently of the endpoints they’re working from.

A senior manager who has good cause to investigate questionable content on a website, for example, might simply be monitored; a more junior user attempting the same thing might have access to that website blocked.

Decoupling web filtering from endpoints also means that reports can be created and run in real-time, simply by clicking on widgets in the centralised dashboard - and these cover all web use, not just pre-selected sites.

Web application control: the new ‘must have’

As we touched on in a previous post, it is now possible for web security solutions to control access not only to cloud applications like, for example, Facebook, but to specific features within them – by individual, role, device and location.

These can include, for example, functions that enable users to upload or delete profile images, remove a public link, permanently delete files from a recycle bin, disable a security group, and many other types of actions that can be high-risk in certain contexts, both with and without malicious intent.

As businesses rely more and more on cloud and social applications to carry out everyday processes, this kind of web security is set to become mission-critical.

Gains in performance, deployability, and more

But it’s not just the security features themselves that are worthy of note.

A host of innovations around performance, deployment, usability and productivity mean that web security solutions are now a more attractive proposition from the point of view of end-users (who are looking for service excellence) as well as security partners (who are looking for differentiators and ease of management) than ever before.

From the performance point of view, the latency (lag) often associated with cloud-delivered solutions, for example, is a thing of the past, thanks to locally stored caches that wake up instantly.

From the deployment point of view, flexibility is high on the agenda, with agentless options, and multiple authentication methods, including SAML, direct, and agent-based – pretty much whatever the end-user prefers, in fact.

And when it comes to usability, guest users on VLAN and mobile workers are protected without the additional complication of connecting to a VPN (or the danger of failing to do so), supporting risk-aware productivity.

Something tells me threat actors, users and security partners alike will be watching web security very carefully in 2017.

RansomwareThe word “ransomware” terrifies individuals and organisations alike. We look at how this threat works - and how to fight it!

The ransomware mood music isn’t good this year. As security publications and commentators tell us, ransomware is expected to dominate the malware arena in 2017.

More than ever, then, security partners need to offer sound, confident advice to end-users on both the nature of ransomware, and how to defend against it.

So look no further!

Ransomware: how it works

Ultimately, the aim of ransomware is to paralyse companies’ operations, usually by encrypting data, then demanding money to decrypt it and render it usable again.

For security partners and their customers, one of the challenges with ransomware is that it can enter the network through many different routes – malicious links or infected file attachments in emails, drive-by attacks triggered by a visit to an infected website or ad, botnets, USB drives, Yahoo Messenger images… the penetration potential is extremely high.

But to rub salt into it, ransomware also dodges many of the traditional anti-virus defences.

It disguises filenames and attributes and hides behind legitimate file extensions. And it often uses secure communications protocols like https and Tor, and encrypts its communications as it goes, obscuring the tell-tale server calls that would ordinarily betray its presence.

What this means is that most anti-virus protection is none the wiser to the threat – and so the latter finds its target, which is usually the most critical data the business holds. (Indeed, the notorious Cryptolocker ransomware, as this blog, from Bitdefender, explains, hunted out 70 different specific file extensions, precisely for this reason).

Ransomware: how to stop it

A threat that can infect via so many different channels, and hide its tracks whilst it’s doing it, clearly can’t be stopped by a single “silver bullet.”

It can only be stopped by layered protection that detects and blocks at all the levels at which ransomware can penetrate and spread.

Research carried out by Trend Micro has found that 99% of over 99 million ransomware attacks were found in malicious email or web links, so robust defence at the email and web gateway level, as well as at the endpoint and network levels, are a must.

Protecting email and web traffic from ransomware

Analysis is the key here; in the absence of the normal malware “cues” that signal a threat, security solutions have to look harder, deeper and wider for signs of the miscreants.

This means not just analysing links in the body of an email, for example, but also the links in the attachments that that email contains – as well as the attachments themselves.

It means scanning for zero-day and browser exploits, and other favoured ransomware entry points that are buried in applications (such as within Office 365 – 2 million threats discovered to date, according to Trend Micro!), rather than just in links or attachments.

And it means both being able to instantly compare links with a global database of known malicious URLs, and automatically rewrite links (as we discussed in this post) to divert them into a sandbox and analysis environment.

There, they can be triggered and inspected at no risk - even if they are not “known suspects.”

Protecting endpoints from ransomware

But what if the threat enters the network from an endpoint, like a PC – triggered, perhaps, by an infected document on a USB stick?

Actually, it’s at this level that some of the most useful indicators of ransomware behaviours – rapid encryption of multiple files, for example, or exploit kits that look for unpatched software vulnerabilities, as a prelude to sending ransomware through them – can be detected.

A security solution that can isolate the endpoint can stop the ransomware from spreading further via the network. And on that point…

Protecting networks from ransomware

The network itself must of course be protected.

But network traffic flows across myriad nodes, ports and protocols, so security must be capable of identifying ransomware and attacker behaviour in and across each of these sub-layers.

Here, too the sandbox analysis that we mentioned above is a powerful resource, mirroring the actual network environment so that the presence of typical ransomware behaviours can be accurately tracked and their effect (and therefore likely objective) revealed.

And blocked!

Ransomware immunisation: using the threat against itself

But one of the slickest anti-ransomware developments we’ve seen recently is a “vaccine”, which literally uses the ransomware’s own programming against it.

Ransomware typically prevents a machine it has already infected from playing host to any other infection that could interfere with the ransomware’s own endgame.

But this same feature, deployed on uninfected machines, effectively blocks the ransomware itself, as we have previously described in this post. So, does this mean ransomware is finally hoist by its own petard?

I wouldn’t bet on it. But by sharing knowledge about how ransomware works, how we can defeat it, and where businesses and security partners can go for more advice, we make every hostage that bit more difficult to take.

And that’s a ransomware result.

Keyboard equipped with a red ransomware dollar button.
Keyboard equipped with a red ransomware dollar button.

There has been report of several companies becoming infected by the Crysis Ransomware and as such we have had a look into what it does and how it can be prevented.

History

First detected in February 2016, this virus has multiple methods of infection typically an email which has attachments using double extensions to make them appear non-executable.  Although it has been seen to also come through SPAM emails and compromised websites.  There has also been reports that it has been distributed to online locations and shared networks disguised as an installer for various legitimate programs.

Description

Crysis Ransomware itself is capable of encrypting over 185 file types across fixed, removable and networks drives and uses RSA and AES encryption, once infected it will also look to delete the computers shadow copies.  Whilst also creating copies of itself into the following locations.

  • %localappdata%\­%originalmalwarefilename%.exe
  • %windir%\­system32\­%originalmalwarefilename%.exe

The virus will then look to create/edit certain registry keys to ensure it is run on each system start.

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "%originalmalwarefilename%" = "%installpath%\­%originalmalwarefilename%.exe"
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "%originalmalwarefilename%" = "%installpath%\­%originalmalwarefilename%.exe"

Finally after encryption there is a .txt file placed in the computers desktop folder, sometimes this accompanied by an image set as the desktop wallpaper.

  • %userprofile%\­Desktop\­How to decrypt your files.txt

There has also been reports of Crysis stealing data and credentials from the affected machines and passing these back to its Command and Control server.  This would then allow the computers and local networks that have been infected to become vulnerable to further attack if the credentials are not changed.

It has also been seen that Crysis will monitor and gather data gathered from IM applications, webcams, address books, clipboards and browsers prior to sending this to the C&C server with the windows variant stealing account and password credentials.

Prevention

To reduce the risk of infection we recommend the following

  • Ensure you are using an upto date AV product
  • Ensure any specific Ransomware prevention tools in the AV are used
  • Ensure you have a regular tested backup of the data
  • Educate users in the dangers of opening attachments from an unknown source

 

 

Bitdefender have updated their GravityZone cloud console with some new features over the weekend and here at Blue Solutions we are happy to guide you through these changes and how they will affect you and your customers.

Anti-Ransomware

The big news is that Bitdefender has now incorporated Anti Ransomware vaccine to all its cloud customers, and will be rolling this out through the on-premise version on Tuesday 27th Sep 2016.  This module is activated through the policy section  Antimalware --> On Access settings

Gravityzone Ransomware Vaccine Policy Setting
Gravityzone Ransomware Vaccine Policy Setting

By activating this module, machines will be protected from all currently known forms of Ransomware.

Other New Features

Update Rings - this feature allows Administrators of the program to  chose when in the validation cycle an update is received.

Anti-Exploit Techniques - a new set of powerful techniques which further enhances existing technologies to fight targeted attacks.  These are integrated into the existing Advanced Threat Control module.

Web Access Control Rules - The categories list has been updated with multiple new categories added.

Exchange Protection - This can now be enabled/disabled when editing a customer with a monthly license subscription.

 

The above features are now in place for all current users of Bitdefender Gravityzone in the cloud and will be rolled out to Bitdefender Gravityzone on-premise users from the 27th Sep 2016.

For more details on the above features and a look at the other features included please click here

logo     bs-logo

Over the last week we have seen an increase in the amount of companies receiving emails containing Zepto Ransomware, a file encrypting virus based on the infamous Locky cryptoware.
Most of the emails have been carefully crafted to ensnare the victims using social engineering techniques, typically greeting the recipient by first name and asking them to open an attachment which they had requested.
zepto image
The attachment will typically be either a .zip extension or .docm extension and once opened will run a malicious JavaScript which then encrypts all files on the users machine with the .zepto extension

To try and combat the infection, we offer the following advice
1. To protect against JavaScript attachments, tell Explorer to open .JS files with Notepad.
2. To protect against VBA malware, tell Office not to allow macros in documents from the internet.
3. Ensure your AntiMalware program is upto date
4. Ensure your users are careful with email attachments and only open the ones they are sure they have requested
5. If possible set email filtering to quarantine all .zip and .docm files

Businessman pushing virtual security button on digital background

The Web opens a window between networks and the world, creating risks businesses can’t manage. We look at 3 killer web security features that put MSPs in this space.

According to the Threat Landscape 2015 report published by the European Union Agency for Network and Information Security (ENISA), the “observed current trend” for web attacks is described, simply and rather ominously, as “increasing”.

Of course, what this also means is that the opportunity for MSPs to play into this space, by managing organisations’ web security headaches for them, is potentially huge.

But the market is crowded - so what are the killer web security innovations MSPs need to offer to really differentiate themselves from competitors?

Innovation 1: defeating outbound threats in a pure service model

Web attacks aren’t just inbound – in fact, the most devastating consequences can occur as a result of outbound traffic, for example if a Botnet, Key Logger, or other malicious program sends out information from within the customer’s network.

The innovation here is happening on multiple levels.

MSP solutions are now taking over the role of constant outbound web security monitoring that customers’ teams often simply do not have the capacity to provide.

Immediate alerts, by email or SMS, when a threat is detected, plus automatic blocking of malicious requests, protect the business from haemorrhaging its own IP and sensitive data, and safeguard teams’ core productivity.

Network usage and threat analysis reports, delivered to inboxes, then enable stakeholders to understand top threats, overall network traffic, and trends, enabling them to adjust security policies and manage future risk.

Ease of deployment: we are now looking at MSP solutions that require no on-site hardware or software, and can protect the entire customer network instantaneously simply by being “pointed” at the security vendor’s DNS structure.

Lastly, protection is no longer a trade-off against performance. An MSP delivering a web security service like this one benefits from over 2,500 auto-updates to its threat definitions daily, but doesn’t have to funnel checks and traffic through the bottleneck of a proxy server - thus maintaining optimum surfing performance.

Innovation 2: visibility into cloud apps and social media

As one vendor has explained, “Ten years ago, web security meant stopping people going to the wrong website. Today…it has become increasingly about visibility and analysis of activity within cloud applications that employees are accessing,..”

Across services like Facebook, Dropbox, Twitter, and even enterprise applications like Salesforce, what are customers’ employees posting or uploading? Is it appropriate to the audience it reaches? What are they clicking on? How are they storing sensitive data, where are they sending it, and why? Are they using language that could hint at malicious or criminal intent?

Any one of these concerns is a potential reputational and compliance timebomb – but MSP solutions are now available that take the heat out of HTTPS in three ways.

Firstly, it is now possible for MSPs to deliver visibility into cloud application usage, enabling customers to see actions like file uploads, message posts, data storage, and look inside the content of risky or suspicious activity.

Secondly, MSPs can now control access (or enable customers to control access) not only to cloud applications, but to specific features within them – by individual, role, device and location.

These can include, for example, functions that enable users to upload or delete profile images, remove a public link, permanently delete files from a recycle bin, disable a security group, and many other types of actions that can be high-risk in certain contexts, both with and without malicious intent.

The massive productivity gains that cloud apps can deliver are thus largely retained, but at a far lower level of accompanying risk.

Thirdly, this “cloud application control”, to be viable across multiple applications, and, potentially, hundreds or thousands of users, has now evolved into a centralised service that can be controlled from a single dashboard, reducing admin and management overheads, and enabling MSPs to keep their margins keen.

Innovation 3: holistic threat view

Analysis of web attacks in isolation does not always deliver the full web threat picture. Web users are invariably email and collaboration software users too, for example, so web threats often propagate through these channels, via vulnerable endpoints.

The danger for the MSP providing a web security service is that if they don’t have a truly holistic view of each user and the threats that have been ranged against them in the recent past, the true threat pattern – and so the true extent of users’ vulnerability – will not be fully understood. Service fail!

But MSPs are already over this hurdle, for two reasons.

They can now access a centralised management console that makes all the relevant threat data visible in one synopsis, (an example of which is shown in this video).

And the web security application itself can be connected to other security applications (email, collaboration, endpoint) in one integrated service.

The benefits of this approach are immediate, in the sense that the customer is less likely to get caught out by a threat pattern that the MSP’s service hasn’t picked up on!

But they’re also forward-looking, as threat intelligence is actively shared between applications, making detection of multi-channel threats easier in the future.

MSPs and web security – the future

But let’s play devil’s advocate here for a moment. MSPs can deliver services around everything from email provision, to backup and business recovery, to accounting and finance, to business analytics, and more besides. There is no shortage of growth markets for MSPs – so why choose web security?

None of us have a crystal ball, but the view from the bridge at analysts The Radicati Group looks pretty decisive in this summary of their 2015 to 2019 predictions.

“The Corporate Web Security market”, they say, “continues to grow at a fast pace, fueled [sic] by on-going concerns about corporate security… The market is expected to grow from over $2.1 billion revenues in 2015, to over $3.9 billion in 2019.”

The Group also tells us that “Cloud based Web Security solutions are seeing increasingly strong demand”, bolstered by the need for “powerful Web Security protection on the go, without the complexity of connecting back to the corporate network.”

The web security market is on the up. MSPs just need to make sure they’re delivering the right features to get a profitable slice of it.

Brian-A-Jackson1

On a weekly basis there are now articles regarding a big brand company which has been hacked, these usually relate to what data has been lost, how they are notifying those affected and what they are going to be doing to prevent this from happening again.

So how do you prevent it from happening in the first place?

From experience I can see that if a hacker wants to get details from somewhere they will take the easiest target, the ‘Low Hanging Fruit’ as they say, in ensuring your company has some basic security principles in place can help mitigate this.

So how do you ensure you are not the ‘Low Hanging Fruit’

Simple measures can be taken within your environment to help secure it. As a basic level you should be meeting the following guide - CyberEssentials Requirements

This sets out some advice regarding Firewalls, User access control, Passwords, Malware protection and Patch management.

Once you have met the standards given within this document you should be looking to increase the security standards within your organisation. The most effective we have found is the use of education, once educated your staff will be able to react to the threats quicker and reduce the risks to your company.

security-banner

Our top security updates in the news and on the web this week

1.10 tips to avoid Cyber Monday scams

Shoppers familiar with the Cyber Monday circus know they’re stepping into the lion’s den. The Internet has always been a lawless place. First posted on Malwarebytes.

For the original post and further information click here

2. More POS malware, just in time for Christmas

Threat researchers are warning of two pieces of point of sales malware that have gone largely undetected during years of retail wrecking and now appear likely to earn VXers a haul over the coming festive break. First posted on The Register.

For the original post and further information click here

3. Some simple security advice for computer and smartphone users

Demonstrated how easy it can be to compromise users computers and 'steal' very personal video and photos, here's some really simple advice to help prevent this happening. First posted on Pen Test partners.

For the original post and further information click here

4. CryptoWall Updates, New Families of Ransomware Found

The ransomware threat isn't just growing—it's expanding as well. There has been a recent surge of reports on updates for existing crypto-ransomware variants. First posted on Trend Micro.

For the original post and further information click here

ransomware-update

5. Blast from the Past: Blackhole Exploit Kit Resurfaces in Live Attacks

The year is 2015 and a threat actor is using the defunct Blackhole exploit kit in active drive-by download campaigns via compromised websites. First posted on Malwarebytes.

For the original post and further information click here

6. Another Day, Another HMRC Tax Phish…

We could all do with a bit of a tax refund right before the festive season, and wouldn’t you know it. First posted on Malwarebytes.

For the original post and further information click here

7. Diving into Linux. Encoder’s predecessor: a tale of blind reverse engineering 

Linux.Encoder.1 has earned a reputation as the worlds first Ransomware family tailored for Linux platforms. First posted on Bitdefender Labs.

For the original post and further information click here

If you have any security news that you would like to see on our blog please send it to us at bluesolutions, please include the link from the original article in the email.

security-banner

Our top security updates in the news and on the web this week

1. CryptoWall 4.0 A Stealthier, More Sweet-Talking Ransomware

When the malware makes its move, the new CryptoWall not only encrypts files, as it always has done, it also encrypts filenames. Heimdal Security states this new technique increases victims’ confusion, and thereby increases the likelihood that they’ll pay the ransom, and quickly. First posted on Dark Reading.

For the original post and further information click here

2. TalkTalk – The case for a Chief Security Officer

While the importance of the Chief Information Security Officer has been in constant growth over the past few years, organisations that employ a CISO/CSO are still far too few. First posted on Trend Micro.

For the original post and further information click here

3. Linux Ransomware Debut Fails on Predictable Encryption Key

No need to crack RSA when you can guess the key. File encrypting ransomware Trojans are almost ubiquitous on Windows, and it was only a matter of time. First Posted on Bitdefender Labs.

For the original post and further information click here

Brian-A-Jackson1

 

4. Adobe Flash Update Includes Patches for 17 Vulnerabilities

In what’s becoming a monthly ritual, Adobe today pushed out an updated version of its Flash Player that includes patches for critical vulnerabilities. First posted on Threatpost.

For the original post and further information click here

5. How Scammers Are Trying To Use Your Computer To Steal Your Cash

Cyber criminals want to hijack your computer for financial gain. But how does the scam work and how can you stop them? First posted on TechWeek Europe.

For the original post and further information click here

6. Top ranking Instagram client removed from iTunes and Google Play after user data theft discovery

A software developer has discovered that a leading free app on iTunes and Google Play has been sending people’s usernames and passwords to an unknown website. The malicious app is called InstaAgent, and is touted as an Instagram client. It is also reportedly the most downloaded free app in the UK and Canada. First posted on TechWeek Europe.

For the original post and further information click here

If you have any security news that you would like to see on our blog please send it to us at bluesolutions, please include the link from the original article in the email.

In preparation for print (CMYK and RGB), the greens and blues were edited. These would need to be extracted (icons and their color adjustment layers) from 175032_8_R3.psd, the schawk master.

Originally posted on the AppRiver Blog

Researcher David Leo of Deusen.co.uk has announced a proof of     concept vulnerability that was active, until recently, in both Chrome and Safari browsers that allows attackers to spoof legitimate URLs in their address bar while taking web surfers to a completely different site.

Chrome has since patched this vulnerability, but Safari has not. This leaves all devices that rely on the Safari browser vulnerable to this exploit. This includes current Macs running OSX, iPhones and iPads.

This exploit works by running a quick and tiny code snippet in the browser when a supposed legitimate link is provided to end users. The actual “legitimate link” is requested and the browser begins to head in that direction, however before it can, the exploit redirects the browser to the false destination. The original URL destination remains in the address bar, making it appear as though the user has ended up at the legitimate site. The code is very simple and very light weight making it possibly very enticing to those who would like to offer up a very convincing phishing attack.

Through spoofing, attackers already utilize legitimate sites and news stories to make their attacks more convincing, usually by stealing graphics and headlines. A couple of safety precautions, or things to look out for in these attacks, would be to mouseover the link provided to make sure it was pointing where it says it is pointed. Otherwise ending up at a destination that was not advertised is another bright red flag. However in this style of attack, everything would simply appear normal and correct on the surface.

Here's an example of the code that executes this exploit:

safair

This particular PoC attack makes the user believe they are headed to the news site dailymail.co.uk, however the hidden redirect takes viewers back to the research page on www.deusen.co.uk while maintaining dailymail.co.uk in the address bar.

To test this exploit out on your system, David Leo has provided a test page to see if you are a potential victim located here:  http://www.deusen.co.uk/items/iwhere Simply press “Go” and if Dailymail shows in your address bar, you are still vulnerable to this attack and are encouraged to be extra careful while browsing the internet or following links within emails from unexpected sources.

AppRiver provide email & web security solutions, helping businesses to communicate securely and protect their networks from malicious web content. Contact our sales team on 0118 9898 222 to learn more about AppRiver solutions.