Web security

Web SecurityWeb attacks will continue to increase in 2016, experts tell us. But web security is getting cleverer - and here’s what you need to know about it.

The European Union’s latest ENISA Threat Landscape report tells us that web attacks will continue to increase in the future. So, no surprises there, then!

But web security hasn’t stood still. In fact, there are many web security features now available that give security partners and their customers much deeper insight into web threats, as well as more effective tools to combat and manage them.

Here are just a few web security developments you might want to look out for in 2017.

URL analysis to beat zero-day threats

The backbone of web security has often typically relied on comparing a URL to a database of known malicious URLs, and blocking access if a match is found.

Clearly, there are severe limitations to this approach. Zero-day threats, for instance, won’t be on any URL blacklist, because they are simply too new, as we’ve explored in a previous post.

But web security solutions can now ‘sandbox’ a URL (quarantine it so that interactions with it cannot pass threats onto the network) and automatically analyse the behaviours of the destination site.

This way, even zero-day and unknown threats can be spotted and blocked, before they can cause any damage.

Centrally managed content filtering and reporting

Web content filtering is also a critical security requirement for most organisations, to ensure that employees don’t access inappropriate or reputationally risky material.

Historically, however, it’s been easier said than done. Endpoint security solutions have rarely proven themselves up to the task; they typically cannot monitor or report on web access unless there is a policy in place on that endpoint for that specific website. (Hardly an all-encompassing strategy, eh?)

Web security solutions can totally transform this situation, because security policies and their actions can be applied from a central dashboard to users and roles, independently of the endpoints they’re working from.

A senior manager who has good cause to investigate questionable content on a website, for example, might simply be monitored; a more junior user attempting the same thing might have access to that website blocked.

Decoupling web filtering from endpoints also means that reports can be created and run in real-time, simply by clicking on widgets in the centralised dashboard - and these cover all web use, not just pre-selected sites.

Web application control: the new ‘must have’

As we touched on in a previous post, it is now possible for web security solutions to control access not only to cloud applications like, for example, Facebook, but to specific features within them – by individual, role, device and location.

These can include, for example, functions that enable users to upload or delete profile images, remove a public link, permanently delete files from a recycle bin, disable a security group, and many other types of actions that can be high-risk in certain contexts, both with and without malicious intent.

As businesses rely more and more on cloud and social applications to carry out everyday processes, this kind of web security is set to become mission-critical.

Gains in performance, deployability, and more

But it’s not just the security features themselves that are worthy of note.

A host of innovations around performance, deployment, usability and productivity mean that web security solutions are now a more attractive proposition from the point of view of end-users (who are looking for service excellence) as well as security partners (who are looking for differentiators and ease of management) than ever before.

From the performance point of view, the latency (lag) often associated with cloud-delivered solutions, for example, is a thing of the past, thanks to locally stored caches that wake up instantly.

From the deployment point of view, flexibility is high on the agenda, with agentless options, and multiple authentication methods, including SAML, direct, and agent-based – pretty much whatever the end-user prefers, in fact.

And when it comes to usability, guest users on VLAN and mobile workers are protected without the additional complication of connecting to a VPN (or the danger of failing to do so), supporting risk-aware productivity.

Something tells me threat actors, users and security partners alike will be watching web security very carefully in 2017.

Over the last week we have seen an increase in the amount of companies receiving emails containing Zepto Ransomware, a file encrypting virus based on the infamous Locky cryptoware.
Most of the emails have been carefully crafted to ensnare the victims using social engineering techniques, typically greeting the recipient by first name and asking them to open an attachment which they had requested.
zepto image
The attachment will typically be either a .zip extension or .docm extension and once opened will run a malicious JavaScript which then encrypts all files on the users machine with the .zepto extension

To try and combat the infection, we offer the following advice
1. To protect against JavaScript attachments, tell Explorer to open .JS files with Notepad.
2. To protect against VBA malware, tell Office not to allow macros in documents from the internet.
3. Ensure your AntiMalware program is upto date
4. Ensure your users are careful with email attachments and only open the ones they are sure they have requested
5. If possible set email filtering to quarantine all .zip and .docm files

Businessman pushing virtual security button on digital background

The Web opens a window between networks and the world, creating risks businesses can’t manage. We look at 3 killer web security features that put MSPs in this space.

According to the Threat Landscape 2015 report published by the European Union Agency for Network and Information Security (ENISA), the “observed current trend” for web attacks is described, simply and rather ominously, as “increasing”.

Of course, what this also means is that the opportunity for MSPs to play into this space, by managing organisations’ web security headaches for them, is potentially huge.

But the market is crowded - so what are the killer web security innovations MSPs need to offer to really differentiate themselves from competitors?

Innovation 1: defeating outbound threats in a pure service model

Web attacks aren’t just inbound – in fact, the most devastating consequences can occur as a result of outbound traffic, for example if a Botnet, Key Logger, or other malicious program sends out information from within the customer’s network.

The innovation here is happening on multiple levels.

MSP solutions are now taking over the role of constant outbound web security monitoring that customers’ teams often simply do not have the capacity to provide.

Immediate alerts, by email or SMS, when a threat is detected, plus automatic blocking of malicious requests, protect the business from haemorrhaging its own IP and sensitive data, and safeguard teams’ core productivity.

Network usage and threat analysis reports, delivered to inboxes, then enable stakeholders to understand top threats, overall network traffic, and trends, enabling them to adjust security policies and manage future risk.

Ease of deployment: we are now looking at MSP solutions that require no on-site hardware or software, and can protect the entire customer network instantaneously simply by being “pointed” at the security vendor’s DNS structure.

Lastly, protection is no longer a trade-off against performance. An MSP delivering a web security service like this one benefits from over 2,500 auto-updates to its threat definitions daily, but doesn’t have to funnel checks and traffic through the bottleneck of a proxy server - thus maintaining optimum surfing performance.

Innovation 2: visibility into cloud apps and social media

As one vendor has explained, “Ten years ago, web security meant stopping people going to the wrong website. Today…it has become increasingly about visibility and analysis of activity within cloud applications that employees are accessing,..”

Across services like Facebook, Dropbox, Twitter, and even enterprise applications like Salesforce, what are customers’ employees posting or uploading? Is it appropriate to the audience it reaches? What are they clicking on? How are they storing sensitive data, where are they sending it, and why? Are they using language that could hint at malicious or criminal intent?

Any one of these concerns is a potential reputational and compliance timebomb – but MSP solutions are now available that take the heat out of HTTPS in three ways.

Firstly, it is now possible for MSPs to deliver visibility into cloud application usage, enabling customers to see actions like file uploads, message posts, data storage, and look inside the content of risky or suspicious activity.

Secondly, MSPs can now control access (or enable customers to control access) not only to cloud applications, but to specific features within them – by individual, role, device and location.

These can include, for example, functions that enable users to upload or delete profile images, remove a public link, permanently delete files from a recycle bin, disable a security group, and many other types of actions that can be high-risk in certain contexts, both with and without malicious intent.

The massive productivity gains that cloud apps can deliver are thus largely retained, but at a far lower level of accompanying risk.

Thirdly, this “cloud application control”, to be viable across multiple applications, and, potentially, hundreds or thousands of users, has now evolved into a centralised service that can be controlled from a single dashboard, reducing admin and management overheads, and enabling MSPs to keep their margins keen.

Innovation 3: holistic threat view

Analysis of web attacks in isolation does not always deliver the full web threat picture. Web users are invariably email and collaboration software users too, for example, so web threats often propagate through these channels, via vulnerable endpoints.

The danger for the MSP providing a web security service is that if they don’t have a truly holistic view of each user and the threats that have been ranged against them in the recent past, the true threat pattern – and so the true extent of users’ vulnerability – will not be fully understood. Service fail!

But MSPs are already over this hurdle, for two reasons.

They can now access a centralised management console that makes all the relevant threat data visible in one synopsis, (an example of which is shown in this video).

And the web security application itself can be connected to other security applications (email, collaboration, endpoint) in one integrated service.

The benefits of this approach are immediate, in the sense that the customer is less likely to get caught out by a threat pattern that the MSP’s service hasn’t picked up on!

But they’re also forward-looking, as threat intelligence is actively shared between applications, making detection of multi-channel threats easier in the future.

MSPs and web security – the future

But let’s play devil’s advocate here for a moment. MSPs can deliver services around everything from email provision, to backup and business recovery, to accounting and finance, to business analytics, and more besides. There is no shortage of growth markets for MSPs – so why choose web security?

None of us have a crystal ball, but the view from the bridge at analysts The Radicati Group looks pretty decisive in this summary of their 2015 to 2019 predictions.

“The Corporate Web Security market”, they say, “continues to grow at a fast pace, fueled [sic] by on-going concerns about corporate security… The market is expected to grow from over $2.1 billion revenues in 2015, to over $3.9 billion in 2019.”

The Group also tells us that “Cloud based Web Security solutions are seeing increasingly strong demand”, bolstered by the need for “powerful Web Security protection on the go, without the complexity of connecting back to the corporate network.”

The web security market is on the up. MSPs just need to make sure they’re delivering the right features to get a profitable slice of it.

Brian-A-Jackson1

On a weekly basis there are now articles regarding a big brand company which has been hacked, these usually relate to what data has been lost, how they are notifying those affected and what they are going to be doing to prevent this from happening again.

So how do you prevent it from happening in the first place?

From experience I can see that if a hacker wants to get details from somewhere they will take the easiest target, the ‘Low Hanging Fruit’ as they say, in ensuring your company has some basic security principles in place can help mitigate this.

So how do you ensure you are not the ‘Low Hanging Fruit’

Simple measures can be taken within your environment to help secure it. As a basic level you should be meeting the following guide - CyberEssentials Requirements

This sets out some advice regarding Firewalls, User access control, Passwords, Malware protection and Patch management.

Once you have met the standards given within this document you should be looking to increase the security standards within your organisation. The most effective we have found is the use of education, once educated your staff will be able to react to the threats quicker and reduce the risks to your company.

security-banner

Our top security updates in the news and on the web this week

1.10 tips to avoid Cyber Monday scams

Shoppers familiar with the Cyber Monday circus know they’re stepping into the lion’s den. The Internet has always been a lawless place. First posted on Malwarebytes.

For the original post and further information click here

2. More POS malware, just in time for Christmas

Threat researchers are warning of two pieces of point of sales malware that have gone largely undetected during years of retail wrecking and now appear likely to earn VXers a haul over the coming festive break. First posted on The Register.

For the original post and further information click here

3. Some simple security advice for computer and smartphone users

Demonstrated how easy it can be to compromise users computers and 'steal' very personal video and photos, here's some really simple advice to help prevent this happening. First posted on Pen Test partners.

For the original post and further information click here

4. CryptoWall Updates, New Families of Ransomware Found

The ransomware threat isn't just growing—it's expanding as well. There has been a recent surge of reports on updates for existing crypto-ransomware variants. First posted on Trend Micro.

For the original post and further information click here

ransomware-update

5. Blast from the Past: Blackhole Exploit Kit Resurfaces in Live Attacks

The year is 2015 and a threat actor is using the defunct Blackhole exploit kit in active drive-by download campaigns via compromised websites. First posted on Malwarebytes.

For the original post and further information click here

6. Another Day, Another HMRC Tax Phish…

We could all do with a bit of a tax refund right before the festive season, and wouldn’t you know it. First posted on Malwarebytes.

For the original post and further information click here

7. Diving into Linux. Encoder’s predecessor: a tale of blind reverse engineering 

Linux.Encoder.1 has earned a reputation as the worlds first Ransomware family tailored for Linux platforms. First posted on Bitdefender Labs.

For the original post and further information click here

If you have any security news that you would like to see on our blog please send it to us at bluesolutions, please include the link from the original article in the email.

security-banner

Our top security updates in the news and on the web this week

1. CryptoWall 4.0 A Stealthier, More Sweet-Talking Ransomware

When the malware makes its move, the new CryptoWall not only encrypts files, as it always has done, it also encrypts filenames. Heimdal Security states this new technique increases victims’ confusion, and thereby increases the likelihood that they’ll pay the ransom, and quickly. First posted on Dark Reading.

For the original post and further information click here

2. TalkTalk – The case for a Chief Security Officer

While the importance of the Chief Information Security Officer has been in constant growth over the past few years, organisations that employ a CISO/CSO are still far too few. First posted on Trend Micro.

For the original post and further information click here

3. Linux Ransomware Debut Fails on Predictable Encryption Key

No need to crack RSA when you can guess the key. File encrypting ransomware Trojans are almost ubiquitous on Windows, and it was only a matter of time. First Posted on Bitdefender Labs.

For the original post and further information click here

Brian-A-Jackson1

 

4. Adobe Flash Update Includes Patches for 17 Vulnerabilities

In what’s becoming a monthly ritual, Adobe today pushed out an updated version of its Flash Player that includes patches for critical vulnerabilities. First posted on Threatpost.

For the original post and further information click here

5. How Scammers Are Trying To Use Your Computer To Steal Your Cash

Cyber criminals want to hijack your computer for financial gain. But how does the scam work and how can you stop them? First posted on TechWeek Europe.

For the original post and further information click here

6. Top ranking Instagram client removed from iTunes and Google Play after user data theft discovery

A software developer has discovered that a leading free app on iTunes and Google Play has been sending people’s usernames and passwords to an unknown website. The malicious app is called InstaAgent, and is touted as an Instagram client. It is also reportedly the most downloaded free app in the UK and Canada. First posted on TechWeek Europe.

For the original post and further information click here

If you have any security news that you would like to see on our blog please send it to us at bluesolutions, please include the link from the original article in the email.

In preparation for print (CMYK and RGB), the greens and blues were edited. These would need to be extracted (icons and their color adjustment layers) from 175032_8_R3.psd, the schawk master.

Originally posted on the AppRiver Blog

Researcher David Leo of Deusen.co.uk has announced a proof of     concept vulnerability that was active, until recently, in both Chrome and Safari browsers that allows attackers to spoof legitimate URLs in their address bar while taking web surfers to a completely different site.

Chrome has since patched this vulnerability, but Safari has not. This leaves all devices that rely on the Safari browser vulnerable to this exploit. This includes current Macs running OSX, iPhones and iPads.

This exploit works by running a quick and tiny code snippet in the browser when a supposed legitimate link is provided to end users. The actual “legitimate link” is requested and the browser begins to head in that direction, however before it can, the exploit redirects the browser to the false destination. The original URL destination remains in the address bar, making it appear as though the user has ended up at the legitimate site. The code is very simple and very light weight making it possibly very enticing to those who would like to offer up a very convincing phishing attack.

Through spoofing, attackers already utilize legitimate sites and news stories to make their attacks more convincing, usually by stealing graphics and headlines. A couple of safety precautions, or things to look out for in these attacks, would be to mouseover the link provided to make sure it was pointing where it says it is pointed. Otherwise ending up at a destination that was not advertised is another bright red flag. However in this style of attack, everything would simply appear normal and correct on the surface.

Here's an example of the code that executes this exploit:

safair

This particular PoC attack makes the user believe they are headed to the news site dailymail.co.uk, however the hidden redirect takes viewers back to the research page on www.deusen.co.uk while maintaining dailymail.co.uk in the address bar.

To test this exploit out on your system, David Leo has provided a test page to see if you are a potential victim located here:  http://www.deusen.co.uk/items/iwhere Simply press “Go” and if Dailymail shows in your address bar, you are still vulnerable to this attack and are encouraged to be extra careful while browsing the internet or following links within emails from unexpected sources.

AppRiver provide email & web security solutions, helping businesses to communicate securely and protect their networks from malicious web content. Contact our sales team on 0118 9898 222 to learn more about AppRiver solutions.

 

Malware attacks, security breaches and data corruption- just a few of the problems that business owners would prefer not to happen. Knowing these disasters cause businesses to lose money and sometimes their livelihoods, MSPs need to think about their customer’s disaster recovery plans and how long will it take for them to recover if the worst does happen?

The big questions are:

How quickly would they need to recover? This is the recovery time objective (RTO).  How much data can they afford to lose? That’s their recovery point objective (RPO).

Your RTO is a calculation of how quickly business processes need to be restored and resumed after a disaster—the maximum allowable downtime after which the consequences become unacceptable. Reduce the gap between the RTO and your recovery time actual (RTA), the time it actually takes the I.T. team to get servers functioning and that’s money in your customer’s pocket!

Your RPO is the maximum amount of data over time that could be lost. How much data can they afford to lose (or have the time to re-enter into the database)? A couple days’ worth of data? A few hours’ worth? Even less?

Whatever the answers are to these questions, having a disaster recovery solution that helps their businesses recover quickly is important to protect them against the worst happening.

Call our Sales Team today on 0118 9898 222 to find out about the best backup and recovery solutions for your business

AppRiver logo largerversion

Article by Troy Gill, AppRiver

Over the past several days we have been seeing several malicious email campaigns posing as legitimate communication from Amazon. The first campaign is posing as messages from the amazon.co.uk with the subject line reading: Your Amazon Order Has Dispatched (#3digits-7digits-7digits). These messages purport to be order shipment notifications. These messages began hitting the AppRiver filters on 31/10/14 and have been coming in consistently ever since. So far we have quarantined just over 600,000 of these messages.

Each message contains a Word document (MD5: a75e196e6c0cabc145f4cdc3177e66ec) that contains a malicious macro. In most instances users should at a slightly lower risk with this infection vector, since macros are not enabled by default in more recent versions of Word.  The macro (if allowed to execute)leads to the install of a Trojan dropper. The malware currently creates a process named SUVCKSGZTGK.exe on the victims machine. Eventually this leads to the install of key-logging malware designed to harvest banking login credentials, email credentials and social media credentials. As we commonly see with this these types of campaigns, the payload can be changed out by the malware distributors so this dropper could pull down some other form of malware in the future.

Here is a look at the message:

Malicious Amazon message1

 

In a separate email blast, another group is distributing malicious emails posing as Amazon order confirmation emails. These emails are coming is at a slightly slower clip than the former campaign mentioned but we have quarantined nearly 160,000 of these message over the past few days. They appear from amazon.com with the subject reading: Your order on Amazon.com.

These email have a bit more of a legitimate look as they utilize actual graphics taken from Amazon. Instead of a malicious attachment, these messages utilize links to compromised wordpress sites. Clicking these links will launchthe download of a .scr file  named: invoice1104.pdf[dot]scr. Which should be a huge red flag to most users as the .scr file extension is used almost exclusively for malware infection these days. The .scr file(MD5: 09cb12d7cd0228360cd097baeaaa6552) is in fact a Trojan dropper that will lead to the install of more malware once it has infected the host. Once again, from here, the sky is the limit for the malware distributors since they can now download and install remote files of their choosing.

Here is a look at the message and prompt :

Malicious Amazon message2

 

Malicious Amazon3

 

 

 

 

This is a very popular time of the year for these types of scams with so many people in shopping mode in preparation for the holidays. With many people expecting purchase confirmations and shipping confirmations with much more frequency, it increases the likelihood that people will far for this scam.

Be extra cautious this holiday shopping season and if you are suspicious of unauthorized activity on your Amazon account, never follow any links in an email, go directly to the website and check your account from there.