Modern, targeted cyberattacks can take any organization by surprise. And these targeted cyberattacks are increasingly widespread. CBS “Money Watch” reported in June 2015 that more than 80 percent of U.S. companies have been successfully hacked, according to a Duke University/CFO Magazine Global Business Outlook Survey.
According to the CBS report, “Successful attacks by hackers involved stealing, changing or making public important data, according to the survey. Smaller companies (those with fewer than 1,000 employees) were more vulnerable, with 85 percent saying their information systems had been broken into. About 60 percent of larger companies reported successful hacks.”
What many people don’t realize is that commonly used security technologies can leave an organization especially vulnerable. Signature-based tools can only recognize malware that has already been seen, published and added to their signature databases; undisclosed (unpublished and unknown) malware passes through them undetected. Minimizing a company’s exposure to cyber-hacks now requires new technology and operational practices to mitigate threats that otherwise can have serious consequences.
Held for ransom
An example of costly and aggressive malware is ransomware, which is unfortunately becoming well known in the U.S. Ransomware attacks have been on the rise in recent years, hitting approximately 130,000 PCs and servers in 2014 and 718,000 in 2015, according to Kaspersky Lab, an international cybersecurity firm headquartered in Moscow. These attacks often arrive as email attachments or links disguised as advertisements or invoices; once the attachment is opened or the download is run, the malware encrypts corporate files and renders them inaccessible unless a ransom is paid to the attacker. A personal computer can be running the latest version of an anti-virus product and still be infected, because a new ransomware variant has no signature yet and the anti-virus software has nothing to match it against.
The purpose of ransomware is self-evident: to extort a person or company into making a large payment in order to regain control of computers and electronic information. However, a different kind of targeted, undisclosed and successful cyberattack hit Ukrainian electricity distribution companies in December 2015. The purpose was not to hold the company to ransom but to seize operation of the control systems, the substations and the grid, according to a BBC report in February 2016. The attack serves as an important lesson because, among other reasons, the control systems, software applications, firmware and equipment used to operate the utility are the same products used by North American electric utility companies.
The BBC reports that the attack was targeted and occurred over a six-month period, including daily attempts to gain user passwords, elevate security privileges and access network infrastructure. Management and critical employees were targeted. Information regarding their lifestyles and work behavior was collected, and a spear-phishing campaign was used to bait employees. Emails were sent to specific employees who had been granted sensitive operational privileges. The content was related to their recent social activities, commercial events and a host of topics designed to avoid arousing the employees’ suspicions.
Spear phishing is an email crafted to appear to come from an individual or business that the recipient knows and trusts. The malware is not installed by merely opening the email; it runs when the recipient opens the attachment (and, for Office documents, enables its macros) or follows the link the message contains. A targeted attack involves sophisticated preparation. In such attacks the attached files and images carry undisclosed (unpublished and unknown) malware designed to achieve the next level of network access. The attachments sent to the Ukrainian utility employees were macro-bearing Office documents of exactly this kind, and several rounds of them were sent over the course of the campaign.
In the utility case, each installed stage used the company’s outbound Web connection (from inside the network) to retrieve the next stage required for the attack. As the intrusion evolved, network boundaries were crossed and higher privileges were obtained. Week after week, the unnoticed attackers positioned themselves with the access they needed to take complete remote control of the operating infrastructure. They then opened breakers at the substations, cutting power to roughly 225,000 customers. The attackers also flooded the utility company’s customer phone lines to disrupt communication and coordination. Operators had to visit each substation and operate manual overrides to restore power.
Widely reported spear phishing attacks include those against the New York Times using a Microsoft Word document, JPMorgan Chase using a PDF document, Target Stores using a TIFF image, and NATO/EU using a PowerPoint file. All of these attachments appeared to be legitimate to the people who opened or downloaded them.
Fortunately, new technology exists for malware detection. Several industry-leading solutions can be sourced from companies in the U.S., United Kingdom and Israel. These development teams often work in coordination with government security and intelligence organizations; they study the nature of malware and cyberattacks and build solutions that meet the evolving tactics of hackers.
These modern tools align with daily business practice to deter, defeat and minimize the outcome of an undisclosed cyber security threat. As mentioned earlier, traditional virus detection software, known as anti-virus software, relies primarily on signatures of disclosed (known and published) threats; it is largely ineffective against modern undisclosed malware. Some products also employ published blacklists of Web addresses known to distribute malware, which again only covers what has already been reported.
Decryption tools have been released for some ransomware families, in cases where the attackers’ keys were recovered or the ransomware’s cryptography was flawed; these can restore data and leave the ransom threat harmless and unpaid. No such tool exists for ransomware that implements its encryption correctly, so they cannot be relied on as a recovery plan. Keep in mind that backups must be maintained offline or otherwise out of reach of an infected machine, because ransomware also encrypts any backup it can reach, and backups should be tested regularly by restoring from them.
True type detection
In recent years malware detection software has included true type detection algorithms that analyze email attachments. True type detection identifies a file by its internal structure rather than by its name or extension, and determines whether that structure has been altered or carries active content that a plain document would not. This class of software takes the attachment apart, checks each component of the document type against its specification, removes or disables anything that does not belong (macros, embedded scripts and objects, malformed structures), then reassembles the document. The document can then be used while the disabled content is left behind. Industry solutions claim that only about one in every 500 processed documents is too damaged for use. Because it judges structure rather than matching signatures, true type detection mitigates undisclosed threats, and unlike anti-virus software it does not depend on updates of published known viruses. The true type detection class can be referred to as “anti-exploit software” (the industry also calls it content disarm and reconstruction), and it is designed to neutralize the malicious-attachment stage of attacks like those described earlier in this article. It does nothing against stolen passwords or links to malicious websites, which still need other controls.
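As an added illustration (not code from the article or from any vendor’s product), the following Python script does the two things the paragraph describes in miniature: it classifies an attachment by its content rather than its name, and it strips macro parts out of an Office Open XML package before the document is passed on. The signature list, the expected-extension map and the sample document are constructed for the example; real products parse each format fully against its specification and also repair the package’s content-type and relationship entries, which this script does not.

```python
"""True type detection plus a minimal disarm step for OOXML attachments.

Added example, not the article's or any product's code. Real products parse
each format against its specification; this script shows the idea with header
signatures and an inspection of the ZIP package that .docx/.xlsx/.pptx
files really are.
"""
import io
import zipfile

# Header bytes that open each format (assumption: a short, constructed list).
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"II*\x00", "tiff"),
    (b"MM\x00*", "tiff"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),  # legacy .doc/.xls/.ppt
    (b"PK\x03\x04", "zip"),                       # OOXML documents are ZIP packages
]

# Which file extensions legitimately carry each true type (constructed map).
EXPECTED_EXT = {
    "pdf": {"pdf"}, "png": {"png"}, "tiff": {"tif", "tiff"},
    "ole": {"doc", "xls", "ppt"}, "docx": {"docx", "docm"},
    "xlsx": {"xlsx", "xlsm"}, "pptx": {"pptx", "pptm"}, "zip": {"zip"},
}

# Package parts that mean "active content" inside an OOXML file.
ACTIVE_PART_NAMES = {"vbaProject.bin"}


def true_type(data: bytes) -> str:
    """Classify data by its content alone; the file name is never consulted."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return _zip_subtype(data) if name == "zip" else name
    return "unknown"


def _zip_subtype(data: bytes) -> str:
    """Tell Word, Excel and PowerPoint packages apart by their top-level folder."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return "corrupt-zip"
    for prefix, kind in (("word/", "docx"), ("xl/", "xlsx"), ("ppt/", "pptx")):
        if any(n.startswith(prefix) for n in names):
            return kind
    return "zip"


def active_parts(data: bytes) -> list:
    """Return the names of macro parts inside an OOXML package."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if n.rsplit("/", 1)[-1] in ACTIVE_PART_NAMES]


def disarm(data: bytes) -> tuple:
    """Rebuild the package without its macro parts.

    Returns (clean_bytes, removed_part_names). A production tool would also
    drop the matching entries from [Content_Types].xml and the .rels files
    so the application does not complain about a missing part.
    """
    removed = []
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename.rsplit("/", 1)[-1] in ACTIVE_PART_NAMES:
                removed.append(info.filename)
                continue
            dst.writestr(info.filename, src.read(info.filename))
    return out.getvalue(), removed


def inspect(filename: str, data: bytes) -> dict:
    """Compare the declared type (extension) with the true type and flag macros."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = true_type(data)
    active = active_parts(data) if actual in ("docx", "xlsx", "pptx") else []
    return {
        "declared": ext,
        "actual": actual,
        "mismatch": ext not in EXPECTED_EXT.get(actual, set()),
        "active": active,
    }


def build_sample() -> bytes:
    """Constructed stand-in for a macro-bearing Word document (no real macro code)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder macro storage")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    print(inspect("invoice.pdf", sample))   # name says PDF, content says docx with macros
    clean, removed = disarm(sample)
    print("removed:", removed, "remaining active parts:", active_parts(clean))
```

The point of the `inspect` verdict is that the name on the attachment carries no weight: the constructed sample is called `invoice.pdf` but its bytes are a ZIP package with a Word folder and a VBA project, which is exactly the class of attachment a signature-based scanner with no entry for that particular payload would wave through.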
Email, browser and network traffic, file transfer sites and portable media such as memory sticks all contribute to vulnerability and risk. Corporate and company policies regarding the use of these technologies should be reviewed and updated. Following are some questions to consider:
Should all inbound and outbound email pass through anti-exploit servers, either cloud based or on premise and outside of the corporate network? These solutions usually have a monthly or flat rate charge, based on the number of email accounts. Would your organization agree to processing email, including sensitive executive, management, financial and customer email outside of the corporate network or on the cloud? That is exactly what corporations are doing all over the world and why these practices need be discussed at the board level of organizations.
Should browser and network traffic be routed the same way as email? What would be the performance implications of all browser and email transactions passing through an anti-exploit server? What new equipment would be required to support it? If browsers are considered vulnerable, high-risk software, arguably the software most exposed to malware, then why are corporate ERP (enterprise resource planning) systems delivered through them? Many browser and network transactions are encrypted, which renders true type detection ineffective at the time of transmission unless the traffic is decrypted at an inspection point, and that brings its own privacy and key-management questions. But what about the traffic that is not encrypted? And since malware already uses encrypted pathways to avoid detection, how will those pathways be inspected?
Should file transmission be processed by anti-exploit servers before encryption and after decryption? File transfer software encrypts data files for transmission. Many structured text files (JSON and XML) are used for a host of file transfer applications, EDI (electronic data interchange) among them. Malware could be embedded in these transmitted files. Once encrypted, the malware travels untouched over the secure pathway, and because EDI-type applications often cross entire supply chains, one infected partner can reach many.
Should the use of memory sticks and other portable media devices, within the network, be regulated? It’s an obvious question with an equally obvious answer. Centrally located and dedicated work stations could be used to cleanse these devices before every use. Should unregulated connection of portable devices to the network be permitted at all?
My recommendation is that all organizations create a cyber security committee, comprised of company executives and the IT manager, and reporting to the board of directors. The committee should establish a budget and regularly review an organization’s cyber security strategy and implementation. Minimizing the risk and vulnerability of critical company assets and operations should be an ongoing priority.
Mark Blasman is the executive vice-president of business and product development at Jomar Softcorp International Inc., Cambridge, Ontario, Canada.