The cost of ignoring malware: How attention to the ... - NTT Com Security


The cost of ignoring malware: How attention to the basics can protect your organisation from damaging attacks

It’s not enough for an organisation to install a security platform and hope that it never experiences a breach. But this seems to be exactly what is happening. The threat landscape is fluctuating and becoming more dangerous, and organisations are not responding to those threats.

It is easy to think of a security breach in terms of an attack on a world famous organisation, such as the eBay leak, or a rare major IT meltdown like Heartbleed, which made headlines earlier this year. But most security incidents are never made public. Cybercrime is evolving at an alarming rate, with more creative attacks each year, such as ransomware – a type of malware that locks down a smart phone application until the attacker is paid a ransom.[1] Or the malware scam that passes itself off as a Facebook instant message or Yahoo! Messenger message and, after infecting the victim’s system, recites passages from the Bible (which actually serve as decryption keys for its data).

200 malware attacks a minute

Malware is not simply an annoyance, but a substantial problem for information security. NTT Group Security’s 2014 Global Threat Intelligence Report (GTIR)[2], which collected and analysed data from over three billion attacks with the support of 1,300 security specialists and researchers, found that 43% of security incidents in 2013 were the result of malware. In 2013, McAfee found that there were over 200 computer attacks a minute using various forms of malware.[3] From these figures it seems pretty clear: malware can’t be ignored.

Remember the basics

There are security basics such as threat avoidance, threat detection and incident response which can drastically reduce the chance of attacks penetrating an organisation’s security. But, as the GTIR found, many companies dealing with malware breaches were missing basic controls, such as anti-virus, anti-malware and effective lifecycle management. In NTT Group Security’s experience of one company breach, up-to-date anti-virus protection would have detected the threat and prevented the attack, saving the company over $109,000 – the cost of cleaning up the breach and months of continued malware circulation, degraded service, ongoing troubleshooting and associated mitigation activities due to lack of basic protection. These are constant security applications that work to protect and maintain a system. The technology is available – but companies are failing to implement it.

It seems counterintuitive that with the highest technology advancements and skills at their disposal, hackers would choose such low-level methods to breach an organisation. But they will put in the minimum amount of effort to gain access to a system. Why go high-tech when they can take you down simply and quickly? And hackers have easy access since companies are not covering the basics.

1. Leyden, John: “PC-infecting chat demon quotes THE BIBLE to summon malware plague.” Link: http://www.theregister.co.uk/2014/05/27/im_trojan/
2. NTT Com Security, Solutionary, Dimension Data, NTT Innovation Institute and NTT Data collaborated to deliver NTT Group Security’s 2014 Global Threat Intelligence Report.
3. Security Magazine: “McAfee Reports 200 New Computer Attacks Per Minute in 2013.” Link: http://www.securitymagazine.com/articles/85324-mcafee-reports-200-new-computer-attacks-per-minute-in-2013

www.nttcomsecurity.com

Copyright© NTT Com Security 2014

Enough is enough

According to the GTIR, anti-virus failed to detect new versions of malware and half the vulnerabilities found during scans were the result of patches not being installed. Within this threat landscape, the cost of doing nothing is increasing. Organisations cannot assume that plugging in technology is going to keep them safe against threats. Security protection needs to be an ongoing, consistent, evolving routine.

Companies need to consider a layered approach that addresses all aspects of the organisation and supports the long term business objectives. This is likely to require a blend of managed services and technology together with suitable business processes so that an organisation can understand its current risk maturity and put in place the right approach to provide continuous risk management.

Implement and test

There are basic protection strategies that a company can take to combat and better protect against the evolving threats. Garry Sidaway, Global Director of Security Strategy, NTT Com Security, suggests a strategy for a ground level of security: “As a minimum, assess the highest risks first, validate and set the right controls, and ensure that the controls are implemented and regularly tested to ensure that it is effective. This includes ensuring that critical patches are in place and vulnerabilities are mitigated.”[4] By prioritising risks, implementing and regularly testing security platforms, companies can considerably cut down on security threats.

Sidaway goes on to explain some of the basic measures available to companies in need of upping their security platform. Vulnerability scanning, in which a security assessment scans a customer’s security environment to find weaknesses and areas of potential exploitation, can give valuable insight into how attackers will use a company’s system to gain access to sensitive data. This method is an effective way for IT departments to find system weaknesses before hackers do.

Since all malware essentially attacks an endpoint - be it a desktop, laptop, tablet or smart phone - the temptation is to try to remedy it at the endpoint itself. Putting security in place to protect the endpoint is a good first step, but shouldn’t be the only level of defence.

Log analysis

Collecting and analysing logs throughout an organisation can be used as another level of defence. These can be found in Windows or Adobe for example, and are generally stored for use in reports and investigations.

By regularly checking logs, a company can better understand threats and spot recurring data and trends that may help identify future threats. A constant debate within many organisations is prevention vs. detection: is it more important to stop attacks before they happen, or to contain them once they breach a system? Both are necessary.

It may seem redundant to plan for a breach with levels of prevention security already in place, but proper incident detection is crucial to curtailing the effect of a breach. Our research shows a staggering 77 per cent of respondents had no incident response planning in place. Choosing not to implement an up-to-date incident response will leave your organisation open to risks that may result in a breach.

Outsourcing to a trusted provider can also help mitigate the risks by providing valuable information to the board to help them understand and prioritise threats, and make more informed decisions. Outsourcing IT security will allow upper-level management to focus on their roles – rather than the security system.

Additional levels of security

With increasing levels of threats and advancing sophistication, organisations must act quickly, be more efficient and more effective than ever in keeping safe. A reactive security strategy will simply not cut it — companies need to start being proactive against threats to avoid being breached and integrating processes and operations within the security system.

One option is using a Managed Security Services Provider (MSSP), to offer visibility and control that allow for active threat management. With access to global information and structures, MSSPs offer a more in-depth look into a company’s security system and potential threats on both a network and application level. An MSSP takes large amounts of data and information and sizes it down into comprehensive information that allows organisations to make informed, intelligent security decisions.

Take the hackers’ route

Another route a business could take to ensure security would be APT (Advanced Persistent Threats) simulation. This takes the route a real hacker would take when trying to breach a company’s security barricades. First it profiles the company and creates targeted emails, known as spear-phishing, and then uses the information it gathers to infiltrate a security system. This simulation in turn offers a better insight into the organisation’s security, which can then be turned into valuable risk management.

43% of security incidents in 2013 the result of malware

200 computer attacks a minute use malware

77% have no incident response plan in place

4. Sidaway, Garry: “Stop the blame game: Report reveals the secrets to business IT security.” Link: http://www.itproportal.com/2014/05/26/stop-the-blame-game-report-reveals-the-secrets-to-business-itsecurity/#ixzz33SzNVCIY


Governance, Risk and Compliance (GRC) is a three-tiered approach to management that more companies are beginning to adopt, and it can also be an effective part of a company’s security strategy. Sidaway explains: “Visibility and alignment is necessary to deliver effective policies, procedures and security controls as part of continuous risk management.” Running PCI DSS scanning can also help lower the risk of breaches, as our research showed that those who ran them regularly had less of a risk and could repair an incident three times faster than companies that did not.

Simple, ongoing security

These figures and facts are not meant to scare companies, but they do show that the threat is present, and organisations can protect themselves with proper security measures. The major finding of our GTIR is that basic, simple and ongoing security platforms are imperative to a company’s threat defence system. But organisations need to ensure they are considering information security and risk management as part of the overall business agenda. The threat landscape is quickly evolving and becoming more sophisticated, and a comprehensive approach is required for continuous risk management.

About the author

Garry Sidaway, Global Director of Security Strategy at NTT Com Security

Garry Sidaway was appointed Global Director of Security Strategy in January 2011. He works with global enterprise customers to help them address the challenges of embedding information security and risk management into the security fabric of a business. Garry has been working in IT throughout Europe and America for more than 25 years. Garry’s past roles have covered all aspects of information security and risk management, including roles at Cybertrust, part of the Verizon Terremark group. He has worked throughout the world in a wide range of industries, giving him a unique insight into business risks and information security. He has been instrumental in the development of security solutions to meet business needs.

We see a more secure world

NTT Com Security is in the business of information security and risk management. By choosing our WideAngle consulting, managed security and technology services, our customers are free to focus on business opportunities while we focus on managing risk. The breadth of our Governance, Risk and Compliance (GRC) engagements, innovative managed security services and pragmatic technology implementations, means we can share a unique perspective with our customers – helping them to prioritise projects and drive standards. We want to give the right objective advice every time.

Our global approach is designed to drive out cost and complexity – recognising the growing value of information security and risk management as a differentiator in high-performing businesses. Innovative and independent, NTT Com Security (formerly Integralis), has offices spanning the Americas, Europe, and APAC (Asia Pacific) and is part of the NTT Communications Group, owned by NTT (Nippon Telegraph and Telephone Corporation), one of the largest telecommunications companies in the world.

To learn more about NTT Com Security and our unique WideAngle services for information security and risk management, please speak to your account representative or visit: www.nttcomsecurity.com for regional contact information.
