Global Ransomware virus spread – Nyetya

A new ransomware virus variously named Nyetya, NotPetya, Petrwrap and GoldenEye has been spreading globally over the last 24 hours.


This virus is distinct from WannaCry and the other variants initially suspected. It has several new features that make it harder to detect and defend against, clearly showing that today's malware landscape is evolving apace. Several factors drive this rapidly changing threat landscape: leaked tools from government agencies, more advanced security controls that in turn require more advanced malware (the cat and mouse game), and attackers who are simply more determined and more capable.

This and other recent virus attacks serve to reinforce the need for a defence-in-depth approach to security, with comprehensive controls at every level of an organisation's IT infrastructure.

Some Characteristics of Nyetya and why it is different

1. It overwrites the master boot record with its own boot loader and encrypts the master file table, which makes the whole system unbootable and causes far more damage. Previous crypto viruses (ransomware) encrypted files with specific extensions and left the system running.

2. It does not use a common attack vector from the Internet

It does not infect by scanning the Internet for vulnerable services, nor by phishing (mails with crafted content and covert malware links), file attachments or web sites hosting malicious content. Instead it exploits other ways into a network, notably the update mechanism of accounting software that is mass deployed in Ukraine (MeDoc): a malicious update was pushed through the software's auto-update channel, delivering the payload (perfc.dat). Once inside it uses the EternalBlue (SMBv1) exploit to spread (the same as WannaCry), but also two administrative tools, PsExec and WMI, which are valid and legitimate tools used inside most networks, so their use would not raise any alarm on network security controls. The malware steals the current user's token and uses it to distribute itself to other devices via PsExec, or harvests the current user's credentials and uses them via WMI (at the time of writing it was unclear how the token was obtained; later analysis found a bundled Mimikatz-style credential dumper that reads credentials from memory).

3. No external internet scans

There is no evidence of external scans (from the Internet) to locate unpatched SMB services. The only scans the virus conducts are lateral, once it is inside the protected network. That makes it very hard to detect, as most organisations have no visibility of such activity within their own network.

4. No Command and Control functionality

The virus does not use C&C, so reputation-based security controls cannot detect it. IP address and domain reputation is widely used to detect zero-day attacks and to monitor the spread of a virus, but that offers no protection against Nyetya. The ransom note relies on a single e-mail address (since disabled by the provider), so even victims who paid had no channel through which to obtain a key.

5. Special attention has been paid to cleaning up: before rebooting, it clears the Windows event logs (Setup, System, Security and Application) with wevtutil and deletes the NTFS change journal with fsutil, removing much of the forensic evidence of what it did.

All of these characteristics point to the fact that cyber criminals have changed their tactics (after the failure of WannaCry due to the incidental but timely discovery of its kill switch) and want the malware to spread as stealthily as possible.

Protecting yourself from the attack

A short summary of the techniques necessary to protect against these attacks is listed below. They cannot be undertaken in isolation; it is assumed that good security practices are already in place, such as a disaster recovery strategy and security controls such as anti-malware.

Patch your systems (MS17-010 must be applied) and disable SMBv1 wherever it is not strictly needed
Do not give normal users admin or elevated accounts, and do not let administrators log on to ordinary workstations with domain-wide privileged credentials, since the malware harvests whatever credentials are present on the host it lands on
Monitor your network and endpoints for PsExec and WMI activity and establish whether it is legitimate (based on which tools your administrators actually use, from which hosts, and at what time of day)
Monitor your internal network segments with an IDS/IPS, not just the Internet edge
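As an added example (not code from the original article), the following Python script shows what the monitoring in the last two points looks like in practice. It runs two checks over constructed log data: PsExec leaves a PSEXESVC service-install event (System event ID 7045) on the target, and remote WMI execution shows up as WmiPrvSE.exe spawning a shell or rundll32.exe (Sysmon event ID 1), while the worm's lateral SMB spread shows up in internal flow records as one source touching many hosts on TCP 445 in a short window. The event records, the flow records, the ADM-01 jump-host allow-list, the 20-hosts-per-minute threshold and the business-hours window are all assumptions made for the demonstration.

```python
"""Detection of PsExec/WMI remote execution and internal SMB sweeps.
Added example; the event and flow records below are constructed, not real logs."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows events as a SIEM might export them:
# System 7045 = a service was installed; Sysmon 1 = a process was created.
EVENTS = [
    {"ts": "2017-06-27T13:02:10", "host": "WS-042", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": r"C:\Windows\PSEXESVC.exe"},
    {"ts": "2017-06-27T13:02:12", "host": "WS-042", "event_id": 1,
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r'rundll32.exe "C:\Windows\perfc.dat",#1 60'},
    {"ts": "2017-06-27T13:05:00", "host": "WS-017", "event_id": 1,
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe report.txt"},
    {"ts": "2017-06-27T22:40:00", "host": "ADM-01", "event_id": 7045,
     "service_name": "PSEXESVC", "image_path": r"C:\Windows\PSEXESVC.exe"},
]

# Constructed flow records (src, dst, dst_port, timestamp) from an internal
# sensor: 10.1.5.42 sweeps TCP 445 across its /24 within one minute.
FLOWS = [("10.1.5.42", f"10.1.5.{i}", 445, f"2017-06-27T13:03:{i:02d}")
         for i in range(1, 40)]
FLOWS.append(("10.1.5.17", "10.1.5.200", 443, "2017-06-27T13:03:20"))

ADMIN_HOSTS = {"ADM-01"}        # assumption: jump hosts where PsExec/WMI is expected
BUSINESS_HOURS = range(8, 19)   # assumption: 08:00-18:59 local time
REMOTE_SHELLS = {"cmd.exe", "powershell.exe", "rundll32.exe", "wscript.exe", "cscript.exe"}


def flag_remote_exec(events, admin_hosts=ADMIN_HOSTS):
    """Return (host, indicator, out_of_hours) for PsExec and WMI remote execution
    on hosts that are not known administrative jump hosts."""
    findings = []
    for e in events:
        out_of_hours = datetime.fromisoformat(e["ts"]).hour not in BUSINESS_HOURS
        if e["event_id"] == 7045 and e.get("service_name", "").upper() == "PSEXESVC":
            findings.append((e["host"], "psexec_service_install", out_of_hours))
        elif e["event_id"] == 1 and e.get("parent_image", "").lower().endswith("wmiprvse.exe"):
            # A remote WMI "process call create" runs its child under WmiPrvSE.exe.
            child = e["image"].lower().rsplit("\\", 1)[-1]
            if child in REMOTE_SHELLS:
                findings.append((e["host"], "wmi_remote_process", out_of_hours))
    return [f for f in findings if f[0] not in admin_hosts]


def flag_smb_sweeps(flows, threshold=20, window=timedelta(minutes=1)):
    """Return {src: distinct 445 targets} for sources that reached at least
    `threshold` distinct hosts on TCP 445 inside any `window`."""
    by_src = defaultdict(list)
    for src, dst, port, ts in flows:
        if port == 445:
            by_src[src].append((datetime.fromisoformat(ts), dst))
    sweeps = {}
    for src, conns in by_src.items():
        conns.sort()
        for i, (t0, _) in enumerate(conns):
            targets = {dst for t, dst in conns[i:] if t - t0 <= window}
            if len(targets) >= threshold:
                sweeps[src] = len(targets)
                break
    return sweeps


if __name__ == "__main__":
    for host, indicator, late in flag_remote_exec(EVENTS):
        print(f"{host}: {indicator}{' (out of hours)' if late else ''}")
    for src, n in flag_smb_sweeps(FLOWS).items():
        print(f"{src}: SMB sweep of {n} hosts within one minute")
```

The jump-host allow-list is what turns "PsExec was used" into "PsExec was used from somewhere it should not be"; the out-of-hours flag is only a prioritisation hint, since this malware ran in the middle of the working day. The sweep detector needs flow data from inside the segment (SPAN port, NetFlow from the access switches, or host firewall logs); an edge-only sensor never sees these connections.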

Which type of network security controls are best suited to discover and prevent malware spread?

While other forms of malware attack may have been stopped by reputation-based or email and web security controls, neither would have been effective in this instance.

An essential tool in the armoury of security controls is endpoint security such as Cisco AMP for Endpoints, which analyses the behaviour of executable files on the system and performs sandboxing.

IDS/IPS network controls can catch lateral scans and SMBv1 exploitation only if they can see the traffic, i.e. they actively monitor the same logical network segment. The most common IDS/IPS deployment is at the Internet edge; since this malware neither scans from outside nor arrives via the normal Internet channels (mail and web), an edge-only deployment is not effective against it. The tactical adaptability with which cyber criminals craft their attacks necessitates a defence-in-depth approach in which controls overlap at every layer.

Don’t WannaCry from the “mother of all” ransomware attacks?

As you may be aware, on Friday 12th May 2017 there was a massive global outbreak of a new type of crypto virus dubbed WannaCrypt (aka WannaCry). Major locations hit included the UK (health sector, including hospitals and GP surgeries), Spain, where telecom giant Telefonica was hit (along with telecoms in Portugal and Argentina), and institutions in Russia. Over 140 countries and over 200,000 systems were affected.

This article provides an anatomy of this ransomware and some steps to prevent such an attack in the future.

How was the UK affected?

The NHS was crippled (more than 46 hospitals and many GP surgeries reported the malware spreading) and had to resort to pen and paper for day-to-day activities; patients were turned away, important data such as scans and test results were lost, and planned surgeries were cancelled. It is fair to say that lives were at stake, as critical operations were postponed or carried out without important test or scan results. This was the stuff of science fiction being played out in real life.

Facts about the WannaCry cyber attack:

1.   Among the fastest-spreading malware ever seen (over 140 countries and a very large number of affected endpoints in a matter of hours)

The MalwareTech infection-map animation shows the spread over time. It was possible because MalwareTech registered the kill-switch domain (see point 3) and so received the check-in requests from infected machines. Keep in mind that this does not depict the whole spread of the virus: the sinkhole only saw machines that reached the domain after it was registered, by which point the spread in Europe and Asia had already been under way for some hours.

2.   The virus exploited a vulnerability in the Windows OS that had been used for years by the NSA (and reportedly GCHQ) but was only made public a couple of months before the attack

Security specialists are split in their opinions about the leaking of this exploit.

One opinion is that the vulnerability should never have been leaked, so that the bad guys would not have become aware of it and hence could not exploit it. This is security through obscurity, or the ostrich effect: bury your head in the sand and hope that what you cannot see does not exist.

The second opinion is that no discovered vulnerability should remain hidden: the more people are aware of a threat, the more people can react to it. Security admins had two months to patch their systems, as Microsoft had released an official patch in March, a month before the exploit was leaked.

Many government and large organisations (due to their sheer size and bureaucracy) are still running Windows XP, for a long time the dominant OS worldwide, and since XP is out of support there was no patch for it until Microsoft issued an out-of-band one after the outbreak had begun.

3.   Kill switch – the virus had a kill switch designed by its creators: before doing anything it tried to reach a long, random-looking domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com) and stopped if the domain answered. A researcher (MalwareTech) found the check while reverse engineering the sample, was not sure why it was there, registered the domain and in doing so halted the spread. Note that the check is a plain HTTP request made without proxy support, so on networks where direct outbound web access is blocked and only a proxy is allowed, the request fails, the kill switch is never triggered and the malware runs regardless.
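As an added example, neither the malware's code nor code from the original post, the Python below models the kill-switch decision and the two ways a defender meets it. The worm made a plain HTTP request to the domain with WinINet configured for a direct connection, so the request bypassed any configured proxy; `direct_http_get` mirrors that by building a urllib opener with an empty ProxyHandler. The three injected transports stand in for an unregistered domain, the sinkholed domain and a proxy-only network where direct egress is blocked, and `hosts_querying` scans constructed DNS query-log lines for any client that looked the domain up, which is an infection indicator whether or not the lookup succeeded. The domain name in the code is a placeholder rather than the real kill-switch domain, and the log lines are constructed.

```python
"""Model of the WannaCry kill-switch check plus a DNS-log hunt for it.
Added example; the domain is a placeholder and the DNS log is constructed."""
import re
import socket
import urllib.error
import urllib.request

KILL_SWITCH_DOMAIN = "kill-switch-placeholder.invalid"   # placeholder, not the real domain
KILL_SWITCH_URL = f"http://www.{KILL_SWITCH_DOMAIN}/"


def direct_http_get(url, timeout=5):
    """Proxy-less GET: an empty ProxyHandler ignores *_proxy settings, much like
    WinINet opened with INTERNET_OPEN_TYPE_DIRECT. True on any HTTP reply."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            resp.read(1)
        return True
    except (urllib.error.URLError, socket.timeout, OSError):
        return False


def should_run_payload(http_get=direct_http_get, url=KILL_SWITCH_URL):
    """The worm's decision: a successful request means stop, anything else means run."""
    return not http_get(url)


# Injected transports for the network situations a defender cares about.
def unregistered_domain(url):   # before registration: NXDOMAIN, request fails
    return False


def sinkholed_domain(url):      # after registration: the sinkhole answers
    return True


def proxy_only_network(url):    # domain registered, but direct egress is blocked by policy
    return False                # the proxy-less request fails exactly like NXDOMAIN


def internal_sinkhole(url):     # defender points the name at an internal web server
    return True                 # the check succeeds without any Internet egress


# Constructed BIND-style query log: two clients looked the domain up.
DNS_LOG = f"""\
2017-05-12T10:15:03 client 10.1.5.42#51234: query: www.{KILL_SWITCH_DOMAIN} IN A +
2017-05-12T10:15:04 client 10.1.5.42#51235: query: www.microsoft.com IN A +
2017-05-12T10:16:10 client 10.1.5.17#40111: query: WWW.{KILL_SWITCH_DOMAIN.upper()} IN A +
2017-05-12T10:17:30 client 10.1.5.99#40222: query: intranet.corp.local IN A +
"""
QUERY_RE = re.compile(r"client (\S+?)#\d+: query: (\S+) IN ")


def hosts_querying(dns_log, domain=KILL_SWITCH_DOMAIN):
    """Sorted client IPs that queried the domain or a name under it (case-insensitive).
    Any hit means a host executed the sample, even if the lookup was blocked."""
    domain = domain.lower()
    hits = set()
    for line in dns_log.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        name = m.group(2).lower().rstrip(".")
        if name == domain or name.endswith("." + domain):
            hits.add(m.group(1))
    return sorted(hits)


if __name__ == "__main__":
    for label, transport in [("unregistered", unregistered_domain),
                             ("sinkholed", sinkholed_domain),
                             ("proxy-only network", proxy_only_network),
                             ("internal sinkhole", internal_sinkhole)]:
        print(f"{label:20}: payload runs = {should_run_payload(transport)}")
    print("hosts that queried the kill switch:", hosts_querying(DNS_LOG))
```

The internal-sinkhole case is the practical takeaway for proxy-only environments: resolve the domain on the internal DNS to a web server that answers every request, and the check succeeds with no egress at all. Logging those DNS lookups at the same time gives a free indicator of which hosts ran the sample.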

4.   Botnet command and control (CnC) centres were located in Tor (The Onion Router)

CnC is very important for crypto viruses, as these are usually created not to destroy but to extort money from people who want their files back, and recovery is done via a back channel in Tor that supplies the key. Tor, also known as the Tor Project or The Onion Router, is an online anonymity network designed to conceal its users' identities and online activities.

If people pay and their files are not recovered, word spreads and other victims accept their losses and pay nothing. The current estimate is that more than 55,000 infected systems have encrypted files, and the attackers want an average of 300 USD for decryption, which amounts to a hefty sum (if 20,000 users pay, that is 6 million dollars).

5.   The attack is heavily customised, with detailed interaction with the user/victim: the information displayed explains in detail what has happened and what needs to be done (how to pay) to recover files, and it is translated into 28 languages

How does the attack work?

The malware exploits a remote code execution vulnerability in SMBv1 in Microsoft Windows. The exploit (codenamed "EternalBlue") was published through the Shadow Brokers dump on April 14th, 2017 and had already been patched by Microsoft on March 14th (MS17-010). As SMB traffic should not reach the outside world, the initial entry point was widely assumed to be email, with the infected host then spreading internally; that assumption was never confirmed, and hosts with TCP 445 exposed to the Internet were also exploited directly. After the initial infection the virus spread like a worm, probing every host in reachable networks for open SMB ports and trying to infect them. Also quite unusual for this virus is its modular approach, using separate components for different tasks: one for dropping files, one for finding files with particular extensions and encrypting them, one for disabling shadow copies/system restore, and a separate executable for presenting the screen with the note, demands and payment information.

Protection techniques

This is what unaffected organisations need to do to avoid becoming victims of this ransomware.

1.   Patch – regular/automated patching of Windows systems would have prevented this malware from doing any damage, by removing the vulnerability it exploits

2.   Security awareness training – organization employees should be aware of the dangers of opening file attachments in emails or clicking on links

3.   Advanced malware protection on the endpoints – could stop the execution of the malware in the first stage or downloading and installation of the malware in the second stage

4.   Email security – strong email security would have greatly reduced the spread of the malware or disabled any executable files from being delivered to the users (depends on tuning, but even files with unknown status should be blocked and verified before further analysis can be done) or check URLs in emails to determine if they are safe to click (more modern Email protection systems have built in Web URL protection)

5.   Web security controls – would help in cases when the infection point happens by URL link in email

6.   Advanced IPS with command and control (C&C) botnet detection – would not be effective in the first minutes of the spread, but will quickly update itself (depending on the vendor) and detect/drop outgoing C&C connections. Traditional stateful firewalls would not help, except by blocking SMB traffic on TCP ports 139/445 (and traditional firewall deployments do not inspect internal traffic anyway)

7.   Backup your important information in a separate secure location – a reactive approach but very effective towards crypto viruses

Please also refer to updates from the UK National Cyber Security Centre which provide guidance on how to protect against ransomware.

Indicators of compromise

How to check whether your network has the malware: typical indications are listed in the link below.

Basically, infected clients will request connections to the associated IP addresses, and there will be evidence of file transfers with the listed SHA-256 fingerprints (bear in mind there are small variations of the virus, resulting in multiple fingerprints).

Mitigation techniques (after the attack)

Unfortunately, once files are encrypted it is close to impossible to decrypt them without the proper key. Most endpoint protection vendors provide a list of steps to remove the virus, stop its spread and be immune in future, but not to recover files. General recommendations vary between vendors, but most follow these steps.

1.   Make sure your endpoint protection software is running and not disabled

2.   Download and install the latest signatures

3.   Install the PATCH from Microsoft (MS17-010) which fixed the SMBv1 vulnerability

4.   Scan all systems (the virus is commonly detected under a name such as MEM:Trojan.Win64.EquationDrug.gen) and reboot them; make sure the patch is installed before rebooting, otherwise the host can simply be reinfected.

This article was compiled by our Lead Security Consultant Deyan Panchev.

The true financial costs of a security breach

IT security is critical to protecting those elements of business that you work so hard to secure – goodwill, a solid reputation and consumer trust (as well as avoiding the things that can threaten to damage your company irrevocably, such as bad publicity that endures). Looking beyond these business risks, there lies a wealth of data that provides a window into the true financial costs of an IT breach – and if we begin with the fact that UK businesses faced costs of £29bn from cybercrime in 2016 alone, we come to realise that never has the threat of cyberattacks loomed so large on the horizon for UK companies (ITGovernance).

The (staggering) costs of recovery

Whilst many businesses still consider robust security an unnecessary or overinflated cost, it is the alternative that can be truly costly. For UK SMEs, the average malware attack represented a bill of £10,516 in time and money spent following a breach. What makes this figure even more staggering is the fact that two-thirds of all UK businesses have been impacted by a cyber breach in the last twelve months alone (Government). For large UK companies, the costs of recovery have averaged £4.1 million.

When looking at the transnational brand names, we also see that no company is immune to the potential of an attack. TalkTalk faced a £60m recovery bill (notably still rising), in addition to a 30% fall in their share price; not only this, but the brand's profits are down as they battle to stem a mass exodus of customers (to date over 100,000 customers have left TalkTalk).

Across the Atlantic, retailer Target were forced to build an entirely new cyber centre – a move that was inevitable following $118 million in lawsuits filed by banks, card issuers and customers after 40 million credit card numbers were stolen.

Facing regulatory fines (and the bad press that accompanies it)

As of 2015 the UK Government reported that they’d collected a record breaking £1.4bn in regulatory fines (each of which had a maximum of £500,000 [pwc]). Yet even these figures may soon just be the tip of the iceberg, as EU GDPR legislation is set to come into effect as of 2018, with estimates that UK companies could then be stumping up as much as £122bn.

Whilst these figures are incredible, there is a cost that accompanies them that is not directly monetary, and that is the loss of goodwill. Put simply, the bad press that comes along with such fines can be nothing short of business breaking. For more insight into the business implications of a breach beyond the financial costs, read our previous blog: The business risks of a cyber breach.

The potential for business closure

In some cases, the costs of a security breach are untenable. Code Spaces, Nirvanix and MyBizHomepage are all prime examples of companies that folded due to security breaches. Notably, the latter company was once worth $100 million – and despite a $1 million attempt to right the wrongs of the breach, the company still folded. What’s more it’s not merely financial gain that attackers set their sights on, as was the case with Ashley Madison (the extramarital affair ‘hook-up’ website), the result of which has been many a divorce case (and a situation that many experts predict Ashley Madison won’t wriggle out of).

What next?

We help businesses of all shapes and sizes in protecting their vital IT assets. For a consultation with our team as to how we can help protect you from a cyber breach, simply get in touch for a free, no-obligation conversation. Alternatively, our free downloadable guide offers more insight into avoiding (and surviving) a cyber-attack.

The business risks of a cyber breach

Technology continues its lightning-fast pace of evolution, and whilst security systems, tools and techniques become ever more advanced, so too do the tactics and tools of the IT criminal underworld. To underline this point, we look to the latest UK Government report into business security breaches, which found that 74% of SMEs reported a breach in the last year alone (pwc). Sobering figures indeed.

Businesses must be aware and stay continually up-to-date with the very real risks of a cyber breach. This blog article should serve as a firm starting foundation for understanding exactly what outcomes are experienced, when a company’s IT systems are penetrated.

Trade that comes to a screeching halt

An IT security breach is capable of immediately halting almost all business activity, creating backlogs, dissatisfied customers and stressed employees. Whilst the financial cost of this downtime will vary from company to company, when we look at Fortune 1000 companies the cost of unplanned application downtime is palpable, totalling between $1.25 and $2.5 billion; these figures represent an average cost of $100,000 per hour (IDC).

Lost goodwill – irreplaceable. Bad publicity – potentially never ending

Beyond the dead set financial costs, lies something at risk that is truly priceless – the goodwill of your customers (as well as those who were yet to become customers). We need only look to the IT security breaches in recent time of Yahoo!, Carphone Warehouse and Hilton Worldwide to truly gain a picture of the impact of a cyber-attack.

Yahoo!, who have continually lost market share over the last decade, fell victim to a hack that exposed the details of 500 million user accounts. This would have been serious enough, but the situation was compounded by an 18-month delay in investigating, which has put buy-out negotiations with Verizon Communications on a knife edge. What's more, a recent survey highlights just how unpopular this news will be with Yahoo! users themselves, as 90% of people say they expect to be informed of a breach within 24 hours (FireEye).

Carphone Warehouse are facing potentially years of investigations by the UK data watchdog for the interception of 90,000 customers’ credit card details – something that will repeatedly impact upon the company’s image with each news update on the case. Finally, whilst Hilton Worldwide’s POS infiltration may not have impacted the brand’s share price, the headache of bolstering their security, and offering all affected customers free credit report services, has represented nothing short of an administrative nightmare.

The bad publicity that resulted from these breaches is, to this day, affecting each of these companies' profit margins. Estimating when, or indeed if, such a loss of confidence will ever subside is impossible.

Lost trust and lost custom – A bird in the hand…

Whilst steps can be taken to rebuild brand image and win back customers who may have abandoned a company post-breach, winning new customers is considerably more time-consuming than servicing current ones. What's more, this issue is becoming all the more serious, with more customers today switching to competitors once a breach is revealed. As testament to this, over 2013-14 IT security breaches resulted in 15% more lost customers than in the year previous (Digicert).

The threat of further attacks

When the news of a successful IT breach breaks, the prospect of that company becoming a target for more cyber criminals is almost unavoidable. This places pressure on a company to react quickly with bolstered security. Unfortunately depending on the IT system in question, this can be a logistical nightmare at best, and technically impossible at worst.


Cyber Threats – Steal it with a Click

Security teams often view browser add-ons as a low security risk, but recent monitoring has shown that some browser-based threats can be quite damaging. Cisco's research established that browser-based infections were far more prevalent than many businesses realised.

Although the number of browser infections measured over a 10-month period appeared to decline, the trend was deceptive: the volume of encrypted browser traffic was increasing, so the tracking methods were becoming less effective rather than the infections less common.

Malicious browser extensions can steal information and are therefore a major source of data leakage. Every time a user opens a new web page in a compromised browser, the malicious extension collects data. Such extensions extract more than the basic details of every internal or external web page the user visits; they also gather sensitive information embedded in the URL itself. This information can include

  • user credentials
  • customer data
  • details about an organization’s internal APIs and infrastructure.
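As an added example (not from the original article, and not the code of any particular extension), the Python below shows what a URL-harvesting extension learns when it is handed the address of every page load, and why that is a data-leakage problem even without the page content. classify_url tags the sensitive pieces: credentials in the userinfo part, tokens and session identifiers in query strings or OAuth fragments, private or internal hostnames, and API paths. redact() is the defender's counterpart for any telemetry of your own that legitimately records URLs. The sample URLs, the parameter-name list and the internal-domain suffixes are constructed assumptions.

```python
"""What a URL-harvesting browser extension learns from each page load.
Added example; sample URLs, parameter names and internal suffixes are assumptions."""
import ipaddress
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query/fragment parameter names that commonly carry secrets (assumed list).
SENSITIVE_PARAMS = {"token", "access_token", "id_token", "refresh_token", "api_key",
                    "apikey", "key", "session", "sessionid", "sid", "password",
                    "pwd", "auth", "code", "signature"}
INTERNAL_SUFFIXES = (".local", ".internal", ".corp", ".lan")   # assumed naming


def is_internal_host(host):
    """Private IP address, single-label name, or an assumed internal DNS suffix."""
    if not host:
        return False
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return "." not in host or host.lower().endswith(INTERNAL_SUFFIXES)


def classify_url(url):
    """Tags describing what the URL alone gives away, in a fixed order."""
    p = urlsplit(url)
    tags = []
    if p.username or p.password:
        tags.append("credentials_in_userinfo")
    for k, _ in parse_qsl(p.query, keep_blank_values=True):
        if k.lower() in SENSITIVE_PARAMS:
            tags.append(f"sensitive_param:{k}")
    if "=" in p.fragment:                       # OAuth implicit flow returns tokens here
        for k, _ in parse_qsl(p.fragment, keep_blank_values=True):
            if k.lower() in SENSITIVE_PARAMS:
                tags.append(f"sensitive_fragment:{k}")
    if is_internal_host(p.hostname):
        tags.append("internal_host")
    if "/api/" in p.path or p.path.startswith("/api"):
        tags.append("api_endpoint")
    return tags


def _scrub(qs):
    """Re-encode a query/fragment string with secret values replaced."""
    return urlencode([(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
                      for k, v in parse_qsl(qs, keep_blank_values=True)])


def redact(url):
    """Defender-side counterpart: drop userinfo and blank secret values before a
    URL is written to any log or telemetry. (IPv6 literals lose their brackets.)"""
    p = urlsplit(url)
    netloc = p.hostname or ""
    if p.port:
        netloc += f":{p.port}"
    frag = _scrub(p.fragment) if "=" in p.fragment else p.fragment
    return urlunsplit((p.scheme, netloc, p.path, _scrub(p.query), frag))


# Constructed URLs a compromised browser would report, one per page load.
SAMPLE_URLS = [
    "https://www.example.com/news/article-17",
    "https://intranet.corp.local/api/v2/customers?id=1042&export=csv",
    "https://admin:Passw0rd@10.20.0.5/login",
    "https://app.example.com/reset?token=a1b2c3d4e5f6&user=jane",
    "https://app.example.com/callback#access_token=eyJhbGciOi.payload.sig&token_type=bearer",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(classify_url(u), "->", redact(u))
```

Two of the five sample URLs carry a usable secret and two reveal internal infrastructure, which is the point of the passage: an extension that only ever sees the address bar still walks away with credentials, a password-reset token, an OAuth access token, an internal API path and a private address. The same classification logic can be run over proxy logs to measure how much of this your own users' browsing exposes.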

Multipurpose malicious browser extensions are delivered by software bundles or adware. They are designed to pull in revenue by exploiting users in a number of ways. In an infected browser they can lead users to click on malicious advertising (malvertising) such as display ads or pop-ups. They can also distribute malware by enticing users to click a compromised link or download an infected file encountered in such advertising. And they can hijack users' browser requests and inject malicious web pages into search engine results pages.

Over the survey period Cisco sampled 45 companies. The survey found that in every month more than 85 percent of organizations were observed to be affected by malicious browser extensions, underscoring the scale of these types of threats. Because infected browsers are often considered a relatively minor threat, they can go undetected or unresolved for days or even longer—giving cyber criminals more time and opportunity to carry out their campaigns.

Cisco recommend that security teams are allocated more time and resources for monitoring this risk, and that they consider increased use of automation to help prioritise threats.

Would you like an Independent Security Assessment to understand what threats you may be facing? Just click this link and give us a few details, and we can arrange a call back from one of our security specialists.

Cyber Threats – Detection reduced from 200 days to 17 hrs

Time to detection, or TTD, is the window of time between the first observation of an unknown file and the detection of a threat. The industry average TTD is 100-200 days, meaning that an undetected intruder has, on average, in excess of 100 days in which to do damage to a compromised business.

In many instances businesses are using outdated modes of protection against the new threat landscape. Many are still dependent on anti-virus software and firewall rules as their principal means of protection. Given the evolved nature of threats and their ability to evade traditional methods of detection, the traditional approach is akin to using a colander to catch water.

A more sophisticated approach to cyber threat defences involving a combination of adaptive, integrated detection techniques with automated protection has led to a significant reduction in TTD rates. In Cisco’s case they have managed to get the TTD down to approximately 17 hours. Cisco sees this approach leading to the establishment of a “detection and response” framework which will make it possible for a faster response to both known and emerging threats.

The new framework will feature a “visibility platform” that delivers full contextual awareness and is continuously updated to assess threats, correlate local and global intelligence, and optimise defences.

Below, we present Cisco’s six tenets of integrated threat defence to help business better understand the intent and potential benefits of this architecture:

1. A richer network and security architecture is needed to address the growing volume and sophistication of cyber threats.

Eliminate the “See a problem, buy a box” mentality. Instead of simply alerting security professionals to an intrusion or a suspicious event this framework gathers activity in an automated fashion to provide a better picture of what is happening on the network.

2. Best-in-class technology alone cannot deal with the current or future threat landscape; it just adds to the complexity of the networked environment.

There is not much difference between the major security vendors when it comes to core security. Organisations are investing in the seemingly best and newest technologies to deal with Internet security; however, new vendors offering the same solutions do little other than complicate the landscape.

3. More encrypted traffic will require an integrated threat defence that can converge on encrypted malicious activity that renders particular point products ineffective.

In part 2 we looked at the rise of encrypted traffic and why this is a good thing however it also makes it harder for IT security to monitor threats. With an integrated security platform and increased network visibility tracking these threats will become easier.

4. Open APIs are crucial to an integrated threat defence architecture.

With an integrated platform automation can be enhanced. This also brings awareness to security products which, in a multivendor climate, will result in better visibility and security control.

5. An integrated threat defence architecture requires less hardware and software to install and manage.

Where vendors are able to offer feature rich platforms with extensive functionality, this will decrease the complexity of IT security for SMEs. The result will be reduction in malicious groups and individuals gaining access to the network while remaining undetected.

6. The automation and coordination aspects of an integrated threat defence help to reduce time to detection, containment, and remediation.

Security teams often need to focus on the here and now. With an integrated threat defence system false positives can be reduced through automation and the more pressing security concerns can be dealt with quicker and more effectively.

It is not surprising that the businesses surveyed for Cisco’s Security Capabilities Benchmark Study are less confident in their ability to help secure their businesses. Businesses now need to consider the powerful impact that proactive and continuous integrated threat defence based on collaboration can have in bringing cybercriminal activity to light, undermining adversaries’ ability to generate revenue, and reducing the opportunity to launch future attacks.


Apple and Cisco Fast-Tracking the Mobile Enterprise

Rowan Trollope, Senior Vice President and General Manager of Cisco’s Internet of Things (IoT) and Collaboration Technology Group, explains how Apple and Cisco plan to form the ultimate enterprise partnership.

“I came to Cisco to create incredible technology experiences for millions of enterprise workers. That’s why I’m so thrilled to be the executive sponsor of our partnership with Apple; together, our two companies are capable of “incredible” on a pretty massive scale.

Since our announcement in August, engineers, user experience and design teams from Cisco and Apple have been working side by side and testing together to make sure you have a truly delightful experience with your iPhone and iPad on your company’s Cisco assets. And today, as Apple introduces iOS 10, we’ve reached a major milestone”.

To find out how, click here.

IT Security – Want to know what you are up against? Part 2 of 3

In our last blog post we looked at various web attack methods, threat updates and where cyber criminals were focusing their efforts.

In part 2 of this series, based on the 2016 Cisco Annual Security Report, we focus on 3 main areas that are being exploited: data encryption, WordPress web sites and vulnerabilities in the IT security infrastructure itself.

These are 3 particularly important aspects of IT Security for SME businesses.

A False Sense of Encrypted Security

Customer details form the cornerstone of any business; however, in 2015 there seemed to be a false sense of security when it came to encryption. Encrypted traffic, specifically HTTPS, is fast becoming the dominant form of traffic (in fact it accounts for over 50% of all bytes sent over the Internet).

Both sending and storing data have been identified as two ways SMEs become victims of cyber attacks. Cisco found that a number of businesses simply do not encrypt the data they store on their internal network. Attackers, meanwhile, use encryption themselves: they steal data at rest and encrypt it in transit to their own infrastructure, so that the exfiltration hides inside the growing volume of legitimate encrypted traffic.

For SMEs it means point solutions alone (such as Anti-Virus and Perimeter Firewalls) are becoming less effective and an integrated threat defence is a must for identifying emerging threats.

Compromising Security Through WordPress

Within the SME sector WordPress has emerged as a pivotal platform for building and maintaining websites. This has also benefited attackers, who see it as a cost-effective way of launching ransomware, bank fraud and phishing attacks.

Dormant WordPress sites are being used more extensively as relay agents; the number of WordPress domains adopted for this purpose by malicious groups increased by 221% between February and October 2015.

Poorly maintained sites are being exploited too, as a result of weak security: running an outdated version of WordPress with known vulnerabilities, using weak admin passwords, or running plugins that are missing the latest security patches.

Web security that analyses traffic coming from WordPress websites is a must going forward in 2016.

Creating Updated Infrastructure Resilience

Many organisations, trying to save money, neglect to update their security infrastructure, and this leaves them wide open to compromise.

Cisco found that 92% of the Internet-connected infrastructure devices in their sample were running software with known vulnerabilities, and 8% had reached end of life, making them even more exposed to exploits. Put simply, organisations are failing to properly upgrade their security infrastructure.

The big point to take away from this from a SME perspective is to be proactive regarding IT security rather than only acting when this security is infiltrated.

Are SMEs Really the Weak Link?

We mentioned in our previous post that SMEs can be seen as a weak link when it comes to IT security.

SMEs are less likely to use incident response teams or outsource their security operation to security experts. Another report showed that 33% of UK organisations handle their security internally while this figure drops to 20% for other countries.

These two aspects alone make them increasingly vulnerable to cyber attacks and data compromises with only 51% of companies that have 500 or fewer employees actively patching and upgrading their security.

The fact that SMEs are also less likely to have experienced a major data breach up to this point leaves them unprepared for how to respond and how to prevent it happening again. According to a recent government report the average cost of an IT security breach for an SME can rise to as high as £310,800, which can have devastating financial effects for the business.

In the third part of our series we are going to look at what the future holds for IT security in 2016 and beyond.

IT Security – Want to know what you are up against? Part 1 of 3

In the first part of this blog series on the 2016 Cisco Annual Report we take a look at the methods attackers are using to infiltrate organisations and what sectors and geographical locations are being targeted.

The vulnerability of small and medium-sized enterprises (SMEs) to sophisticated attacks on their IT infrastructure is growing. These attacks are becoming bolder and more coordinated, as the Target data breach in 2013 shows. That high-profile attack resulted in 40 million customers having their personal and credit card details stolen because a third-party SME supplier had not taken proper steps to safeguard its data. This was a US data breach; however, in 2015 74% of small organisations in the UK admitted that their IT security had been infiltrated.

In the changing landscape SME businesses are increasingly being targeted, according to Toni Allen of the British Standards Institute (BSI). In most cases it can take between 100 and 200 days before a company even realises its security has been compromised.

The latest Web Attack Methods

Even though Flash is being phased out, and with it one of the most common targets of malicious attacks, this has only meant that web attacks are being refocused.

Browser infections and targeting social media platforms are two big methods of gaining access to data. In fact, malicious browser extensions that provide a way to leak data were found to impact 85% of the organisations that were studied.

92% of attackers use DNS to target businesses and familiar botnets such as Bedep, Gamarue, and Miuref account for the majority of the command and control activity that affects businesses these days.

Threat Updates in 2015 and Beyond

Flash might be on its way out, but Cisco found that malicious individuals or organisations are still most likely to target Flash users. The fact that exploit kits are publicly available means it still ranks at the top of the list for vulnerabilities.

Although some browsers sandbox or block Flash completely, attackers still target older browsers or those not kept securely updated; it was still an effective method in 2015 and is likely to remain so in the near future.

Companies using outdated browsers and add-on software are most at risk. The Cisco report found that 30% were using software that was reaching end of support, which further increases their susceptibility.

Geographical and Industry Overview of Attacks

Where are these attackers focusing their efforts?

Government, healthcare, technology companies and professional services topped the list of most targeted industries, with SME businesses found to be a weak link. They use fewer defences and processes to analyse security intrusions. Only 49% of SMBs used web security in 2015, and only 29% were committed to patching software and using configuration tools that keep their security up to date.

Hong Kong was subject to the most web attacks in 2015, and the number of attacks aimed at organisations in Hong Kong was 9 times the figure for the US.

Encryption, WordPress and Infrastructure

Over the past 12 months the way in which attackers access and steal data has evolved, with an emerging focus on social media platforms, while established weaknesses such as Flash are still being exploited quite extensively.

Hackers are not only sharing more information with each other but also becoming more flexible in their approach.

In the second part of this blog series we are going to look at the escalating issues in three main areas namely encryption, WordPress and the infrastructure that SMEs use.

Would you like an independent Security Assessment to understand what threats you may be facing? Just click this link and give us a few details, and we can arrange a call back from one of our security specialists.

Security Assessment

As security continues to be a major area of focus for business executives and managers, we continue to develop services in this area to address these needs. To this end we have teamed up with Comstor and Cisco to offer Security Assessments that give a comprehensive view of real-time security threats. The service also includes actionable steps to mitigate identified threats. Watch this space over the next few weeks for more information on this service.