Industry Intel

Girl Scouts and OpenText empower future leaders of tomorrow with cyber resilience

The transition to a digital-first world enables us to connect, work and live in a realm where information is available at our fingertips. The children of today will be working in an environment of tomorrow that is shaped by hyperconnectivity. Operating in this...

World Backup Day reminds us all just how precious our data is

Think of all the important files sitting on your computer right now. If your computer crashed tomorrow, would you be able to retrieve your important files? Would your business suffer as a result? As more and more of our daily activities incorporate digital and online...

3 Reasons We Forget Small & Midsized Businesses are Major Targets for Ransomware

The ransomware attacks that make headlines and steer conversations among cybersecurity professionals usually involve major ransoms, huge corporations and notorious hacking groups. Kia Motors, Accenture, Acer, JBS…these companies were some of the largest to be...

How Ransomware Sneaks In

Ransomware has officially made the mainstream. Dramatic headlines announce the latest attacks and news outlets highlight the staggeringly high ransoms businesses pay to retrieve their stolen data. And it’s no wonder why – ransomware attacks are on the rise and the...

An MSP and SMB guide to disaster preparation, recovery and remediation

Introduction It’s important for a business to be prepared with an exercised business continuity and disaster recovery (BC/DR) plan plan before its hit with ransomware so that it can resume operations as quickly as possible. Key steps and solutions should be followed...

Podcast: Cyber resilience in a remote work world

The global pandemic that began to send us packing from our offices in March of last year upended our established way of working overnight. We’re still feeling the effects. Many office workers have yet to return to the office in the volumes they worked in pre-pandemic....

5 Tips to get Better Efficacy out of Your IT Security Stack

If you’re an admin, service provider, security executive, or are otherwise affiliated with the world of IT solutions, then you know that one of the biggest challenges to overcome is efficacy. Especially in terms of cybersecurity, efficacy is something of an amorphous...

How Cryptocurrency and Cybercrime Trends Influence One Another

Typically, when cryptocurrency values change, one would expect to see changes in crypto-related cybercrime. In particular, trends in Bitcoin values tend to be the bellwether you can use to predict how other currencies’ values will shift, and there are usually...

Cyber News Rundown: Edition 9/8/17

The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.

Consumer Credit Reporting Agency Equifax Suffers Cyberattack Affecting 143 Million Customers

Equifax announced hackers gained access to sensitive company data that potentially compromised information for 143 million American consumers, including Social Security numbers, driver’s license information, and credit card details. This is the third major cybersecurity incident for the agency since 2015. Most concerning, Equifax knew of the breach on June 29 but waited until September 7 to disclose the information.

Instagram Hack Exposes Millions of Accounts

A group of hackers recently gained access to a large number of Instagram accounts for high-profile celebrities and other victims. The attackers were able to use an exploit in the Insta app to retrieve the email addresses and phone numbers for millions of account holders. They then used this information to take control of more valuable accounts and posted the credentials for sale on the dark web. While Instagram was quick to fix the bug, it is still unclear just how many accounts were compromised.

Customer Databases Belonging to Time Warner Cable Publicly Exposed

In the last week, officials have been working to trace the cause of a data breach that could affect nearly 4 million Time Warner Cable customers. The breach appears to have stemmed from two databases, managed by Broadsoft Inc. (a partner of TWC), that were left fully accessible to the public. The data in question spans millions of transactions and communications with customers who have used the MyTWC mobile app in the last 7 years.

PrincessLocker Ransomware Uses Exploit Kit to Spread

While PrincessLocker may not be the newest or most dangerous ransomware variant currently making the rounds, it propagates through an unusual method: exploit kits. Along with a less expensive ransom demand, PrincessLocker has been spotted as the payload for a fully automated exploit kit known as RIG, which uses drive-by attacks to exploit system vulnerabilities.

Energy Grid Hackers Play Waiting Game

As cyberattacks focus more and more on infrastructure, rather than financial gain, they leave the future of many cities and countries uncertain. Many modern hackers have managed to work their way into countries’ infrastructures by easily bypassing the poor security used by numerous largescale energy facilities around the world. They’ve left backdoors into systems that could cause major disruption to the surrounding geographical areas, and, unfortunately, many of these very systems have never been updated appropriately. Meanwhile, attackers have nothing but time on their side to determine how and when it would benefit them to exploit these vulnerabilities.

Poker Site DDoSed, Then Ransomed

Late last week, America’s Cardroom and Winning Poker Network fell victim to the latest in a long string of DDoS attacks that have plagued such sites for years. This latest attack, however, brought with it a ransom demand to stop the attacks. The sites claim to have mitigated the DDoS attacks, though that comes after nearly 2 days of cancelling poker tournaments due to the insufficient bandwidth for their players.

An update from the CEO

Over the past eight years, I’ve been honored to work alongside a world-class group of professionals—including the Webroot team, and our growing network of partners and customers. Our security community has grown into something special, and powerful. With tremendous gratitude for that experience, I am sharing my plan to retire as CEO of Webroot. Mike Potts will be joining Webroot as CEO and a member of the Board of Directors on September 25, 2017, and I will continue to serve on Webroot’s Board of Directors.  

As I look back and think about the highlights of the past 8 years, a few stand out for me: 

  • Introducing the first “next gen” endpoint solution, built in the cloud and leveraging contextual threat analysis for greater efficacy against zero day threats than was possible before. 
  • Establishing Webroot as a highly innovation company and expanding our portfolio from endpoint protection to network protection, threat intelligence and security awareness training. 
  • Winning the prestigious Thomas J. Edison Award for Innovation, the first ever awarded to a security company. 
  • Building out a team of almost 600 talented Webrooters across the world, including outstanding teams from our acquisitions of BrightCloud, PrevX, CyberFlow Analytics and Securecast. 
  • Achieving #1 status in the major markets where we compete, like consumer retail in North America, and managed service providers and embedded threat intelligence worldwide.
  • Growing our customer base to millions of consumers, over 9,000 managed service providers and 210,000 businesses.
  • And, achieving with the close of this last fiscal year 14 consecutive quarters of double-digit growth. 

What stands out most for me, though, is the extraordinary people.  My years at Webroot were the most satisfying of my 52 years in business, and I’ve never worked with a finer group of people—employees, customers and partners alike.  We created a uniquely collaborative relationship with our customers and partners, which led to not only the highest satisfaction rates in the industry, but also a great source of inspiration for how our products could evolve to solve new problems. The success of  Webroot is our shared accomplishment. 

It’s time for me to pass the baton, and I am confident Mike Pott’s is the right person to lead Webroot going forward. Mike’s passion, vision, and industry knowledge paired with the talented team in place means you have just seen the beginning of innovation from Webroot. I can’t wait to see what this team accomplishes in the coming years and hear about all of the successful implementations from our customers and partners.  

Thank you, 

Dick Williams

Dick Williams' 8 Years of Achievements

Cyber News Rundown: Edition 9/1/17

The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.

IRS-Themed Ransomware Using Old-School Tactics

Over the past week, researchers have discovered a new ransomware variant that attempts to impersonate both the IRS and the FBI, similar to the FBI lockscreen malware that was popular several years ago. By tricking the victim into opening a link to a fake FBI questionnaire, the ransomware is downloaded onto the machine and begins encrypting. Fortunately, both the FBI and the IRS are taking great measures to alert possible victims and to catalog any scam emails that are being sent out.

History Repeats Itself at UK NHS District

Back in May, the UK’s National Health Services fell victim to a large WannaCry ransomware attack. While most of the districts have since regained full functionality, the district of Lanarkshire has once again been targeted. A cyberattack on its staffing and telephone systems left the district with only emergency services for several days. This event just reinforces the importance of updating security on critical systems before an attack, and even more so after one as devastating as WannaCry.

Worldwide Spread of Android DDoS Malware

A recent study found that hundreds of thousands of Android mobile devices had been compromised by a malware variant designed to turn them into a large-scale DDoS botnet. With hundreds of apps carrying the malicious code, it’s unsurprising that devices in more than 100 different countries have been linked to this WireX botnet, which was recently dismantled by security researchers from several different companies.

Hurricane Harvey Brings Out Scammers

As donations have poured in to support the victims of Hurricane Harvey, so too have stories of scammers looking to profit from their tragedy. Many fraudulent non-profit websites have already been registered and are seeing an exponential increase in traffic, along with large donations that will never reach the intended recipients. Phone scams have also been on the rise, with people impersonating relief organizations and other assistance groups to get information and money from victims of the storm.

Payment Records Compromised at UK Tech Retailer

In more tough news for UK citizens, officials at CeX have confirmed unauthorized access to payment records of nearly two million user accounts on their online site, webuy.com. Fortunately for many of the site’s users, CeX stopped storing customer payment information back in 2009, so most of the cards on file are likely expired. Customers have been advised to watch their accounts for any suspicious activity in the coming months, and to change their passwords as a precaution.

Cyber News Rundown: Edition 8/25/17

The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.

UK NHS Database Exposes Over 1 Million Patient Records

During the past week, a breach was discovered in patient booking system SwiftQueue, which is widely used by several National Health Service (NHS) facilities. The database may have contained patient information for up to 1.2 million UK citizens, though the actual data has yet to be fully examined. Even worse, attackers now claim they have found additional SwiftQueue vulnerabilities and are in possession of all 11 million records stored by the company.

Booking Provider’s Data Found in Public Data Dump

Researchers recently discovered a large customer data dump in a publicly-facing Amazon S3 bucket. The data in question belongs to Groupize, a groups and meetings solution, and contains everything from customer interactions to full credit card information used to book hotels and other meeting spaces. Fortunately for anyone who has used the service, the data was properly secured within a week of the discovery.

Phishing Site Hosted on .fish Domain

A new phishing site using a .fish domain was found in the past few weeks. .Fish is one of many generic top level domains (TLDs) created several years ago. While the site itself appears to have been compromised, rather than created maliciously, it was issuing redirects to an actual phishing page disguised as a French banking cooperative in Vietnam. This is the second .fish-hosted phishing site in the past 2 weeks; the first was a Netflix phishing attack that emerged just one week prior.

U.S. Navy Considers Possible Cyberattack to Blame for Recent Collision

Over the last few days, U.S. Navy officials have been trying to determine the exact cause of a large ship collision in the busy shipping lanes near Southeast Asia. Although there is currently no conclusive evidence of hacking in the ship’s systems, a steering failure occurring without initiating the backup procedures created for this very scenario raises some eyebrows. This is not the first occasion that a ship was purposely sent off-course by external interference, and officials are right to be concerned, as these are major vehicles of war.

Nearly All Hacked Companies Running Unpatched Systems

A new report by the Fortinet cybersecurity firm shows that 90% of all companies hacked in the last year were running unpatched software and network policies. Even worse for many of these companies: suitable patches had been available for months, which could have prevented the attacks, had they been implemented in a timely fashion. With a continually increasing number of attacks on unpatched system protocols, it’s crucial that companies ensure they’re taking sufficient steps to update infrastructure as part of their regular security measures.

Cyber News Rundown: Edition 8/18/17

The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.

Scottish Parliament Successfully Stops Cyberattack

Officials in the Scottish Parliament have issued a statement regarding a brute force attack on their IT infrastructure. Fortunately for the many members of parliament, their already impressive cybersecurity protocols had recently been further improved in the wake of similar attacks over the last few months. On top of the added security measures, a forced password reset was issued to all staff members, simply to improve any weak credentials.

Phony Banking Domains Distribute Malware

While security precautions continue to expand, the malicious campaigns that try to evade them are growing even faster. By creating multiple fake banking domains, scammers are now attempting to spread Trickbot, a banking Trojan, to thousands of unsuspecting customers. Online banking customers should remain cautious of sites that require banking credentials, especially if visiting them from a link from their email.

Web Service Providers Move Away From the Daily Stormer

In the aftermath of the recent demonstrations and violence in Charlottesville, Virginia, the public has fervently demanded that The Daily Stormer, as a high-traffic site for hate speech, be taken down. After GoDaddy took down the domain, the site attempted to use Google’s hosting services, which were quickly terminated. After being shunned by numerous hosting sites, The Daily Stormer has relocated to the Dark Web.

Additional Chrome Extensions Exploited

Over the past week or so, researchers have found a growing list of compromised Google Chrome extensions. The extensions in question have been used to redirect normal internet traffic to malicious sites, and even alter ads that users see on a site. By using Javascript alerts to gain user permissions, these extensions have successfully diverted nearly 1 million users to their redirected landing pages.

Hacker Unlocks Vehicle for Desperate Family

After waiting several months for a replacement key to be shipped from Japan, the owner of a now keyless Toyota minivan called on a hacker for help. The hacker was able to reprogram the car to allow the owner to use a new key. While this case is a white hat story with a happy ending, it calls attention to the security protocols that could be circumvented by a less altruistic character.

Locky ransomware rises from the crypt with new Lukitus and Diablo variants

NOTE: This blog post discusses active research by Webroot into an emerging threat. This information should be considered preliminary and will be updated as more data comes in.

New variants of Locky—Diablo and Lukitus—have surfaced from the ransomware family presumed by many to be dead. After rising to infamy as one of the first major forms of ransomware to achieve global success, Locky’s presence eventually faded. However, it appears this notorious attack is back with distribution through the Necurs botnet, one of the largest botnets in use today.

Webroot protects against Diablo and Lukitus

We first detected Diablo on August 9, 2017, and Lukitus yesterday, August 16. Since then, we’ve seen activity hitting Windows XP, Windows 7, and Windows 10 machines in the United States, United Kingdom, Italy, Sweden, China, Botswana, Russia, Netherlands, and Latvia.

How are these attacks deployed?

 

As with previous versions, the initial attack vector is through malspam campaigns in which phishing emails contain a zipped attachment with malicious javascript that downloads the Locky payload.

 

 

Once the Locky payload is dowloaded, it encrypts the users’ files with “.diablo6” and “.Lukitus”, respectively.

 

 

Then it changes the desktop background and provides the rescue pages “diablo6.htm” and “lukitus.htm”, which are identical.

 

 

Following what’s been standard for years, the Locky ransomware instructs the user to install a Tor Browser, then navigate to your unique .onion address to pay the ransom.

 

 

There is currently no available decryption tool that will work, other than paying the ransom to obtain the decryption keys. Although Webroot will stop this specific variant of Ransomware as a Service in real time—before any encryption takes place—don’t forget that the best protection in your anti-ransomware arsenal is a strong secure backup. You can use a cloud service or offline external storage, but remember to keep it up to date for personal productivity and business continuity.

For best practices for securing your environment against encrypting ransomware, see our community post.

Initial list of MD5s analyzed by Webroot

NOTE: This exhaustive list is current as of publication of this blog. We will continue to update internal lists but will not publish further additions until such time that we deem it necessary.

 

2E1A3A5F24AA6D725405E009949E6F0B

7821C8F49773EC65B9DFE8921693B130

544BC1C6ECD95D89D96B5E75C3121FEA

A2AEC1429D045355098355CAA371F23E

4779E473C909104272853EA1313BEE37

D7D22FFB1E746C20828422DA5CDF93DA

5245A7FA2351212EBF8257C55536791D

FE1CBC72C53AE7D8D16A5C943B5769FC

EA1832B7539BE8F265C08C0075CCB4DE

ACEA79268714A4752E3BF22161B90471

4BAA57A08C90B78D16C634C22385A748

0816080383AB3F33FEB9B6B51E854C73

0E05A7B9F1F2A19B678D2D92ABF70E47

F83DDED266CA056804BCC60EB998FA6C

4938F1D87F52473BC13C88498D6FC7AF

4BAA57A08C90B78D16C634C22385A748

F83DDED266CA056804BCC60EB998FA6C

8009E4433AAD21916A7761D374EE2BE9

E7E5628F67CB2FA99A829C5A044226A4

4BAA57A08C90B78D16C634C22385A748

3506AB24DB711CF76F95F89B4990981A

ECDAFEF0E38D2B5F24B806AF4FD54CC6

89ED8780CAE257293F610817D6BF1A2E

E613CF78955A4C1D8732B0ECB202CAEC

45021A1A159DEA9952AD3494B8D49852

993608B9AEA2B351E4BA883FEE8916B0

FBE9106026AF42CD24AB970ED718A579

23CCA546A85B5CAA12441F7F4C6B48E4

01DA2F592A64F2ABA0986319436177A5

96E214BAF7F26B879BAF0D87D830F916

040C537F575ED64374AB7F38F27E03F1

D3C856485116A09CAA37D867561BD634

BA82AA75BF6FC2549049877ACE505A24

9C6F2921CE536393198C605C15AE8C91

941CDFF8A86E56D11FCAF25CF7C2129B

A Day in the Life of a Chief Information Security Officer

Over the last couple of years, I’ve written and spoken regularly about the changing roles of the Chief Information Security Officer (CISO). And what better way to demonstrate the many skills the position requires – from the technical to the managerial – than journaling a day’s work. A CISO has to be the strategic partner his or her company needs to manage risk. So for anyone who may be curious, here’s what a day in the life of a CISO looks like.

Hit the ground running

05:46 – Time to get up. Traffic is pretty heavy driving into work, so I have to leave early. As I rise, I check my phone for new emails. Then I check my calendar… it’s going to be a busy day.

06:42 – I pull into Starbucks. I need my venti Pike and a hot morning bun to help me wake-up for the day. As I wait for my coffee, I’m already thinking about my meetings and reading through emails. I learn that we need to triage an issue with Webroot’s SEIM vendor that prevents Webroot employees from accessing certain URLs.I need to speak with the team about tuning our email gateway to stop flagging certain types of email attachments.

07:27 – After making it to the office, I grab another cup of coffee as I walk to my office to check email and read cybersecurity news articles I’ve flagged.

08:10 – After I finish reading email, I prepare for a meeting with my team at 08:30.

  • We’re currently transitioning from one fiscal year to the next, so I want to review with my team what we have budgeted and go over projects that have been funded. I want them to have some context about what we will be working on, what security controls we need to mature and I want each of my team members to volunteer to help manage a project with the project manager.

09:46 – Time for a quick meeting with my Deputy. I work in a satellite office in San Diego, but I’ll be at headquarters in Colorado in a couple weeks, and I want to plan some team meetings.

  • As a CISO, it’s important that I mentor my team and spend time one-on-one with its leaders. As the role of cybersecurity has matured, much of we do is now woven throughout the business, and I believe it’s critical that my team develops the skills it needs to relate to non-technical stakeholders.

10:31 – As I put together a 3-year strategic roadmap to help my organization achieve its goals (ISO 27001 and GDPR certification), I seek out another point of view from my CISO mentor. Even I need assistance at times.

  • As a CISO, you must continually challenge yourself to learn about innovative technologies, new cybersecurity skills, or new management skills. I will never know everything, and I can’t expect my team members to be active in the cybersecurity community and grow their professional skills if I don’t do the same.

Working lunch

11:54 – I’m meeting with a local cybersecurity start-up for lunch. They’ve developed technology for a scenario-based testing platform that evaluates and establishes a risk baseline for an organization. I’ve followed this start-up for several years, and now that they have funding I want to see what changes they’re making to their platform.

  • It probably goes without saying that as a CISO, I find new technologies fascinating, and I continuously look to improve the security suite I have built for my organization. It’s my responsibility as the senior security executive for Webroot to be familiar with innovative technologies and to look at new possibilities that will provide strategic value to my company.

13:41 – Reviewing notes from the meeting with my CISO mentor. He provided me with some spider graphs, which we used to annotate a security risk scorecard. I want to use this data to put together a slide deck that outlining the projects we will work on over the next 36 months, split into two phases.

  • It’s critical to have a strategic roadmap of projects, backed by a risk scorecard that annotates our current state risk baseline. That way, as my team proceeds to work with our business units to update technologies, improve work processes, and complete ISO compliance requirements, we can watch our risk scorecard change. As the CISO, this will enable me to demonstrate the business value of cybersecurity by reducing our risk exposure and maturing our operations.

15:00 – My team and I are meeting with a threat-hunting vendor, planning to do a “proof of concept” for their technology. We requested a demonstration and a Q&A session.

  • I’m continuously working with my team to improve how we view threats to our organization. We want to have a real-time view into how data enters the enterprise, how it is used, how it is accessed, and when and where it exits the organization. Throughout that lifecycle, we want visibility from a single platform to log, alert, analyze, hunt, and remediate when required.

16:47 – After reviewing late emails, I call my boss to check in.

After business hours

18:17 – After fighting through traffic on the way home, I changed to go on a four-mile power walk. As I walk, I use my voice recorder to review meetings and events I had today and lay out ideas for future projects. I also look for articles to review tomorrow, and remind myself to register for the CISO roundtable dinner next week.

20:05 – After having dinner with my family, I retire to my home office to write for an hour. I am in the process of writing my second book for CISOs, and I must dedicate a specific period of time to writing ever day so that I stay on track.

21:32 – Now I’m catching up on Krebs and Cyberwire. This is when I really feel like I’m catching up on what’s going on in the cybersecurity community. I found some articles on interesting technologies, so I shared a couple of them  with several of my peers at work.

22:30 – Time to call it a day. Shutting down the office now, and heading upstairs for bed.

01:28 – Woke up with a spontaneous idea to write an article about 24 hours in the life of a CISO. I jot down some ideas to send to our Public Relations department in the morning.

05:56 – The alarm goes off, and I hit the snooze button for ten minutes. Time to roll over, check my email and start another day…

At the end of the day, I’d like to thank Webroot for giving me the opportunity to be that valuable information security partner I talked about earlier. I’d also like to tell those veterans who are transitioning and looking for a new career, the cybersecurity community needs you. We’d be honored if you came to serve with us.

Cyber News Rundown: Edition 8/11/17

The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.

Solar Panel Vulnerabilities Could Lead to Hot Issues

A recent study on several of the top solar panel manufacturers checked for any exploitable vulnerabilities in their products. One outcome of the study found that if a large volume of solar panels were exploited at once, it could cause catastrophic problems for the main power grid of an entire country. If such an attack took place, it’s very possible millions of people would be in for a hot mess.

Ships’ Technology Returning to Familiar Shores

In the past few years, sea-faring ships have been enhancing their GPS capabilities to keep track of their fleet anywhere in the world. Unfortunately, this technology is also quite vulnerable to cyberattacks, which could land a ship in troubled waters—stranded hundreds of miles from shore. As these attacks increase, many shipping companies are turning back to older radios as backups to keep in touch with each other and associates on land.

Dutch Car Leasing Company Leaks Driver Info

Within the last week, researchers have discovered a vulnerability in LeaseWise, a type of software used by dozens of car leasing companies. While the leak was shut down after only 24 hours, officials have stated that nearly 100,000 customers’ data may have been exposed in the data breach.

iOS Users are Twice as Likely to get Phished

Over the past few months, researchers have been compiling the statistics for mobile device attacks on iOS® and Android™ phones. Although many users still consider Apple and iOS products to be invulnerable to attacks, the numbers showed nearly twice as many phishing attacks against iOS devices over their Android counterparts. Even more concerning: the majority of these phishing attacks are taking place outside of email services, where they can get around the usual spam filters and other security measures.

Blizzard Players Left Cold During Summer Games 2017

On August 9, players of the widely-popular Blizzard game, Overwatch, have been stuck staring at login screen issues with no resolution in sight. As the Summer Games 2017 event kicked off, a large number of Blizzard servers went down, leaving hundreds of players worldwide (understandably) annoyed and demanding answers. Unfortunately, Blizzard has yet to resolve the issue, but is keeping users apprised of their progress toward a resolution on the company Twitter page.

Cyber Threats to Small Businesses, a CISO’s View (Pt. 2)

Last week, we covered the results of our survey of more than 600 IT decision-makers at medium-sized companies in the U.S., U.K., and Australia. Participants shared valuable insights into their cybersecurity understanding and preparedness, and I gave my own analysis of what the numbers indicate.

Quick recap

I’ve been in the security industry for more than 20 years, and the survey results brought to light some discrepancies I think are worth further consideration. To review:

  • 96% of those surveyed believe they are susceptible to cyber threats.
  • 80% use third-party IT security resources (mixed-use IT and security teams).
  • 29% think they are ready to handle a cybersecurity-related incident.

If 80% of the businesses we surveyed outsource their cybersecurity to trusted MSPs, shouldn’t all 80% feel confident they have the resources to manage a cybersecurity breach? Why did just 29% of respondents report they feel ready to handle that incident?

To me, these numbers indicate many companies are paying for security resources, but still need to train their internal teams to improve confidence that they could triage an incident successfully. So, what can businesses do to reduce their risk of exposure and prepare themselves for a cybersecurity-related incident?

Three quick processes to help small businesses:

  1. Cyber Hygiene: get back to basics. Approximately 80% of the risk facing your organization from the majority of cyber threats can be minimized drastically if you take care of the basics correctly and continuously. You need antivirus and antimalware on all of your endpoints, and you need to make sure they stay up to date. Patch all corporate asset applications and operating systems in a timely manner, particularly critical security patches. (The industry standard is normally 2 weeks after issuance to allow for field testing.)Don’t forget to back up all critical data securely and keep it offsite. Test your backups at least once a quarter. Include a strong firewall for your network, segment your network to protect critical operations, and turn on the personal firewall software on your desktop computers. Below are some useful links to guide you in this process:
    1. S. Cert list of resources to assist small businesses in recognizing their cybersecurity risks: https://www.us-cert.gov/ccubedvp/smb
    2. S. Federal Trade Commission list of 10 practical lessons for small businesses: https://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business
  2. Training: don’t hate, educate. For small businesses to manage the impact of a cyberattack, they need to train. I recommend using a good threat intelligence feed to help train IT and security personnel on the threats facing the business and then have them meet periodically to go over the procedures to manage a real-world incident. The company needs to build good muscle memory into its incident response team, even if these types of requirements have been contracted out to an MSP. In the latter case, small businesses should work with their MSPs to determine how their in-house staff should support the MSP during an incident.
  3. Cyber Insurance: i.e. cover yourself. After a small business has assessed their risks, mitigated, and done as much planning as possible, they should look into cyber insurance policies. The policy would likely be different for each company, depending on the services they require. Remember the costs I listed above. The largest costs post-incident are notifying all affected customers and engaging forensics/data recovery services. Having insurance goes a long way toward helping your business recover quickly and cleanly in the event of a breach.

Today’s online landscape is incredibly dynamic and changes every day. To manage risks in the face of increasing changes and challenges, we recommend small and medium businesses partner with MSPs that can provide critical security services, and work with their in-house teams on education and business continuity strategies. Businesses should also maintain security basics correctly and on a continuous basis, while doing extensive worst-case scenario planning. By taking these types of steps, we can ensure a safer, more secure online experience for all of our respective businesses and customers.

Cyber News Rundown: Edition 8/3/17

The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things security. Any more questions? Just ask.

Amazon Echo Resolves Security Flaw

Researchers have recently discovered a major security flaw that affects several generations of the Amazon Echo. The flaw itself involved being able to physically access the device to install malware that records conversations, all while retaining normal usability. Fortunately for consumers, only the 2015 and 2016 devices appear to be susceptible; the flaw was fixed for the 2017 production.

New Features Added to Banking Trojan

As more banking customers use their devices to conduct an increasing number of transactions, authors of banking Trojan, Svpeng, have added in a new enhancement: keylogging. After checking the device’s set language, the malware gives itself full administrative permissions and starts propagating itself as the default SMS app for the phone. Once it gains full access, it starts gathering as much information as it can, from messages to contacts to browsed websites, and then contacts its C&C server to pass along the data.

Next Major Broadcaster Breach: HBO

In the past week, officials at HBO have announced that a breach occurred, exposing not only proprietary information, but also several unaired TV episodes and even an upcoming Game of Thrones script. While the company is unsure how it happened, the breach has brought the security of the entire industry into the spotlight.

Third Party Breach Hits Anthem Healthcare, Again

The nation’s largest healthcare provider, Anthem, has spent the last couple weeks notifying nearly 18,000 customers who may have been a part of a recent data breach. The breach comes from a third party insurance company employee who emailed a sensitive document containing Anthem customer’s medical information to their personal email address. While not directly Anthem’s fault, this news comes not long after the company settled on their last data breach, which affected nearly 80 million customers.

German Development Team Hacked

Recently, the Chrome Web Store belonging to German web development team a9t9 was hacked. Along with the initial breach, the team later found that one of their key web extensions had been injected with malicious software, and had been subsequently moved from their account to the attackers’. Unfortunately for anyone using the current extension, a9t9 are unable to deactivate or remove it, as they no longer have control.

Decoding DEF CON 25

DEF CON 25 has come and gone, but the cybersecurity world is still reeling from some of the research and advanced threats demonstrated at this annual convention of the world’s foremost hackers. Security professionals are more aware than ever of the increasing number of threats targeting everyday devices—from smart appliances to voting machines. Keep reading for insight into DEF CON from Webroot security experts.

Wreck the vote

Voting machines were hacked in about 90 minutes at DEF CON. Advanced Voting Solutions (AVS) WINVote was one of the 30 voting machines available to be hacked. The password was… wait for it… “abcde”. These are the same machines that were used for the 2004, 2008, and 2012 U.S. presidential elections. AVS went out of business years ago and stopped supporting the machines in 2007, yet Virginia was still using them in 2015! The implications are huge; not only does this confirm that voting machines are definitely hackable and voting tampering is entirely plausible, but also that government oversight for the security of these machines is grossly negligent.

DEF CON also displayed its notorious “Wall of Sheep,” where experts analyzed unencrypted network packets to show usernames and password, perfectly readable in plain text. We saw some IoT devices using unsecure protocols like FTP, POP3, IMAP, and HTTP, which were practically handing out the credentials people used to log into them. In particular, I saw more than a few smart doorbell devices on the Wall of Sheep while I was in the room. Makes you rethink your sense of home security.

– Tyler Moffitt, Sr. Threat Research Analyst

A CISO’s perspective

This year, I was amazed at the size of the crowds. DEF CON is truly becoming a must for security professionals to educate themselves on new threats and get hands-on experience in areas such as physical security, hacking and defending SCADA/ICS systems, and penetration testing on wearable devices.

One event I found especially interesting was by the company NXT Robotics, which offered up one of its security robots for hackers to attack. The bot withstood over 96 hours of continuous testing. When I questioned the founder of NXT, he said the robot was designed with a secured version of Linux from its initial design phase—their whole product life-cycle is focused on “security by design.” That impressed me. Given the growing number of IoT devices on the market today, the security of the device, its data, or how it integrates into larger infrastructures is not always accounted in the prerequisites for design. You can see that clearly in the large number of IoT devices that were on display at DEF CON, including cars, which were being stress-tested by many of the conference attendees.

One last point: many of the discussions centered on new attacks or new vulnerabilities enabled by our increasingly intertwined infrastructure. I hope to see more presentations on unique ways to defend and manage risk for organizations that have disparate networks and technologies. As DEF CON proves, hacking isn’t just for attacking; it can be about being creative in defending as well.

– Gary Hayslip, Chief Information Security Officer

Fresh threat research

Every year, without fail, security researcher Chris Domas of Battelle Memorial Institute has something really cool to share. At DEF CON this year, he presented Sandsifter, a project focused on fuzzing the x86 processor to reveal hidden processor bugs and undocumented instructions. Thanks to Sandsifter, a number of secret processor instructions have been uncovered in x86 chips from every major vendor, revealing both benign and security-critical hardware bugs.

Researcher Dimitry Snezhkov, a senior security consultant for X-Force Red at IBM, presented a tool that can offer command and control to penetrated environments via webhooks. In this way, hackers can use approved sites for communication, perform data transfers, and more without detection. (The idea is that HTTP accesses to GitHub are not likely to be filtered and will probably fly under the radar of network administrators.)

– Eric Klonowski, Sr. Advanced Threat Research Analyst

What We Learned at Black Hat 2017

Last week, Black Hat USA 2017 brought an impressive 15,000+ cybersecurity professionals to Las Vegas to talk shop about the biggest issues facing businesses today. Here’s a recap from the perspective of the Webroot security experts who attended.

A hacker’s economy

Black Hat 2017 continued a recent trend of more corporate and business involvement than ever before. We are witnessing history-in-the-making as the threat landscape continues to evolve… and not for the better. Nation state-grade security tools, techniques, and vulnerabilities are increasingly more available to cybercriminals. The price of entry has dropped. It’s as if we’ve lost plans for the atom bomb, while plutonium is just a dollar a pound.

Fortunately, Black Hat continues to be an engaging forum for cross-pollination of security ideas, as well as some scary tactical discussions, but most of all it provides education for individuals and businesses who want to find out how to defend themselves and their employees. My advice to CTOs everywhere is to become conversant in security trends and best practices, whether it’s writing secure code, deploying secure apps, or making sure colleagues are aware of the risks they face every day.

– Hal Lonas, Chief Technology Officer

A CISO’s view

One thing I found interesting this year is that everyone seems to have acknowledged they need machine learning, artificial intelligence (AI), and analytics for their security platforms. Many of the security vendors were talking about using machine learning and AI to differentiate themselves, but I still thought something was missing: nobody was really talking about integration and automation. More vendors are now offering APIs to plug their products into an organization’s SIEM of choice, but from a CISO’s point of view, I want solutions that I can automate to perform specific functions and orchestrate into my security suite.

Unfortunately, I didn’t see much designed to fill that need. With small security teams and tight budget resources, I find CISOs want to implement solutions that can be integrated into their current security platform and exchange/provide data to create a more comprehensive view of the organization’s threat profile in real time. Black Hat has always showcased some amazing technologies, and this year was no different. But from a practical point of view, I was hard-pressed to understand how I would integrate these innovations without having to make major changes to my current security investments.

– Gary Hayslip, Chief Information Security Officer

Understanding machine learning

Industry confusion continues around machine learning and artificial intelligence with the terms being used synonymously. There is still ground to cover to eliminate misnomers when identifying these types of technologies.

That aside, savvy consumers are beginning to understand that machine learning has some limitations. It takes years of experience to properly implement and even more time to build and refine the models to achieve a high level of accuracy. It also isn’t a silver bullet to solve all security problems. Many companies in our space are new to machine learning and haven’t yet had the time to understand its nuances. With over 10 years of experience in machine learning, Webroot is in a unique position, both to provide machine learning technology, but also to educate organizations about how to make the best security decisions for their business.

– David Dufour, Senior Director Engineering

Cryptocurrency fueling ransomware

Ransomware will continue to be a pervasive threat, there is absolutely no questioning this. As long as blockchain payment systems remain (relatively) anonymous, attackers have a direct way to force victims to launder the ransom themselves. Ransomware operators can also shift payments between blockchains, creating another layer of obfuscation. At Black Hat, researchers presented a small glimmer of hope. While methods are far from perfect, they’re developing tactics for tracking payments as they move through the blockchain.

With regard to the malware development, authors are aware of the growing prevalence of machine learning throughout the cybersecurity industry. As such, we can expect to see ransomware developed with a specific emphasis on defeating these models.

– Eric Klonowski, Sr. Advanced Threat Research Analyst

Integrating FlowScape™ Analytics for comprehensive threat coverage

I spent a lot of time on the show floor with our new FlowScape solution, which is great to discuss and to demo, not only for the unique network anomaly and threat detection that it covers, but also for its integration with so much of our other technology. For example, it uses our BrightCloud® IP Reputation threat intelligence to detect communications with known bad IPs. It also enables alerts and monitoring of infected and unprotected hosts through our SecureAnywhere® Business Endpoint Protection management systems via our Unity API.

With FlowScape Analytics, users can clearly visualise the impact of an infection or other cyberattack throughout their network. Getting to demonstrate this solution to other professionals in the cybersecurity space, it was clear we weren’t the only ones excited about the implications of this kind of technology for business security worldwide.

– Matt Aldridge, Solutions Architect