What’s Next? Webroot’s 2019 Cybersecurity Predictions
At Webroot, we stay ahead of cybersecurity trends in order to keep our customers up-to-date and secure. As the end of the year approaches, our team of experts has gathered their top cybersecurity predictions for 2019. What threats and changes should you brace for?
General Data Protection Regulation Penalties
“A large US-based tech company will get hammered by the new GDPR fines.” – Megan Shields, Webroot Associate General Counsel
When the General Data Protection Regulation (GDPR) became law in the EU last May, many businesses scrambled to implement the required privacy protections. In anticipation of this challenge for businesses, it seemed as though the Data Protection Authorities (the governing organizations overseeing GDPR compliance) were giving them time to adjust to the new regulations. However, it appears that time has passed. European Data Protection Supervisor Giovanni Buttarelli spoke with Reuters in October and said the time for issuing penalizations is near. With GDPR privacy protection responsibilities now incumbent upon large tech companies with millions—if not billions—of users, as well as small to medium-sized businesses, noncompliance could mean huge penalties.
GDPR fines will depend on the specifics of each infringement, but companies could face damages of up to 4% of their worldwide annual turnover, or up to 20 million Euros, whichever is greater. For example, if the GDPR had been in place during the 2013 Yahoo breach affecting 3 billion users, Yahoo could have faced anywhere from $80 million to $160 million in fines. It’s also important to note that Buttarelli specifically mentions the potential for bans on processing personal data, at Data Protection Authorities’ discretion, which would effectively suspend a company’s data flows inside the EU.
AI Disruption
“Further adoption of AI leading to automation of professions involving low social intelligence and creativity. It will also give birth to more advanced social engineering attacks.” – Paul Barnes, Webroot Sr. Director of Product Strategy
The Fouth Industrial Revolution is here and the markets are beginning to feel it. Machine learning algorithms and applied artificial intelligence programs are already infiltrating and disrupting top industries. Several of the largest financial institutions in the world have integrated artificial intelligence into aspects of their businesses. Often these programs use natural language processing—giving them the ability to handle customer-facing roles more easily—to boost productivity.
From a risk perspective, new voice manipulation techniques and face mapping technologies, in conjunction with other AI disciplines, will usher in a new dawn of social engineering that could be used in advanced spear-phishing attacks to influence political campaigns or even policy makers directly.
AI Will Be Crucial to the Survival of Small Businesses
“AI and machine learning will continue to be the best way to respond to velocity and volume of malware attacks aimed at SMBs and MSP partners.” – George Anderson, Product Marketing Director
Our threat researchers don’t anticipate a decline in threat volume for small businesses in the coming year. Precise attacks, like those targeting RDP tools, have been on the rise and show no signs of tapering. Beyond that, the sheer volume of data handled by businesses of all types of small businesses raises the probability and likely severity of a breach.
If small and medium-sized businesses want to keep their IT teams from being inundated and overrun with alerts, false positives, and remediation requests, they’ll be forced to work AI and machine learning into their security solutions. Only machine learning can automate security intelligence accurately and effectively enough to enable categorization and proactive threat detection in near real time. By taking advantage of cloud computing platforms like Amazon Web Services, machine learning has the capability to scale with the increasing volume and complexity modern attacks, while remaining within reach in terms of price.
Ransomware is Out, Cryptojacking is In
“We’ll see a continued decline in commodity ransomware prevalence. While ransomware won’t disappear, endpoint solutions are better geared to defend against suspicious ransom-esque actions and, as such, malware authors will turn to either more targeted attacks or more subtle cryptocurrency mining alternatives.” – Eric Klonowski, Webroot Principal Threat Research Analyst
Although we’re unlikely to see the true death of ransomware, it does seem to be in decline. This is due in large part to the success of cryptocurrency and the overwhelming demand for the large amounts of computing power required for cryptomining. Hackers have seized upon this as a less risky alternative to ransomware, leading to the emergence of cryptojacking.
Cryptojacking is the now too-common practice of injecting software into an unsuspecting system and using its latent processing power to mine for cryptocurrencies. This resource theft drags systems down, but is often stealthy enough to go undetected. We are beginning to feel the pinch of cryptojacking in critical systems, with a cryptomining operation recently being discovered on the network of a water utility system in Europe. This trend is on track to continue into the New Year, with detected attacks increasing by 141% in the first half of 2018 alone.
Targeted Attacks
“Attacks will become more targeted. In 2018, ransomware took a back seat to cryptominers and banking Trojans to an extent, and we will continue see more targeted and calculated extortion of victims, as seen with the Dridex group. The balance between cryptominers and ransomware is dependent upon the price of cryptocurrency (most notably Bitcoin), but the money-making model of cryptominers favors its continued use.” – Jason Davison, Webroot Advanced Threat Research Analyst
The prominence of cryptojacking in cybercrime circles means that, when ransomware appears in the headlines, it will be for calculated, highly-targeted attacks. Cybercriminas are now researching systems ahead of time, often through backdoor access, enabling them to encrypt their ransomware against the specific antivirus applications put in place to detect it.
Government bodies and healthcare systems are prime candidates for targeted attacks, since they handle sensitive data from large swaths of the population. These attacks often have costs far beyond the ransom itself. The City of Atlanta is currently dealing with $17 million in post-breach costs. (Their perpetrators asked for $51,000 in Bitcoin, which the city refused to pay.)
The private sector won’t be spared from targeting, either. A recent Dharma Bip ransomware attack on a brewery involved attackers posting the brewery’s job listing on an international hiring website and submitting a resume attachment with a powerful ransomware payload.
Zero Day Vulnerabilities
“Because the cost of exploitation has risen so dramatically over the course of the last decade, we’ll continue to see a drop in the use of zero days in the wild (as well as associated private exploit leaks). Without a doubt, state actors will continue to hoard these for use on the highest-value targets, but expect to see a stop in Shadowbrokers-esqueoccurrences. Leaks probably served as a powerful wake-up call internally with regards to access to these utilities (or perhaps where they’re left behind). – Eric Klonowski, Webroot Principal Threat Research Analyst
Though the cost of effective, zero-day exploits is rising and demand for these exploits has never been higher, we predict a decrease in high-profile breaches. Invariably, as large software systems become more adept at preventing exploitation, the amount of expertise required to identify valuable software vulnerabilities increases with it. Between organizations like the Zero Day Initiative working to keep these flaws out of the hands of hackers and governmental bodies and intelligence agencies stockpiling security flaws for cyber warfare purposes, we are likely to see fewer zero day exploits in the coming year.
However, with the average time between the initial private discovery and the public disclosure of a zero day vulnerability being about 6.9 years, we may just need to wait before we hear about it.
The take-home? Pay attention, stay focused, and keep an eye on this space for up-to-the-minute information about cybersecurity issues as they arise.
Charity Scams to Watch Out for During the Holidays
‘Tis the season of giving, which means scammers may try to take advantage of your good will. A surprising fact about American donation habits is that everyday folks like yourself are the single largest driver of charitable donations in the United States. Giving USA’s Annual Report on Philanthropy found that individuals gave $286.65 billion in 2017, accounting for 70 percent of all donations in the country.
Last year, Giving Tuesday donations alone grew by 22 percent, with an average household donation of $111. With the seventh annual Giving Tuesday on November 27 fast approaching and technology that makes it increasingly easier to support your favorite causes, it’s more important than ever to keep your guard up before you click the “donate” button.
Charity Scams
Unsolicited donation requests are fairly normal during the holiday season —especially since non-profits depend on year-end giving for the success of their organizations—but look out for a few behaviors as red flags. Overly aggressive pitches including multiple phone calls and emails, or high-pressure tactics that require your immediate donation, should always be avoided. Be on high alert for “phishy” emails and links; make sure to check the sender’s email address and hover over links to reveal their true destination before clicking on them. Even if a website looks legitimate, it may be a spoofed. Check that the domain matches the company you intended to visit. This can be trickier than it sounds. For instance, stjudehospital.com may appear to be genuine, but an easy Google search of “St. Jude Hospital” reveals their actual site to be stjude.org.
If you’re donating to a charity you’ve never worked with before, do a little research before committing your funds. Charity Navigator is a particularly useful resource; just type in the organization’s name and check out their rating. If they are not listed on Charity Navigator, it’s probably best to err on the side of caution and donate your hard-earned dollars elsewhere. Also, be sure to only enter sensitive or personal information into websites that have an SSL certificate; you’ll be able to tell if a page is secure if the link begins with “https”. (This is a great tip for shopping online this holiday season too.) Finally, before making any online donations, make sure you have a strong antivirus program installed that can detect phishing sites and that it’s up-to-date on all your devices.
If you are contacted by a charitable organization by telephone and want to make a donation, don’t give them your credit details over the phone. Have them mail you a donation form for you to evaluate and mail back. Remember: no legitimate charity will ask you to wire them money or pay them in gift cards. If you encounter a charity that is urging you to do so, cut all contact and block them on all platforms.
Bear in mind that not all charity scams are out for money, either—some are hoping to skim personal information. There is absolutely no reason to provide a charitable organization with information like your Social Security Number or driver’s license number—these are major red flags. Also, be especially cautious of requests to send an SMS code to donate via text message.
Social Media Scams
Social media is an easy and typically secure way to donate to legitimate charitable organizations, but scammers know how to use these platforms as well. Social media scams are on the rise, but a little bit of common sense goes a long way with donations on social channels. If you’re looking to donate to someone through a crowdfunding site, be sure the campaign fully answers these questions:
- Can you verify if the organizer of the campaign has an existing relationship with the intended donation recipient?
- Is there a plan for how the funds be used to aid the intended recipient?
- Are verifiable friends and family of the intended recipient making donations and leaving supportive comments?
- How will the intended recipient access the funds?
If you cannot easily find the answers to these questions, we recommend you avoid donating to that campaign.
Another pervasive social media scam is celebrity imposters who pretend to raise funds for charities or disaster relief. These imposters use the familiar faces of some of our favorite media personalities to gain our trust and access our wallets. If you have been solicited by a celebrity for donations, stop and take moment before you give. Make sure it’s their official social media page, which can be often verified on Twitter and Facebook by a small blue checkmark next to their name. You may also Google the celebrity’s name and “scam” to see if others have already reported a trap.
Source: @PatrickDempsey on Twitter
Attacks Targeting Seniors
While scams that target our aging loved ones are a problem year-round, the Consumer Financial Protection Bureau says scammers tend to ramp up their efforts during the holidays to take advantage of seasonal generosity. Most charity scams that target seniors are similar to the ones we all face, including phishing emails, phishing sites, and false charities. However, “Grandkid Scams” are a unique variety.
For this type of fraud, an older adult is contacted by a someone pretending to be a family member in desperate need of money or assistance, often impersonating a grandchild. Speak with the older adults in your life about the common signs of scams, like misspelled emails and requests for wire transfers, and teach them how to hover over a link to check its destination. Remind them to verify whether a family member is reaching out for money, and check in with them more often leading up to the holidays to catch any potential security issues early.
Stop Attacks Early
Vigilance is key in stopping a potential security breach in its tracks. If you believe you may have unwittingly sent money to a scam charity, reach out to the organization you used to send the money, such as your bank or credit card company. Tell them the transaction was fraudulent and ask them to cancel it, if possible. If you believe your personal information was exposed, you can freeze your credit to prevent any long-term damage. Also, if you think you may have encountered a charity scam of any type, be sure to report it to the FTC to help keep others safe.
Even if you don’t think you have suffered a breach, keep an eye on your credit score and monitor your banking and credit accounts closely this holiday season. Paying a little extra attention will help you act quickly if your information has been compromised, potentially saving you and your family major holiday heartache. For an added layer of protection, secure all of your family’s devices behind a trusted VPN, which will keep your private data encrypted and safe should anyone try to intercept information you send over WiFi.
Do you know of a common scam we missed? Have some advice you think we should have included? Let us know in the comments!
How to Keep Your Kids Safe Online
As digital natives become more immersed in and dependent upon technology, they are likely to experience “cyber fatigue,” which can be thought of cybersecurity complacency. Paired with the invincible feeling that often accompanies being young, this can be a dangerous combination. It’s easy to mistakenly believe that hacked devices and identity theft are things that only happen to adults. Kids and teenagers, however, are just as high-risk and the impacts of cybersecurity breaches could potentially affect them for years into their future. So how can we protect our kids’ digital lives in the same way we protect their offline lives?
Frank Conversations
The internet may seem like a playground of endless entertainment, but we need to educate our children about the dangers that exist there as well. Have you had a friend or family member who’s been hacked or somehow had important information compromised? Talk to your kids about it, how it happened, why it happened, and the work needed to fix it. These real-life examples may be one of your most powerful education tools, as they help children more concretely understand the concept of cybersecurity threats. Demonstrating that these things can happen to anyone, including them, is the quickest way to get their cybersecurity guard up. Looking for fresh ideas on how to talk to your kids about cybersecurity? Check out the Webroot Community for advice and tips.
Common Scams
Teach your children about the most common cybersecurity threats, especially ones that are particularly pervasive on social media, including phishing, identity theft, and malicious websites. They should never accept private messages from people they don’t know, or click on links from friends or family that seem out of character or suspect. If they aren’t sure a message from a friend is actually from that individual, they should not hesitate to verify their identity by calling them, or by asking specific questions only that individual would know. The comments sections of websites like YouTube are also potential flashpoints. Clever comments can entice users into clicking on a risky link that navigates them to a malicious site.
Illegal Downloads
The temptation to download an illegal copy of a favorite movie, game, or album can be strong, but ethical and legal implications aside, it remains one of the most risky online behaviors. In fact, a recent study found that there was a 20% increase in malware infection rates associated with visits to infringing sites. Make sure your kids know the impact illegal downloads have on their security, and inform them of alternative streaming and download options. If you’re able, give your child an allowance for services like Steam for video games, or Amazon Video for films and shows. Providing them with alternative options is the best way to keep your child from giving into the temptation of illegally torrenting content.
Mobile Safety
A recent study found that people aged 15 to 24 spend about four hours a day on their phones. This works out to roughly 1,456 hours of mobile engagement a year, making mobile devices one of the most vulnerable entry points for cybersecurity breaches. Make sure your child’s phone is protected with a pin number, password, or biometrics on the lock screen, and that they know to leave Bluetooth turned off when not in use. Connecting to public WiFi networks could also leave your child vulnerable, but you can protect their devices from open networks by securing them with a VPN.
Digital Footprint
Many young people today use anonymous or “private” messaging services, like Whisper, Sarahah, or Snapchat, believing that they are protected by the apparent anonymity. However, cybersecurity experts have long been critical of these services, as nothing online is 100% anonymous.
“There is no single app that is capable of providing complete anonymity,” says Randy Abrams, Sr. Security Analyst at Webroot. “Even though someone may think they are anonymous, our online behavior allows people to track and identify us. Apps that claim to provide anonymity often collect and sell personally identifying data left behind from internet searches.”
“Some apps may offer much higher degrees of anonymity, but it takes a tremendous amount of knowledge and discipline to be anonymous,” he adds. “If an app requires access to your contacts, pictures, storage, location or the ability to make and receive phone calls or SMS messages, anonymity quickly starts to disappear.”
Free applications have to make a profit somewhere, which often means that they are storing, tracking and selling user data. This is particularly dangerous as users are lulled into a false sense of security, which can quickly be shattered when these services are affected by a cybersecurity breach. Make sure your kids know nothing they say online is truly private, and that a negative digital footprint can drastically alter the course of their lives.
Shared Responsibility
We believe cybersecurity is a shared responsibility, and that it is not just up to parents to educate digital natives. This is why we’ve developed a cybersecurity awareness initiative with the Aurora Public School System in Colorado. In addition to providing students with online safety tips, we’ve given them insights on potential career paths, and connected them with our engineers to solve problems using skills like math and coding that could benefit them later in their careers.
We encourage parents to explore and advocate for cybersecurity and STEM education opportunities for children in their local communities. For more educational content to help keep your family safe from cyber threats, visit the Home + Mobile section of our blog.
Cyber News Rundown: Infowars Hacked by Card Skimmers
Infowars Online Site Compromised by MageCart Attack
Earlier this week, a security researcher found payment card-stealing scripts running on the Infowars online site. The scripts managed to stay active for nearly 24 hours. At least 1,600 users of the site may have been affected during this period, though many were returning customers who wouldn’t have had to re-enter their payment information into the compromised forms. As of writing, the malicious scripts being used by Magecart are active on nearly 100 other online stores, with almost 20% getting re-infected within a two-week period.
Scammers Syphon €19 Million From French Film Company
A lawsuit recently revealed that savvy scammers successfully took nearly €19 million through a series of unauthorized transfers from a spoofed personal email address of the company’s CEO. After requesting additional information from the scammers, who continued to provide highly-detailed documents suggesting their legitimacy, several payments were transferred from the company’s main cash pool with promises of a quick payback from the scammers.
Chinese Headmaster Caught Cryptomining on School’s Systems
The headmaster of a Chinese school was fired after staff discovered an excessively high power bill previously written off as a faulty HVAC system was actually caused by several cryptomining rigs running off the school’s electricity. The headmaster brought the mining machines into the school in mid-2017 and evaded blame for the excess power consumption until the physical proof was discovered. While it appears no other harm was done, cryptomining software can be dangerous, as you can never be sure nothing else is bundled with it.
New Botnet Exploits Unpatched Bug in Over 100,000 Devices
Researchers have been monitoring a relatively new botnet that is currently controlling over 100,000 devices, including 116 device types from multiple manufacturers. By taking advantage of well-known bugs within Universal Plug n Play, hackers can quickly take control of the device and begin monitoring traffic from outside of the network.
Cathay Pacific Airlines Cyberattack Occurred Over Several Months
After originally claiming a data breach had taken place last month, affecting 9.4 million customers, new findings have shown the attacks have been happening regularly since March. Even though local laws didn’t require the company to notify authorities regarding a data breach, it is still surprising that it has taken almost nine months to determine what data had been exposed and what hadn’t.
Cyber Monday: Big Savings, Big Risks
What business owners and MSPs should know about the year’s biggest online retail holiday
It’s no secret that Black Friday and Cyber Monday are marked by an uptick in online shopping. Cyber Monday 2017 marked the single largest day of online sales to date, with reported sales figures upwards of $6.5 billion. Data from Webroot charted a 58 percent increase in traffic to shopping sites on that day. And while Black Friday originated as a day to tussle with your neighbors for deals in person, online retailers like Amazon and eBay wouldn’t be left out and have begun offering their own deals.
What’s less often discussed is the corresponding rise in cybercrime that accompanies these online retail holidays. Webroot noted a surge in phishing and fraud sites of 203 percent between November 19 and December 5, with the number of such sites peaking on Cyber Monday. Instances of spyware and adware also rose 57 percent during the busy holiday shopping period, again peaking on Cyber Monday.
The Problem with Cyber Monday
For business owners and those in IT, Cyber Monday likely means lost productivity as employees bargain hunt at work rather than actually work. (It’s interesting to note that, according to CNET, the first Cyber Monday in 2005 was intentionally made to fall on a weekday so workers could browse shopping sites on faster computers.) As our data shows, more than just a few hours of lost productivity are at stake.
Employees expose business owners to greater risks of phishing scams, ransomware, and other types of attack that could significantly lengthen downtimes for all employees, or even shutter a business completely. According to a Better Business Bureau study on cybercrime, more than half of businesses would cease to be profitable within a month if a ransomware attack were to lock them out of essential data.
What’s a Business Owner to Do about Cyber Monday?
Whether you’re a business owner or provide IT services, you’re likely to see employees or clients indulging in deals this Cyber Monday. But there are strategies for limiting your risk on November 26. As with much of cybersecurity, you can manage your policy for online shopping based on what you consider acceptable levels of risk.
With network-level protection it’s possible to block access to any sites categorized as “shopping,” while still whitelisting trusted domains. Our research shows Amazon, the Apple iTunes Store, and Walmart rounded out the top three most visited shopping sites last Cyber Monday, so employers may want to consider whitelisting those sites specifically, while still blocking less reputable ones. Webroot offers DNS protection with the ability to filter according to more than 80 categories, including gambling, adult content, and weapons, as well as shopping. Set a policy to block the shopping category this Cyber Monday, with your own tailored exceptions and presto, problem solved.
There are also other, less prohibitive strategies for protecting employees and clients, too. Tools like Webroot’s Web Classification and Reputation services forecast the risks of visiting more than 27 billion URLs, which can help user determine if that deal really is a little too good to be true. IP Reputation Services make a similar determination based on an IP’s risk score.
Real-Time phishing protection and hands-on phishing simulations can go a long way toward improving security, too. The surge in these types of attacks represents cybercriminals focus on the weakest element of a company’s IT security: the end users themselves. Catching phishing attacks before they’re clicked and teaching users to be vigilant about threats by using custom phishing templates are paramount to your business’s security posture.
So there are a variety of methods for limiting disruption from online shopping in the workplace, so business owners and managed service providers shouldn’t let Cyber Monday come and go without preparation. Employees will almost certainly be on an online hunt for deals and cybercriminals know it.
Focus on security now, before a user’s big savings end up costing you.
Cyber News Rundown: HSBC Data Breach
Data Breach Nabs HSBC Account Info
HSBC has been monitoring some unauthorized access occurring over a ten-day period on their customer’s online accounts. During this time, attackers used credentials that were likely part of prior breaches to access numerous accounts. HSBC worked quickly to disable online access to any accounts that showed suspicious activity. The bank also began notifying potential victims of the incident and have taken additional steps in securing their online access points.
Latest Chrome Iteration Cracks Down on Annoyances
With the rollout of Google’s Chrome 71, the company is looking to enhance the user experience by blocking all advertisements on sites that have continued to allow the hosting of offensive material. Chrome 71 will also be more efficient at blocking phishing attacks and misleading pop-up notifications that may redirect users. Fortunately, sites that are flagged can check their status and are given 30 days to correct for offending content.
University Shuts Down Network Over Cryptomining
A Canadian University was forced to shut down its entire network after IT staff discovered a cryptocurrency miner operating illicitly on several university systems. While they are still unsure who installed the cryptominer, they have removed the software from the systems and brought the remainder of the networks back online. Along with slowly restoring the remaining services taken offline, the university also forced a password change for all current users.
Cardless ATMs Lead to Rise in Phishing Attacks
Several arrests in Ohio have recently revealed a new scam that leverages SMS phishing attacks to withdraw money from ATMs that don’t require the use of a bank card. By sending a victim’s smartphone an SMS message containing a link to “unlock” their accounts, they are redirected to a phony site that steals their credentials. The scam has netted the attackers nearly $68,000 over a two-week period.
Twitter Bitcoin Scammers Take Over Verified Accounts
Even as Twitter-based Bitcoin scams have slowed, a new Elon Musk spoof account has popped up with the usual offer to multiply any amount of Bitcoins received and return the inflated amount. This scammer may have the benefit of taking over a verified account, but modifications to the profile name and obvious spelling errors reveal its clearly not legitimate, though it does leave raise questions regarding the verification system’s security.
Reducing Risk with Ongoing Cybersecurity Awareness Training
Threat researchers and other cybersecurity industry analysts spend much of their time trying to anticipate the next major malware strain or exploit with the potential to cause millions of dollars in damage, disrupt global commerce, or put individuals at physical risk by targeting critical infrastructure.
However, a new Webroot survey of principals at 500 small to medium-sized businesses (SMBs), suggests that phishing attacks and other forms of social engineering actually represent the most real and immediate threat to the health of their business.
Twenty-four percent of SMBs consider phishing scams as their most significant threat, the highest for any single method of attack, and ahead of ransomware at 19 percent.
Statistics released by the FBI this past summer in its 2017 Internet Crime Report reinforce the scope of the problem. Costing nearly $30 million in total losses last year, phishing and other social engineering attacks were the third leading crime by volume of complaints, behind only personal data breaches and non-payment/non-delivery of services. Verizon Wireless’s 2018 Data Breach Investigations Report, a thorough and well-researched annual study we cite often, blames 93 percent of successful breaches on phishing and pretexting, another social engineering tactic.
Cybersecurity Awareness Training as the Way Forward
So how are businesses responding? In short, not well.
24 percent of principals see phishing scams as the number one threat facing their business. Only 35 percent are doing something about it with cybersecurity awareness training.
One of the more insidious aspects of phishing as a method of attack is that even some otherwise strong email security gateways, network firewalls and endpoint security solutions are often unable to stop it. The tallest walls in the world won’t protect you when your users give away the keys to the castle. And that’s exactly what happens in a successful phishing scam.
Despite this, our survey found that 65 percent of SMBs reported having no employee training on cybersecurity best practices. So far in 2018, World Cup phishing scams, compromised MailChimp accounts, and opportunist GDPR hoaxers have all experienced some success, among many others.
So, can training change user behavior to stop handing over the keys to the castle? Yes! Cybersecurity awareness training, when it includes features like realistic phishing simulations and engaging, topical content, can elevate the security IQ of users, reducing user error and improving the organization’s security posture along the way.
The research and advisory firm Gartner maintains that applied examples of cybersecurity awareness training easily justify its costs. According to their data, untrained users click on 90 percent of the links within emails received from outside email addresses, causing 10,000 malware infections within a single year. By their calculations, these infections led to an overall loss of productivity of 15,000 hours per year. Assuming an average wage of $85/hr, lost productive costs reach $1,275,000 which does not necessarily account for other potential costs such as reputational damage, remediation cost, or fines associated with breaches.
One premium managed IT firm conducted its first wave of phishing simulation tests and found their failure rate to be approximately 18 percent. But after two to three rounds of training, they saw the rate drop to a much healthier 3 percent.1
And it’s not just phishing attacks users must be trained to identify. Only 20 percent of the SMBs in our survey enforced strong password management. Ransomware also remains a significant threat, and there are technological aspects to regulatory compliance that users are rarely fully trained on. Even the most basic educational courses on these threats would go a long way toward bolstering a user’s security IQ and the organizations cybersecurity posture.
Finding after finding suggests that training on cybersecurity best practices produces results. When implemented as part of a layered cybersecurity strategy, cybersecurity awareness training improves SMB security by reducing the risks of end-user hacking and creating a workforce of cyber-savvy end users with the tools they need to defend themselves from threats.
All that remains to be seen is whether a business will act in time to protect against their next phishing attack and prevent a potentially catastrophic breach.
You can access the findings of our SMB Pulse Survey here.
1 Webroot. “Why Security Awareness Training is an Essential Part of Your Security Strategy” (November, 2018)
Password Constraints and Their Unintended Security Consequences
You’re probably familiar with some of the most common requirements for creating passwords. A mix of upper and lowercase letters is a simple example. These are known as password constraints. They’re rules for how you must construct a password. If your password must be at least eight characters long, contain lower case, uppercase, numbers and symbol characters, then you have one length, and four character set constraints.
Password constraints eliminate a number of both good and bad passwords. I had never heard anyone ask “how many potential passwords, good and bad, are eliminated?” And so I began searching for the answer. The results were surprising. If you want to know the precise number of possible 8-character passwords there are if all of the character sets must be used, then the equation looks something like this.
A serious limitation of this approach is that it tells you nothing about the effects of each constraint alone or relative to other constraints. (I’m also not sure if there were supposed to be four consecutive ∑s or if the mathematician was stuttering.)
We choose to use a Monte Carlo simulation to analyze the mathematical impact of the various combinations of constraints. A Monte Carlo simulation uses a statistical analysis approach that provides a close approximation of the answer, while also providing the flexibility to quickly and easily measure the impact of each constraint and combination of constraints.
A look at minimum length limits
To start, let’s look at the impact of an eight-character length constraint alone. There are 95^8 possible combinations of 8 characters. 26 uppercase letters + 26 lowercase letters + 10 numerals + 33 symbols = 95 characters. For a length of 8 characters, we have 95˄8 possible passwords.
If a password must be at least 8 characters long, then there are also about 70.6 trillion otherwise viable passwords you are not allowed to use (95+(95^2 ) +(95^3 ) +(95^4 ) +(95^5)+(95^6 )+(95^7)). That’s a good thing. It means you can’t use 95 one character passwords, 9,025 two character passwords, and so on. Almost 70 trillion of those passwords you cannot use are seven characters long. This is a great and wholly intended effect of a password length constraint.
The problem with a lack of constraints is that people will use a very small set of all possible passwords, which invariably includes passwords that are incredibly easy to guess. In the analysis of over one million leaked passwords, it was found that 30.8 percent passwords eight to 11 characters long contained only lowercase letters, and 43.9 percent contained only lowercase letters and numbers. In fact, to perform a primitive brute force attack against an eight-character password containing only lower case letters, it’s only necessary to try about 209 billion character combinations. That does not take a computer very long to crack. And, as we know from analyzing large numbers of passwords, it’s likely to contain one of the most popular ten thousand passwords.
To beef up security, we begin to add character constraints. But, in doing so, we decrease the number of possible passwords; both good and bad.
Just by requiring both uppercase and lowercase letters, more than 15 percent of all possible 8-character combinations have been eliminated as possible passwords. This means that 1QV5#T&|cannot be a password because there are no lowercase letters. Compared to Darnrats,which meets the constraint requirements, 1QV5#T&|is a fantastic password. But you cannot use it. Superior passwords that cannot be used are acceptable collateral damage in the battle for better security. “Corndogs” is acceptable, but “fruit&veggies” is not. This clearly is not a battle for lower cholesterol.
As constraints pile up, possibilities shrink
If a password must be exactly eight characters long and contain at least one lower case letter, at least one uppercase letter and at least one symbol, we are getting close to one-in-five combinations of 8 characters that are not allowable as passwords. Still, the effect of constraints on 12 and 16 character passwords is negligible. But that is all about to change… you can count on it.
Are you required to use a password that is at least eight characters long, has lower and uppercase letters, number and symbols? Just requiring a number to be part of a password removes over 40 percent of 8-character combinations from the pool of possible passwords. Even though you can use lowercase and uppercase letters, and you can use symbols, if one of the characters in your password must be a number then there are far fewer great passwords that you can use. If a 16 character long password must have a number, then 13 times more potential passwords have become illegal as a result of that one constraint than the combined constraints of lower and uppercase letters and symbols caused. More than one-in-four combinations of 12 characters can no longer become a passwords either.
You might have noticed that there is little effect on the longer passwords. Frequently there is also very little value in imposing constraints on long passwords. This is because each additional character in a password grows the pool of passwords exponentially. There are 6.5 million times as many combinations of 16 character pass words using only lowercase letters than there are of eight character passwords using all four character sets. That means that “toodlesmypoodles” is going to be a whole lot harder to crack than “I81B@gle”
Long and simple is better than short and hard
People tend to be very predictable. There are more symbols (than there are in any other characters set. Theoretically that means that symbols are going to do the most to make a password strong, but 80 percent of the time it is going to be one of the top five most frequently used symbols, and 95 percent of the time is will be one of the top 10 most frequently used symbols.
Analysis of two million compromised passwords showed that about one in 14 passwords start with the number one, however for those that started with the number one, 75 percent of them ended with a number as well.
The use of birthdays and names, for example, make it much easier to quickly crack many passwords.
Password strength: It’s length, not complexity that matters
As covered above, all four character sets (95 characters) in an eight character password allow for about 6.634 quadrillion different password possibilities. But a 16 character password with only lowercase letters has about 43.8 sextillion possible passwords. That means that there are well over 6.5 million times more possible passwords for 16 consecutive lowercase letters than for any combination of eight characters regardless of how complex the password is.
My great password is “cats and hippos are friends!”, but I can’t use it because of constraints – and because I just told you what it is.
For years password experts have been advocating for the use of simple passphrases over complex passwords because they are stronger and simpler to remember. I’d like to throw a bit of gasoline on to the fire and tell you, those 95^8 combinations of characters are only half that many when you tell me I have to use uppercase, lowercase, numbers, and symbols.
Cyber News Rundown: DemonBot Rising
DemonBot Botnet Gaining Traction
DemonBot, while not the most sophisticated botnet discovered to date, has seen a significant rise in usage over the last week. With the ability to take control of Hadoop cloud frameworks, DemonBot has been using the platform to carry out DDoS attacks across the globe. By exploiting Hadoop’s resource management functionality, the infection can quickly spread itself and allows for remote code execution on affected servers.
Cyber Attack Leaves Pakistani Bank Under Scrutiny
Bank Islami, one of the largest banks in Pakistan, announced that an unusual attack had occurred involving local cards used far outside of the country’s borders. While the bank was quick to return the funds removed from customer’s accounts, the remainder of the malicious transactions processed internationally have the bank being on the hook for nearly $6 million in phony withdrawals, mainly in the US and Brazil. Unfortunately, due to a lack of information regarding the malicious transactions, several other top banks in the country were forced to temporarily restrict international purchases to protect their own clients.
UK Industrial Credentials for Sale
Researchers recently discovered the credentials for over 600,000 individuals, all closely tied to construction or building firms, available for sale on the dark web. Presently it appears that the credentials were all compromised during breaches involving third-parties users would have given corporate email into, rather than specific breaches for the industry group. Fortunately, it appears there haven’t been any related breaches thus far, though this type of data could lead to additional sensitive information being stolen.
Ransomware Demands RDP Access to Encrypted System
A new ransomware variant has been making an unusual request from its victims: allowing remote desktop access in order to decrypt their files. Dubbed CommonRansom, due to the appended extension on the encrypted files, the variant also demands a 0.1 Bitcoin payment before making the request for administrator credentials to the victim’s computer. Even though this variant isn’t widespread, it does appear to be using a similar Bitcoin wallet as other infections, as 65 Bitcoins were recently sent from the designated wallet.
USGS Auditors Find Porn-related Malware on Government Network
Following a recent audit of the US Geological Survey, agency inspectors discovered Russian malware circulating the internal network and were able to trace it back to one employee who had visited over 9,000 pornographic websites from his government-issued computer. The employee was also found to be
Cyber News Rundown: Medicare Data Breach
Data Breach Affects Centers for Medicare & Medicaid Services
The Centers for Medicare & Medicaid Services (CMS) announced last week they had discovered malicious activity within their direct enrollment pathway, which connects patients and healthcare brokers. At least 75,000 individuals were affected. The pathway has since been disabled to prevent further exposure. Until the pathway is fixed, hopefully within a week, CMS is contacting affected patients and offering them credit protection services.
Ransomware Disables City’s Computer Systems
City officials in West Haven, Connecticut finally gave in to ransom demands following a cyberattack against their systems. The attack began early Tuesday morning and disabled 23 individual servers before a decision was made to pay a ransom in hopes for the return of their data. While it is still unclear if the systems were fully restored, the town was lucky to receive a relatively small ransom request ($2,000 given the significant amount of data stolen.
User Data Exposed on Adult Sites
A string of eight adult sites, all owned by the same individual, fell victim to hackers who took advantage of poor security to expose records for up to 1.2 million individuals. While not as large as similar adult-related breaches, it still presents questions as to why proper security measures aren’t put in place on these sites proactively. The owner of the sites has since taken them down and replaced them with messages warning users to update their passwords and take extra security precautions.
McAfee Tech Support Scam on the Rise
A new browser-based tech support scam has been spotted recently that warns users their McAfee subscription has run out and needs to be renewed. Rather than redirect victims through an affiliate link to the real McAfee site, though, this latest scam directly prompts the user to input payment card information and other personal data into a small pop-up window. To top it off, once payment info is entered, an additional pop-up appears that suggests contacting support to help install your new software and eventually falsely claiming payment wasn’t successful and users must re-purchase the software.
Iowa City Shuts Down After Ransomware Attack
The city of Muscatine, Iowa is working to determine how several of their main computer systems, both within city hall and its library, were infiltrated by ransomware that’s knocked them offline. Officials have announced that no information was stolen and the city does not maintain any payment records, so citizens shouldn’t be worried. The city’s emergency services were also unaffected and continue to operate as normal.
5 Tips for Optimizing Your VPN Experience
By now, you likely know that a Virtual Private Network (VPN) is essential to remaining safe when working remotely. But, once set up, how can you optimize your VPN to work well with your devices and meet your security needs? Here are our top five tips for maximizing your VPN experience.
Pair it with an Antivirus
One of the biggest misconceptions about VPNs is that they protect your device from malicious programs. While a VPN will encrypt your network traffic, preventing others from viewing intercepted data, most do not warn you when you visit dangerous sites. If your VPN provides advanced web filtering for risky sites, that can be an additional defense against cyber threats such as malware and phishing. Alternatively, while strong antivirus software actively monitors for viruses and malware within files and applications, it does not encrypt your data or prevent it from being monitored. Both are equally important for protecting your devices, and are ideally used together. Combining the two services provides additional security.
Enable a Kill Switch
Setting up a VPN to keep your data safe is an important first step, but what happens if your VPN server goes down or disconnects while you are entering sensitive data and you don’t notice the connection was lost? Without the protection of a VPN kill switch, your devices will often automatically reconnect to the network without alerting you, this time without the protection of your VPN. A kill switch feature blocks sending and receiving data until the VPN connection is re-established.. For maximum protection, select a VPN with a kill switch feature and ensure it has been enabled.
Understand the Impact of Setting Up a VPN on Your Router
Having a VPN on your home router may seem like a helpful boost to your cybersecurity, but it’s actually the opposite. Most routers lack the processing power of a modern CPU, meaning that even older personal devices (phones, tablets, computers) will have a much easier time handling the task of encrypting/decrypting data than your router will. Instead, set up a VPN for each personal device to prevent a bottleneck of data to your router while simultaneously securing it at all access points. Selecting an easy-to-use VPN solution with cross-device functionality will make this task much easier on the end user, while providing maximum security.
Protect All of Your Smart Devices
When it comes to cybersecurity, we tend to imagine a nefarious hacker out to steal and sell your data. But not all data collection is illegal. Your Internet Service Provider (ISP) has a vested interest in tracking your streaming habits, and they may even throttle your network depending on your usage. Our phones, computers, and tablets are each a potential interception point for our private data. Securing each of your smart devices with a VPN, even those that stay in your home, is the best way to prevent your data from potentially being monitored by third parties.
Encrypt Your LTE Connection
While your cellular network is more secure than public WiFi options, it remains vulnerable to an attack. LTE user data can be exploited by what is known as an “aLTEr attack”. This attack redirects domain name system (DNS) requests, performing a DNS spoofing attack that can fool your device into using a malicious DNS server. This spoofed DNS server will deliver you to websites as normal until you request a high-value website the attack is targeting, like your banking or email provider. Oftentimes this fake website will scrape your data before you realize what has happened. You give yourself an extra layer of security by wrapping your LTE connection in a VPN, allowing you to access your most sensitive data confidently.
When it comes to getting the most out of your VPN, this list is just the beginning. Our privacy concerns and security needs will continue to change as our connected devices mature and we recommend keeping an eye on your VPN provider for any potential updates to their services.
Ready to take back control of your privacy? Learn how our Webroot WiFi Security VPN protects what matters most wherever you connect.
Cyber News Rundown: Voter Records for Sale
2018 Voter Records for Sale
As the United States midterm elections draw closer, concern surrounding voter information is on the rise, and for good reason. Records for nearly 35 million registered voters from 19 different states were found for sale on a hacker forum, with prices ranging from $500 to $12,500, depending on the state. Unfortunately, a crowdfunding campaign has begun on the forums to purchase each database and post them publicly, with 2 states already being published.
County Water Utility Struck by Ransomware
Just a week after Hurricane Florence hit land in North Carolina, a coastline county’s water utilities fell victim to a ransomware attack. Effectively shutting down all services during a time when they are working on emergency operations left the local water authority with limited capabilities until they began the lengthy process of restoring everything from backup files. By choosing to ignore the ransom and restore manually, the utility service has taken on a more time and resource consuming task, as they continue operating without any of their online systems.
PS4 Exploit Causes System Crash
A new exploit has been discovered that allows attackers to send a malicious message to other PlayStations that will effectively render the console unusable. The message itself doesn’t even need to be opened to cause considerable damage, resulting in most users performing a factory reset to return everything to normal. While some users have been successful in deleting the message from the mobile app before it causes any harm, others still had to rebuild the system’s database.
iPhone Passcode Bypass Still Active
Days after Apple released a patch for iOS 12.0 that shutdown a passcode bypass method, the same researcher was able to find yet another way to access the phone illicitly. By using a combination of Siri and the VoiceOver feature, anyone with physical access to the device could obtain pictures, and other data with ease. To make matters worse, the latest bypass also gives attackers the ability to send files to other devices and view them in full resolution, rather than minimized like the previous bypass allowed.
Massive Phishing Campaign Targets Iceland
Over the weekend, thousands of emails were sent out to the relatively small population of Iceland, most of which claimed to be from the local police and threatened judicial action if they did not comply. The email then linked victims to a nearly perfect replica of the official Icelandic Police website and requested their social security number. The attack itself was focused on gaining bank details and further compromising already infected computers for more information.