All posts by Rob Sobers

60 Must-Know Cybersecurity Statistics for 2018

cybersecurity facts 2018

Cybersecurity issues are becoming a day-to-day struggle for businesses. Trends show a huge increase in hacked and breached data from sources that are increasingly common in the workplace, like mobile and IoT devices.

Additionally, recent research suggests that most companies have unprotected data and poor cybersecurity practices in place, making them vulnerable to data lass.

We’ve compiled 60 cybersecurity statistics to give you a better idea of the current state of overall security, and paint a picture of how potentially dire leaving your company unsecure can be.

Data Breaches by the Numbers

The increasing amount of large-scale, well-publicized breaches suggests that not only are the number of security breaches going up — they’re increasing in severity, as well.

  1. In 2016, 3 billion Yahoo accounts were hacked in one of the biggest breaches of all time. (Oath.com)Click To Tweet
  2. In 2016, Uber reported that hackers stole the information of over 57 million riders and drivers. (Uber)
  3. In 2017, 412 million user accounts were stolen from Friendfinder’s sites. (LeakedSource)Click To Tweet
  4. In 2017, 147.9 million consumers were affected by the Equifax Breach. (Equifax)
  5. According to 2017 statistics, there are over 130 large-scale, targeted breaches in the U.S. per year, and that number is growing by 27 percent per year. (Accenture)Click To Tweet
  6. Thirty-one percent of organizations have experienced cyber attacks on operational technology infrastructure. (Cisco)
  7. 100,000 groups in at least 150 countries and more than 400,000 machines were infected by the Wannacry virus in 2017, at a total cost of around $4 billion. (Malware Tech Blog)Click To Tweet
  8. Attacks involving cryptojacking increased by 8,500 percent in 2017. (Symantec)
  9. In 2017, 5.4 billion attacks by the WannaCry virus were blocked. (Symantec)Click To Tweet
  10. There are around 24,000 malicious mobile apps blocked every day. (Symantec)
  11. In 2017, the average number of breached records by country was 24,089. The nation with the most breaches annually was India with over 33k files; the US had 28.5k. (Ponemon Institute’s 2017 Cost of Data Breach Study)Click To Tweet
  12. In 2018, Under Armor reported that its “My Fitness Pal” was hacked, affecting 150 million users. (Under Armor)
  13. Between January 1, 2005 and April 18, 2018 there have been 8,854 recorded breaches. (ID Theft Resource Center)Click To Tweet

Cybersecurity Costs

Average expenditures on cybercrime are increasing dramatically, and costs associated with these crimes can be crippling to companies who have not made cybersecurity part of their regular budget.

  1. In 2017, cyber crime costs accelerated with organizations spending nearly 23 percent more than 2016 — on average about $11.7 million. (Accenture)Click To Tweet
  2. The average cost of a malware attack on a company is $2.4 million. (Accenture)
  3. The average cost in time of a malware attack is 50 days. (Accenture)Click To Tweet
  4. From 2016 to 2017 there was an 22.7 percentage increase in cybersecurity costs. (Accenture)
  5. The average global cost of cyber crime increased by over 27 percent in 2017. (Accenture)Click To Tweet
  6. The most expensive component of a cyber attack is information loss, which represents 43 percent of costs. (Accenture)
  7. Ransomware damage costs exceed $5 billion in 2017, 15 times the cost in 2015. (CSO Online)Click To Tweet
  8. The Equifax breach cost the company over $4 billion in total. (Time Magazine)
  9. The average cost per lost or stolen records per individual is $141 — but that cost varies per country. Breaches are most expensive in the United States ($225) and Canada ($190). (Ponemon Institute’s 2017 Cost of Data Breach Study)Click To Tweet
  10. In companies with over 50k compromised records, the average cost of a data breach is $6.3 million. (Ponemon Institute’s 2017 Cost of Data Breach Study)
  11. Including turnover of customers, increased customer acquisition activities, reputation losses and diminished goodwill the cost of lost business globally was highest for U.S. companies at $4.13 million per company. (Ponemon Institute’s 2017 Cost of Data Breach Study)Click To Tweet
  12. Damage related to cybercrime is projected to hit $6 trillion annually by 2021. (Cybersecurity Ventures)

Cybersecurity Facts and Figures

It’s crucial to have a grasp on the general landscape of metrics surrounding cybersecurity issues, including what the most common types of attacks are and where they come from.

  1. Ransomware detections have been more dominant in countries with higher numbers of internet-connected populations. The United States ranks highest with 18.2 percent of all ransomware attacks. (Symantec)Click To Tweet
  2. Trojan horse virus Ramnit largely affected the financial sector in 2017, accounting for 53 percent of attacks. (Cisco)
  3. Most malicious domains, about 60 percent, are associated with spam campaigns. (Cisco)Click To Tweet
  4. Seventy-four percent of companies have over 1,000 stale sensitive files. (Varonis)
  5. Malware and web-based attacks are the two most costly attack types — companies spent an average of US $2.4 million in defense. (Accenture)Click To Tweet
  6. The financial services industry takes in the highest cost from cyber crime at an average of $18.3m per company surveyed. (Accenture)
  7. Microsoft Office formats such as Word, PowerPoint and Excel make up the most prevalent group of malicious file extensions at 38 percent of the total. (Cisco)Click To Tweet
  8. About 20 percent of malicious domains are very new and used around 1 week after they are registered. (Cisco)
  9. Over 20 percent of cyber attacks in 2017 came from China, 11 percent from the US and 6 percent from the Russian Federation. (Symantec)Click To Tweet
  10. The app categories with most cybersecurity issues are lifestyle apps, which account for 27 percent of malicious apps. Music and audio apps account for 20 percent. (Symantec)
  11. The information that apps most often leak are phone numbers (63 percent) and device location (37 percent). (Symantec)Click To Tweet
  12. In 2017, spear-phishing emails were the most widely used infection vector, employed by 71 percent of those groups that staged cyber attacks. (Symantec)
  13. Between 2015 and 2017, the U.S. was the country most affected by targeted cyber attacks with 303 known large-scale attacks. (Symantec)Click To Tweet
  14. In 2017, overall malware variants were up by 88 percent. (Symantec)
  15. Among the top 10 malware detections were Heur.AdvML.C 23,335,068 27.5 2 Heur.AdvML.B 10,408,782 12.3 3 and JS.Downloader 2,645,965 3.1 (Symantec)Click To Tweet
  16. By 2020, the estimated number of passwords used by humans and machines worldwide will grow to 300 billion. (Cybersecurity Media)

Cybersecurity Risks

With new threats emerging every day, the risks of not securing files is more dangerous than ever, especially for companies.

  1. 21 percent of all files are not protected in any way. (Varonis)Click To Tweet
  2. 41 percent of companies have over 1,000 sensitive files including credit card numbers and health records left unprotected. (Varonis)
  3. 70 percent of organizations say that they believe their security risk increased significantly in 2017. (Ponemon Institute’s 2017 Cost of Data Breach Study)Click To Tweet
  4. 69 percent of organizations don’t believe the threats they’re seeing can be blocked by their anti-virus software. (Ponemon Institute’s 2017 Cost of Data Breach Study)
  5. Nearly half of the security risk that organizations face stems from having multiple security vendors and products. (Cisco)Click To Tweet
  6. 7 out of 10 organizations say their security risk increased significantly in 2017. (Ponemon Institute’s 2017 Cost of Data Breach Study)
  7. 65 percent of companies have over 500 users who never are never prompted to change their passwords. (Varonis)Click To Tweet
  8. Ransomware attacks are growing more than 350 percent annually. (Cisco)
  9. IoT attacks were up 600 percent in 2017. (Symantec)Click To Tweet
  10. The industry with the highest number of attacks by ransomware is the healthcare industry. Attacks will quadruple by 2020. (CSO Online)
  11. 61 percent of breach victims in 2017 were businesses with under 1,000 employees. (Verizon)Click To Tweet
  12. Ransomware damage costs will rise to $11.5 billion in 2019 and a business will fall victim to a ransomware attack every 14 seconds at that time. (Cybersecurity Ventures)
  13. Variants of mobile malware increased by 54 percent in 2017. (Symantec)Click To Tweet
  14. Today, 1 in 13 web requests lead to malware (Up 3 percent from 2016). (Symantec)
  15. 2017 represented an 80 percent increase in new malware on Mac computers. (Symantec)Click To Tweet
  16. In 2017 there was a 13 percent overall increase in reported system vulnerabilities. (Symantec)
  17. 2017 brought a 29 percent Increase in industrial control system–related vulnerabilities. (Symantec)Click To Tweet
  18. By 2020, we expect IT analysts covering cybersecurity will be predicting five-year spending forecasts (to 2025) at well over $1 trillion. (Cybersecurity Ventures)
  19. The United States and the Middle East spend the most on post-data breach response. Costs in the U.S. were $1.56 million and $1.43 million in the Middle East. (Ponemon Institute’s 2017 Cost of Data Breach Study)Click To Tweet

There’s no question that the situation with cybercrime is dire. Luckily, by assessing your business’s cybersecurity risk, making with company-wide changes and improving overall security behavior, it’s possible to protect your business from most data breaches.

Make sure you’ve done everything you can do to avoid your company becoming a victim to an attack. The time to change the culture toward improved cybersecurity is now.

Must-know cybersecurity statistics

The Anatomy of a Phishing Email

Recognize a phishing scam

Have you been hooked by a phishing email?

Phishing scams are one of the most common ways hackers gain access to sensitive or confidential information. In fact, according to the Verizon’s 2018 Data Breach Investigations Report, phishing is involved in 70 percent of breaches that feature a social engineering component.

What is Phishing?

At the most basic level, a phishing scam involves sending fraudulent emails that appear to be from a reputable company, with the goal of deceiving recipients into either clicking on a malicious link or downloading an infected attachment, usually to steal financial or confidential information.

If your employees don’t know the signs of a phishing email, your company is at risk. According to Verizon, the average time it took for the first victim of a large-scale phishing campaign to click on a malicious email was 16 minutes; however, it took twice as long — 33 minutes — for a user to report the phishing campaign to IT.

Given that 49 percent of malware is installed via email, these 17 minutes could spell disaster for your company.

How to Spot a Phishing Scam

We’ve broken out the most common components of a phishing email. Check out our full infographic to test your knowledge.

how to spot a phishing scam

How many did you get? Read on to learn more about the identifying characteristics of a typical phishing email.

scare tactics phishing

Subject line
Phishing campaigns typically aim to create a sense of urgency using intense language and scare tactics, starting with the email’s subject line. Common themes among phishing emails are that something sensitive, such as a credit card number or an account, has been compromised. This is done to induce the recipient into responding quickly, without recognizing the signs of a scam.

“From” field
To work, phishing campaigns must trick the email recipient into believing that the message is from a reputable company. As such, the email will appear to come from a legitimate entity within a recognized company, such as customer support. Upon closer look, however, you can see that both the name of the sender and the sender’s email address is a spoof on a known brand, not a real vendor.

phishing email body copy

“To” field
Phishing emails are often impersonal, addressing the recipient as a “user” or “customer.” This is a red flag; while businesses may send out mass eblasts announcing a sale or service, legitimate companies will address you by name when asking for an update to financial information, or dealing with a similarly sensitive matter.

Body copy
As with the subject line, the body copy of a phishing email is typically employs urgent language designed to encourage the reader to act without thinking. Phishing emails are also often riddled with both grammar and punctuation mistakes.

phishing scam malicious link

Malicious link
A suspicious link is one of the main giveaways of a phishing email. These links are often shortened (through bit.ly or a similar service) or, as above, are formatted to look like a legitimate link that corresponds with the company and message of the fake email. However, rolling over the link shows a malicious address that doesn’t take you to the stated web address.

Scare tactics
In addition to urgent language, phishing emails often employ scare tactics in hopes that readers will click malicious links out of alarm or confusion. Such messaging is often framed around updates that are immediately required or payments that must be made within a certain amount of time.

phishing scam footer

Email sign-off
As with the email’s greeting, the sign-off is often impersonal — typically a generic customer service title, rather than a person’s name and corresponding contact information.

Footer
A phishing email’s footer often includes tell-tale signs of a fake, including an incorrect copyright date or a location that doesn’t correspond with that of the company.

malicious attachment

Attachment(s)
In addition to malicious links, phishing scams often include malicious downloadable files, often compressed .zip files, which can infect your computer.

malicious landing page

Malicious landing page
If you do click on a phishing link, you’ll often be taken to a malicious landing page, much like the one above. There are several ways to spot a malicious landing page:

  • Website address: The web address of a malicious landing page attempts to mimic the web address of a legitimate company, but errors such as misspellings and unsecure connections denote an unsafe website.
  • Missing navigation and footer: The goal of a malicious landing site is to take your information. As such, these pages are often bare-bones. Here, you can see that the landing page is missing both the header and footer of Apple’s ID sign-in page.
  • Misspelling: Like in the phishing email, the malicious landing page will attempt to mimic a real company, but small oversights can tip you off: like above, where “Apple Pay” is misspelled as one word.
  • Information collection: The goal of phishing scams is to get you to enter personal or financial information, so malicious landing pages will almost always include some type of information collection form that deviates slightly from the company’s legitimate landing page. In the malicious page above, users are required to enter their Apple ID password; this is not required on the actual Apple ID login page.

So, were you able to spot all the errors? As phishing attacks become more common — and phishing tactics more sophisticated — it’s important to inspect all unsolicited emails with a careful eye.

Email recipients don’t shoulder all the burden, however. To truly combat phishing tactics, companies must become more vigilant, through both employee training and the use of security software, to better spot and prevent potentially debilitating attacks.

Is Your Company Prepared for a Cyber Attack?

Is Your Company Prepared for a Cyber Attack?

In December of 2016, a researcher approached credit card reporting agency Equifax with a simple message: Your website is vulnerable to a cyber attack. The company did nothing to patch the flaw. They were breached six months later, in May of 2017, with hackers stealing the sensitive data of 145.5 million Americans.

It’s an extreme example of an all-too-common business failing: that of cybersecurity preparedness.

As hacks continue to proliferate the news cycle, targeting both large corporations and small businesses, companies that previously didn’t see a need to invest in cybersecurity training and prevention are increasingly focusing in on one question: Are we prepared in the event of an attack? And, resoundingly, the answer is “no.”

Cybersecurity readiness involves developing a complex, proactive strategy that goes far beyond a basic response plan — although research suggests that many businesses don’t have one of those in place, either.

We’ve compiled the major steps you need to take to prepare your business for a cyber attack. Take a look at them below, and decide for yourself how your company would fare.

would your company survive a cyber attack

Creating an effective cybersecurity preparedness plan is a mix of implementing company-wide, procedural policies; utilizing data protection and taking technical precautions to protect your data; and putting a reactive plan in place in case the worst case does happen.

So, is your company prepared?

Sources
Verizon Data Breach Investigations Report | PWC Global State of Information Security Survey

Is Your Biggest Security Threat Already Inside Your Organization?

Are insiders compromising your security

The person in the cubicle next to you could be your company’s biggest security threat.

The large-scale attacks we’re accustomed to seeing in the news — Yahoo, Equifax, WannaCry ransomware — are massive data breaches caused by cyber criminals, state-sponsored entities or hacktivists. They dominate the news cycle with splashy headlines that tell an all-too recognizable story: one of name-brand corporations vs. anonymous cyber villains.

We focus in outsider threats because they’re both terrifying and thrilling, and because they’re familiar. They often have a clear-cut storyline, one that we’ve seen before. But the hyper-focus on cyberattacks caused by outside parties can lead organizations to ignore a major cybersecurity threat: insiders already in the organization.

We’ve seen these threats before too: attacks of dramatic espionage from Snowden, Reality Winner and Gregory Chung — but insider threats aren’t always so obvious, and they pose a risk for organizations that don’t operate in the national security space. In fact, research suggests that insider threats account for anywhere from 60 to 75 percent of data breaches.

They’re dangerous for a number of reasons, including because of how much they vary: from rogue employees bent on personal gain or professional revenge to careless staffers without proper cybersecurity training, insider threats can come from almost anyone, making them a prime concern for businesses. Check out our full infographic to learn more about the motives and methods behind these types of threats.

Insider threats cybersecurity

Are you doing everything you can to prevent insider threats?

If you’re granting unnecessary internal permissions, lack an auditing system for high-risk people or sensitive data, or aren’t paying close attention to possible behavioral indicators of malicious activity, your organization is at risk. You’re more vulnerable than you think — assess your risk today to see what you can do to ward off threats that come from the inside.

Infographic sources:
U.S. Department of Homeland Security | 2018 Insider Threat Report | Digital Guardian | MetaCompliance | ITProPortal | IT Governance | Wired

Social Media Security: How Safe is Your Information?

Comparing social media privacy

In 2012 a massive cyber attack by a hacker named “Peace” exploited over 117 million LinkedIn users’ passwords. After the dust settled from the initial attack, new protocols were put in place and the breach was all but forgotten in the public eye, the same hacker reared their head again. Nearly five years later, “Peace” began releasing the stolen password information of the same LinkedIn users from the earlier hack.

With millions of users’ data (or billions, in the case of Facebook) floating around the web, the need for tight security from social media platforms is obvious. Facebook alone has reported receiving more than 600,000 security hack attempts each day. (Although that is nothing compared to the NSA’s 300 million attempted hacks each day!)

The wide age range and technology experience level of social media users makes security management even more complex. A social platform needs to not only combat hackers, but also has to protect users whose personal security practices might be elementary. Only 18 percent of Americans report changing their social media password regularly.

So with the constant threats of hacks coming in — from both foreign and domestic hackers — what exactly are these platforms doing to keep our information safe?

Each of the major social platforms has their own security blog that keeps users and industry infosec bloggers in the loop about new security advancements, tactics for combating fraud and the occasional public statement about hacks.

We’ve broken down the security initiatives and features to compare what LinkedIn, Twitter and Facebook security teams are doing to protect the social platforms that people use each day.

comparing social media settings

While each platform has its unique set of challenges, one of the main initiatives from each is the bug bounty program. You can read more about each platform’s policy below:

Each policy been very successful for its respective site. However, even though these safety precautions exist, there are always hackers trying to get one step ahead of the curve.

For instance, Twitter is attempting protect the safety and integrity of of their platform by reducing the number of automated bots. They publicly announced their battle in a blog post, stating “While bots can be a positive and vital tool, from customer support to public safety, we strictly prohibit the use of bots and other networks of manipulation to undermine the core functionality of our service.” However, bots are clearly still an issue, with their hands in everything from the Oscars to local elections.

It is clear the fight to protect the safety and privacy of social media is far from over, but as data security teams in companies continue to grow, learn and share knowledge, there is hope that they will remain ahead of the game.

Infographic sources:

LinkedIn 1, 2, 3 | Threatpost | Vice | Twitter | Harvard Business Review | Wired | Facebook | The Telegraph

Do Americans Ever Change Their Passwords?

computer with data

Just how cautious are Americans when it comes to cybersecurity?

In today’s hyper-connected, highly-digitized society, data breaches are becoming increasingly commonplace. And they affect both corporations and individuals. In 2017 alone, the Equifax breach — considered by some to be the worst security breach in recent history — put 145.5 million Americans at risk of exposed information and identity theft.

Additionally, a Gmail phishing attack last year put 1 million users at risk of exposed information, and an Instagram hack revealed the contact information of 6 million users. Yahoo also revealed that a 2013 data breach affected the private information associated with all of their users — 3 billion in total.

According to the Pew Research Center, 64 percent of Americans have experienced some type of data breach in their lifetime. Despite this, the center found that the majority of Americans fail to follow cybersecurity best practices in their own digital lives.

In an effort to uncover more on password security habits (and associated feelings of cybersecurity), we put these numbers to the test. Read on to discover what we found after surveying 1,000 Americans.

Americans and Password Security

While cyberattacks are top-of-mind for many Americans, first-hand experiences and worry about imminent attacks doesn’t seem to get people to change their digital habits.

Despite the Pew Research Center’s report that the majority of Americans have personally experienced a major data breach and even anticipate an attack within the next five years, the majority of adults surveyed still seem largely unconcerned with personal password safety.

The most common reason users change their passwords is because they’ve simply forgotten their current one. Half of people surveyed cited this as the most common reason to change a password. In contrast, despite the increasing amount of hacks in the news cycle, only 1 in 5 Americans said they change their password as a result of a hack in the news.

americans changing their passwords data

Which Password Is Changed Most Often?

Our research revealed that the most common password Americans change is the password to their online banking or loans account, at 29 percent.

which passwords do americans change data

This is perhaps unsurprising, considering that financial security is one of the major concerns for Americans when it comes to cybersecurity. According to Pew, 66 percent of Americans anticipate the banking and financial systems to experience major cyberattacks in the near future, 41 percent say that they’ve experienced credit card fraud, and 14 percent have had loans taken out in their name.

However, recent hacks in the news have shown that individual users are increasingly affected across a number of entities, including email, social media, online shopping, and software and applications.

How Are Passwords Saved?

Our research also found that the majority of Americans use memorization or pen and paper to keep track of their passwords.

This is in contrast to the password best practices outlined by cybersecurity professionals, which recommend using third-party password management services, changing passwords on a regular basis and most importantly, never leaving passwords accessible or in plain text.

how do americans remember passwords

Although there are some memory tricks you can use to remember complex passwords, memorization can be difficult, given that ideal passwords are meant to be a combination of letters, numbers and symbols. Additionally, using the same password for different sites isn’t recommended.

Despite the fact that password management services are the easiest and most highly recommended form of keeping passwords safe, only 7 percent of respondents said that they use this kind of software to keep track of their passwords.

We found that the biggest demographic difference in how people manage and remember their passwords is between men and women. Both men and women agree that memorization is the best way to remember a password. However, men are considerably more likely to use password managing software.

men vs. women password management data

In all, there seems the be a major discrepancy between Americans’ real-life experiences with cyber breaches and their personal online practices. Learn more about how Americans approach cybersecurity and password security by downloading our full infographic, below.

download varonis infographic

Varonis Brings Data Security to Nasuni

Nasuni Cloud NAS

We’re excited to announce that, in an upcoming release, the Varonis Data Security Platform will bring data-centric audit and protection to Nasuni Enterprise File Services. Nasuni is a key Varonis partner in the growing market for hybrid cloud Network Attached Storage (NAS).

If Nasuni is a critical part of your IT infrastructure, adding Varonis will enable you to:

  • Discover and classify sensitive, regulated files
  • Detect and alert on suspicious activity like ransomware and insider threats
  • Lock down file systems and permissions to only the right people
  • Capture and analyze a fully searchable audit trail of file system activity
  • Automatically find and flag stale data

Varonis will use the Nasuni API to analyze access events, lock down file systems and permissions, capture a detailed audit trail for compliance and forensics, and automate reporting. You’ll have unprecedented visibility and protection on your Nasuni edge appliances, helping you stay safe from insider threats and cyberattacks.

If you’re in the Boston area this week and are looking to leverage the cloud for more scalable file sharing, NAS consolidation, or multi-site file collaboration, head on over to Nasuni Summit on October 5 where you can hear more about our partnership. We’re also participating in panel discussions on security, compliance, and cloud.

Stay tuned to learn more about the official release of our Nasuni integration. If you’d like to be one of the first to try it out, simply reach out.

🚨 Petya-Inspired Ransomware Outbreak: What You Need To Know

NotPetya Ransomware

On the heels of last month’s massive WannaCry outbreak, a major ransomware incident is currently underway by a new variant (now) dubbed “NotPetya.” For most of the morning, researchers believed the ransomware to be a variant of Petya, but Kaspersky Labs and others are reporting that, though it has similarities, it’s actually #NotPetya. Regardless of its name, here’s what you should know.

This malware doesn’t just encrypt data for a ransom, but instead hijacks computers and renders them completely inaccessible by encrypting their Master Boot Record (MBR).

Petya is another fast-spreading attack which, like WannaCry, uses the NSA exploit EternalBlue. Unlike WannaCry, Petya can also spread via remote WMI and PsExec (more on that in minute). A few scary things about this new malware:

  • It doesn’t have a remote kill switch like WannaCry
  • It is far more sophisticated — it has a variety of automated ways to spread
  • It renders machines completely unusable

A number of prominent organizations and companies have already been badly hit, including the Ukranian government, which has quite the sense of humor:


Infections have been reported across the globe: affecting metro systems, national utilities, banks and international enterprises: the scope is not yet known, but reports continue to come in of infected computers and stalled IT systems across industries and throughout the world.

How is Petya spreading?

Petya was initially thought to have gotten a toehold in corporate networks via emails with infected Word document attachments which exploit CVE-2017-0199. (If you’ve patched Microsoft Office, you should be protected from this attack vector.)

While phishing is a viable attack vector, one of the primary vectors is MeDoc, a financial software firm based in the Ukraine. MeDoc’s software update feature was hacked and attackers used it to distribute the Petya ransomware (source). This explains why the Ukraine has been hit hardest.

Once a single machine is infected, Petya spreads peer-to-peer to other Windows-based endpoints and servers that are vulnerable to MS17-010 — the SMB vulnerability that everyone was instructed to patch during WannaCry.  It can also spread via PsExec to admin$ shares, even on patched machines. We’ve written a detailed guide about PsExec and how to disable PowerShell recently. That’ll come in handy here.

A silver lining, at least at this juncture, is that the peer-to-peer infection doesn’t seem to leap beyond the local network. Petya can buzz through an entire LAN rather efficiently, but is unlikely to hop to other networks. As @MalwareTechBlog, the pizza-loving surfer dude who famously hit the WannaCry kill switch points out:

The Current Petya attack is different in the sense that the exploits it uses are only used to spread across a local network rather than the internet (i.e. you are extremely unlikely to be infected if you’re not on the same network as someone who was already infected). Due to the fact networks are of limited size and fairly quick to scan, the malware would cease spreading once it has finished scanning the local network and therefore is not anywhere near as infectious as WannaCry, which still continues to spread (though is prevented from activating via the “kill switch”).

 

How to Detect PsExec with DatAlert

If you’re a DatAlert customer on the version 6.3.150 or later you can do the following to detect PsExec.exe dropped on Windows file servers:

1. Select Tools –> DatAlert –> DatAlert

2. Search for “system admin”

3. For each of the selected rules (expand the groups to see them), press “Edit Rule” and tick “Enabled”

If PsExec is detected, DatAlert will generate sysadmin tools alerts in the “Reconnaissance” alert category such as “System administration tool created or modified” or “An operation on a tool commonly used by system administrators failed.”

This should help you detect if Petya is using PsExec to spread across your file servers. Keep reading because there is more you can do to prevent initial infection and stop Petya from spreading on your endpoints.

What does Petya do?

Once on a machine, NotPetya waits for a hour and a half before performing any attack, likely to give time for more machines to be affected, and to obfuscate the point of entry.

After waiting:

  1. It encrypts the Master File Table (MFT) of locally attached NTFS drives
  2. Copies itself into the Master Boot Record (MBR) for the infected workstation/server
  3. Forces a reboot of the machine so that users are locked out
  4. Displays the ransom demand lock screen on boot (shown below)

By encrypting the MFT, the individual workstation or server is taken offline until the ransom is paid. This has the potential to disrupt an organization to a much greater degree than if some files on a server are encrypted. In many cases, IT may need to individually address each machine; the standard ransomware response of “We’ll just restore those files from backup” is rendered ineffective.

If remote boot / imaging processes aren’t in place to restore infected machines, it may be necessary to put hands on the workstations to fix them. While possible in most cases, for companies with many remote installations it can be extremely challenging and time consuming. If you’re a shipping company with 600+ cargo ships on the move at any moment nearly impossible.

As Microsoft notes, “Only if the malware is running with highest privilege (i.e., with SeDebugPrivilege enabled), it tries to overwrite the MBR code” — if the infected user does not have admin privileges on the machine, it will try to encrypt user data matching the following extensions:

It does not add a unique extension to the encrypted files (such as .locky) — it encrypts the contents and preserves the original filename and extension.

What To Do?

Preventing Petya closely mirrors the steps that you may have previously taken for WannaCry:

  • Disable SMBv1 while you patch
  • Block TCP port 445 from outside (or between segments if possible)
  • Apply the patch!

Local Kill Switch

There is also somewhat of a local kill switch. On any given machine, if the file %WINDIR%\perfc exists (no extension) the ransomware will not execute. You can get creative with ways to deploy that file to all workstations in your environment.

Additionally, you can see which endpoint AV products are able to detect Petya by looking at the VirusTotal results.

A sample of Petya acquired by researchers was compiled on June 18:

Should You Pay?

A Posteo (an email service provider) account was included in the Ransomware message. The abuse and security team at Posteo have posted an update at:

https://posteo.de/blog/info-zur-ransomware-petrwrappetya-betroffenes-postfach-bereits-seit-mittag-gesperrt

They have:

  1. Blocked the account
  2. Confirmed that no decrypt keys were sent from the account
  3. Contacted the authorities to offer what assistance they can

All of which adds up to the fact that you shouldn’t pay the ransom as you won’t receive the necessary decryption keys.

This is a developing story and we’ll keep this post updated as we learn more.

Other Helpful Links

Reality Leah Winner and the Age of Insider Threats

Reality Leah Winner and the Age of Insider Threats

Prosecutors allege that 25-year-old federal contractor Reality Leah Winner printed a top-secret NSA document detailing the ongoing investigation into Russian election hacking last November and mailed it to The Intercept. This raises a series of questions when it comes to protecting sensitive information from insider threats.

First, should Winner have been granted access to documents related to the Russian hacking investigation in the first place? Were there any processes in place at Pluribus to periodically review access controls and revoke access to documents and emails that employees don’t need?

According to the released affidavit, Winner had only been employee of Pluribus International Corporation since February 2017, but reportedly gained top-secret security clearance in 2013. While her access was legitimate, there is no indication that the leaked document was relevant to her job. In fact, in the affidavit, Winner admits to not having a “need to know.”

The Epidemic of Open Access

This leads to a much broader question about access control: should every employee or contractor with top-secret clearance have access to everything? Likewise, should the CEO of a company have access to every sensitive file and email in her company? Most security pros would argue no. It’s certainly a violation of the rule of least privilege.

Excessive access can be linked to increased risks from insider threats, and the problem is only getting worse. In a recent Ponemon Institute study 62% of end users said they have access to company data they probably shouldn’t see and 76% of IT pros said they’d experienced data loss or theft in the past two years.

The open access epidemic can result in even more damage when accounts are compromised. Even if Winner hadn’t intentionally leaked the document to the media, had her account been compromised by an outside attacker, that information would be vulnerable.

One has to wonder whether Pluribus has a clear picture of it’s most sensitive information. Many organizations have lost the handle on where their most sensitive information lives, who has access to it, and who might be abusing their access — in the 2017 Varonis Data Risk Report, we found that 47% of organizations have at least 1,000 sensitive files open to every employee.

Detecting Insider Threats by Combining Metadata

What’s more, there seems to have been a failure in insider threat detection. It was only when the news outlet contacted an unnamed intelligence agency that federal investigators began their audit to determine who had accessed the leaked document. Was it consistent with Winner’s normal data access behaviors to access files relating to the Russian election hacking investigation? Even though she had legitimate access, there may have been abnormalities in her data access patterns that could have sounded an insider abuse alarm.

Lastly, and perhaps one of the most interesting facets of the story, is how The Intercept accidentally outed Winner by posting a copy of the leaked document which contained tracking metadata. Winner accessed the data and then printed it. Investigators knew it was printed because of invisible micro dots on the page, so they could trace it to a specific printer and date. That narrowed it down to six users, one of which had email contact with The Intercept.

Image credit: http://blog.erratasec.com/2017/06/how-intercept-outed-reality-winner.html

It was a combination of different types of forensic metadata that identified Winner as the leaker. Just knowing the printer and date wouldn’t have been enough on its own without it being correlated with email behavior, but together Winner could be conclusively identified.

Want to learn more about insider threats and techniques to mitigation them? Troy Hunt produced an hour-long video course called The Enemy Within. It’s 100% free. Click here to enroll.

If you want to get a handle on insider threats within your organization, Varonis can help.

WannaCry’s Accidental Hero

WannaCry’s Accidental Hero

Quick update on the massive #WannaCry cyber attack. Before I begin, this is going to SOUND like good news, and it is, but please realize that the propagation of this malware can be restarted VERY easily, so please follow the instructions we laid out here to patch.

Apparently there was a kill switch built into the malware. It attempts a HTTP GET on iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com. If the request succeeds, it stops propagating, as noted by Talos Intellgience:

Earlier today, @MalwareTechBlog observed the traffic to the fake domain, registered it, and sinkholed it, thus stopping the bleeding in a major way. Funny enough, he didn’t realize the domain check kill switch existed. It was sort of dumb luck:

There you have it. @MalwareTechBlog: #WannaCry’s accidental hero.

UPDATE: As Didier Stevens points out, the kill switch is NOT proxy aware. Won’t work for companies that have a proxy.

What is a Data Security Platform?

What is a Data Security Platform?

A Data Security Platform (DSP) is a category of security products that replaces traditionally disparate security tools.

DSPs combine data protection capabilities such as sensitive data discovery, data access governance, user behavior analytics, advanced threat detection, activity monitoring, and compliance reporting, and integrate with adjacent security technologies.

They also provide a single management interface to allow security teams to centrally orchestrate their data security controls and uniformly enforce policies across a variety of data repositories, on-premises and in the cloud.

Data Security Platform (DSP)

Adapted from a figure used in the July 2016 Forrester report, The Future Of Data Security And Privacy: Growth And Competitive Differentiation.

The Rise of the Data Security Platform

A rapidly evolving threat landscape, rampant data breaches, and increasingly rigorous compliance requirements have made managing and protecting data more difficult than ever. Exponential data growth across multiple silos has created a compound effect that has made the disparate tool approach untenable. Siloed tools often result in inconsistently applied data security policies.

Many organizations are finding that simply increasing IT security spend doesn’t necessarily correlate to better overall data security. How much you spend isn’t as important as what you spend it on and how you use what you buy.

“Expense in depth” hasn’t been working. As a result, CISOs are aiming to consolidate and focus their IT spend on platforms over products to improve their enterprise-wide security posture, simplify manageability, streamline processes, and control costs.

According to Gartner, “By 2020, data-centric audit and protection products will replace disparate siloed data security tools in 40% of large enterprises, up from less than 5% today.”

(Source: Gartner Market Guide for Data-Centric Audit and Protection, March 21, 2017).

What are the benefits of a Data Security Platform?

There are clear benefits to consolidation which are generally true in all facets of technology, not just information security:

  • Easier to manage and maintain
  • Easier to coordinate strategy
  • Easier to train new employees
  • Fewer components to patch and upgrade
  • Fewer vendors to deal with
  • Fewer incompatibilities
  • Lower costs from retiring multiple point solutions

In information security, context is king. And context is enhanced drastically when products are integrated as part of a unified platform.

As a result, the benefits of a Data Security Platform are pronounced:

  • By combining previously disparate functions, DSPs have more context about data sensitivity, access controls, and user behavior, and can therefore paint a more complete picture of a security incident and the risk of potential breaches.
  • The total cost of ownership (TCO) is lower for a DSP than for multiple, hard-to-integrate point solutions.
  • In general, platform technologies have the flexibility and scalable architecture to accommodate new data stores and add new functionality when required, making the investment more durable
  • Maintaining compatibility between multiple data security products can be a massive challenge for security teams.
    • DSPs often result in an OpEx reduction because the security teams are dealing with fewer vendors and maintaining, tuning, and upgrading fewer products.
    • Capex reduction by retiring point solutions
  • CISOs want to be able to apply their data security strategy consistently across data silos and easily measure results.

Why context is essential to threat detection

What happens when your tools lack context?

Let’s take a standalone data loss prevention (DLP) product as an example.

Upon implementing DLP it is not uncommon to have tens of thousands of “alerts” about sensitive files. Where do you begin? How do you prioritize? Which incident in the colossal stack represents a significant risk that warrants your immediate, undivided attention?

The challenge doesn’t stop here. Pick an incident/alert at random – the sensitive files involved may have been auto-encrypted and auto-quarantined, but what comes next? Who has the knowledge and authority to decide the appropriate access controls? Who are we now preventing from doing their jobs? How and why were the files placed here in the first place?

DLP solutions by themselves provide very little context about data usage, permissions, and ownership, making it difficult for IT to proceed with sustainable remediation. IT is not qualified to make decisions about accessibility and acceptable use on its own; even if it were, it is not realistic to make these kinds of decisions for each and every file.

You can see a pattern forming here – with disparate products we often end up with excellent questions, but we urgently need answers that only a DSP can provide.

Which previously standalone technologies does a Data Security Platform include?

  • Data Classification & Discovery
    • Where is my sensitive data?
    • What kind of sensitive, regulated data do we have? (e.g., PCI, PII, GDPR)
    • How should I prioritize my remediation and breach detection efforts? Which data is out of scope?
  • Permissions Management
    • Where is my sensitive data overexposed?
    • Who has access to sensitive information they don’t need?
    • How are permissions applied? Are they standardized? Consistent?
  • User Behavior Analytics
    • Who is accessing data in abnormal ways?
    • What is normal behavior for a given role or account?
    • Which accounts typically run automated processes? Which access critical data? Executive files and emails?
  • Advanced Threat Detection & Response
    • Which data is under attack or potentially being compromised by an insider threat?
    • Which user accounts have been compromised?
    • Which data was actually taken, if any?
    • Who is trying to exfiltrate data?
  • Auditing & Reporting
    • Which data was accessed? By whom? When?
    • Which files and emails were accessed or deleted by a particular user?
    • Which files were compromised in a breach, by which accounts, and exactly when were they accessed?
    • Which user made this change to a file system, access controls or group policy, and when?
  • Data Access Governance
    • How do we implement and maintain a least privilege model?
    • Who owns the data? Who should be making the access control decisions for each critical dataset?
    • How do I manage joiners, movers, and leavers so only the right people maintain access?
  • Data Retention & Archiving
    • How do we get rid of toxic data that we no longer need?
    • How do we ensure personal data rights (right to erasure & to be forgotten)?

Analyst Research

A number of analysts firms have taken note of the Data Security Platform market and have released research reports and market guides to help CISOs and other security decision-makers.

Forrester’s “Expense in Depth” Research

In January 2017, Forrester Consulting released a study, commissioned by Varonis, entitled The Data Security Money Pit: Expense in Depth Hinders Maturity that shows a candy-store approach to data security may actually hinder data protection and explores how a unified data security platform could give security professionals the protection capabilities they desire, including security analytics, classification and access control while reducing costs and technical challenges.

The study finds that a fragmented approach to data security exacerbates many vulnerabilities and challenges, and 96% of these respondents believe a unified approach would benefit them, including preventing and more quickly responding to attempted attacks, limiting exposure and reducing complexity and cost.. The study goes on to highlight specific areas where enterprise data security falls short:

  • 62% of respondents don’t know where their most sensitive unstructured data resides
  • 66% don’t classify this data properly
  • 59% don’t enforce a least privilege model for access to this data
  • 63% don’t audit use of this data and alert on abuses
  • 93% suffer persistent technical challenges with their current data security approach

Point products may mitigate specific threats, but when used tactically, they undermine more comprehensive data security efforts.

According to the study, “It’s time to put a stop to expense in depth and wrestling with cobbling together core capabilities via disparate solutions.”

Almost 90% of respondents desire a unified data security platform. Key criteria to include in such a platform as selected by the survey respondents include:

  • Data classification, analytics and reporting (68% of respondents)
  • Meeting regulatory compliance (76% of respondents)
  • Aggregating key management capabilities (70% of respondents)
  • Improving response to anomalous activity (68% of respondents)

Forrester concludes:

Forrester on Data Security Platforms

Gartner’s DCAP Market Guide

Gartner released the 2017 edition of their Market Guide for Data-Centric Audit and Protection. The guide’s summary concisely describes the need for a platform approach to data security:

Garter on Data-Centric Audit and Protection

Gartner recommends that organizations “implement a DCAP strategy, and ‘shortlist’ products that orchestrate data security controls consistently across all silos that store the sensitive data.” Further, the report advises, “A vendor’s ability to integrate these capabilities across multiple silos will vary between products and also in comparison with vendors in each market subsegment. Below is a summary of some key features to investigate:”

  • Data classification and discovery
  • Data security policy management
  • Monitoring user privileges and data access activity
  • Auditing and reporting
  • Behavior analysis, alerting and blocking
  • Data protection

Demo the Varonis Data Security Platform

The Varonis Data Security Platform (DSP) protects enterprise data against insider threats, data breaches and cyberattacks by analyzing content, accessibility of data and the behavior of the people and machines that access data to alert on misbehavior, enforce a least privilege model and automate data management functions. Learn more about the Varonis Data Security Platform →

What customers are saying about the Varonis Data Security Platform

City of San Diego on the Varonis Data Security Platform

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.