24 Feb Cyber-Threats aren’t inevitable. Are they?
I’m not going to beat around the bush. I get excited just seeing all those red boxes stacked up together.
I’ll tell you why.
I absolutely despise cleaning up after malware and virus infections. Seeing first hand the stress it places on business owners and the unlucky staff who open fraudulent or malicious email. It’s one of the worst parts of the job when you have to tell someone it’s all been lost. In case you haven’t guessed, the protection of IT systems for business owners is my passion.
Last week a business we support was infected with a piece of Malware – nothing strange there!
The infection was downloaded from the web via an URL embedded and masked within a very well crafted Phishing email, jargon I know but stay with me, I will break that down for you soon and again from a technical standpoint this is hardly surprising.
What was VERY strange and VERY surprising was that the infected file was pulled down from a HTTPS Server rather than a HTTP.
For those who are not familiar with the difference, HTTPS ensures the connection between the website and your computer is encrypted to ensure the details of the exchange are not visible to anyone on the internet who doesn’t hold the necessary public and private ‘codes’. It stops people intercepting the transaction while it is in transit between two computers. It is the same protocol that is used online by banks, online payment platforms and email systems to keep your data safe.
In fact the use of HTTPS to try and make the internet safer is increasing rapidly. Google will penalise your site rankings if you don’t have a secure HTTPS website, no matter what your site is about or contains, they consider it to be that important to a safe internet experience. Yet in this instance, the customer was undone by the very same mechanism designed to make browsing the internet safer!
Throughout 2016 there has been plenty of articles and blogs spruiking that HTTPS would soon become a very active ‘attack vector’ as the ability to analyse or inspect /scan the HTTPS traffic is quite difficult and relies upon either an enterprise hosted cloud service like Cyren or iBoss, or you can host your own on-site Unified Threat Management (UTM) Firewall like a Watchguard.
Lets just say, they cost a bit more then your average Netgear modem.
Unfortunately Cloud services like Cyren and iBoss are not available in Australia and on-site firewalls are not only expensive but many IT companies lack the training required to make them effective. So they take the position that infections are inevitable. I have heard more then one IT professional quip that at least the process of removing infections for clients is good for the bottom line. Wow.
Unfortunately they could very well be right about it being inevitable, as the following report might show.
On the 14th of February an email arrived in this user’s inbox. I copied the URL that was displayed in the email when you hover your mouse over the link and copied it into the free URL lookup service offered by Virus Total – NO HITS! But something still didnt look right.
The very next day I performed the same task and bingo – only 2 on this occasion though.
So I uploaded the zip file containing the malware to the same Virus Total system – only 4 out of 57 of the most commonly used and well known Antivirus Vendors were aware this infection existed.
The good news with this incident was that our Endpoint Antivirus / Anti-Malware system Webroot was one of the lucky four and it went to work detecting and cleaning the infection before any serious damage could be done. Still a narrow escape.
To be as open and honest about the clients security setup as possible, they had done everything ‘right’ and were using our full security suite. It was our recommended Antivirus, our preferred Anti-Spam and they also had a Watchguard Firewall installed and configured appropriately.
A very solid solution that will stop most threats.
So why didn’t it work?
As I eluded to earlier, the file was downloaded from a HTTPS website. So the clients Watchguard Firewall with HTTPS Content Inspection was key. Content inspection would have decrypted the traffic, scanned the file using it’s in-built antivirus and uploaded the file for additional behavioural analysis to WatchGuard’s Lastline servers, detect and stop the file before it reached the user’s computer. But that didn’t happen.
With this customer, the WatchGuard Firewall was installed when they were a much smaller business with much lighter internet usage. Like most technology recommendations it was suitable (at the time). But as the business experienced significant growth and the security solution had not been reviewed, enabling a CPU intensive service like HTTPS Content Inspection became impractical as the load was beyond it’s capabilities. So the virus was left uncontested to work it’s way into the network.
The ugly truth is, content inspection wasn’t running at the time of the email being opened and here lies our point. You have to review your technology solutions to ensure they continue to be fit for purpose. You can’t invest in a piece of technology and expect it to never need attention again. The world of cyber-security is far too dynamic.
How you can test your web security protection.
Security companies like Cyren and ZScaler offer online testing and reporting tools which are free, easy to use and can help ensure you can easily identify whether your IT Partner is up to the challenge of trying to protect your business – try for yourself!
If they have engaged the decision makers within a business correctly and have implemented a layered security model comprising of a well configured UTM Firewall and Endpoint Security…
Well see for yourself. Click Here.
These results are not perfect but I hope you are collating your own results ready for your next IT strategy discussion. Don’t get me wrong, all the safeguards available might still not cover every attack vector or exploit attempt that hackers can engineer, but there are many cost effective ways that are within reach of small and medium businesses.