A study by AV-TEST, the Independent IT-Security Institute, has revealed that the number of malware infections threatening individuals and businesses has been growing exponentially since 2013. A decade ago there were 20 million malicious programs; in the first quarter of 2018 their number amounts to almost 750 million, and the Institute registers more than 250,000 new malicious codes every day.
Figure 1. The quantity of malicious software globally
In 2017, cyber attacks caused $450 billion of losses worldwide, with an average cost per attack of $9.5 million. In 51% of breaches, cyber criminals used a malware infection, and an increasing number of businesses have become exposed to this type of attack. In this article, we will try to find out how infections may endanger businesses, and how companies can withstand the threat.
Know Your Enemy by Sight
Malware, a term formed from “malicious” and “software,” is a type of software that serves ill-intentioned goals and is cast in the form of computer viruses, Trojan horses, worms, ransomware, adware, scripts, codes and other programs.
Malicious software falls into numerous types, depending on the way it penetrates a targeted network and how it operates afterwards. To successfully prevent and combat malware, we need to know its symptoms and what it can do.
There are numerous malware infection types, as follows:
- Ad fraud that fraudulently creates ad impressions to produce a profit
- Adware that displays annoying ads
- Backdoors that create a gap in a system to let intruders penetrate it or implant other malware
- A browser hijacker that modifies web browser settings to inject content and redirect users to targeted pages
- Downloader that downloads, installs and executes malicious software
- A keylogger that records everything users type in order to extract sensitive information
- Ransomware that prevents users from accessing their data and demands a ransom for the restoration of their ownership of the data
- Rogue security software that pretends to be an antivirus program and cheats users out of their money for removing an imaginary virus
- A rootkit that enables unauthorized access to a system or software
- Spyware that tracks a user’s internet activity and behavior
- A trojan that governs other system resources, and quite often is involved in denial-of-service attacks
- A virus that attaches itself to various files and destroys them
- A worm that destroys system operating files and data files until the hard drive is ruined
Before developing an efficient malware prevention strategy, businesses need to understand the motives of cyber criminals. Usually, hackers have two reasons for their attacks: to make money or to satisfy their vanity.
Radware’s research reveals the following motives:
- Ransom (41%)
- Insider threat (27%)
- Political reasons (26%)
- Competition (26%)
- Cyberwar (24%)
- Angry user (20%)
- Motive unknown (11%)
Since money and politics are in the lead, criminals usually zero in on industries that meet these requirements, which is why manufacturing, information, finance, healthcare and education are the primary targets.
Why are companies concerned about malware? In 2016, most of them feared that attacks would compromise their reputation (18%) or cause them to lose sensitive data (23%). The effect on service (18%) and productivity (12%) also played a major role, while revenue loss accounted for only 10%.
Below, we will explore in more detail the types of malware infections that were most common in 2017, some of which have become a serious risk for users of computer technologies.
Figure 2. Malware distribution by type, Q1 2017
The rise in ransomware attacks has made them the number one cyber threat: ransomware was involved in more than 60% of cyber security incidents. Statistics provided by Kaspersky show that ransomware attacks a business every 40 seconds. The number of ransomware modifications is also growing extremely fast: it increased elevenfold within two quarters of 2016, reaching 32,091.
There are two types of ransomware that behave differently, as follows:
- Cryptors that encrypt information on users’ devices, which makes it impossible for users to access their data
- Blockers that shut down devices so that users cannot run them, while the information remains untouched
Users see an on-screen ransom demand that is usually disguised as a law-enforcement notification stating that the user has accessed illegal content and must pay the ransom.
As Verizon wittily remarks in its 2017 Data Breach Investigations Report, “ransom notes are the most profitable form of writing,” as ransom payout amounts may reach hundreds of millions of US dollars. Indeed, in 2017, NotPetya ransomware extorted over $310 million from Merck, a pharmaceutical giant, $300 million from FedEx, a leading package express company, and $200 million from Maersk, the world's largest container ship operator.
After a company gets a ransom demand, there is little left to do. It can refuse to fulfill the requirement and lose all the information, or pay the required sum, which does not guarantee that criminals will provide access to the data.
With its 20% share, ad fraud, also known as invalid traffic, is the malware type that ranks second in the 2017 distribution of malware by type. This category covers all forms of online ad fraud that are intended to deceive advertisers by providing fake traffic and leads and deliberately ineffective advertising activity.
Most frequently, it relies on fraudulent banner, video and in-app ads and can be classified into the following types:
- Ad stacking that heaps several ads together to generate page impressions, while users do not see them all
- Click fraud that generates fake traffic automatically, with hitbots or by a click farm
- Domain spoofing that means placing an ad on a fraudulent domain instead of a legitimate one
- Pixel spoofing that hides advertisements behind pixels, which increases impressions while visitors do not see these ads
- Search ad fraud that creates fake websites and then places high-cost keywords on them
As a result, marketers spend large advertising budgets and get nothing in return. According to Forrester, ad fraud cost businesses $7.4 billion in 2016, and the amount is predicted to grow. Ad fraud against the Financial Times website (ft.com) alone comes out to $1.3 million per month.
With downloaders, cyber criminals do not need to lure users into accessing suspicious content or downloading contaminated software. Downloaders facilitate penetration into a targeted system, which is why they are especially useful in advanced persistent threat (APT) attacks.
We hope that these examples of malware attacks constitute convincing evidence for companies to take action in protecting their operations. Usually, businesses are exposed to carefully orchestrated attacks, of which malware activity is one part. Such attacks are extremely difficult to address after intruders have penetrated the environment. That is why we highly recommend prioritizing prevention measures, as they allow an attack to be stopped at its inception.
Malware Prevention at Large Enterprises
Big market players are usually primary targets for cyber criminals. Their high revenues allow them to shell out considerable amounts for the return of data ownership. That is why hackers engineer sophisticated strategies to penetrate their victims’ environments and access sensitive data.
In most cases, cyber criminals use malware as a component of their malicious strategies. Below, we will work out measures that help prevent malware from penetrating business environments of large companies, whether the malware is a part of a large attack or acts independently. A secure corporate environment should include the following components: an efficient SIEM system, threat intelligence, protected cloud and safe mobile software.
SIEM (security information and event management) systems provide comprehensive control over a company’s IT landscape. Quite frequently, such a system is mistakenly considered a one-man army that detects and destroys every possible threat.
However, a SIEM system is not capable of fighting malware that has already infiltrated a network, as its purpose is to monitor the corporate environment and detect tampering attempts. After the system reveals anomalies and filters out false positives, security analysts investigate the issue and address it.
SIEM systems cover all network components, such as numerous endpoints, assets and applications; they gather the flow data and log events that these components produce, and then parse this information to extract valuable insights.
In accordance with Gartner’s 2017 Magic Quadrant for SIEM and the new Forrester Wave™ for Security Analytics Platforms, IBM QRadar is the number one security analytics platform nowadays.
Let’s study the capabilities of such systems as exemplified by this leading solution:
- The detection of insider threats, APTs and frauds
- Event parsing, normalization and correlation
- Near real-time event visibility
- Incident prioritization based on advanced analytics
- Enforcement of the internal security policy and compliance with statutory security regulations
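The following is an added illustration of the parsing, normalization, correlation and prioritization functions listed above; it is example code written for this article, not IBM QRadar's or any other product's implementation, and the two log formats, the "download then execute" rule and the scoring weights are assumptions chosen for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample events (not real logs) from two sources: a web proxy and an endpoint agent.
RAW_LOGS = [
    "proxy 2018-03-01T09:00:05 host=ws-17 url=http://unknown-cdn.test/update.exe bytes=412000",
    "edr 2018-03-01T09:00:40 host=ws-17 proc=update.exe parent=outlook.exe",
    "proxy 2018-03-01T09:01:10 host=ws-22 url=http://intranet.example.test/news.html bytes=9000",
    "edr 2018-03-01T09:03:00 host=ws-22 proc=chrome.exe parent=explorer.exe",
    "proxy 2018-03-01T09:05:00 host=ws-17 url=http://unknown-cdn.test/gate.php bytes=120",
]
PROXY_RE = re.compile(r"proxy (\S+) host=(\S+) url=(\S+) bytes=(\d+)")
EDR_RE = re.compile(r"edr (\S+) host=(\S+) proc=(\S+) parent=(\S+)")

def normalize(line):
    """Parse one raw line from either source into a common schema (ts, host, kind, detail)."""
    m = PROXY_RE.match(line)
    if m:
        ts, host, url, _ = m.groups()
        return {"ts": datetime.fromisoformat(ts), "host": host, "kind": "download",
                "detail": url.rsplit("/", 1)[-1], "url": url}
    m = EDR_RE.match(line)
    if m:
        ts, host, proc, parent = m.groups()
        return {"ts": datetime.fromisoformat(ts), "host": host, "kind": "exec",
                "detail": proc, "parent": parent}
    return None  # unknown source: dropped here; a real SIEM would count it as a parsing failure

def correlate(lines, window=timedelta(minutes=5)):
    """Correlate events per host; score download-then-execute chains (+50), a mail-client
    parent process (+30) and a later beacon-like .php request (+20). Weights are assumed."""
    by_host = defaultdict(list)
    for ev in filter(None, map(normalize, lines)):
        by_host[ev["host"]].append(ev)
    incidents = []
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        score, reasons = 0, []
        for d in (e for e in events if e["kind"] == "download" and e["detail"].endswith(".exe")):
            for e in events:
                delta = (e["ts"] - d["ts"]).total_seconds()
                if e["kind"] != "exec" or e["detail"] != d["detail"] or not 0 <= delta <= window.total_seconds():
                    continue
                score += 50; reasons.append(f"executed downloaded {d['detail']}")
                if e["parent"] in ("outlook.exe", "thunderbird.exe"):
                    score += 30; reasons.append(f"spawned by mail client {e['parent']}")
                if any(x["kind"] == "download" and x["ts"] > e["ts"] and x["url"].endswith(".php") for x in events):
                    score += 20; reasons.append("beacon-like request after execution")
        if score:
            incidents.append({"host": host, "score": score, "reasons": reasons})
    return sorted(incidents, key=lambda i: i["score"], reverse=True)  # highest priority first
```

Running `correlate(RAW_LOGS)` flags only ws-17 with a score of 100, while ws-22's ordinary browsing produces no incident; an analyst would then investigate the top-scored host first.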
An integral part of security intelligence, cyber threat intelligence enables companies to be aware of possible and real attacks that threaten their corporate environments.
Threat intelligence relies on sharing platforms that contain comprehensive information on potential, existing and past threats. This information helps security analysts monitor corporate IT landscapes for the signs of malware infection or other possible exploits and threats and proactively address them.
Businesses use threat intelligence solutions for the following purposes:
- Prioritize vulnerabilities
- Detect phishing attacks
- Detect rogue software
- Reveal fraud
- Monitor social media, web and brands
The rapid expansion of cloud computing increases the cloud's exposure to malware attacks, which requires companies to place the utmost importance on cloud security.
Figure 3. The size of the cloud computing and hosting market worldwide from 2010 to 2020 (in billion U.S. dollars)
Cloud security is an approach that requires a number of measures to be fulfilled, such as:
- System integrity. In a cloud, the systems of various companies share resources, which makes them highly exposed to cyber attacks. That is why businesses should ensure the reliability of their cloud environments to prevent data breaches and malware penetration.
- Reliable credential, identity and access management. Prevent unauthorized users from accessing your cloud-based data and environment, including services and user accounts.
- Well-secured interfaces and APIs. The overall cloud safety and reliability depends heavily on the security of APIs, which is why the interfaces must protect cloud-based assets and workloads against illegal infiltration.
- Reliable staff. To prevent insider threats, companies need to guard against rogue or malicious employees who have access to sensitive information, for example system administrators.
- Resistance to DoS attacks. Since clouds are prone to denial-of-service attacks, businesses need to prevent attackers from consuming vast amounts of their cloud-based resources.
- Resilient shared technologies. Many companies rely on cloud components that are not designed to securely isolate multitenant software and architectures, which may cause security violations.
The increasing demand for mobile applications has given a boost to various cyber attacks that are performed via portable devices. Usually, mobile devices are connected to different networks, which raises the prospect of malware infiltration. That is why mobile security is a prerequisite, regardless of whether you develop software for end customers or use it in your corporate IT environment for your own purposes.
Malware Prevention at SMEs
Statistics show that malware is among the top three types of cyber attacks to which small and medium businesses are exposed. The majority of polled companies state that the root causes of breaches are employee or contractor negligence, which is why employee conduct must be the number one concern in SMEs.
Figure 4. The root causes of data breaches in SMEs
Some of the above measures are quite costly, and not many businesses can afford to implement them to fight off malware. However, there are some measures that do not require a big investment while still helping to create a fairly reliable defense of a corporate IT landscape against malware.
Application security testing solutions help businesses detect weak spots that malware may use to infiltrate the source code of their applications and inflict damage. We will study their capabilities using the example of the leading solution in Gartner’s 2017 Magic Quadrant for Application Security Testing – HPE Security Fortify.
This solution provides a complete visibility of a company’s software, detects and helps eliminate possible vulnerabilities, and allows users to review, manage and prioritize remediation measures.
HPE Security Fortify comprises a family of products for streamlined security testing that perform the following functions:
- Real-time vulnerability detection and remediation
- Real-time attack and security violation identification
- The identification of the root causes of vulnerabilities and their prioritization
Still, security or penetration testing is the best way to examine the safety and reliability of a company’s infrastructure and get a 360-degree overview. By simulating malicious actions that criminals may take, ethical hackers check a system’s immunity to attacks. This approach provides the most thorough analysis of a company’s infrastructure and allows identifying vulnerabilities, bottlenecks and possible gaps that malicious software may use to infiltrate the source code.
Companies should use only reliable software and get it from trusted sources; otherwise, it may turn out to be malware in disguise. Instead of downloading the first available files, use software centers or publishers’ websites. Also, any risky or ill-reputed application should be removed and replaced with a trustworthy one.
Timely software updating is another measure that contributes to higher system reliability. Current software versions usually have more reliable defenses, which is why companies should update their operating systems and other software as soon as new versions become available.
Also, there is a range of software that should be installed on all of the assets in an IT network to help protect it from malware penetration, such as:
- Antiviruses that detect and remove viruses and other malicious programs
- Anti-spyware software that scans incoming traffic for spyware and prevents it from installing
- Spam filters that quarantine or block emails with suspicious content
- IDS and firewalls that scan traffic and alert about malware, although they do not prevent its installation
- Security scans that check corporate websites and applications for the symptoms of a malware infection
Robust Internal Security Policy
A company’s internal security policy should specify certain requirements that the employees must fulfill.
Watch out for suspicious USB devices. USB devices that look lost or forgotten may turn out to be a major hazard, as chances are, criminals have planted them to kick off an elaborate attack. The devices may contain malware that penetrates the network as soon as it can and kicks off a broad-scale attack. That is why employees must not use unattended USBs; instead, they should destroy them or alert security officers.
Keep away from fishy URLs and attachments. As far back as 2011, Microsoft reported that one in 14 downloads contains malware, and the rate keeps growing. That is why users should avoid any suspicious or unexpected attachments and URLs, as attachments can contain camouflaged malware, while URLs may lead to rogue websites.
Rock-solid passwords. An unreliable password is probably one of the easiest gaps that intruders may use to get access to corporate endpoints. That is why sound password management may prevent criminals from implanting malicious programs into a company’s IT landscape.
Defend with Skeptical Computing
As time passes, malware infections become more sophisticated and widespread, which is why businesses should pay considerable attention to the protection of their IT landscapes. A reliable defense is no longer a desirable measure – it has become an indispensable prerequisite.
Companies choose different protection measures, depending on their size and available budgets. However, regardless of whether you can afford to implement a high-end SIEM system, to perform security or penetration testing of your network or only to install an anti-malware program, skeptical computing must be your motto.