
Brian Pennington

A blog about Cyber Security & Compliance

Tag: Symantec


2015 Security Predictions


The full article can be found here.

95% of enterprises allow BYOD


Courtesy of Symantec.

Top 10 Tips for Cyber Resilience in businesses

The dramatic increase in both the sophistication and frequency of cyber risks and attacks on businesses has profoundly changed the security threat landscape. Gone are the benign days of the Anna Kournikova virus or the “I Love You” bug. Today cyber risks and threats can lead to breaches of sensitive data, harming consumers, businesses and governments of all sizes. But there is a way to stay ahead of these risks by crafting an effective security strategy, and being cyber resilient.

Cyber resilience is not just about installing point products into your IT environment but rather it is about understanding a broader set of business and technical challenges. These include understanding the risks in an increasingly connected cyber world and in particular the risks facing an organisation with rapidly evolving technologies such as mobile, cloud, virtual, big data, and social; as well as increasing dependence on the Internet to conduct business.

Many businesses currently don’t have holistic IT security practices and technologies in place to deal with all of these new challenges. Breaches can and will happen. How businesses prepare for a breach is just as important as how they respond to one. Organisations should consider the following measures to mitigate the risk of an attack and become cyber resilient:

  1. Make security personal to your business – understand your business and how security can be built into your IT practices
  2. Baseline your security regularly – analyse your state of readiness, so that you can interpret the symptoms that can lead to a security incident
  3. Get executive and board engagement – cyber resilience starts at the top of the organisation
  4. Have a plan – security incidents happen every day. Develop a plan that addresses how businesses identify the important incidents and ensure they remain up and running no matter what
  5. Education – from board to new hire, it’s essential that everyone understands that they are responsible and accountable. All employees need to know what part they play in the bigger picture
  6. Do the basics well – leverage government and industry guidelines. This includes aspects such as patching and good user-level access management
  7. Plan for today and scale for the future – for example, BYOD is here to stay. Don’t just apply quick fixes; align your IT to a longer-term strategy
  8. Start small, but think big – Information protection is a long-term project, but organisations need to start where they will add the most business value and then expand where there is further, long-term value. For example, the supply chain and how an organisation interacts with its wider network of vendors and partners. The key is to think big but have a maturity plan, which must be linked to strategic business value and growth
  9. Be accountable – understand what the regulatory, legislative and peer-to-peer controls are that the business needs to adhere to. Make sure there is a clearly defined owner for each of these and an executive sponsor
  10. Don’t wait for it to happen – test your processes, procedures and people regularly. Make sure the business has clearly defined lifecycles that reflect changes in business strategy, technology use and culture. Make sure the strategy is current and effective for the business and the risks.

For an organisation to be cyber resilient there needs to be in place a strategy that adapts to the ever changing cyber security landscape. This strategy should not only make your organisation cyber resilient but it should be designed to make security your competitive advantage.

Written by Brenton Smith, Managing Director & VP Pacific at Symantec, and originally posted here.

How Employees are Putting Your Intellectual Property at Risk

“What’s Yours is Mine: How Employees are Putting Your Intellectual Property at Risk” is a white paper produced by the Ponemon Institute on behalf of Symantec.

The paper reviews the way employees perceive corporate data, and their mindset and motivations for copying data and Intellectual Property.

Key Findings

  • Employees are moving IP outside the company in all directions
  • When employees change jobs, sensitive business documents often travel with them
  • Employees are not aware they are putting themselves and their companies at risk
  • They attribute ownership of IP to the person who created it
  • Organizations are failing to create a culture of security

Impact on Organizations

According to the Ponemon Institute, employees are moving IP outside the company in all directions:

  • Over half admit to emailing business documents from their workplace to their personal email accounts
  • 41% say they do it at least once a week
  • 44% also say they download IP to their personally owned tablets or smartphones, leaving confidential information even more vulnerable as it leaves corporate-owned devices

The data loss continues through employees sharing confidential information in the cloud:

  • 37% use file-sharing apps (such as Dropbox or Google Docs) without permission from their employer
  • Worse, the sensitive data is rarely cleaned up; the majority of employees put these files at further risk because they don’t take steps to delete the data after transferring it.

When employees change jobs, sensitive business documents often travel with them. In most cases, the employee is not a malicious insider, but merely negligent or careless about securing IP. However, the consequences remain. The IP theft occurs when an employee takes any confidential information from a former employer:

  • Half of the survey respondents say they have taken information
  • 40% say they will use it in their new jobs

This means precious intelligence is also falling into the hands of competitors, causing damage to the losing company and adding risk to the unwitting receiving company.

Understanding Employee Attitudes about IP Theft

The attitudes that emerged from the survey suggest that employees are not aware that they are putting themselves and their employers at risk when they freely share information across multiple media. Most employees do not believe that transferring corporate data to their personal computers, tablets, smartphones, and cloud file-sharing apps is wrong. A third say it is OK as long as the employee does not personally receive economic gain, and about half justified their actions by saying it does not harm the company. Others blamed the companies for not strictly enforcing policies and for not proactively securing the information. These findings suggest that employees do not recognize or acknowledge their role in securing confidential company data.

To shed further insight, over half do not believe that using competitive data taken from a previous employer is a crime. Employees attribute ownership of IP to the person who created it. When given the scenario of a software developer who re-uses source code that he or she created for another company, 42% do not believe it is wrong and think that a person should have an ownership stake in his or her work and inventions. They believe that the developer has the right to re-use the code even when that developer does not have permission from the company. These findings portray today’s knowledge workers as unaware that intellectual property belongs to the organization.

Recommendations from the paper

Given these findings, what can companies do to minimize risk? We suggest that companies take a multi-pronged approach:

  • Educate employees. Organizations need to let their employees know that taking confidential information is wrong. Employee training and awareness are critical; companies should take steps to ensure that IP theft awareness is a regular and integral part of security awareness training. Create and enforce policies that provide the do’s and don’ts of information use in the workplace and when working remotely. Help employees understand that sensitive information should remain on corporate-owned devices and databases. Make it clear that new employees are not to bring IP from a former employer to your company.
  • Enforce non-disclosure agreements (NDAs). Review existing employment agreements to ensure that they use strong and specific language regarding company IP. Conduct focused conversations during exit interviews with departing employees and have them review the original IP agreement. Include and describe, in checklist form, an overt description of information that may and may not transfer with a departing employee. Make sure all employees are aware that any policy violations will be strictly managed and will affect their jobs. Employment agreements should contain specific language about the employee’s responsibility to safeguard sensitive and confidential information.
  • Implement monitoring technology. Support education and policy initiatives by using monitoring technology to gain insight into where IP is going and how it’s leaving. Deploy data loss prevention software to notify managers and employees in real-time when sensitive information is inappropriately sent, copied, or otherwise inappropriately exposed. Implement a data protection policy that monitors inappropriate access/use of IP and notifies employees of violations, which increases security awareness and deters theft. Leverage technology to learn what IP is leaving your organization and how to prevent it from escaping your network.


Symantec MessageLabs June 2011 Intelligence Report


Symantec have released their June 2011 Intelligence Report. The Symantec Intelligence Report, provides the latest analysis of cyber security threats, trends and insights from the Symantec Intelligence team concerning malware, spam, and other potentially harmful business risks. The data used to compile the analysis for this combined report includes data from May and June 2011.

Report highlights

  • Spam – 72.9% in June (a decrease of 2.9 percentage points since May 2011)
  • Phishing – One in 330.6 emails identified as Phishing (a decrease of 0.05 percentage points since May 2011)
  • Malware – One in 300.7 emails in June contained malware (a decrease of 0.12 percentage points since May 2011)
  • Malicious Web sites – 5,415 Web sites blocked per day (an increase of 70.8% since May 2011)
  • 35.1% of all malicious domains blocked were new in June (a decrease of 1.7 percentage points since May 2011)
  • 20.3% of all Web-based malware blocked was new in June (a decrease of 4.3 percentage points since May 2011)
  • Review of Spam-sending botnets in June 2011
  • Clicking to Watch Videos Leads to Pharmacy Spam
  • Wiki for Everything, Even for Spam
  • Phishers Return for Tax Returns
  • Fake Donations Continue to Haunt Japan
  • Spam Subject Line Analysis
  • Best Practices for Enterprises and Users

Spam Analysis

In June 2011, the global ratio of spam in email traffic decreased by 2.9 percentage points since May 2011 to 72.9% (1 in 1.37 emails).

Country          May    April   Change %
United States    29%    31%     -2
India             5%     4%      1
Russia            5%     5%
Brazil            5%     5%
Netherlands       5%     5%
Taiwan            3%     4%     -1
South Korea       3%     3%
Uruguay           3%     3%
Ukraine           3%     2%      1
China             2%     3%     -1

As the global spam level declined in June 2011, Saudi Arabia became the most spammed geography, with a spam rate of 82.2%, overtaking Russia, which moved into second position.

In the US, 73.7% of email was spam and 72.0% in Canada. The spam level in the UK was 72.6%. In The Netherlands, spam accounted for 73.0% of email traffic, 71.8% in Germany, 71.9% in Denmark and 70.4% in Australia. In Hong Kong, 72.2% of email was blocked as spam and 71.2% in Singapore, compared with 69.2% in Japan. Spam accounted for 72.3% of email traffic in South Africa and 73.4% in Brazil.

Global Spam Categories

Spam Category Name     June 2011
Pharmaceutical         40%
Adult/Sex/Dating       19%
Watches/Jewelry        18%
Newsletters            12%
Casino/Gambling         7%
Unknown                 3%
Degrees/Diplomas        2%
Weight Loss             1%

Phishing Analysis

In June, Phishing activity decreased by 0.06 percentage points since May 2011; one in 286.7 emails (0.349%) comprised some form of Phishing attack.

Phishing Sources: Country   May    April      % change
United States               44%    55%        -11
Chile                       15%    unlisted   N/A
Canada                       5%     5%
Germany                      5%     6%         -1
United Kingdom               4%     6%         -2
China                        2%    unlisted   N/A
France                       2%     3%         -1
Netherlands                  2%     2%
Russia                       1%     2%         -1
Australia                    1%     3%         -2

South Africa remained the most targeted geography for Phishing emails in June, with 1 in 111.7 emails identified as phishing attacks. South Africa suffers from a high level of Phishing activity targeting many of its four major national banks, as well as other international financial institutions.

In the UK, phishing accounted for 1 in 130.2 emails. Phishing levels for the US were 1 in 1,270 and 1 in 207.7 for Canada. In Germany Phishing levels were 1 in 1,375, 1 in 2,043 in Denmark and 1 in 543.7 in The Netherlands. In Australia, Phishing activity accounted for 1 in 565.2 emails and 1 in 2,404 in Hong Kong; for Japan it was 1 in 11,179 and 1 in 2,456 for Singapore. In Brazil, 1 in 409.8 emails were blocked as Phishing attacks.

The Public Sector remained the most targeted by phishing activity in June, with 1 in 83.7 emails comprising a Phishing attack. Phishing levels for the Chemical & Pharmaceutical sector were 1 in 897.3 and 1 in 798.3 for the IT Services sector; 1 in 663.2 for Retail, 1 in 151.4 for Education and 1 in 160.8 for Finance.

Email-borne Threats

The global ratio of email-borne viruses in email traffic was one in 300.7 emails (0.333%) in June, a decrease of 0.117 percentage points since May 2011.

The UK remained the geography with the highest ratio of malicious emails in June, as one in 131.9 emails was blocked as malicious in June.

In the US, virus levels for email-borne malware were 1 in 805.2 and 1 in 297.7 for Canada. In Germany virus activity reached 1 in 721.0, 1 in 1,310 in Denmark and in The Netherlands 1 in 390.3. In Australia, 1 in 374.5 emails were malicious and 1 in 666.5 in Hong Kong; for Japan it was 1 in 2,114, compared with 1 in 946.7 in Singapore. In South Africa, 1 in 280.9 emails and 1 in 278.9 emails in Brazil contained malicious content. With 1 in 73.1 emails being blocked as malicious, the Public Sector remained the most targeted industry in June. Virus levels for the Chemical & Pharmaceutical sector were 1 in 509.4 and 1 in 513.8 for the IT Services sector; 1 in 532.8 for Retail, 1 in 130.4 for Education and 1 in 182.3 for Finance.

Malware Name                          % Malware
Exploit/SuspLink-d1f2                 4.85%
Link-Trojan.Generic.5483393-4cac      2.89%
W32/NewMalware!836b                   2.41%
W32/NewMalware!0575                   2.39%
Exploit/Link-FakeAdobeReader-8069     2.32%
Trojan.Bredolab!eml-1f08              1.97%
Exploit/LinkAliasPostcard-d361        1.52%
W32/Packed.Generic-7946               1.46%
W32/Bredolab.gen!eml                  1.36%
Exploit/FakeAttach-844a               1.39%

Web-based Malware Threats

In June, MessageLabs Intelligence identified an average of 5,415 Web sites each day harboring malware and other potentially unwanted programs including spyware and adware; an increase of 70.8% since May 2011. This reflects the rate at which Web sites are being compromised or created for the purpose of spreading malicious content. Often this number is higher when Web-based malware is in circulation for a longer period of time to widen its potential spread and increase its longevity. The 70.8% rise marks a return to the highest rate since December 2010, as can be seen in the chart below; the rate had previously been diminishing during the first half of 2011.

As detection for Web-based malware increases, the number of new Web sites blocked decreases and the proportion of new malware begins to rise, but initially on fewer Web sites. Further analysis reveals that 35.1% of all malicious domains blocked were new in June; a decrease of 1.7 percentage points compared with May 2011. Additionally, 20.3% of all Web-based malware blocked was new in June; a decrease of 4.3 percentage points since the previous month.

Endpoint Security Threats

The endpoint is often the last line of defense and analysis; however, the endpoint can often be the first-line of defense against attacks that spread using USB storage devices and insecure network connections. The threats found here can shed light on the wider nature of threats confronting businesses, especially from blended attacks and threats facing mobile workers. Attacks reaching the endpoint are likely to have already circumvented other layers of protection that may already be deployed, such as gateway filtering. The table below shows the malware most frequently blocked targeting endpoint devices for the last month. This includes data from endpoint devices protected by Symantec technology around the world, including data from clients which may not be using other layers of protection, such as Symantec Web Security.cloud or Symantec Email AntiVirus.cloud.

Malware Name            Malware %
W32.Ramnit!html          9.47%
W32.Sality.AE            8.49%
Trojan.Bamital           8.23%
W32.Ramnit.B!inf         7.59%
W32.DownadupageB         3.76%
W32.Virut.CF             2.70%
W32.Almanahe.B!inf       2.50%
W32.SillyFDC             1.99%
Trojan.ADH.              1.91%
Trojan.ADH               1.90%
Generic Detection       16.90%

For further details visit the Symantec website here.

March’s Report summary can be found here.

April’s Report summary can be found here.

May’s Report summary can be found here.


Symantec’s May 2011 Intelligence Report


Symantec have released their May 2011 Intelligence Report. A summary of the results is below.

Report highlights

  • Spam – 75.8% in May (an increase of 2.9 percentage points since April 2011)
  • Viruses – One in 222.3 emails in May contained malware (a decrease of 0.14 percentage points since April 2011)
  • Phishing – One in 286.7 emails comprised a Phishing attack (a decrease of 0.06 percentage points since April 2011)
  • Malicious web sites – 3,170 web sites blocked per day (an increase of 30.4% since April 2011)
  • 36.8% of all malicious domains blocked were new in May (an increase of 3.8 percentage points since April 2011)
  • 24.6% of all web-based malware blocked was new in May (an increase of 2.1 percentage points since April 2011)
  • For the First Time, Spammers establish their own fake URL-shortening services

Spammers are establishing their own fake URL-shortening services to perform URL redirection. This new spamming activity has contributed to this month’s increase in spam by 2.9 percentage points, a rise that was also expected following the Rustock botnet takedown in March.

Under this scheme, shortened links created on these fake URL-shortening sites are not included directly in spam messages. Instead, the spam emails contain shortened URLs created on legitimate URL-shortening sites. These shortened URLs lead to a shortened-URL on the spammer’s fake URL-shortening Web site, which in turn redirects to the spammer’s own Web site.

“MessageLabs Intelligence has been monitoring the way that spammers abuse URL-shortening services for a number of years using a variety of different techniques, so it was only a matter of time before a new technique appeared,” said Paul Wood, MessageLabs Intelligence Senior Analyst. “What is unique about the new URL-shortening sites is that the spammers are treating them as ‘stepping stones’ – a link between public URL-shortening services and the spammers’ own sites.”

To make things more interesting, these new domains were registered several months before they were used, potentially as a means to evade detection by legitimate URL-shortening services since the age of the domain may be used as an indicator of legitimacy making it more difficult for the genuine shortening services to identify potential abuse.

“With legitimate URL-shortening services attempting to tackle abuse more seriously, spammers seem to be experimenting with ways to establish their own services to better avoid disruption,” Wood said. “However, as long as new URL-shortening services are being created, we expect spammers to continue abusing them.”
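To make the stepping-stone chain described above concrete from the defender’s side (and to illustrate the later advice in the best-practice list about expanding shortened URLs before clicking them), here is an added example that is not Symantec’s or this blog’s code. It expands a shortened link one hop at a time, the way a HEAD request that does not follow redirects would, and flags the pattern in the report: a public shortener forwarding to an unknown shortener-like host that forwards again. The redirect table, the shortener allow-list and the domain creation dates are constructed stand-ins for a live fetch, a locally maintained allow-list and a WHOIS lookup. Because the intermediate domain in the sample was registered months earlier, exactly as the report describes, the domain-age check alone does not flag it; the chain-shape check is what does.

```python
"""Expand a shortened URL hop by hop and flag 'stepping stone' redirect chains.

Added example, not code from the original post. fetch_location() is simulated
with a constructed table so the script runs offline; swap in a HEAD request
with redirects disabled to use it on live links.
"""
from datetime import date
from urllib.parse import urlsplit

# Assumption: an allow-list of public shorteners the organisation expects to see.
KNOWN_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

# Constructed redirect table standing in for HTTP 301/302 Location headers.
SIMULATED_LOCATIONS = {
    "http://bit.ly/abc123": "http://shrt-lnk.example/x9",        # public shortener
    "http://shrt-lnk.example/x9": "http://cheap-pills.example/buy",  # fake shortener
    "http://bit.ly/good": "http://www.example.org/news",
    "http://loop.example/a": "http://loop.example/b",
    "http://loop.example/b": "http://loop.example/a",
}

# Constructed WHOIS-style creation dates (assumption: fed from a domain-age lookup).
SIMULATED_CREATED = {
    "shrt-lnk.example": date(2010, 10, 15),   # registered months before first use
    "cheap-pills.example": date(2011, 5, 1),
}


def fetch_location(url):
    """Return the Location header a non-following HEAD request would see, or None."""
    return SIMULATED_LOCATIONS.get(url)


def expand_chain(url, max_hops=10):
    """Follow redirects one hop at a time and return every URL visited.
    A hop limit and a seen-set stop redirect loops from hanging the caller."""
    chain = [url]
    seen = {url}
    while len(chain) <= max_hops:
        nxt = fetch_location(chain[-1])
        if nxt is None or nxt in seen:
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def assess_chain(chain, today=date(2011, 5, 31), young_days=180):
    """Return (verdict, reasons) for an expanded chain.

    Stepping-stone shape: known shortener -> intermediate host that is not on
    the allow-list -> further redirect. Domain age is reported as a secondary
    signal only, since the report notes it can be gamed by early registration."""
    hosts = [urlsplit(u).hostname for u in chain]
    reasons = []
    for host in hosts[1:-1]:                      # intermediate hops only
        if host not in KNOWN_SHORTENERS:
            reasons.append(f"intermediate redirect via unknown host {host}")
    if hosts[0] in KNOWN_SHORTENERS and len(chain) > 2:
        reasons.append("public shortener used as first hop of a multi-hop chain")
    for host in hosts[1:]:
        created = SIMULATED_CREATED.get(host)
        if created is not None and (today - created).days < young_days:
            reasons.append(f"{host} registered {(today - created).days} days ago")
    return ("suspicious" if reasons else "clean"), reasons


if __name__ == "__main__":
    for start in ("http://bit.ly/abc123", "http://bit.ly/good"):
        chain = expand_chain(start)
        verdict, why = assess_chain(chain)
        print(verdict, " -> ".join(chain), why)
```

Run on a mail gateway or a link-preview tool, the useful output is the full chain rather than just the final destination: the final pharmacy site may change daily, while the unknown intermediate host is the reusable indicator to block or watch.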

 Symantec MessageLabs Email AntiVirus.cloud

The global ratio of email-borne viruses in email traffic was one in 222.3 emails (0.450%) in May, a decrease of 0.143 percentage points since April 2011.

In May, 30.0% of email-borne malware contained links to malicious Web sites, an increase of 16.9 percentage points since April 2011. A large number of emails containing variants of Bredolab related malware, accounted for 16.3% of all email-borne malware, compared with 55.1% in the previous month. These variants were commonly attached as ZIP files, rather than hyperlinks, and as the volume of these attacks diminishes, the proportion of attacks using hyperlinks increased.

The UK had the highest ratio of malicious emails in May, as one in 91.7 emails was blocked as malicious in May. A large number of variants of Bredolab malware continued to be observed in a number of countries during May, as highlighted in the table below.

In the US, virus levels for email-borne malware were 1 in 540.3 and 1 in 334.5 for Canada. In Germany virus activity reached 1 in 435.9, 1 in 1,197 in Denmark and in The Netherlands 1 in 330.1. In Australia, 1 in 513.5 emails were malicious and 1 in 377.2 in Hong Kong; for Japan it was 1 in 1,164, compared with 1 in 706.7 in Singapore. In South Africa, 1 in 178.7 emails and 1 in 378.3 emails in Brazil contained malicious content. With 1 in 28.9 emails being blocked as malicious, the Public Sector remained the most targeted industry in May. Virus levels for the Chemical & Pharmaceutical sector were 1 in 305.9 and 1 in 367.9 for the IT Services sector; 1 in 377.7 for Retail, 1 in 108.8 for Education and 1 in 313.5 for Finance.

Phishing Analysis

In May, Phishing activity decreased by 0.06 percentage points since April 2011; one in 286.7 emails (0.349%) comprised some form of Phishing attack.

South Africa remained the most targeted geography for Phishing emails in May, with 1 in 80.2 emails identified as Phishing attacks. South Africa suffers from a high level of Phishing activity targeting many of its four major national banks, as well as other international financial institutions.

In the UK, Phishing accounted for 1 in 100.1 emails. Phishing levels for the US were 1 in 1,227 and 1 in 239.2 for Canada. In Germany Phishing levels were 1 in 1,540, 1 in 2,662 in Denmark and 1 in 780.9 in The Netherlands. In Australia, Phishing activity accounted for 1 in 1,022 emails and 1 in 2,235 in Hong Kong; for Japan it was 1 in 10,735 and 1 in 2,111 for Singapore. In Brazil, 1 in 589.5 emails were blocked as Phishing attacks.

The Public Sector remained the most targeted by Phishing activity in May, with 1 in 33.2 emails comprising a Phishing attack. Phishing levels for the Chemical & Pharmaceutical sector were 1 in 982.8 and 1 in 738.9 for the IT Services sector; 1 in 537.0 for Retail, 1 in 141.4 for Education and 1 in 267.0 for Finance.

Symantec MessageLabs Web Security.cloud

In May, MessageLabs Intelligence identified an average of 3,142 Web sites each day harboring malware and other potentially unwanted programs including Spyware and adware; an increase of 30.4% since April 2011. This reflects the rate at which Web sites are being compromised or created for the purpose of spreading malicious content. Often this number is higher when Web-based malware is in circulation for a longer period of time to widen its potential spread and increase its longevity.

As detection for Web-based malware increases, the number of new Web sites blocked decreases and the proportion of new malware begins to rise, but initially on fewer Web sites. Further analysis reveals that 36.8% of all malicious domains blocked were new in May; an increase of 3.8 percentage points compared with April 2011. Additionally, 24.6% of all Web-based malware blocked was new in May; an increase of 2.1 percentage points since the previous month.

Endpoint Protection

The endpoint is often the last line of defense and analysis. The threats found here can shed light on the wider nature of threats confronting businesses, especially from blended attacks. Attacks reaching the endpoint are likely to have already circumvented other layers of protection that may already be deployed, such as gateway filtering.

The most frequently blocked malware for the last month was W32.Ramnit!html. This is a generic detection for .HTML files infected by W32.Ramnit, a worm that spreads through removable drives and by infecting executable files. The worm spreads by encrypting and then appending itself to files with .DLL, .EXE and .HTM extensions. Variants of the Ramnit worm accounted for 14.0% of all malicious software blocked by endpoint protection technology in May.

Geographical Trends:

  • Russia became the most spammed in May with a spam rate of 82.2 percent.
  • In the US 76.4 percent of email was spam and 75.3 percent in Canada and 75.4 percent in the UK.
  • In The Netherlands, spam accounted for 77.5 percent of email traffic, in Germany 75.5 percent, 75.1 percent in Denmark and 73.9 percent in Australia.
  • Spam levels in Hong Kong reached 75.2 percent and 74.0 percent in Singapore. Spam levels in Japan were 72.3 percent.
  • In South Africa, spam accounted for 75.9 percent of email traffic and 74.8% in Brazil.
  • The UK had the highest ratio of malicious emails in May, as one in 91.7 emails was blocked as malicious in May.
  • In the US virus levels were 1 in 540.3 and 1 in 334.5 for Canada. In Germany, virus levels reached 1 in 435.9, 1 in 1,197 in Denmark and 1 in 330.1 for The Netherlands.
  • In Australia, 1 in 513.5 emails were malicious and 1 in 377.2 for Hong Kong; for Japan it was 1 in 1,164 compared with 1 in 706.7 for Singapore.
  • In South Africa 1 in 178.7 emails contained malicious content and in Brazil it was 1 in 378.3.

Vertical Trends:

  • In May, the most spammed industry sector with a spam rate of 80.2 percent was the Wholesale sector.
  • Spam levels for the Education sector were 77.4 percent, 76.0 percent for the Chemical & Pharmaceutical sector, 75.4 percent for IT Services, 75.4 percent for Retail, 74.5 percent for Public Sector and 74.7 percent for Finance.
  • In May, the Public Sector remained the most targeted industry for malware with 1 in 28.9 emails being blocked as malicious.
  • Virus levels for the Chemical & Pharmaceutical sector were 1 in 305.9, 1 in 367.9 for the IT Services sector, 1 in 377.7 for Retail, 1 in 108.8 for Education and 1 in 313.5 for Finance.

For further details visit the Symantec website here.

March’s Report summary can be found here.

April’s Report summary can be found here.


Best Practice Guidelines for Enterprises – an IT Security Guide


In Symantec’s Intelligence Report: June 2011 they produced a Best Practice Guidelines for Enterprises wishing to improve their IT Security.

The details of the Best Practice Guide are below. 

1. Employ defense-in-depth strategies: Emphasize multiple, overlapping, and mutually supportive defensive systems to guard against single-point failures in any specific technology or protection method. This should include the deployment of regularly updated firewalls, as well as gateway antivirus, intrusion detection, intrusion protection systems, and Web security gateway solutions throughout the network.

2. Monitor for network threats, vulnerabilities and brand abuse: Monitor for network intrusions, propagation attempts and other suspicious traffic patterns, and identify attempted connections to known malicious or suspicious hosts. Receive alerts for new vulnerabilities and threats across vendor platforms for proactive remediation. Track brand abuse via domain alerting and fictitious site reporting.

3. Antivirus on endpoints is not enough: On endpoints, signature-based antivirus alone is not enough to protect against today’s threats and Web-based attack toolkits. Deploy and use a comprehensive endpoint security product that includes additional layers of protection including:

  • Endpoint intrusion prevention that stops unpatched vulnerabilities from being exploited, protects against social engineering attacks and stops malware from reaching endpoints;
  • Browser protection for protection against obfuscated Web-based attacks;
  • Consider cloud-based malware prevention to provide proactive protection against unknown threats;
  • File and Web-based reputation solutions that provide a risk-and-reputation rating of any application and Web site to prevent rapidly mutating and polymorphic malware;
  • Behavioral prevention capabilities that look at the behavior of applications and malware and prevent malware;
  • Application control settings that can prevent applications and browser plug-ins from downloading unauthorized malicious content;
  • Device control settings that prevent and limit the types of USB devices to be used.

4. Use encryption to protect sensitive data: Implement and enforce a security policy whereby sensitive data is encrypted. Access to sensitive information should be restricted. This should include a Data Loss Protection (DLP) solution, which is a system to identify, monitor, and protect data. This not only serves to prevent data breaches, but can also help mitigate the damage of potential data leaks from within an organization.

5. Use Data Loss Prevention to help prevent data breaches: Implement a DLP solution that can discover where sensitive data resides, monitor its use and protect it from loss. Data loss prevention should be implemented to monitor the flow of data as it leaves the organization over the network, and to monitor copying of sensitive data to external devices or Web sites. DLP should be configured to identify and block suspicious copying or downloading of sensitive data. DLP should also be used to identify confidential or sensitive data assets on network file systems and PCs so that appropriate data protection measures like encryption can be used to reduce the risk of loss.
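The two halves of this guideline, discovering where sensitive data resides and then enforcing policy when it is copied, are easier to reason about with a small working model. The following is an added example, not Symantec’s or this blog’s code, and it also illustrates the Ponemon recommendation earlier on this page to use monitoring technology that notifies on inappropriate copying. The classifiers (a card-number pattern validated with the Luhn check, and a CONFIDENTIAL marking) and the rule that sensitive content may only be copied to encrypted removable storage are assumptions standing in for a DLP product’s rule set; the sample files are constructed in a temporary directory.

```python
"""Minimal DLP model: discover sensitive files, then decide on a copy to external media.

Added example, not code from the original post or from any DLP product. The
content classifiers and the device policy are assumptions chosen for illustration.
"""
import os
import re
import tempfile

# 13-16 digits, optionally separated by spaces or dashes (assumption: card-number shape).
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
# Assumption: documents are labelled with a CONFIDENTIAL marking.
MARKING_RE = re.compile(r"\bCONFIDENTIAL\b", re.IGNORECASE)


def luhn_ok(digits):
    """Luhn checksum, so that order numbers and other random digit runs are not flagged."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_text(text):
    """Return the set of labels ('PAN', 'MARKED') that apply to a piece of text."""
    labels = set()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            labels.add("PAN")
            break
    if MARKING_RE.search(text):
        labels.add("MARKED")
    return labels


def discover(root):
    """Walk a directory tree and return {relative_path: labels} for files that
    contain sensitive content (the 'discover where sensitive data resides' step)."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    labels = classify_text(fh.read())
            except OSError:
                continue  # unreadable file: skip, a real scanner would log it
            if labels:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = labels
    return findings


def copy_decision(labels, destination_encrypted):
    """Policy for the 'monitor copying to external devices' step (assumption):
    labelled content may only be written to encrypted removable storage."""
    if not labels:
        return "allow"
    return "allow" if destination_encrypted else "block"


def demo():
    """Build a constructed sample tree, run discovery, and evaluate copies of
    every file to an unencrypted USB stick. Returns (findings, decisions)."""
    root = tempfile.mkdtemp()
    samples = {
        "finance/cards.csv": "name,pan\nA. Person,4111 1111 1111 1111\n",   # valid Luhn
        "hr/plan.txt": "CONFIDENTIAL - restructuring plan Q3\n",
        "public/readme.txt": "Order 1234567890123456 shipped.\n",            # fails Luhn
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    found = discover(root)
    decisions = {
        rel: copy_decision(found.get(rel, set()), destination_encrypted=False)
        for rel in samples
    }
    return found, decisions


if __name__ == "__main__":
    found, decisions = demo()
    print("discovered:", found)
    print("copy to unencrypted USB:", decisions)
```

The discovery pass gives the inventory that the encryption guideline in point 4 needs (you cannot encrypt what you have not located), and the copy decision is the same check a device-control or DLP agent makes at the moment of the write; keeping the two behind one classifier means the monitor and the inventory never disagree about what counts as sensitive.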

6. Implement a removable media policy. Where practical, restrict unauthorized devices such as external portable hard-drives and other removable media. Such devices can both introduce malware as well as facilitate intellectual property breaches—intentional or unintentional. If external media devices are permitted, automatically scan them for viruses upon connection to the network and use a DLP solution to monitor and restrict copying confidential data to unencrypted external storage devices.

7. Update your security countermeasures frequently and rapidly: With more than 286M variants of malware detected by Symantec in 2010, enterprises should be updating security virus and intrusion prevention definitions at least daily, if not multiple times a day.

8. Be aggressive on your updating and patching: Update, patch and migrate from outdated and insecure browsers, applications and browser plug-ins to the latest available versions using the vendors’ automatic update mechanisms. Most software vendors work diligently to patch exploited software vulnerabilities; however, such patches can only be effective if adopted in the field. Be wary of deploying standard corporate images containing older versions of browsers, applications, and browser plug-ins that are outdated and insecure. Wherever possible, automate patch deployments to maintain protection against vulnerabilities across the organization.

9. Enforce an effective password policy. Ensure passwords are strong; at least 8-10 characters long and include a mixture of letters and numbers. Encourage users to avoid re-using the same passwords on multiple Web sites and sharing of passwords with others should be forbidden. Passwords should be changed regularly, at least every 90 days. Avoid writing down passwords.

10. Restrict email attachments: Configure mail servers to block or remove email that contains file attachments that are commonly used to spread viruses, such as .VBS, .BAT, .EXE, .PIF, and .SCR files. Enterprises should investigate policies for .PDFs that are allowed to be included as email attachments.
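As an added example (not part of Symantec's tips or this post), the following Python check does what a mail-server rule under tip 10 would do: it walks a constructed MIME message and returns the attachments whose extension is on the page's list, matching case-insensitively so that an uppercase ".SCR" or a double extension like "report.pdf.exe" is still caught. The message, addresses and attachment contents are constructed for the demonstration; the .PDF decision is left to local policy, as the tip says.

```python
"""Attachment block list for tip 10 (added example, not Symantec's code).

A gateway-style check that walks a MIME message and returns attachments
whose final extension is on the page's list. The comparison is
case-insensitive, so 'Photo.SCR' and the double-extension
'report.pdf.exe' are both caught, while .PDF is left to local policy."""
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# File types the page names as commonly used to spread viruses.
BLOCKED_EXTENSIONS = {".vbs", ".bat", ".exe", ".pif", ".scr"}


def blocked_attachments(raw_message: bytes) -> list[str]:
    """Return the filenames of attachments a mail server should block."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        # An attachment with no filename has nothing to match here and is
        # left to the gateway's default disposition.
        name = (part.get_filename() or "").strip()
        ext = os.path.splitext(name)[1].lower()
        if ext in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


def build_sample_message() -> bytes:
    """Constructed sample: a benign PDF, an uppercase .SCR, a double extension."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"   # placeholder addresses
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached files.")
    msg.add_attachment(b"%PDF-1.4 (constructed, not a real PDF)",
                       maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    msg.add_attachment(b"MZ (constructed, not a real executable)",
                       maintype="application", subtype="octet-stream",
                       filename="Photo.SCR")
    msg.add_attachment(b"MZ (constructed, not a real executable)",
                       maintype="application", subtype="octet-stream",
                       filename="report.pdf.exe")
    return msg.as_bytes()


if __name__ == "__main__":
    print(blocked_attachments(build_sample_message()))  # ['Photo.SCR', 'report.pdf.exe']
```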

11. Ensure that you have infection and incident response procedures in place:

  • Ensure that you have your security vendors contact information, know who you will call, and what steps you will take if you have one or more infected systems;
  • Ensure that a backup-and-restore solution is in place in order to restore lost or compromised data in the event of successful attack or catastrophic data loss;
  • Make use of post-infection detection capabilities from Web gateway, endpoint security solutions and firewalls to identify infected systems;
  • Isolate infected computers to prevent the risk of further infection within the organization;
  • If network services are exploited by malicious code or some other threat, disable or block access to those services until a patch is applied;
  • Perform a forensic analysis on any infected computers and restore those using trusted media.

12. Educate users on the changed threat landscape:

  • Do not open attachments unless they are expected and come from a known and trusted source, and do not execute software that is downloaded from the Internet (if such actions are permitted) unless the download has been scanned for viruses;
  • Be cautious when clicking on URLs in emails or social media programs, even when coming from trusted sources and friends;
  • Do not click on shortened URLs without previewing or expanding them first using available tools and plug-ins;
  • Recommend that users be cautious of information they provide on social networking solutions that could be used to target them in an attack or trick them to open malicious URLs or attachments;
  • Be suspicious of search engine results and only click through to trusted sources when conducting searches, especially on topics that are hot in the media;
  • Deploy Web browser URL reputation plug-in solutions that display the reputation of Web sites from searches;
  • Only download software (if allowed) from corporate shares or directly from the vendor's Web site;
  • If users see a warning indicating that they are “infected” after clicking on a URL or using a search engine (fake antivirus infections), have users close or quit the browser using Alt-F4, CTRL+W or the task manager.

The Symantec Security Response web page can be found here.


Symantec MessageLabs April 2011 Intelligence Report


Symantec MessageLabs have released their April 2011 Intelligence Report which as usual makes very interesting reading.

The highlights of the Intelligence Report are below:

  • Spam – 72.9% in April (a decrease of 6.4 percentage points since March 2011)
  • Viruses – One in 168.6 emails in April contained malware (an increase of 0.11 percentage points since March 2011)
  • Phishing – One in 242.2 emails comprised a phishing attack (an increase of 0.02 percentage points since March 2011)
  • Malicious web sites – 2,431 web sites blocked per day (a decrease of 18.2% since March 2011)
  • 33.0% of all malicious domains blocked were new in April (a decrease of 4.0 percentage points since March 2011)
  • 22.5% of all web-based malware blocked was new in April (a decrease of 1.9 percentage points since March 2011)
  • Targeted attacks increase in intensity: What does a recent targeted attack look like?
  • Shortened URLs: Do you know what you’re clicking on?

Symantec MessageLabs' table below shows the most frequently blocked email-borne malware for April, many of which take advantage of malicious hyperlinks. Overall, 55.1% of email-borne malware was associated with Bredolab, Sasfis, SpyEye and Zeus variants, a trend initially reported in the MessageLabs Intelligence Report for February 2011.

Malware                        % of email-borne malware blocked
Trojan.Bredolab!eml            37.67%
Exploit/FakeAttach              4.54%
HeurAuto-08ba                   3.88%
Gen:Variant.Kazy.17074          3.53%
Trojan.Bredolab                 3.31%
W32/Bredolab.gen!eml-19251      3.27%
W32/Bredolab.gen!eml            2.83%
Gen:Variant.Kazy.16615          1.80%
W32/Generic-afcd                1.79%
W32/Delf-Generic-ad9e           0.70%

Symantec MessageLabs' table below shows the malware most frequently blocked targeting endpoint devices for the last month. This includes data from endpoint devices protected by Symantec technology around the world, including data from clients which may not be using other layers of protection, such as Symantec MessageLabs Web Security.cloud or Symantec MessageLabs Email AntiVirus.cloud.

Malware                        % of endpoint malware blocked
W32.Sality.AE                   8.10%
W32.Ramnit.B!inf                7.80%
W32.Ramnit!html                 6.90%
Trojan.Gen                      6.80%
Trojan Horse                    6.80%
Trojan.Bamital                  5.30%
W32.Downadup.B                  4.10%
Trojan.Gen.2                    3.80%
Downloader                      3.80%
W32.Almanahe.B!inf              2.50%

See the entire Symantec MessageLabs Intelligence Report here.

The March report summary can be found here.


Symantec MessageLabs March 2011 Intelligence Report


Symantec MessageLabs have released their March 2011 Intelligence Report which as usual makes very interesting reading.

The highlights of the Intelligence Report are below:

  • Spam – 79.3% in March (a decrease of 2.0 percentage points since February 2011)
  • Viruses – One in 208.9 emails in March contained malware (an increase of 0.13 percentage points since February 2011)
  • Phishing – One in 252.5 emails comprised a phishing attack (a decrease of 0.07 percentage points since February 2011)
  • Malicious websites – 2,973 web sites blocked per day (a decrease of 27.5% since February 2011)
  • 37.0% of all malicious domains blocked were new in March (a decrease of 1.9 percentage points since February 2011)
  • 24.5% of all web-based malware blocked was new in March (an increase of 4.2 percentage points since February 2011)
  • Global spam volumes drop by one third, as Rustock botnet is dismantled
  • First review of spam-sending botnets in 2011 identified Bagle as most active botnet as Rustock fell silent
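The month-on-month changes in this list and in the April list above mix two measures: rates given as "one in N emails" are compared in percentage points, while the blocked-sites count is compared as a percentage change. The following is an added example, not Symantec's own calculation, that converts the quoted "one in N" figures to percentages and reproduces the report's stated changes from the March and April numbers on this page.

```python
"""Reconciling the MessageLabs headline figures (added example, not
Symantec's own calculation). Rates quoted as "one in N emails" are
converted to percentages and compared in percentage points (absolute
change), while sites blocked per day, a count, is compared as a
percentage change (relative change). All inputs are quoted on the page."""

# Figures quoted on this page, as (March 2011, April 2011).
ONE_IN_N_MALWARE = (208.9, 168.6)
ONE_IN_N_PHISHING = (252.5, 242.2)
SPAM_PERCENT = (79.3, 72.9)
SITES_BLOCKED_PER_DAY = (2973, 2431)


def one_in_n_to_percent(n: float) -> float:
    """'One in N emails' expressed as a percentage of all emails."""
    return 100.0 / n


def pp_change(prev_pct: float, curr_pct: float) -> float:
    """Absolute change of a rate, in percentage points, rounded as the report does."""
    return round(curr_pct - prev_pct, 2)


def percent_change(prev: float, curr: float) -> float:
    """Relative change of a count, in percent, rounded to one decimal."""
    return round(100.0 * (curr - prev) / prev, 1)


def reconcile() -> dict:
    """Recompute each stated April-vs-March change from the raw figures."""
    malware_prev, malware_curr = (one_in_n_to_percent(n) for n in ONE_IN_N_MALWARE)
    phish_prev, phish_curr = (one_in_n_to_percent(n) for n in ONE_IN_N_PHISHING)
    return {
        "malware_pct_april": round(malware_curr, 3),     # ~0.593% of emails
        "malware_pp": pp_change(malware_prev, malware_curr),   # report says +0.11
        "phishing_pp": pp_change(phish_prev, phish_curr),      # report says +0.02
        "spam_pp": pp_change(*SPAM_PERCENT),                   # report says -6.4
        "sites_pct": percent_change(*SITES_BLOCKED_PER_DAY),   # report says -18.2%
    }


if __name__ == "__main__":
    for key, value in reconcile().items():
        print(f"{key}: {value}")
```

Note that a 0.11 percentage-point rise in the malware rate is a relative increase of roughly 24%, which is the figure to use when judging how much worse April was than March.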

SPAM. The Russian Federation is now the most frequent source of spam in March, perhaps in large part because a large number of bots for Bagle, Lethic and Maazben are located in this geography.

Country % of Spam
Russian Federation 12.4%
India 8.8%
Brazil 5.9%
United States 4.5%
Ukraine 4.4%
Colombia 3.9%
Romania 3.8%
Argentina 2.8%
Vietnam 2.5%
Korea, Republic of 2.5%

Symantec MessageLabs' table below shows the most frequently blocked email-borne malware for March, many of which take advantage of malicious hyperlinks. In March, 35.3% of email-borne malware was associated with Bredolab, SpyEye and Zeus variants, a trend initially reported in the MessageLabs Intelligence Report for February 2011.

Malware                        % of email-borne malware blocked
Trojan.Bredolab!eml            24.0%
Exploit/SuspLink-7d87          17.1%
W32/Bredolab.gen!eml-19251      4.8%
Trojan.Bredolab                 1.9%
Exploit/SuspLink.dam            1.8%
Exploit/SuspLink-6c7b           1.6%
W32/Bredolab.gen!eml            1.5%
W32/Bredolab!gen-ad91           1.4%
Exploit/LinkAliasPostcard-b354  0.8%
W32/Delf-Generic-ad9e           0.7%

Symantec MessageLabs' table below shows the malware most frequently blocked targeting endpoint devices for the last month.

Malware                        % of endpoint malware blocked
W32.Sality.AE                   8.3%
Trojan.Gen*                     7.7%
Trojan Horse                    7.4%
W32.Ramnit!html                 5.8%
Trojan.Gen.2*                   4.9%
W32.Ramnit.B!inf                4.3%
Trojan.ADH.2                    4.3%
Trojan.Bamital                  4.3%
W32.Downadup.B                  3.9%
Downloader*                     3.5%

See the whole Symantec MessageLabs Intelligence Report here.

It is also worth reading the earlier posts on Phishing and the impact on the UK Banks and the Fraud Intelligence Report.

