2015 Security Report

Editor's Notes

1. Good morning. Every year, Check Point publishes the findings that it observes of security events to better inform our customers and the public about security incidents as well as how they can mitigate them.
2. In the 2015 Check Point Annual Security Report, we analyzed trends from Events discovered through ThreatCloud which connects to security gateways of over 16,000 organizations around the world Over 1300 security check up reports that we performed in organizations representing a wide range of businesses and industries; More than 3000 gateways using ThreatCloud emulation services and over 1 Million smartphones In all, over 122 countries and 300,000 hours of monitoring have gone into our trend analysis. (Note the 122 countries was obtained from last year’s report. There was no mention of the number of countries in this report but this is a good stat to have).
3. When we look at anything over time, some of the mystery dissolves and trends emerge – trends that can help us predict the future. The world of cyber threats has evolved over the past 25 years as protections are introduced and cyber criminals find pathways around them. Cyber criminals study defensive structures and think through how they can achieve their desired outcomes. The have one big advantage, launching attacks is both low risk and inexpensive so they can launch a lot and see what works. So let’s see how the trends have evolved this past year.
4. Let’s start with a true story about a German steel mill. The report, issued by Germany’s Federal Office for Information Security (or BSI), indicates the attackers gained access to the steel mill through the plant’s business network. [Source: http://www.wired.com/2015/01/german-steel-mill-hack-destruction/]
5. Most in the security industry know about Spear Phishing – the concept of an email coming from a known and trusted source that has malicious content. An estimated 91% of hacking attacks begin with a phishing or spear-phishing email. It only takes one click to launch the payload. And that’s where the German steel mill’s story begins, with a spear phishing attack. Here is how it worked. [Source of the 91% figure: http://www.wired.com/2015/04/hacker-lexicon-spear-phishing/]
6. Phase 1 started the process. An email got sent that appeared to come from a trusted source. The intent of the email was to trick the recipient into opening a malicious attachment or visiting a malicious web site where malware was downloaded to the individual’s computer. Worth noting is a study by the Online Trust Alliance: Of the more than 1000 breaches in the first half of 2014, more than 25% were caused by employees clicking on phishing links. When they click, the payload is launched. It is believed that this is how the attackers gained initial access to the steel mill. [Source of the 25%, https://otalliance.org/system/files/files/resource/documents/dpd_2015_guide.pdf]
7. In most phishing attacks, the payload will exploit a vulnerability in employees’ computers allowing external access. Once that access is gained, additional attacks can be launched.
8. The initial infected network is often called a ‘beachhead’, or a stable starting point from which internal movements throughout the network can take place. In an ideally structured network, this is as far as an attack would progress because each network would be segmented, but this was not the case in the German steel mill incident.
9. Once the attackers got a foothold on one system, they were able to explore the company’s networks, including the industrial components on the production network. The industrial controls were supposed to be completely segmented from the Internet-connected network.
10. In the case of the German mill, “Failures accumulated in individual control components or entire systems,” the report notes. As a result, the plant was “unable to shut down a blast furnace in a regulated manner” which resulted in “massive damage to the system.”
11. Now let’s turn our attention back to what Check Point researchers learned across the key areas we focus on: Unknown Malware, Known Malware, Mobility, High-Risk Applications, and Data Loss Prevention.
12. In general, the trend of the past several years has shown an exponential rise in new malware. 2014 was no different. New malware variants increased 71% from 83 Million in 2013 to 142 million in 2014. Malware kits capable of creating new malware variants are readily available for even novice users to execute.
13. We observed across our gateway network that 63% of organizations analyzed attempted download of a malicious payload in 2014. Every 34 seconds, a new piece of unknown malware is downloaded because for most organizations there are no protections in place to stop them. Every 6 minutes a known malware is downloaded.
14. It raises the question, which is more scary, unknown malware or known malware? Most organizations think unknown malware is more dangerous. But that’s not necessarily true. Both are equally as dangerous should they get inside your network. The only difference is the type of protection needed to defend against them. Even if a malware is known, if system vulnerabilities are not patched or the intrusion prevention system not updated with the latest signatures, it can wreak havoc. Let’s look a little closer at unknown malware.
15. Unknown malware is one that most IPS or AV systems don’t recognize or don’t have a signature for. It can be zero-day or simply a small modification on known malware to change the signature of it so that it is not recognized. Of the 41% of organizations that downloaded at least one infected file with unknown malware, 52% of those files were PDFs where people thought they were safe by definition. Our research showed that one piece of unknown malware is being downloaded every 34 seconds.
16. And yet, as frightening as unknown malware is, known malware keeps chugging along, continuing to at a steady rate. One of the more efficient ways to amplify and accelerate its spread is through bots – where an infected computer allows third party control over some or all of the machine’s functions. In 2014, there was a rise in the number of infected organizations. 83% of the organizations studies were infected with bots--and these bots communicate with their command and control every minute. When it is time to launch a distributed denial of service, these bots can be organized to attack a specific target at a specific time. Some of their objectives: to steal credentials, disable security services, perform click fraud, enable remote access or any number of other backdoor attack scenarios.
17. In 2014, Distributed Denial of Service (DDoS) accounted for 60 percent of all attacks, almost double from the previous year. DDoS attacks, which temporarily knock a server or other network resource out of service, were occurring 48 times per day in 2014—up from eight times per day in 2013 representing a 500 percent increase! In 2013, the majority of DDoS attacks were found largely in the consulting sector. In 2014, they spanned almost two thirds of businesses across all industries.
18. Within the category of malware, we have many areas that show vulnerability. In 2013, servers were the preferred target. In 2014, this all changed. Clients are now the weakest link. Client-side attacks increased from 32% to 60% while server side dropped from 68% to 40% at the same time. The shift is due to increases in phishing attacks. Why? Because hackers discovered that through social engineering, humans are easier to trick than machines.
19. When looking across all of the known and unknown event types, the most dominant points of entry are enterprise endpoints. And, the biggest cause of enterprise endpoint vulnerabilities is negligence. According to our findings, 20 percent of enterprise hosts are not running a desktop firewall; 10 percent of enterprise hosts don’t have updated service packs; 25 percent don’t have updated versions of their software; and 17 percent don’t have anti-virus installed at all. In addition, 35 percent of enterprise hosts are configured such that users have local administrator permissions, putting their operating systems at greater risk for malware exploitation. And 54% are still allowing Bluetooth – a communication avenue that is known to have real vulnerabilities.
20. In our mobile threat research, more than 500,000 Android and 400,000 iOS devices that connected to corporate Wi-Fi through Check Point firewalls in more than 100 countries were studied. If devices communicated with a command and control (C&C) server, they were considered infected. Researchers found that 1 out of every 1,000 devices was infected. Commercial mobile surveillance kits, typically used for monitoring children—or in some cases spying—were put under the microscope. Such products are vulnerable to mobile remote-access Trojans (mRATs), which top the list of mobile malware. If there are 2,000 devices or more in an organization, there is a 50 percent chance that there are at least six infected or targeted mobile devices on their network. By mobile platform, that breaks down to 60 percent Android and 40 percent iOS. Check Point found that 42% of businesses suffered mobile security incidents costing more that $250,000 to remediate.
21. As we just reviewed, the next big attack are employee mobile devices. Malicious mRATs allow potential attackers to steal sensitive information from a device. They can take control of the different sensors to execute keylogging, steal messages, turn on video cameras, and more. There are many types of mobile RATs and by type, here is what we found in terms of popularity and usage. Now let’s look at High-Risk Applications.
22. We found that the combining of personal and business on the same devices breeds poorer security postures. Users will tend to engage high risk applications more often on their personal devices mostly because they don’t understand the risks. High risk applications come in many forms, but one of the main categories that people voluntarily use are called peer-to-peer file sharing applications. BitTorrent Protocol and SoulSeek are just two popular examples of what is typically used for media exchange like music, videos, or real-time communication, and 2014 saw an increase in usage of P2P file-sharing applications. People love getting things for free, and P2P gives the illusion that they are getting videos and songs for free. But it may be coming at the cost of their jobs if hackers steal information from their corporate network.
23. When safeguards are put in place by Corporate IT, many users try to get around it by using tools like anonymizers—browser plugins or web services such as Tor or OpenVPN allow users to interact online, anonymously. These can be used legitimately, to minimize risk, but all too often, they are used for malicious purposes. Last year’s top three included Tor, Ultrasurf, and Hide My Ass. This year: Tor slipped to third place; OpenVPN and Coralcdn were numbers one and two. Organizations experience nearly 13 high risk application usages every hour. That’s 305 times per day, or about once every 5 minutes.
24. But even if you’re doing everything right and keeping high-risk applications in check, there’s another security issue that lurks: data loss from the inside. In general, every 36 minutes sensitive data is sent out side the organization. The question becomes how well this data is safeguarded. Data loss is the biggest risk an organization faces. In 2014, organizations suffered a data loss at a rate of 1.7 times per hour, or 41 times per day. In 2014, 81% of organizations experienced at least one potential data loss incident. Although we saw a decline from last 2013, 81% is still a very large number.
25. Of the information sent by employees, 30% involve credit card data and 25% is sensitive personal information. The result is a lot of data being sent – some safeguarded, some not.
26. So what can you do?
27. Close the gaps It is vital to have a multi-layered security strategy. Protect against known malware with IPS and anti-virus. If infected, then leverage anti-bot to ensure that communication does not occur to a command and control center. That said, protecting against known malware, only solves part of the puzzle. Zero day protection solutions such as CPU and OS level sandboxing identify new, unknown malware. And for complete threat removal, threat extraction reconstructs documents so that they are malware free. Source: 1- Kaspersky Labs Virus Bulletin (www.virusbtn.com) – October 2014
28. Best practices in security recommend segmentation. By partitioning your network, you limit access if infiltrated to simply that segment versus your whole network. Smaller network segments are easier to protect and limit the scope should a breach occur.
29. Multi-layer protection is the best protection approach. Weaponized documents like Microsoft Office and PDFs can be analyzed and protected using threat emulation. It’s recommended that both CPU level and OS level sandboxing is used. Also, to ensure your employees always receive malware free documents, it’s recommended to use threat extraction to ensure that only safe documents are delivered. Command and control communications can be blocked using anti-bot protection. Malware infestation can be blocked using IPS and anti-malware protections such antivirus
30. For management and visibility, a single console view gives you holistic view of the events that are happening on your network and provide the best possible security approach. With so many protection tools, it is vital to be able to visualize and control them in concert rather than one at a time. Having integrated real time event management that uses unified policies across all of the tools and automates changes to they are simultaneous and orchestrated are vital to real protection.
31. The cyber war is happening whether you decide to protect yourself or not. The trends are quite real and will continue to advance at the same pace. Check Point Security will protect your organization from today’s and tomorrow’s threats.
32. Together, we secure the future.
33. Download the entire security report today at www dot checkpoint dot com.