What You Need to Know About This New Bank Account Threat


Sophos Researcher James Wyke recently did an analysis of the malware Vawtrak. He found that Vawtrak has been targeting financial institutions, especially banks.

Vawtrak injects DLL code into the targeted bank’s website, which allows it to bypass the victim’s two-factor authentication and infect the victim with mobile malware. The malware then automatically transfers money out of the victim’s account and hides any traces of the transfer.

If you notice unusual activity in your bank account or strange requests from your bank online, you may be Vawtrak’s latest victim.

REMEMBER: If you do not consistently update your security software, you are more vulnerable to these types of malware attacks.

Contact Towerwall for more information about the best types of protection against Vawtrak and future malware attacks.

The 4 Es of Enterprise Security


Building a solid security program takes time. Every organization is different. It’s very important to assess your technology, and consider both internal and external threats. An assessment will reveal vulnerabilities. The remediation process will help you take full advantage of your existing security assets and point you at any gaps that need filling. Even once your defenses are in place, vigilance is an ongoing requirement because new threats are emerging all the time.

In the face of our increasing reliance upon the cloud, and trends like BYOD, enterprise security is at greater risk than ever before. That’s why Gartner is predicting that more than 50% of organizations will be engaging security services firms by 2018. Every business needs to have a security program in place. Here are four Es that can help guide you through the process: Evaluate, Establish, Educate, and Enforce.

Evaluate

You can’t begin to create a security strategy until you have a clear, big picture view of where you stand. You need to conduct a complete security assessment, ideally by engaging a third-party expert that can give you an unbiased outside overview of your current systems and policies. The first time you do this it will be a major undertaking, but thereafter it should be a less burdensome recurring responsibility.

This evaluation should encompass all devices used in the business from desktop PCs and laptops, to smartphones and tablets. It needs to take into account your IT infrastructure, your networks, internally developed software and databases, and third-party systems and apps. Regulatory requirements must be taken into account, for example, HIPAA in the health care industry. It’s important to identify compliance failures.

Establish

It will undoubtedly be necessary to establish and/or develop your information security program in the wake of your assessment. Every situation that could constitute a risk for the business must be catered for, from an established procedure for wiping company data and deleting user accounts when an employee leaves, to a detailed MDM (Mobile Device Management) policy to configure mobile devices on your network and safeguard your data.

A regular schedule of program and policy evaluation will be required to ensure that new technologies, software, and processes are catered for as they’re introduced. It will also serve as a check that no superfluous policies are retained that may pertain to outdated technology or discontinued processes.

Educate

Creating a comprehensive set of policies is only the start. You’ll have to educate and train employees if you expect those policies to be followed. Explain the underlying reasons, the potential risks, and the consequences of a breach. Proper training is an investment worth making and a necessary prerequisite for any enterprise security strategy to work effectively.

Proper training protects the organization from legal liability and enables management to hold staff accountable for their actions. You could have the best policy in the world, but a failure to educate your staff will render it useless.

Enforcement

It’s not enough to create your program, develop policy and educate the staff; you need systems in place that allow you to monitor compliance. Employees that breach security procedures must be punished. Systems that fail to meet your security standards must be replaced. Only by closely observing your data flow in action can you understand how well your security strategy is working.

When new vulnerabilities are identified they must be flagged immediately. As your program and policies evolve there must be IT resources in place to measure and enforce. Many threats, particularly data breaches, are the result of internal actions, so you need systems and metrics in place to cover every conceivable angle of attack.

Take a long term view

You have to balance the investment against the risk of lost revenue and business, legal liability, and serious decline in customer and shareholder confidence. It’s expensive to find, fix, and clean up data breaches before you even begin to tackle the confidence issue.

While initial costs may seem high, once you have a solid security strategy in place and a schedule for ongoing monitoring and evaluation, maintenance needn’t be expensive. Measured against the potential costs — an average $3.5 million for companies in 2014 according to the Ponemon Institute — the four Es of enterprise security look like a bargain.

The Cybersecurity Skills Gap


The information security profession, which evolved largely in reaction to threats, is now paying the price of an entire “missing generation.” Companies are challenged finding pros with the combination of business and technical savvy that is needed to combat growing threats. Compounding this problem, educational institutions are not graduating enough students with the necessary skills or experience for entry-level positions. It is estimated that between 300,000 and 1,000,000 current cybersecurity positions are vacant. Demand is expected to rise as public, private and government sectors face unprecedented numbers of data breaches and cybersecurity threats.

The lack of qualified security talent leads to ripple effects throughout the industry and economy. There is a proven link between a weak security posture and lack of security expertise within an organization. Today, the lack of cybersecurity talent can be an organization’s biggest vulnerability, exposing it to serious risk, and is even more dangerous than technology vulnerabilities. The lack of talent may even lead to inhibited economic growth.


Despite the spotlight on cybersecurity skills as a global priority, widely accepted career definitions are still evolving. This lack of consensus makes it difficult for the industry to attract new entrants and for pros to advance their careers.

One step in solving these issues is to begin defining common job titles. Imagine if “network security analyst” described the same position not only in the U.S. but also in other parts of the world. Common job titles would allow professionals to effectively relate to their peers globally and even work in other countries. It would also allow them to focus their time and resources on building the skills and experience most relevant to their career path. And it would allow businesses to hire professionals based on standardized skill sets and expectations of roles.

Then, there is no clear career mapping for setting goals and growth. Many have the misconception that in order to grow and mature the ultimate endpoint is a security executive, which many believe to be the CISO. Nothing could be further from the truth. Not all security pros want to be a CISO, nor is a CISO the only executive position; there are those who are considered the same level with the titles of chief scientist or chief security architect. The important thing is that the career map fit the individual and that may include remaining as a “senior member” of a cybersecurity team.

It was over a year ago that the Information Systems Security Association (ISSA) started to investigate the cybersecurity skills gap and to evaluate how it could identify and deliver the services that are most appropriate to its members. What became clear is that there is an overarching need for an internationally accepted framework that defines the cybersecurity career for individuals in our profession. Thus the ISSA Cybersecurity Career Lifecycle (CSCL) was born.

It also became clear that this challenge cannot be solved by one single entity. It must be an industry-wide collaboration.

This is a key opportunity for the profession to stop being reactive and to begin to drive our own destiny. In response, the ISSA will be calling for participation in the International Consortium for Cybersecurity Education, bringing together key stakeholders from the public and private sectors around the world to find a common solution for this shared problem.

Without consensus and collaboration, the onslaught of breaches to corporations and threats to critical infrastructure will continue to escalate. To keep pace, we need to mature the cybersecurity profession into a proactive, not reactive, model.

 

By Candy Alexander, Senior GRC Consultant, Towerwall
Special to SC Magazine

This article was recently published in SC Magazine

Debunking 5 Reasons Businesses Use to Not Invest In Computer Security


The rise of malware seems to have passed some people by. As the ranks of cybercriminals grow and they find new ways to exploit our systems and steal our data, a lot of computer users and small-business owners have convinced themselves that it won’t happen to them.

Here are five common excuses that explain why some people think they don’t need computer security and the reasons why they do.

 

“I have nothing to hide.”

Just because you don’t have risqué photos on your hard drive or a dossier of state secrets doesn’t mean you have nothing to hide. Do you want criminals to get their hands on your personal details? You’d be surprised at what they could do with your name, address and Social Security number. Imagine if they got your credit card numbers or bank account details. They may not be able to steal as much by attacking a small business as they could from a large one, but if it’s easier to do and they can get away with it, they will.

 

“I have old software or hardware.”

You have this expensive piece of legacy software, or some aging hardware that won’t play nice with the latest platform. It’s a classic excuse to stick with old operating systems or avoid important security updates. If you have an old system that’s no longer supported, the latest exploits and breaches won’t be patched. If you don’t keep up with the latest updates, you’re an easy target.

 

“I hate it when my computer slows down.”

Any software you run is going to have some kind of overhead, and security software does impact your system speed. But so does a hard drive full of malware. The truth is that a lot of modern security software is deliberately designed to have a light footprint. Schedule major scans for quiet times, tweak the settings and you shouldn’t have to deal with a major speed bump.

Is it really worth shaving off a few extra seconds by ditching encryption or using a simple password?

 

“I only visit trustworthy sites.”

It doesn’t take much to run into trouble. Click the wrong link in your search results, follow the link in an email, or tap a duplicitous ad and you’ve invited malware onto your system. Phishing scams use exact replicas of real websites and trusted brands. Third-party ad providers can be hacked, allowing legitimate sites to be compromised.

 

“I have a Mac or an iPhone.”

The idea that certain platforms are immune to threat is false. Both iOS and Mac OS are at risk from malware just like every other platform, and you should take precautions to safeguard your system. Criminals tend to attack the most popular platforms and while they prefer the path of least resistance, they’re always adapting and coming up with new exploits and attacks. Any platform with millions of users is a target.

The argument for computer security is classic common sense. Look at what you stand to lose and compare it with the relatively low cost of safeguarding your system.

 

By Michelle Drolet,  Founder and CEO, Towerwall
Special to Worcester Business Journal Online

This article was recently published in Worcester Business Journal Online

Towerwall Security Alert V13.79 – How to clear out cookies, Flash cookies and local storage

by Mark Stockley

This quick fix will show you how to clear out cookies and the cookie-like things that can be used to track you online.

If you already know what cookies are all about then you can skip the next bit and go straight to the instructions.

Why cookies are important

Cookies are very small pieces of information given to your web browser by the sites you visit. Your browser will store the cookies until they expire and will include them in any messages it sends to the website they originally came from.

Cookies are a normal and extremely important part of the way the web operates because they enable a sort of short-term memory.

The HTTP protocol – the language used by web browsers to talk to websites – is stateless and no information is retained between any two HTTP events.

Simplistically, a basic website will behave as if it’s the first time you’ve ever been there every single time you ask it for a web page.

However, if the website gives you a unique cookie the first time you ask for a page, you’ll give it back every time you ask for another page. If all your page requests contain the same unique cookie the website can see that they’re all coming from the same source.

Being able to link individual, stateless actions together like this is a fundamental building block of the web.

Without this short-term memory, websites would just be brochures – there would be no Facebook, Twitter, Pinterest, LinkedIn, Amazon, eBay, Wikipedia, PayPal, WordPress, Gmail…

Of course, if anyone wants to track you, being able to identify two or more actions as coming from the same source is also the fundamental thing.

Third party cookies

A website can only read the cookies that it has created – it cannot read cookies created by other sites.

In order to track an individual from one website to another, the different sites all have to share some code from a third party website. The code that creates and reads the tracking cookie is hosted by the third party and it can keep reading its own cookies as you hop from site to site.

That’s how advertisers and tracking companies work, it’s how the same adverts can appear to follow you around the web and it’s how, for example, Twitter knows what websites you’ve visited.
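An added example, not part of the original article: a small Node.js audit over a constructed request log that reports cookies set by the same third-party site while the user was on more than one first-party site, which is the cross-site pattern described above. The hostnames, the log shape and the function names are assumptions, and the last-two-labels site rule is a simplification of the Public Suffix List.

```javascript
// Constructed sample log: the page the user was on, the request the page
// triggered, and the Set-Cookie header that came back (null if none).
const capture = [
  { page: "https://news.example/story", request: "https://news.example/story",
    setCookie: "sid=abc123; Path=/; HttpOnly" },
  { page: "https://news.example/story", request: "https://ads.tracker.test/pixel.gif",
    setCookie: "uid=u-7781; Domain=tracker.test; Max-Age=31536000" },
  { page: "https://shop.example/cart", request: "https://shop.example/cart",
    setCookie: "cart=42; Path=/" },
  { page: "https://shop.example/cart", request: "https://cdn.tracker.test/t.js",
    setCookie: "uid=u-7781; Domain=tracker.test; Max-Age=31536000" },
  { page: "https://shop.example/cart", request: "https://fonts.static.test/a.woff",
    setCookie: null },
];

// Assumption: the "site" is the last two host labels. A real audit should use
// the Public Suffix List, because suffixes such as co.uk break this rule.
function siteOf(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

// Split one Set-Cookie header into its name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// Report third-party cookies that were set on two or more first-party sites.
function crossSiteCookies(entries) {
  const seen = new Map(); // "third-party site|cookie name" -> details
  for (const e of entries) {
    if (!e.setCookie) continue;
    const firstParty = siteOf(e.page);
    const requestSite = siteOf(e.request);
    if (requestSite === firstParty) continue; // first-party cookie, not tracking
    const c = parseSetCookie(e.setCookie);
    const key = `${requestSite}|${c.name}`;
    if (!seen.has(key)) {
      // A Max-Age or Expires attribute means the cookie outlives the session.
      const persistent = Boolean(c.attrs["max-age"] || c.attrs.expires);
      seen.set(key, { sites: new Set(), persistent });
    }
    seen.get(key).sites.add(firstParty);
  }
  return [...seen]
    .filter(([, v]) => v.sites.size >= 2)
    .map(([key, v]) => ({ cookie: key, persistent: v.persistent, seenOn: [...v.sites].sort() }));
}

console.log(crossSiteCookies(capture));
```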

‘Super’ cookies

Although cookies are the most well known way to track somebody, there are other technologies that can be used for the same ends.

The most recent version of HTML, version 5, has a feature variously called web storage, DOM storage or local storage that allows websites to create small but significant databases on users’ machines.

Adobe’s Flash player has a similar feature that allows Flash content embedded in web pages to create and read locally shared objects (LSOs). LSOs are sometimes referred to as Flash cookies or super cookies.

Because LSOs are stored by your Flash player and not your browser they can be used to track all the web activity originating from one computer, not just from one browser.

ETags

When a web server sends you a web page, an image or any other kind of file, it sometimes sends a text string called an entity tag (ETag) with it. The ETag is a short ID that uniquely identifies a specific version of a specific file.

If your browser asks for the same file again it will send the ETag with the request. If you already have the latest version, the web server doesn’t need to send it to you all over again which saves bandwidth and speeds things up.

Unfortunately, it didn’t escape the notice of tracking companies like KISSmetrics that ETags are something that websites give to users that they give back again in later requests.

By embedding the same file, such as a transparent image, in every web page and ensuring each new visitor is given a different ETag they could be turned into de facto cookies – or used as a sneaky way to recreate cookies that users have deleted.
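An added example, not part of the original article: a check that compares what several fresh clients received for the same URL and flags resources whose bytes are identical for everyone while the ETag is different for every client. The observations are constructed, and the hostnames, field names and function names are assumptions.

```javascript
// Constructed observations: each row is one fresh client (empty cache, no
// cookies) fetching a URL. This is sample data, not a real capture.
const observations = [
  { client: "A", url: "https://site.example/logo.png", etag: '"5e1f-88a"', body: "PNG-BYTES" },
  { client: "B", url: "https://site.example/logo.png", etag: '"5e1f-88a"', body: "PNG-BYTES" },
  { client: "C", url: "https://site.example/logo.png", etag: 'W/"5e1f-88a"', body: "PNG-BYTES" },
  { client: "A", url: "https://tracker.test/pixel.gif", etag: '"u-0001"', body: "GIF-BYTES" },
  { client: "B", url: "https://tracker.test/pixel.gif", etag: '"u-0002"', body: "GIF-BYTES" },
  { client: "C", url: "https://tracker.test/pixel.gif", etag: '"u-0003"', body: "GIF-BYTES" },
  { client: "A", url: "https://site.example/feed", etag: '"v1"', body: "<h1>morning</h1>" },
  { client: "B", url: "https://site.example/feed", etag: '"v2"', body: "<h1>evening</h1>" },
];

// W/"x" and "x" refer to the same entity for revalidation purposes, so the
// weak prefix is dropped before comparing.
function normalizeEtag(etag) {
  return etag.trim().replace(/^W\//, "");
}

// Return the URLs where every client got the same bytes but its own ETag.
// A hit is a lead, not proof: servers that build ETags from per-machine file
// metadata can also hand out differing values for one file.
function findSuspectEtags(rows) {
  const byUrl = new Map();
  for (const r of rows) {
    if (!r.etag) continue; // no validator, nothing to send back later
    if (!byUrl.has(r.url)) {
      byUrl.set(r.url, { clients: new Set(), etags: new Set(), bodies: new Set() });
    }
    const u = byUrl.get(r.url);
    u.clients.add(r.client);
    u.etags.add(normalizeEtag(r.etag));
    u.bodies.add(r.body);
  }
  const suspects = [];
  for (const [url, u] of byUrl) {
    const sameBytes = u.bodies.size === 1; // a changed ETag is expected when content changes
    const uniquePerClient = u.clients.size >= 2 && u.etags.size === u.clients.size;
    if (sameBytes && uniquePerClient) suspects.push(url);
  }
  return suspects;
}

console.log(findSuspectEtags(observations));
```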

Fingerprinting

Recent research suggests that many browsers have a profile so distinct that they can be individually fingerprinted. The fingerprint is made up from information that can be gathered passively from web browsers such as their version, user agent, screen resolution, language, installed plugins and installed fonts.

I don’t know of any cases where fingerprinting has been used in the wild, but if it were it would be difficult to detect and it’s certainly accurate enough to be used as a cookie re-spawning technique, if not for tracking proper.

I’m sure it’s a technique we’ll be hearing more about.

Clearing cookies, web storage and ETags

Thankfully modern browser vendors assume that you want to clear web storage when you delete your cookies so the procedure is the same for both.

Because ETags are used to manage which files are cached, they’re discarded when you delete your cache.

Before you ditch your cache, bear in mind that the cost of aggressively discarding your cache is, potentially, slower browsing.

Here’s how to clear out the cookies, web storage and ETags that you already have and how to find the settings that allow you to take a bit more control over what you’ll accept from now on.

Firefox

· Click History and then Clear Recent History
· Tick Cookies
· Tick Cache to clear your cache
· Click Clear now


While you’re looking at the Privacy tab, a range of options for controlling cookies are available under History. You can configure these by choosing Use custom settings for history under Firefox will.

Chrome

· Click the Menu button
· Click Settings
· Click Show advanced settings
· Scroll to Privacy
· Click Clear browsing data…
· Tick Cookies and other site and plug-in data
· Tick Cached images and files to ditch your cache
· Click Clear browsing data


Under the Privacy heading you’ll also find a range of options for controlling cookies if you click Content settings….

Safari

· Click Safari and then Preferences
· Select the Privacy tab
· Click Remove all website data
· Click Remove Now


While you’re looking at the Privacy tab you’ll see a few options for controlling cookies too.

Clearing the cache is a far from obvious process.

· Click Preferences
· Select the Advanced tab
· Tick Show Develop menu in menu bar
· Click Develop (it’ll have just appeared in the menu bar at the top)
· Click Empty caches


Internet Explorer

· Click the gear/cog icon in the top right
· Click Internet options
· Select the General tab
· Under Browsing history click Delete…
· Tick Cookies and website data
· Tick Temporary Internet files and website files for the cache
· Click Delete


Options for controlling cookies can be found under Browsing history and under the Privacy tab.

Clearing Flash cookies

Here’s how to clear out the LSOs that you already have and how to find the settings that allow you to take a bit more control over them.

Windows

· Click Start (if you’re lucky enough to have one)
· Search for Control Panel
· Click System and Security
· Click Flash Player
· Select the Storage tab
· Click Delete All…
· Tick Delete All Site Data and Settings
· Click Delete Data

Mac

· Click System Preferences in the Apple menu
· Click Flash Player
· Select the Storage tab
· Click Delete All…
· Tick Delete All Site Data and Settings
· Click Delete Data

Private browsing and add-ons

All modern browsers come with a Private or Incognito mode that makes it much more difficult for websites to track you. Typically they’ll ditch your cache and cookies when your browser session is over, meaning that while you might be tracked during a session, you won’t be tracked across multiple sessions.

Private browsing works for Flash LSOs too. According to Adobe, Flash Player version 10.1 and later will clear out Flash cookies at the end of your browsing session if you use private browsing in the following browsers:

· Google Chrome
· Mozilla Firefox
· Microsoft Internet Explorer
· Apple Safari

There is also a range of add-ons for each major browser that can help you manage some or all of the tracking techniques I’ve mentioned.

Going through all of them is well beyond the scope of this article but Ghostery is a good place to start. I’ll leave it for readers to chime in with their favorites in the comments.