A surge in attacks on Point of Sale (POS), payment systems and the increased use of encryption by cybercriminals are among the key findings in the latest Dell Security Annual Threat Report. The report which can be download here (registration required), raises some difficult issues for the security industry.
According to the report, in 2014 Dell Security recorded:
- 1.7 trillion IPS attacks blocked
- 4.2 billion malware attacks blocked
- 37 million malware samples collected almost double the 19.5 million from 2013
- Point of Sale malware up over 3x from 2013
- Attackers using encryption to hide their attacks and the data collected
- Attacks against supervisory control and data acquisition (SCADA) systems doubled
POS and payment systems under continual attack
According to Dell, the US is the most likely country to face attack on Point of Sale systems. However this could be misleading as the legal requirement to report attacks in the US is something that not all countries demand. The US is also where most security companies get their data from and therefore any reporting of attacks will show the US as the most likely to be attacked.
Following on from 2013’s attacks on Target and Nieman Marcus, there were 12 high profile retail breaches in the US. This includes the details of 56 million customers lost by Home Depot and the fact that many attacks were active for months in large national chains before they were detected. As a result, it has been difficult to get accurate numbers around the breaches at Kmart, Dairy Queen, P F Changs and UPS.
Irrespective of this there is clearly a major problem in the POS market. One of the questions that Dell asks in this report is how can so many systems be compromised and so much data stolen when the Payments Card Industry (PCI) standards are mandatory not optional. It speculates that the causes are:
- Inadequately trained employees
- Lax firewall policies between network segments and the B2B portal
- Reliance on a single layer of defence
- Poorly integrated security products
- Granting higher level of permissions to third-parties than required
- Servers and computers controlling terminals not being properly patched or secured
In the report, Dell suggests a range of 13 different steps that companies should be taking to improve their POS security. It will be interesting to see next year how many companies have failed to implement these steps and have fallen prey to attacks against their POS systems.
Encryption used to hide attacks
The use of encrypted connections to protect the communication channel between end users and the sites they connect to is pretty standard. However, after the discovery of Heartbleed last year followed by multiple other vulnerabilities that were discovered when researchers looked at OpenSSL, the system is no longer seen as being so secure.
Despite this, Dell saw an increase of more than 2x in the global number of HTTPS web connection from 182 billion in January 2014 to 382 billion in January 2015. By March 2015, that number was up another 14% or 55 billion to a staggering 437 billion. At first glance these seems like a smart job by websites to try and protect data in motion but according to Dell, this increase harbours a more sinister secret.
In the report, Dell claims: “In early 2014, hackers successfully distributed malware to about 27,000 Europeans per hour over the course of four days, simply by infecting a group of banner advertisements on Yahoo’s news site. Since Yahoo’s site was encrypted, this malware was able to tunnel through users’ firewalls unseen.”
This use of encryption to hide malware and the data being exfiltrated from enterprises is a major blow to the security industry. Over the past year IB, HP, Symantec, Huawei, Dell and many others have focused on using security intelligence to detect signs of attacks. Part of that approach means monitoring traffic but encrypted traffic makes the monitoring harder to do.
It is not just IT security teams and vendors who are driving the conversation around encryption. The reaction to the Edward Snowden revelations of global surveillance of IT systems has also driven companies to increase the amount of encryption that they use to prevent unauthorised spying on traffic. This has led to arguments between governments, police forces, intelligence services and businesses across the globe and cybercriminals are taking advantage of the situation.
Dell is recommending that companies implement SSL inspection of all traffic as part of their threat detection plans but the reality is that few companies are going to be able to do that effectively. The danger is that ISP’s will be asked to do some of this which will only raise the spectre of surveillance again. To solve this problem, there is a real need for industry and governments to get together to find an acceptable compromise to ensure encryption does not give cybercriminals a free run.
SCADA system attacks have doubled
The use of SCADA systems to provide remote information on industrial systems and critical infrastructure is not new. What is new is the continued emergence of attacks targeting these systems. Dell believes that this is not about money but political issues. With the rise of political hacktivism both state sponsored and ideology based on the increase, there has been a significant increase in the pace of attacks on SCADA systems.
Using figures from the Dell report the January numbers from 2012-2014 are:
2012 – 91,767
2013 – 163,228
2014 – 675,186
Between 2012 and 2013 the number of attacks increased 80% but by January 2014, the year on year increase was more than 4-times the previous year. Finland was the country attacked the most with the UK and US someway behind. What is most worrying about these attacks is that the analysis conducted by Dell show that none of the attack vectors are new. For example, over 25% of the attacks use buffer overflows.
The report highlights that these attacks may be massively unreported as there are no requirements to report data breaches as no personal or payment data is lost. It should be noted that the Stuxnet virus that damaged the Iranian nuclear programme was targeted at industrial control systems. The effectiveness of that attack suggests that there is a significant risk as companies begin to integrate their industrial control systems as part of their Internet of Things (IoT) plans.
A move to 2FA
To improve security, Dell believes that companies are likely to enforce policies that require two-factor authentication (2FA). This means that even when a data breach takes place, the criminal will need additional data in order to exploit the stolen data. It doesn’t mean that they won’t exploit it, just that exploitation will be harder than it is today.
Despite calls for 2FA to become the norm, current implementations are not always easy and can be inconvenient to users. Anything that makes life harder for users will drive business away which is something that retailers in particular are wary of. Deploying it for business purposes across a wide internal user base is much easier as users often have little choice but to accept the security controls that are deployed by the enterprise.
Android the mobile OS target of choice
It might be thought that Apple’s iOS would be a more profitable target for malware writers. After all, study after study shows that Apple device owners are seen as wealthier than most, something that websites have exploited by detecting device type and then hiking prices. However, Android continues to be the hackers mobile OS target of choice and not just because it is so popular and easy to attack.
Dell reports that last year the first ransomeware attack AndroidLocker was detected by its security device division Dell SonicWALL. Within weeks it was followed by Simplelocker which not only attacked the phone but all files installed on SD cards. It also used the Tor network to hide its command and control network. Since then, Remote Access Tool (RAT) attacks such as AndroRAT and Dendroid have appeared.
As with last years attacks on French speakers, these new attacks target specific populations and types of devices. While some malware has been shipped with devices in the last year, the majority gets installed either through the Google Play app store or by users adding illegal copies of applications to their phones. To be fair to Google it recently threw a lot of apps out of the Google Play app store and promised to tighten up the rules.
There are three new attack vectors that concern Dell. The first is the increased pairing of devices to laptops allowing malware on smartphones and tablets to make the jump on other machines and into corporate networks. The second is the emerging wearable market especially as developers look to leverage the data from these devices.
The third attack vector is the white and brown goods sector such as fridges, dishwashers and TV’s. These are not just home devices but are often installed inside enterprises. The IT department is often unaware of their installation or that they have been connected to the corporate network. As such, they provide another access route into the enterprise for malware and cybercriminals.
Mobile devices are also likely to have an impact on connected vehicles. We have already seen proven attacks on the computer systems inside systems in the last three years. As we increase the number of connected systems including Internet access to vehicles we run the risk of increased and more aggressive attacks. Car manufacturers are finally facing up to the threat but there is more work to be done especially as hackers look to claim the first big hack on connected vehicles.
At the end of the report this is what Dell has to say about planning for better security.
The most effective approach companies can take today is to establish multiple layers of security and threat intelligence that provide numerous methods for preventing and responding to attacks on their network. These layers, together comprising a defense-in-depth program, include all of the following:
- Continuous security awareness training for employees.
- Vigorous endpoint defense, as most network infiltrations begin with a compromised user device.
- Deploy secure mobile access technology that checks the security posture of user devices before granting network access and enforces policies that grant VPN access only to trusted users, mobile apps and devices.
- Deploy secure workspace technology to establish and enforce on-device data protection policies and app management.
- Implement 2FA for both administrators and users.
- Protect privileged accounts.
- Manage contractor, partner, intern, patient, and vendor access differently than internal resources. Control and monitor access rights regularly.
- Replacement of traditional or legacy firewalls with a Next-Generation Firewall (NGFW).
- Investment in a capable intrusion prevention system.
- Addition of an SSL/TLS inspection capability to detect and block malware that is hidden in SSL/TLS-encrypted traffic.
- Implementation of an around-the-clock threat counter-intelligence feeding security updates to NGFWs and intrusion prevention systems.
- Deployment of an email security solution.
- Consistent software updates.
- Securing of remote work environments by segmenting router access.
- Implementation of the same level of defense throughout a distributed enterprise’s locations, including kiosks, executive homes, and remote offices.
Not only is the rate of attack increasing but attacks are also evolving faster than the security industry can respond. One major concern is that many known attacks are still proving so effective with security teams seemingly not putting into place the most basic of IT security controls.
To make matters worse hackers are better organised than most vendors. They not only sell exploits and stolen data but offer guarantees that they will work and levels of technical support that are more comprehensive than anything the IT industry can match. This has led to large vendors establishing their own threat assessment communities. How effective these will be can will only be known in a year or two.
For now, companies should take not of the 10 points that Dell provides as their final takeaways.