
Symantec 2018 Internet Security Threat Report – Review

The Symantec brand is synonymous with cybersecurity. Each year, the Symantec Internet Security Threat Report sets a benchmark in highlighting critical trends for threat vectors for enterprise networks. So much so, that even the report’s name is routinely referred to in shorthand as simply, ISTR. The ISTR 2018 report confirms some alarming trends that Data#3 customers have tackled over the past 12 months. Please see below a snapshot of the 2018 report’s key findings and implications for companies in the Australian market:

  1. Threat analysis from over 175 million endpoints
  2. Alarming growth in volume and diversity of threat
  3. Australian Notifiable Data Breaches Scheme
  4. Short-sighted blind spot in Australia on prevention
  5. 80% of attacks involve a human – so train them
  6. How to withstand a 600% increase in IoT attacks
  7. Cryptomining 8,500% increase – what it means
  8. Critical infrastructure could now be at risk
  9. Android and iOS devices need to be managed

Threat Analysis from over 175 million endpoints

There is a very good reason why the Symantec ISTR is eagerly awaited each year. Put simply, the data that Symantec has access to for analysis is mind-bogglingly comprehensive. Symantec has the largest civilian threat collection network in the world, and one of the most comprehensive collections of cybersecurity threat intelligence through the Symantec™ Global Intelligence Network. The Symantec Global Intelligence Network comprises more than 126.5 million attack sensors, monitoring threat activities for over 175 million endpoints located in 157 countries and territories. If there is an emerging trend in security threats, Symantec is one of the first to know.

Alarming growth in volume and diversity of threat

The ISTR 2018 highlights a 13% increase in overall reported vulnerabilities. While many of those vulnerabilities are in areas we have come to expect, there are emerging trends that will surprise some.

The web threats and email spam, perhaps more familiar to many, continue to balloon in volume and sophistication.

So too did malware and ransomware continue to rise over the past year.

However, it is the spike in software supply chain attacks and the rapid acceleration in exploitations of vulnerabilities in Internet of Things (IoT) devices, and the humble smartphone, that have caught many off guard.

Australian Notifiable Data Breaches Scheme

The trends revealed in the ISTR 2018 have immediate legal implications for Australian companies. As an Australian organisation, you no longer just need to protect your organisation and data from cyberthreats; you also now have extensive legal obligations to:

  • notify individuals whose personal information has been exposed in a data breach,
  • include recommendations about steps individuals should take in response, and
  • notify the Australian Information Commissioner about eligible data breaches.

While the legislation was passed in 2017, the Australian Notifiable Data Breaches Scheme came into effect on February 22, 2018.

Short-sighted blind spot in Australia on prevention

Since the Notifiable Data Breaches Scheme came into effect in February 2018, more breaches have already been declared than in the entire previous year. How will you remain compliant?

For Data#3 customers already using Symantec Managed Security Services (MSS), this can assist in identifying potential breaches and provide critical information if an event occurs. For customers without an outsourced managed service, now is the time to explore options.

Regardless of the managed service you use, Data#3 consultants are concerned by a recurring pattern we are seeing across Australia. Companies are starting to notify about data breaches under the scheme, and only after they do, they look at how they can remedy the breach. What is concerning is that few companies are remedying adequately ahead of being breached, because of misguided resistance to financial investment in preventative measures. However, the minute the organisation experiences a live attack, those budgetary restraints evaporate and financial support is forthcoming to put extra systems in place to prevent it ever happening again. Don’t wait – the financial arguments against investment in defences immediately appear short-sighted after the damage is done.

80% of attacks involve a human – so train them

80% of attacks succeed because a human is involved. Take for example these scenarios where a user inadvertently does something they shouldn’t:

  • A user receives an email believed to be from the CEO and clicks on the link in the email. The clicked link installs malware, resulting in a $10k demand to unlock the machine. They didn’t take the time to carefully check or verify the email address it was coming from.
  • An employee visits a website on a work device and clicks on an apparently innocuous pop-up notice saying they need to install the latest Java to continue. These are known as “drive-by attacks”.

While it seems low tech, ongoing training clearly has a role to play in bolstering organisational defences. Data#3’s Security Awareness Training ensures organisations can get staff to understand the value of the information they interact with on a daily basis, and gives them the knowledge and tools to be your first line of defence.

There is an equally strong case for ongoing training and professional development for IT staff in relation to server security. While Windows laptops have presented fewer issues over the past year, as a result of continuous/rolling updates and security patches, Data#3 consultants have reported far more client issues with servers. Anecdotally, many of the server vulnerabilities our consultants are seeing result from people issues, not from the availability of a suitable security patch. There’s a long-standing belief that patching a suitably functioning server might cause issues, or that systems reliant on that server will be impacted. Suffice it to say, the feeling is: if it’s working, don’t touch it. However, once an exposed server is breached, the damage can be catastrophic, and with mandatory reporting, the reputational damage can be equally painful. Organisations should continue to invest in security training to avoid this.

How to withstand a 600% increase in IoT attacks

The ISTR 2018 reveals that there was a 600% increase in IoT attacks from 2016 to 2017. Part of that is likely to be attributable to the increase in IoT devices on the network. Whilst connected devices have been around for years, think TVs connecting to Netflix, what is surprising is how frequently Data#3 consultants meet customers who off-the-cuff will respond “Yes IoT is a growing trend, but it doesn’t really impact our organisation yet.” When you delve further, there’s a plethora of connected devices throughout most organisations.

A few select examples highlight the growing vulnerability:

  • A branch manager concerned about suspected warehouse theft can unilaterally, and easily, install a home property security camera, purchased off the shelf, with a plug-and-play camera, logic board, and network interface card. A lot of these soft components have hard-coded passwords to access configuration. A threat actor could attempt to obtain component passwords and then, instead of connecting to the device, could connect to the network interface card and get access.
  • Businesses and universities use increasingly sophisticated building automation systems with sensors all over the place for temperature, humidity and air control. These sensors use the network to talk to the building control centre. If this occurs in your organisation, how involved is your IT team and how do you ensure security upgrades are applied in a timely way? How do you detect threat intrusions on these devices?
  • The office manager attempts to install Netflix to the new smart TVs purchased for the boardroom and so uses her own credentials to set up. It’s just the boardroom screen – but vulnerability is built into it by design and the device can be compromised.
  • Fridges are in every office kitchen across the country. They are becoming increasingly ‘smart’ and some have an interface to order more coffee and biscuits directly from the local supermarket across the business network. Clearly it is a connected device, but kitchen whitegoods have not traditionally been a focus for IT teams. In this scenario, would your IT team be on the front foot with IoT defence systems, or would the first time they hear about it be after an external threat actor breaches your network through the fridge? It is not a fanciful example when you see the most used passwords for IoT attacks in the ISTR 2018 report:

It is no longer good enough to say “IoT is the future but our organisation isn’t there yet.” How can you be sure? What are you doing to find out?

Cryptomining 8,500% increase – what it means

ISTR 2018 describes coin mining as “a modern gold rush”, which no doubt explains why it has attracted new threat actors. Cyber criminals who have been firmly focused on ransomware for revenue generation are now starting to explore other opportunities. During the past year, the astronomical rise in cryptocurrency value inspired many cybercriminals to shift to coin mining, or crypto mining, as an alternative revenue source. This coin mining gold rush resulted in an 8,500 percent increase in detections of coinminers on endpoint computers in 2017.

Coinminers are used to mine cryptocurrencies. Cryptocurrencies are digital currencies created using computer programs and computing power, and recorded on a blockchain. The safety, integrity and balance of the ledger essential to the integrity of a cryptocurrency is maintained by a community of mutually distrustful parties referred to as miners – they use their computers to help validate and timestamp transactions, adding them to the ledger in accordance with a particular timestamping scheme. That requires a lot of computing power, so cryptocurrencies rely on distributing that computing across many computers.

File-based coin mining involves downloading and running an executable file on your computer. Browser-based coin mining, which saw the biggest jump in prevalence in 2017, takes place inside a web browser and is implemented using scripting languages. This changes the crypto mining landscape from one of willing participants actively engaged with cryptocurrency processes, to one of unaware end-users inadvertently agreeing to mining through something as simple as a website agreement.
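To make the “lot of computing power” concrete, here is an added toy proof-of-work miner (an illustration written for this review, not code from Symantec or from any real cryptocurrency, whose algorithms differ). It shows why validating and timestamping a batch of transactions costs many hash attempts while checking the result costs one, which is exactly the asymmetry that makes a hijacked endpoint or browser valuable to a coinminer. The ledger entries, timestamp and difficulty are constructed sample values.

```python
import hashlib
import json

# Constructed sample batch of transactions to be timestamped into one block.
SAMPLE_TX = [
    {"from": "alice", "to": "bob", "amount": 5},
    {"from": "bob", "to": "carol", "amount": 2},
]
SAMPLE_TS = 1500000000.0  # fixed constructed timestamp so runs are repeatable


def ledger_entry(prev_hash: str, transactions: list, timestamp: float) -> dict:
    """Build an unmined block that timestamps a batch of transactions."""
    return {"prev": prev_hash, "ts": timestamp, "tx": transactions, "nonce": 0}


def block_hash(block: dict) -> str:
    """Canonical SHA-256 over the block contents (sorted keys for determinism)."""
    payload = json.dumps(block, sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()


def mine(block: dict, difficulty: int) -> tuple:
    """Search nonces until the hash has `difficulty` leading hex zeros.

    Returns (hash, attempts). Attempts grow roughly 16x per extra zero,
    which is the computing power a coinminer steals from its host.
    """
    target = "0" * difficulty
    attempts = 0
    while True:
        attempts += 1
        h = block_hash(block)
        if h.startswith(target):
            return h, attempts
        block["nonce"] += 1


def verify(block: dict, claimed_hash: str, difficulty: int) -> bool:
    """One hash is enough for any party to check the work; tampering with
    a transaction changes the hash and the proof no longer holds."""
    return block_hash(block) == claimed_hash and claimed_hash.startswith("0" * difficulty)


if __name__ == "__main__":
    blk = ledger_entry("0" * 64, SAMPLE_TX, SAMPLE_TS)
    h, n = mine(blk, 3)
    print(f"mined {h} after {n} attempts; valid={verify(blk, h, 3)}")
```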

Instead of installing malware outright, it is essentially a phishing attack in which someone is coerced into downloading something, such as a proxy server on which a remote application is installed. Someone clicks on the wrong thing, their system is locked, and the only way to unlock it is to pay a ransom. Once they pay, they tighten up security and it won’t happen again. You need to be aware of this new threat vector, and you need to be prepared. Don’t wait until after your security has been breached and a critical system is held to ransom.

Critical infrastructure could now be at risk

While some of the trends in the ISTR 2018 were alarming, they were in areas of vulnerabilities that have become mainstream. What may surprise some is the 29% increase in vulnerabilities related to Industrial Control Systems (ICS) – cutting right to the operational heart of manufacturing organisations to not only stop business systems, but also stop the very means of production.

This trend raises questions about the security of Australian infrastructure, such as power grids and industrial control infrastructure. How would a critical breach impact your business if the power grid went down, or your manufacturing line ground to a halt, or key suppliers were critically wounded?

These doomsday scenarios are dramatic. However, what many fail to realise is that subtle attacks can have equally damaging impacts. Take for example a box-making company where someone manages to log in remotely to the manufacturing system and alter the specs of a box, so that when the product is shipped (pallets of it!) it is the wrong size. This has actually happened, and in this instance, the subsequent insurance claim was successful. Think of the implications of this same scenario under the new reporting obligations. Depending on the data breached during the intrusion, the box company could well have to issue a public notification under the new reporting requirements.

Key insight? Think beyond desktops, servers and mobile devices and take the time to consider the critical control systems throughout your organisation. Are they adequately defended? What do you need to do in 2018, and beyond, to ensure they are?

Android and iOS devices need to be managed

ISTR 2018 reveals that the number of new mobile malware variants increased by 54 percent in 2017, and while threats are on the increase, the problem is exacerbated by the continued use of older operating systems. In particular, on Android, only 20 percent of devices are running the newest major version and only 2.3 percent are on the latest minor release.

Mobile users also face privacy risks from grayware, apps that aren’t completely malicious but can be troublesome. Symantec found that 63% of grayware apps leak the device’s phone number. With grayware increasing by 20% in 2017, this isn’t a problem that’s going away.

The simple fact is that Android is an operating system that is on a lot of phones (a lot of cheap ones), and the only way to overcome vulnerabilities is to ensure software is upgraded – which many people don’t regularly do. The statistics on mobile operating system upgrades in ISTR 2018 are alarming:

The process of notification and installation of iOS upgrades is clearly more robust. The numbers speak for themselves and from a security perspective, they cannot be ignored. To overcome this vulnerability, organisations need to investigate mobile device management solutions to ensure all devices accessing the corporate network have the latest security updates installed.

Explore further

There is no shortage of security reports, warnings and vendor solutions. It isn’t always easy to know where to start in responding to emerging trends, but doing nothing exacerbates organisational risk exposure.
If you need someone to help you navigate the security landscape, Data#3 security consultants are here to help.
