Symantec & WSJ Presents "Malware on Main Street"

IN COLLABORATION WITH Malware on Main Street: Why Cyberthieves Increasingly Target Small Firms WSJ. Custom Studios ©2014 The Wall Street Journal news organization was not involved in the creation of this content.

Upload: mzerma-amine

Post on 07-Aug-2015




TABLE OF CONTENTS

Introduction

Thieves Get Personal

Key Cyberprotection Steps For Small Business

Why Cyberprotection Can’t Wait

INTRODUCTION

When cybercriminals set out to steal data from one of America’s largest retailers in 2013, they did not attack the company directly. Instead, they sent malware-laced emails to employees of a small mechanical contractor that had access to the retailer’s network for billing.

When the emails were opened, the malware evaded the small company’s anti-malware software—reportedly a free edition intended for personal use—allowing the hackers to install a password-stealing program on the small company’s computer. The program captured the usernames and passwords that were issued to the small company and the hackers used them to gain access to the large retailer’s network. Once in the network, they inserted malicious software that made its way to cash registers, capturing more than 40 million credit- and debit-card records.

This theft was the largest, most high-profile data breach in U.S. history. It also exposed a growing and serious threat: Cybercriminals are increasingly targeting small companies using sophisticated, highly customized techniques in order to gain access to the data troves of their customers and vendors. “There are more attack campaigns being targeted to small and medium businesses than ever before,” says Kevin Haley, Director of the Security Response Team at Symantec Corporation.

THIEVES GET PERSONAL

While small companies have long been vulnerable to cyberattacks and data breaches, thieves have gotten savvier about compromising and breaking into their systems, Haley says. They extensively research their target companies and design highly personalized attacks that con business owners, executives, and employees into providing access to sensitive data. They view small companies as easier targets than large companies because small firms often lack the sophisticated alert systems and other internal procedures designed to fend off attacks.

Techniques that thieves increasingly use against small businesses include:

Sending personalized phishing emails. “Spear-phishing” is when cybercriminals send personalized emails that present themselves as legitimate people seeking specific information, whether a business’s credit-card number or network logon credentials. If an email recipient provides such information, the criminal can use it to break into a network or perpetrate identity theft. The emails also often contain links to websites that, if clicked, will download malware to the recipient’s computer, potentially infecting the company’s entire network as well as the networks of its vendors and customers.

According to the Symantec Internet Security Threat Report 2014, spear-phishing attacks increased 91% between 2013 and 2014. The study also found that attacks aimed at businesses with 250 or fewer employees accounted for 30% of targeted spear-phishing. Haley warns that attackers “are being very selective” and, rather than sending mass phishing emails to large numbers of people, are personalizing emails to make them appear more authentic and safe.


Charles Tendell, CEO of Azorian Cyber Security, a Denver-based consulting firm, says cybercriminals often mine social media for personal information that can be used to cause email recipients to relax their vigilance and increase the odds they will hand over sensitive information. Even a Facebook page in which an employee discusses his or her hobbies or leisure activities can help a thief write an email that seems trustworthy, he says.

Identifying new loopholes. The highly publicized 2014 Heartbleed bug exposed massive amounts of data stored on web servers, including many passwords, by taking advantage of a security flaw in the commonly used encryption standard OpenSSL. An estimated 17% of all web servers were vulnerable to the bug. Security loopholes like Heartbleed are called “zero-day” vulnerabilities because they become public before software makers are aware of them, giving them no time to prepare patches before the bug could cause problems. Small companies with internal servers are most at risk of such bugs because they are less likely than large companies to apply preventative patches in a timely manner, security experts say. And zero-day threats are increasing as cyberthieves become better at finding them, Haley says. In 2013, 23 new zero-day vulnerabilities emerged, twice as many as in the previous year. “I don’t expect these numbers to go back down in the next year or so,” he adds.

Holding networks hostage. An even faster-growing threat to small companies is “ransomware,” a type of malware that renders a computer system useless without a password. After a system is disabled by the malware, a hacker demands a ransom in exchange for allowing employees to regain access to the system. Ransomware attacks grew 500% in 2013, Symantec’s threat study found. Haley says these attacks have become more malicious because attackers have gotten better at disguising ransomware as legitimate email attachments and get business owners or employees to download it unknowingly.

A particularly vicious and well-known form of ransomware called “CryptoLocker” encrypts files on victims’ computers until they pay for a password key. Without the password, it is impossible to recover their files. The U.S. Department of Justice reported that CryptoLocker had infected more than 234,000 computers as of April 2014—half in the United States—and each victim was forced to pay up to $700 or more for keys in order to regain access to his or her files. The department cited one estimate that more than $27 million in ransom payments were made in the first two months since the malware appeared.

Hiding malware on reputable websites. “Watering hole” attacks are another form of cybercrime that has grown quickly. Thieves exploit vulnerabilities in legitimate, but poorly protected, websites and automatically download malware on visitors’ computers. Symantec’s study found that 77% of legitimate websites had exploitable vulnerabilities.

Compromising POS systems. Attacks on point-of-sale systems have grown rapidly, in part because they provide thieves with direct access to payment-card data. They may involve several techniques, often starting with spear-phishing, with the ultimate goal of accessing corporate networks and installing data-stealing malware. The results can be lucrative for thieves and incredibly costly to the business. Last year, it was reported that a specific type of emerging malware called POSCLOUD was being used to target cloud-based POS software often used by small retailers. The malware logs users’ keystrokes and grabs screenshots to monitor customer flow and steal personal data.

Targeting personal devices. As many small companies allow employees to use their personal devices—including smartphones, tablet computers, and laptops—for work, thieves are getting savvier about designing attacks specifically geared toward using less-secure personal devices as a way to break into small businesses’ networks and systems. Many employees use personal devices to store work information or check and send emails.

Many small companies don’t adequately protect themselves against these risks until it’s too late. That’s partly due to lack of awareness of the risks, but also because they wrongly believe that reliable cyberprotection is expensive or time-consuming.


KEY CYBERPROTECTION STEPS FOR SMALL BUSINESS

Despite the growing risks to small firms, cyberprotection does not have to be time-consuming or costly. In fact, many times the simplest measures are the most effective. “Cybersecurity cannot make you perfectly secure,” Azorian Cyber Security’s Tendell says. “But it’s going to make you a much harder target than the business next door that doesn’t have anything.”

Here are several ways security experts say small businesses and their IT managers can better protect themselves:

Educate Employees

One of the most effective cybersafety measures is educating employees on key risks and how to avoid them. This includes instructing them not to hand over sensitive business information, such as account numbers and passwords, via email, and not to click on links in emails from unknown senders.

Creating a written cybersecurity policy can help enforce rules and provide information to help employees prevent data loss. For example, requiring employees to use hard-to-crack passwords with multiple symbols and numbers on all employer-issued and personal computers and devices used for work can prevent hackers from breaking into key accounts. The business should also consider enacting a policy for cloud-based solutions that allows for the storage and sharing of information online, and employees should be made aware of the risks of using unapproved software or services and freeware. The company can steer employees toward safe software and services by providing IT-approved solutions.

This policy should allow only essential employees access to sensitive data, such as customer networks. Emphasis should be placed on employees most likely to be targeted: According to the Symantec threat report, executive assistants, public relations managers, and senior managers are most at risk.

Back Up Data Regularly

Instituting a formal data backup procedure can prevent the business from becoming completely disabled by a cyberattack, particularly from ransomware that locks employees out of the system. Much of today’s most sophisticated ransomware is unbreakable, even by skilled forensic experts, Tendell says.

Backing up data on a regular schedule, at least weekly, also helps shield against data loss due to a natural disaster, fire, hardware failure, or accidents. Accidental data loss is a major risk that many small businesses aren’t prepared for, according to Symantec’s Haley. The 2014 Symantec threat report found that 56% of all data loss resulted from accidents, such as smartphones or laptops left in taxis. “While we need to be concerned about breaches, we can’t neglect data that is accidentally lost,” he says.

Keep Security Patches Up-To-Date

A business that outsources its website hosting to a large domestic provider may not have to worry about updating patches, as the hosting company often handles that task, Tendell says. Smaller or very low-cost overseas web-hosting providers, however, may be less reliable. Companies that use third-party hosting services should avoid sharing their physical server with other websites. Those who host their own sites should make sure all security patches are routinely checked and updated. Attackers don’t stop exploiting small businesses just because a patch is available. In fact, they prey on businesses that don’t take immediate action to apply updates.


Deploy a Robust Cyberprotection Solution

Today’s most comprehensive cyberprotection solutions can provide a small business with robust coverage at a cost-effective price. When choosing a solution, the company’s IT professional should ensure that it provides continuous, always-on coverage—meaning it protects the business around-the-clock and provides a real-time shield against emerging cybersecurity risks.

Given the serious and growing threat of disguised malware attacks, the cyberprotection solution should be able to identify potential malware before employees click on infected links or unknowingly download malware on their devices. It should provide timely alerts of needed security-patch updates. Today’s leading cyberprotection solutions designed for small companies can detect spyware and malware in real time as employees browse the Internet. They can also identify potentially dangerous websites in online search results before an employee clicks on them and protect against potential attacks when employees are working on public Wi-Fi networks, whether at the airport or a coffee shop.

Small companies may be tempted to try to save money by relying on consumer-grade cyberprotection software they can get for free. However, free versions often lack the most advanced and up-to-date features necessary for warding off today’s rapidly evolving threats. For example, a free anti-malware program that only provides on-demand scanning of a single system does not provide nearly as much protection as one that constantly scans incoming files for signs of dangerous software.

Many free cybersecurity software programs are intended for personal use only and not designed for the more sophisticated needs of businesses. Customer support on free software is often very limited or even nonexistent—a major concern if a problem or attack occurs. Free solutions also may not keep up with the ever-changing cyberthreat landscape.

Cyberprotection programs designed specifically for small businesses can be easily managed by a one-person IT department or even a part-time IT consultant. Programs that can be accessed via the cloud (the Internet) allow a small business to easily and quickly set up protection for new devices and employees as it grows.

Another piece of good news: Even as small businesses’ cyber-risks grow, comprehensive protection has become far more affordable. “Stuff that when I started in IT was only available for enterprises is now available for small- to medium-sized businesses at very reasonable cost,” says Jerod Powell, president of InfinIT Consulting, a San Jose-based chain of small business IT consulting firms. Powell says when security is applied holistically—including setting up network firewalls and data-encrypting employees’ laptops—it can provide very strong protection.


WHY CYBERPROTECTION CAN’T WAIT

Cyberattacks are only getting more sophisticated and harder to detect. As cyberthieves get savvier, businesses and their IT professionals must work hard to keep pace with the ever-changing threat landscape. Not too long ago, it would have seemed unlikely that a small mechanical contractor could unwittingly provide entry into a major corporation’s customer billing records. Today, such events make headlines regularly.

Taking the right protective measures, including enacting cybersecurity policies and employee training and using the right solutions, can reduce much of today’s risk. Cloud-based cyberprotection solutions can offer greater security because they provide always-on coverage and automatically update to ensure a small company is protected against the latest risks. As cyberthieves around the world work hard to create more personalized, savvier attacks against small businesses, it’s more critical than ever that businesses are prepared.


This work was commissioned by Symantec.
