Cybercrime – The ever-growing threat to your business

An essential guide from Thawte

White paper, 2015



Contents:

Cybercrime – The ever-growing threat to your business: Introduction 3

Data breaches 4

Phishing 4

Spam 5

Identity theft 6

Vulnerabilities & malware threats 7

Damage to your business 7

A strategy that protects you 8

Fighting back with SSL 8

Take your security to the next level with an ‘Always-On’ approach 9

Conclusion 9


Introduction

‘Cybercrime’ has entered the lexicon in a big way and has become a significant threat to businesses wherever they are located and whatever their size. But how bad is the threat? And why does it cause such high levels of alarm and concern?

2014 saw cybercrime operations grow ever more refined, with specializations, service providers and fluctuating markets very much mirroring the legitimate technology industry. According to the Symantec ‘Website Security Threat Report 2015’1, “a drive-by download web toolkit”, for example, which includes updates and 24/7 support, can be rented for between $100 and $700 per week. Distributed denial of service (DDoS) attacks can be ordered from $10 to $1,000 per day and, in terms of the buyer’s market, credit card details can be bought for between $0.50 and $20 per card, while 1,000 followers on a social network can cost as little as $2 to $12.

A report by Hewlett Packard and the U.S.-based Ponemon Institute of Cybercrime2 stated that hacking attacks cost the average American firm $15.4 million per year, double the global average of $7.7 million. The most costly cybercrimes were those carried out by malicious insiders, DDoS and web-based attacks. The global financial services and energy sectors were the worst hit, with an average annual cost of $13.5 and $12.8 million.

[Infographic: hacking attacks cost the average American firm $15.4 million per year; the average annual cost of cybercrime for the global financial services sector is $13.5 million; the energy sector is one of the worst hit, costing $12.8 million on average each year]

1 http://www.symantec.com/security_response/publications/threatreport.jsp
2 “Hewlett Packard and the U.S.-based Ponemon Institute of Cybercrime”


Data breaches

If 2014’s high-profile data breaches taught us anything, it’s that IT security teams need to step up their game in 2015 and beyond.

Indeed, more recent high-profile hacking attacks, such as those affecting Sony, Netflix, health insurer Anthem and parking ticket website PaymyPCN.net, have served to increase business concerns substantially about the real-world implications of cybercrime. With growing numbers of hacking attacks aimed at harvesting valuable data, such as healthcare records and credit card numbers, enterprises are increasingly recognizing – and often feeling – the effects of data misuse. Their critical systems are facing increasingly sophisticated threats and whilst shoring up the perimeter against known attacks is paramount, it is not enough. Solutions employed right across the business must be just as advanced and persistent as the threats they face, going well beyond traditional approaches. One key reason why cybercrime is flourishing is due to the myriad of opportunities to exploit vulnerabilities in an enterprise’s defence system, such as those resulting from negligence and human error, leaving a company open to data breaches and enabling an external attacker to hijack legitimate credentials to infiltrate a corporate network.

Phishing

It’s worth pinpointing some of the key areas of vulnerabilities that cybercriminals are now exploiting and the damage they can cause. Spear phishing attacks: a virtual trap set by cyber thieves that use official-looking emails to lure you to fake websites and trick you into revealing your personal information.

Phishing attacks start with an innocent-looking email that appears to come from a trustworthy source, but have now evolved to the extent that often neither the individual nor the organisation is even aware an incident has occurred until it is too late and confidential data has already been stolen. They are mainly designed to deceive employees, who are still seen as the ‘weakest link’, but Thawte has observed that many companies simply do not have efficient internal incident response procedures in place to alert their staff about such threats.

There are a number of key processes that should be functional for an organization to be able to resist these external threats, including the length of time before a phishing email is recorded as an incident and having effective out-bound email filters implemented to prevent the leakage of sensitive data. For example, companies should be able to respond to a phishing attack within 15 minutes of receiving the malicious email. Efficiency at the early stages is crucial. Yet many of them fail to react within that time frame.
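As an added example (not part of the Thawte white paper), the out-bound email filter mentioned above can be implemented as a check that quarantines mail leaving the organisation when its body contains a payment card number. Random digit runs are separated from real card numbers with the Luhn checksum that card numbers carry. The internal domain, the sample messages and the card numbers are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Hypothetical internal mail domain (constructed for this example).
INTERNAL_DOMAIN = "example.com"

# 13 to 19 digits, optionally separated by spaces or hyphens, ending in a digit.
CARD_CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers: weeds out random digit runs."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return digit strings in text that look like card numbers and pass Luhn."""
    found = []
    for match in CARD_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


@dataclass
class Message:
    sender: str
    recipient: str
    body: str


def is_external(address: str) -> bool:
    """True when the recipient is outside the organisation's mail domain."""
    return not address.lower().endswith("@" + INTERNAL_DOMAIN)


def filter_outbound(msg: Message) -> tuple[str, list[str]]:
    """Decide 'deliver' or 'quarantine' for one outbound message.

    Only mail leaving the organisation is inspected; internal mail is passed through.
    """
    if not is_external(msg.recipient):
        return "deliver", []
    cards = find_card_numbers(msg.body)
    if cards:
        return "quarantine", cards
    return "deliver", []


# Constructed sample traffic (not real data).
SAMPLE_MESSAGES = [
    Message("finance@example.com", "vendor@partner.test",
            "Please charge 4111 1111 1111 1111 for the invoice."),
    Message("finance@example.com", "audit@example.com",
            "Card on file ends 4111-1111-1111-1111, internal only."),
    Message("sales@example.com", "lead@other.test",
            "Our reference number is 1234 5678 1234 5678, thanks."),
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        verdict, hits = filter_outbound(m)
        print(f"{m.recipient:22} -> {verdict} {hits}")
```

The first message is quarantined (external recipient, Luhn-valid number), the second passes because it stays inside the organisation, and the third passes because its 16-digit reference fails the Luhn check. A production filter would cover other sensitive-data patterns and log every quarantine so the incident response team sees it quickly.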


Most phishing scams are distributed through phishing emails or URLs on social media sites. On social media, there’s often a news hook, like the Ebola outbreak, or some kind of celebrity scandal that encourages people to click on links that require them to ‘login’ before they can see the details or video promised. Email distribution can also involve news hooks, but is used to phish for professional account logins, such as banking details, LinkedIn accounts and cloud file storage.3 Some emails pose as security updates or unusual activity warnings that require you to fill in your details on a phishing site, which immediately sends your details to the criminals.

The origins of these phishing sites are often obscured to prevent security warnings when victims open their browsers, and this year saw a new leap forward for the criminals, with the use of AES (Advanced Encryption Standard). The encryption is designed to make the analysis of phishing sites more difficult and a casual analysis of the page will not reveal any phishing-related content, as it is contained in the unreadable encrypted text. Browser and security software warnings are therefore less likely to appear, more victims are likely to fall for the scam and it’s harder to track4. This is an increasingly menacing world, faceless, aggressive and highly sophisticated. And ignoring it is no protection. Any wise enterprise must assume that they are in line to be targeted, no matter where they are or what size of operation. Accepting that there is a phishing scam somewhere down the line that will have you in its sights is by far the best policy – because then you can plan exactly how to deal with the fallout and possibly spare your business untold damage.

Spam

The most common form of spam is unwanted email, but you can also get text message spam, instant message spam (sometimes known as spim), and social networking spam. Some spam is harmless, but at the other end of the scale, it is used as part of an identity theft scam or other kind of fraud.

A common approach is for spammers to flood the Internet with many copies of the same message, in an attempt to force the message on people who would not otherwise choose to receive it. Most email spam is commercial advertising, often for dubious products, get-rich-quick schemes or bogus legal services. One particularly nasty variant of email spam is sending spam to mailing lists (public or private email discussion forums). Since many mailing lists limit activity to their subscribers, spammers will use automated tools to subscribe to as many mailing lists as possible, so that they can grab the lists of addresses or use the mailing list as a direct target for their attacks.

Spam is big business and the spammers keep doing it because people keep falling for their scams, clicking on links to install key loggers. One seemingly innocent such scam is to add at the end of an email a phrase such as ‘To unsubscribe, click here’, enticing the recipient to respond. By clicking and performing the action, you have told the spammer your email address is valid and reaches a real person. Spammers can now sell your address to another spammer, with the assurance that the email address is legitimate.

3 http://www.symantec.com/connect/blogs/linkedin-alert-scammers-use-security-update-phish-credentials
3 http://www.symantec.com/connect/blogs/google-docs-users-targeted-sophisticated-phishing-scam
3 http://www.symantec.com/connect/blogs/dropbox-users-targeted-phishing-scam-hosted-dropbox
4 http://www.symantec.com/connect/blogs/fresh-phish-served-helping-aes

[Chart: overall spam rate of 69% in 2012, 66% in 2013 and 60% in 2014, per the Symantec ‘Website Security Threat Report 2015’]


On the plus side, over the last three years, states the Symantec ‘Website Security Threat Report 2015’, the overall spam rate has dropped from 69% in 2012 to 66% in 2013 and 60% in 2014. While this is good news, there are still a lot of scams out there being sent by email – and criminals are still making plenty of money. In October, Symantec reported an increase in a particular scam where emails were sent, often to a recipient working in the finance department of a company, requesting payment by credit card or the completion of a wire transfer. The sender details were sometimes faked or made to look like they had come from the CEO, or other high-ranking member of the victim’s company, and money transfer details were either sent in an attachment or required the victim to email back and request them.5

The rise in this type of scam is most likely due to the fact that scams based on malicious attachments can be more easily filtered by corporate security systems, but many organisations are still not undertaking this simple action, despite the majority of malicious emails still relying on potentially harmful attachments. In contrast, a sharp rise in malicious URLs versus attachments at the end of the year was related to a change in tactics and surge in socially engineered spam emails.

“End users should be mindful when using any social network, keeping an eye out for free offers for gadgets, gift cards and airline tickets or enticing invitations to join adult dating and webcam sites,” cautions the report. “If you are asked to fill out a survey or sign up for a service using a credit card, you are most likely being scammed.” As the old adage goes: ‘If it sounds too good to be true, it probably is.’

Identity theft

Identity theft – the process of your on-line self gradually being taken over – could start when someone hacks your webmail, and then your PayPal and iTunes accounts. That becomes the passport into other accounts, until the cybercriminals who stalk the Internet, looking for easy victims, all but control your online life.

Why are more and more people being caught in this deadly trap? In part, because many of us fail to properly secure our vital data and systems, using the same, easily broken, passwords (daisy chaining) across email accounts and multiple sites that we visit, leaving behind a trail of personal details from which the hackers can build a picture of exactly who we are.

To criminals, business identity theft means the potential for even more easy money and goods. It involves the actual impersonation of the business itself. It can occur through the theft or misuse of key business identifiers and credentials, manipulation or falsification of business filings and records, and other related criminal activities intended to derive illicit gain to the detriment of the victimised business; and, to defraud creditors and suppliers, financial institutions, the business’ owners and officers, unsuspecting consumers, and even the government. Any type of business or organization of any size, or legal structure, is a target.

Right now, someone reading this white paper will almost certainly be being groomed as another victim of identity theft – the estimated worldwide cost of which has soared to around $5 billion a year, according to the latest Microsoft Consumer Safety Index survey.

5 http://www.symantec.com/connect/blogs/malicious-links-spammers-change-malware-delivery-tactics

[Callout: identity theft, estimated worldwide cost $5 billion a year]


As for passwords, the ultimate problem is that it is all too often the hacker’s passport to all that’s most private and precious – a single point of failure that, once infiltrated, can open the floodgates, allowing them access to every aspect of your personal life. In the main, we are lazy and careless with our passwords, tending to daisy chain them or opt for the obvious, such as ‘password’ or ‘123456’. As for employing a short password, no matter how watertight you may think it is, modern processing speeds are able to rip through 10,000 passwords in just a few seconds. Best practice dictates that you change your passwords regularly, making them complex and strong.

Vulnerabilities & malware threats

While the levels of spam may be falling off slightly, the trend in the number of vulnerabilities leaving enterprises exposed to attacks is doing the exact opposite, continuing inexorably upwards. And although remedies, workarounds or patches are readily available for the majority of reported vulnerabilities, malware authors are only too aware that many people do not apply these updates – and so they are able to exploit well documented vulnerabilities.

In many cases, a specialist ‘dropper’ scans for a number of known vulnerabilities and uses any unpatched security weakness as a backdoor to install malware – the short form for ‘malicious software’, i.e. any kind of unwanted software installed without your consent. Viruses, worms and Trojan horses are all examples of malware. This, of course, underlines the crucial importance of applying updates; this is how web exploit toolkits, such as Sakura and Blackhole, have made it easier for attackers to exploit an unpatched vulnerability published months or even years previously.

Several exploits may be created for each vulnerability, and a web attack toolkit will first perform a vulnerability scan on the browser to identify any potentially vulnerable plug-ins and the best attack that can be applied. Many toolkits won’t utilize the latest exploits for new vulnerabilities, if an old one will suffice; exploits against zero-day vulnerabilities are uncommon and highly sought after by the attackers, especially for use in ‘watering-hole’ attacks, i.e. the targeted hijacking of legitimate websites to push malware.

With the majority of websites still accommodating vulnerabilities, it is clear that many website owners are not keeping on top of vulnerability scans. They may be paying more attention to malware scans that could potentially reveal malicious software – yet malware is often planted following the earlier exploitation of vulnerabilities.

Damage to your business

So what is the likely impact of all these attacks on you and your organisation? Typically, aggressive attacks can cause prolonged disruption to internal and external business operations. Servers may be taken down completely, data wiped and digital intellectual property released on the Internet by attackers. Employees may not be able to fully function normally in the workplace for months afterwards. On top of that, such attacks may expose embarrassing internal data via social media channels — and could have a longer media cycle than a breach of credit card or personal data.

However, the impact of a cyberattack goes far beyond that. The loss or theft of sensitive customer data can also have a serious impact on the economic value of a company’s reputation. Anyone affected where data has been stolen or disclosed without their consent may react by publicising the matter in social media and/or inform journalists, as well as the regulator. This can lead to a wider distrust of the company, which, in turn, can result in the blacklisting of its website, lost business and/or a fall in the share price.

A company’s reputation is its greatest asset, making it imperative that business leaders take every possible step to protect themselves, customers, employees and intellectual property against data breaches and the potential fall-out from negative publicity this provokes.


A strategy that protects you

Every business needs to have in place a comprehensive strategy to protect themselves against all of these points of entry – and also to detect whether they have already become unknowing victims of the growing tide of cybercrime. This is the time for organisations to take a holistic approach to the security procedures required to combat advanced threats, rather than look for a ‘silver bullet’ technology solution. A ‘hands-on’ approach by IT departments, in conjunction with external data specialists, can then help implement, review and enhance security procedures. Not acting now only opens the door wider to the likelihood of a successful attack that may well mean loss of revenue, of customer trust and the potential loss of critical data.

Most worryingly, such attacks could be initiated externally or internally. While the vast majority of employees are principled and loyal to the business, there need to be systems in place to guard against those who are not. At the same time, genuine human error is equally a fact of life and may prove just as costly where it leads to a breach of your defences. With the right controls and protections in place, with help from the right provider, the guessing game of who is ethical and who is not, or who is trying to exploit your IP – or indeed already have – becomes redundant and a thing of the past.

Fighting back with SSL

While admittedly there is no silver bullet, a number of technologies can help protect you and your customers, and underpin business credibility. With many of the current phishing techniques relying on driving customers to spoofed websites to capture personal information, that is where technology such as Secure Sockets Layer (SSL) becomes critical in fighting phishing and the other forms of cybercrime described in this white paper – by encrypting sensitive information and authenticating your site. If you are not already using SSL, then look at it not as an option, but as a ‘must be deployed now’. The welfare of your business and its very reputation depend on it.

Ultimately, security best practices call for implementing the highest levels of encryption and authentication possible to protect against cyber fraud and build customer trust in the brand. SSL, the world standard for online security, is the technology used to encrypt and protect information transmitted over the web. SSL protects data in motion – which can be intercepted and tampered with, if sent unencrypted. Moreover, support for SSL is built into all major operating systems, web browsers, Internet applications and server hardware.

Choose Extended Validation (EV) SSL Certificates for the highest visible display of online trust. This is the gold standard in SSL certificates. EV verification guidelines, drawn up by the CA/Browser Forum, require the CA to run a much more rigorous identity check on the organisation or individual applying for the certificate. Sites with an EV SSL certificate have a green browser address bar and a field appears with the name of the legitimate website owner and the name of the CA that issued the certificate.



Take your security to the next level with an ‘Always-On’ approach

Businesses that are serious about protecting customers and their business reputations should implement ‘Always-On SSL’, with SSL certificates from a trusted Certificate Authority such as Thawte. Always-On SSL delivers the same high level of SSL protection throughout your site, securing the visitor’s entire session with SSL, not just on forms and checkout pages. Visitors will always feel secure with the reassuring ‘HTTPS’ at the beginning of the browser address bar throughout their entire stay on your website, making it safer to search, share and shop online. What’s more, Google now favours websites that implement ‘HTTPS everywhere’/Always-On SSL, rewarding owners with an SEO ranking boost.
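Whether a site really delivers HTTPS for the entire session, and not just on checkout pages, is something a site owner can check rather than assume. The following is an added example, not code from Thawte or the white paper: it audits a set of crawl results under an always-on policy, requiring every plain-HTTP URL to redirect to an https:// location and every HTTPS page to load its scripts, images, stylesheets and frames over HTTPS only (a plain-HTTP sub-resource on an HTTPS page is the ‘mixed content’ that browsers warn about). The site, URLs and responses are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed crawl results for a hypothetical site (not a real site, not from the paper).
# Each entry: URL -> status, optional Location header, and the HTML body.
CRAWL = {
    "http://shop.example/": {
        "status": 301, "location": "https://shop.example/", "body": ""},
    "https://shop.example/": {
        "status": 200, "body": '<a href="/catalog"><img src="https://cdn.example/logo.png"></a>'},
    "http://shop.example/catalog": {
        "status": 200, "body": '<img src="http://cdn.example/item.png">'},
    "https://shop.example/checkout": {
        "status": 200, "body": '<script src="http://cdn.example/analytics.js"></script>'},
}


class ResourceCollector(HTMLParser):
    """Collect URLs of sub-resources (script, img, link, iframe) from a page."""

    def __init__(self) -> None:
        super().__init__()
        self.resources: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "img", "link", "iframe"):
            for name, value in attrs:
                if name in ("src", "href") and value:
                    self.resources.append(value)


def mixed_content(body: str) -> list[str]:
    """Sub-resources loaded over plain http:// from a page (mixed content)."""
    collector = ResourceCollector()
    collector.feed(body)
    return [r for r in collector.resources if r.lower().startswith("http://")]


def audit_always_on(crawl: dict) -> list[tuple[str, str]]:
    """Flag pages that break an always-on HTTPS policy.

    A plain-HTTP URL must answer with a redirect (3xx) to an https:// location;
    an HTTPS page must not pull sub-resources over plain HTTP.
    """
    findings = []
    for url, resp in crawl.items():
        if urlparse(url).scheme == "http":
            status = resp["status"]
            location = resp.get("location", "")
            if not (300 <= status < 400 and location.startswith("https://")):
                findings.append((url, "served over plain HTTP, no redirect to HTTPS"))
        else:
            for resource in mixed_content(resp["body"]):
                findings.append((url, f"mixed content: {resource}"))
    return findings


if __name__ == "__main__":
    for url, problem in audit_always_on(CRAWL):
        print(f"{url}: {problem}")
```

Run against the constructed crawl, the audit reports two problems: the catalog page is still served over plain HTTP, and the checkout page, although itself on HTTPS, loads an analytics script over HTTP. The home page passes because its HTTP address redirects to HTTPS and its only sub-resource is fetched over HTTPS. In practice the crawl data would come from a real crawler and the audit would run on every release, since a single new HTTP resource reintroduces the browser warning the always-on approach is meant to remove.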

Conclusion

The ever-increasing threat from data breaches, phishing, spam, identity theft, vulnerabilities and malware means that organisations like yours can no longer afford inaction. With the cost of cybercrime in the U.S. alone heading towards $16 million per year, security technologies that underpin online business credibility and customer trust are now more vital than ever. This is why SSL is now a must-have for any organisation interested in protecting its customers and its online reputation. It’s why Always-On SSL, which protects your customers during their entire user session, is now favoured by sites like Google and is fast becoming the new standard in website security. And it’s also why Thawte is here to provide you with all the expertise and website security technology you need.


Green bar

Increase your conversions and reduce fraud with the Thawte Green Bar.

Not All SSL Is the Same

Thawte online security is trusted by millions of people around the world. Here are just a few reasons to switch to Thawte:

Strongest SSL Encryption: Protect your confidential data with 256-bit SSL encryption and $1.5m USD Warranty.

Lightning Fast OCSP Speed: Faster Online Certificate Status Protocol (OCSP) response delivers an optimised customer experience.

Thawte Certification Center: Buy, renew, and manage certificates with a single, secure sign-in to Thawte® Certificate Center.

Scalability: Thawte grows with you. Our infrastructure supports more revocation checking globally than all other Certificate Authorities combined.

Uncompromised Infrastructure: Thawte is the 1st International SSL certificate provider and has never been breached or compromised. Delivering 100% planned uptime.

Industry Leading Support: Easy enrolment, installation help and world class multi-lingual expert support help you get up and running fast.

Money-back Guarantee: We provide a 30 day, no questions asked, money-back guarantee to ensure you are satisfied with your purchase.


More Information

If you have further questions, or would like to speak with a Sales Advisor, please feel free to contact us:

Via phone
US toll-free: +1 888 484 2983
UK: +44 203 450 5486
South Africa: +27 21 819 2800
Germany: +49 69 3807 89081
France: +33 1 57 32 42 68

Email: [email protected]

Visit our website at https://www.thawte.com/ssl

© 2015 Thawte, Inc. All rights reserved. Thawte, the Thawte logo, and other trademarks, service marks, and designs are registered or unregistered trademarks of Thawte, Inc. and its subsidiaries and affiliates in the United States and in foreign countries. All other trademarks are property of their respective owners.

Protect your business and translate trust to your customers with high-assurance digital certificates from Thawte, the world’s first international specialist in online security. Backed by a 17-year track record of stability and reliability, a proven infrastructure, and world-class customer support, Thawte is the international partner of choice for businesses worldwide.
