By Dan Ross, CEO, Promisec
Cyber criminals use a variety of techniques to invade an organization and breach confidential data. They seek to penetrate and remain undetected until they are ready to strike, deploying new methods to evade detection and stay one step ahead of anti-virus and anti-malware products that rely on known signatures to be effective.
In the recent attacks on Target, Neiman Marcus, and others, the attackers gained access and then uploaded malware known as Dump Memory Grabber to Windows-based point of sale (POS) machines. This malware adds itself to the system registry so that it runs automatically whenever the system boots. It then scans the memory of the POS systems, capturing credit card data from Tracks 1 and 2, which enables the attackers to clone physical cards. It is important to note that when the malware was introduced to the POS system, it made changes to services, processes, the registry, and files in order to operate.
Companies that rely only on anti-virus/anti-malware detection cannot keep up with an ever-changing threat landscape and would not have detected these types of changes on end user computers or POS devices. Only after the malware was discovered could the anti-virus and anti-malware products be updated to provide the proper protection. To protect against this type of breach, companies must be able to detect changes to services, processes, files, and registry entries.
Breaches also occur in other ways, as attackers constantly seek vulnerabilities to exploit. To mention a few: companies that are not disciplined about patching their software and applying hot fixes are at risk, because attackers exploit unpatched versions of software. The agents of anti-virus/anti-malware products can become disabled — unintentionally or otherwise — leaving endpoints at risk; in fact, there have been cases where the attackers disabled the agents to avoid detection. Agents of systems management tools such as Microsoft SCCM can also become disabled, rendering those machines unreachable and therefore invisible to the tool.
Also, users commonly download unauthorized software or visit sites, such as music or file sharing sites, that attackers target. While enterprise help desk teams benefit greatly from remote-control software that lets them take control of a user’s endpoint for support, attackers also target this software and use the already installed remote-control software to take control of the endpoint, making their activity more difficult to detect, trace, or investigate.
In addition, users are increasingly targeted through social engineering: phishing emails that lead them to unknowingly click on a link, and other methods that trick them into revealing passwords or other sensitive information. Users may also introduce unauthorized hardware (such as thumb drives) or software into the environment, which adds risk. To teach a workforce to help prevent data breaches, a company should first establish a policy for end user computing devices. This should include a whitelist of everything that is allowed and should be running and up to date, and a blacklist of everything that should not be running. The policy should be clearly communicated, with examples of how attackers seek to exploit endpoints. It should be enforced by frequently scanning the endpoints with an automated tool to check for any gaps in compliance and remediating any violations immediately when they are discovered.
Some verticals have additional regulatory requirements with which they must demonstrate compliance on a regular basis — HIPAA in healthcare, PCI DSS in retail, etc. — and these often have implications for endpoint devices. For example, HIPAA requires that unauthorized software not be running on devices that contain patient data. Regardless, every organization has confidential data that it must protect, and it should be vigilant about its own internal requirements and policies. Every business — large and small — is a target.
There is no silver bullet solution to prevent data breaches; companies must deploy multiple methodologies and tools to inspect, identify, and remediate changes on their endpoints. As best practices, they should ensure that the tools they use are up to date with the latest signatures, patches, and hot fixes, that the agents are functioning properly at all times, and that any services allowing remote access have secure passwords. It’s not enough to just “set it and forget it” in a threat landscape of constant change. Endpoints should be inspected frequently to identify any problems for speedy remediation.
Companies should consider cyber liability insurance coverage, designed to protect IT businesses against liability and expenses from the theft or loss of data, as well as liability and expenses arising from a breach of data security or privacy, particularly when hosting client information. IT service providers are wise to protect themselves with their own coverage as well. Service providers should heed their own advice and make sure they are diligent in protecting their information and infrastructure in the same way, especially if they are connected to their clients’ networks or hosting their clients’ data.
In today’s threat environment, it takes a multi-layered approach to ensure security and compliance. This means not only deploying the proper security tools, but also making sure that every IT asset is configured properly, all agents are up to date and running, all software is patched properly, and passwords are secure.
Start by ensuring that the client defines a baseline or gold image of the desired endpoint configuration (a whitelist of all approved software and a blacklist of all known threats) and communicates this as policy. Use an automated tool to scan all endpoints frequently to ensure that the installed anti-virus software is functioning properly and up to date, that the latest service packs and hot fixes are installed, and that no unauthorized software is running. Most importantly, to detect malicious activity, inspect daily to identify any changes that have occurred and whether any added services, processes, files, or registry entries are present that must be addressed immediately.
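The whitelist/blacklist policy described above and the daily gold-image inspection in this closing step can be reduced to the same two checks: diff today's inventory against the baseline, then apply the policy to whatever is running. The following is an added example illustrating those checks; it is not Promisec Endpoint Manager or any other product's code. The snapshot shape (service names, process image names, registry autorun entries, installed hotfixes), the policy fields, and every name and value in the sample data are constructed for illustration; `memscraper_example.exe` is a made-up name, not a real indicator.

```python
"""Gold-image baseline diff plus whitelist/blacklist policy check.

Added example for this article; it is not Promisec's tooling. It takes
two inventory snapshots of an endpoint (services, processes and registry
autorun entries) and a policy, reports what changed since the baseline,
and flags anything blacklisted, unapproved, or missing. All snapshot and
policy values below are constructed for illustration.
"""
import ntpath
from dataclasses import dataclass


@dataclass
class Snapshot:
    """Inventory of one endpoint at a point in time (constructed shape)."""
    services: frozenset           # service names present on the host
    processes: frozenset          # image names of running processes
    run_keys: dict                # registry autorun name -> command line
    installed_hotfixes: frozenset


@dataclass
class Policy:
    """The endpoint policy the article describes: whitelist + blacklist."""
    whitelist: frozenset          # everything allowed to be running
    blacklist: frozenset          # everything that must never run
    required_services: frozenset  # agents that must be up (AV, SCCM, ...)
    required_hotfixes: frozenset  # patches the gold image mandates


def _running_names(snap):
    """Collapse services, processes and autorun commands to bare names,
    so a run key pointing at C:\\Temp\\x.exe is judged as 'x.exe'."""
    autorun = frozenset(ntpath.basename(cmd) for cmd in snap.run_keys.values())
    return snap.services | snap.processes | autorun


def diff_snapshot(baseline, current):
    """What was added, removed or altered relative to the gold image."""
    return {
        "services_added": sorted(current.services - baseline.services),
        "services_removed": sorted(baseline.services - current.services),
        "processes_added": sorted(current.processes - baseline.processes),
        "processes_removed": sorted(baseline.processes - current.processes),
        "run_keys_added": sorted(k for k in current.run_keys if k not in baseline.run_keys),
        "run_keys_changed": sorted(
            k for k in current.run_keys
            if k in baseline.run_keys and current.run_keys[k] != baseline.run_keys[k]
        ),
    }


def check_policy(current, policy):
    """Apply the whitelist/blacklist and the agent/patch requirements."""
    running = _running_names(current)
    return {
        "blacklisted": sorted(running & policy.blacklist),
        "unapproved": sorted(running - policy.whitelist - policy.blacklist),
        "agents_down": sorted(policy.required_services - current.services),
        "hotfixes_missing": sorted(policy.required_hotfixes - current.installed_hotfixes),
    }


def scan(baseline, current, policy):
    """One daily inspection: combine the diff and the policy findings."""
    findings = {**diff_snapshot(baseline, current), **check_policy(current, policy)}
    return dict(findings, needs_remediation=any(findings.values()))


# Constructed gold image for a POS endpoint: AV and SCCM agents running,
# only the POS application registered to autorun.
BASELINE = Snapshot(
    services=frozenset({"AVAgent", "SCCMAgent", "POSService"}),
    processes=frozenset({"pos.exe", "avagent.exe", "ccmexec.exe"}),
    run_keys={"POSApp": r"C:\POS\pos.exe"},
    installed_hotfixes=frozenset({"HOTFIX-1", "HOTFIX-2"}),
)

# Constructed 'today' snapshot showing the pattern the article describes:
# the AV agent is gone, an unknown service appeared, a hotfix is missing,
# and a new autorun entry points at a memory-scraping process.
CURRENT = Snapshot(
    services=frozenset({"SCCMAgent", "POSService", "SysUpdateSvc"}),
    processes=frozenset({"pos.exe", "ccmexec.exe", "memscraper_example.exe"}),
    run_keys={"POSApp": r"C:\POS\pos.exe",
              "SysUpdate": r"C:\Windows\Temp\memscraper_example.exe"},
    installed_hotfixes=frozenset({"HOTFIX-1"}),
)

# Constructed policy: whitelist names what the gold image is allowed to run.
POLICY = Policy(
    whitelist=frozenset({"AVAgent", "SCCMAgent", "POSService",
                         "pos.exe", "avagent.exe", "ccmexec.exe"}),
    blacklist=frozenset({"memscraper_example.exe"}),
    required_services=frozenset({"AVAgent", "SCCMAgent"}),
    required_hotfixes=frozenset({"HOTFIX-1", "HOTFIX-2"}),
)

if __name__ == "__main__":
    for key, value in scan(BASELINE, CURRENT, POLICY).items():
        print(f"{key:18} {value}")
```

Two design points matter in practice. Registry autorun commands are reduced to their image name before the policy check, so a run key that launches a blacklisted binary from an unusual directory is caught by the same rule as the running process. And the diff is reported alongside the policy result rather than instead of it: an item that is not on the blacklist yet (the case the article makes against signature-only detection) still surfaces as "unapproved" or as an added service, process, or run key relative to the gold image.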
Through actionable endpoint intelligence, Promisec makes managing complex IT operations simpler and more efficient for millions of endpoints.