sign in sign up
<<
Home , Poodle, Sony Pictures hack, Stagefright (bug)

TRENDS 2016 (IN) SECURITY EVERYWHERE INDEX

1 Index Page 6 Trends 2016: (In)security everywhere

2 Internet of Things: security as a whole Page 9 ▸ Wearables ▸ Interconnecting homes ▸ Interconnectivity of all things ▸ Ensure, then connect

3 : first files... Page 15 now complete devices ▸ Varieties of ransomware ▸ The increase in the number of variants ▸ Evolution of threats ▸ From the computer to the TV ▸ Conclusion: the same goal for another threat

4 Targeted attacks: implications, reasons and objectives Page 20 ▸ Kits for cyber espionage? ▸ Attacks on users and specific systems ▸ Are APTs considered to be the weapons of the future?

5 , and massive campaigns Page 25 around the world ▸ , zombies and global campaigns ▸ New families, new techniques, but the same goals ▸ Collaboration is the key to fighting ▸ Where are we going?

6 Haxposure: an emerging threat with important Page 30 implications ▸ Haxposed: Damaging company secrets and innocent customer ▸ The implications of haxposure ▸ Haxposure 2016? 7 Mobile devices: threats and vulnerabilities Page 35 ▸ An overview of ▸ 2015 milestones ▸ But what happened with ? ▸ What may we expect from this trend?

8 Windows 10: Page 47 Security features and user privacy ▸ Security features ▸ Privacy and user acceptance

9 Critical infrastructure: Page 51 it's time to make security a priority ▸ Critical systems at risk ▸ Information asset management as a key factor ▸ Common threats targeting industries indiscriminately ▸ Healthcare – among the most affected sectors ▸ Highly vulnerable medical devices ▸ Record theft: more than just exposed data ▸ Focusing on security to prevent intrusion

10 Laws and regulations Page 57 ▸ Meeting standards and better security practices ▸ Laws protecting personal information around the world ▸ Information Security: an effort shared between governments, companies and users

11 Threats to kids on the web Page 64 ▸ Privacy and sexting ▸ Grooming ▸ Cyberbullyng ▸ Law and social contract as prevention

12 2016: the security challenge Page 70 1 Trends 2016: (In)security everywhere 1 TRENDS 2016: (IN)SECURITY EVERYWHERE

Year after year, at ESET’s Research Laboratories, we review some of the most im- portant events of the year globally, and their impact on the worlds of both corpo- rate and home IT users. Taking into account discussion and examination of what has happened in technology, it is difficult to sum up everything in one phrase. New technologies, attack reports, new malware families, and security flaws with a global impact: the speed at which these follow one another makes security an increasingly important challenge for businesses, enterprises, governments and us- ers around the world.

In recent years, we have discussed how which are used as standalone appliances the web became one of the main chan- but with the additional ability to connect nels for the spread of malicious code; the to the Internet, of generating information growth and professionalization of crime- and sharing it with thousands of users, ware; the importance of botnets to the providers or companies. The informa- world of cybercrime; the spread of mal- tion shared belongs to the users, either ware targeting mobile devices. Each of through devices that people use and carry these trends has had an impact in recent with them all day (such as smartwatches), years, and in our document "Trends for or through electrical appliances, or even 2015: Targeting the corporate world" we not sensors that collect information in public only emphasized how different compa- places. This trend poses a new challenge, nies had become the targets of computer a need to ensure the safety of information attacks, but also broke the report down flowing to and from these new technol- into different topics. ogy devices. This challenge, added to all other areas that have already been ad- When distinguishing between trends, dressed by the IT department for years, there is a clear relationship between the significantly extends the level of protec- expanding number of devices, the growth tion and training needed. of technology, and the increasing chal- lenge of safeguarding information, what- 2015 was a year in which the corporate ever the scope of its implementation may sector was the target in various security be. In "Trends for 2013: Astounding growth incidents; in which the disclosure of vul- of mobile malware" we added a first sec- nerabilities affected millions of mobile tion for malware in new technologies, devices; in which there were continuing before there was talk about the Internet reports of directed attacks; and in which of Things (IoT), referring to Smart TV, and vulnerabilities emerged that affected other smart devices. Today, three years many IoT devices, from cars to precision after that document, IoT is more present rifles. In this report, we will review the than ever, and continues to grow not only most important recent events in security in the home but also in the context of in- and, based on the events that occurred, dustry, business and government. we will predict future trends and chal- lenges for maintaining the security of in- When we talk about IoT we are referring formation, both within the business envi- to devices we already know about and ronment and at home.

6 1 Tends 2016: (In)security everywhere

Throughout the various sections of this It is our pleasure to introduce this docu- paper, we will review the state of crime- ment from ESET Laboratories in which ware and its impact on companies and we try to tell you what will happen and users, and we will look at directed attacks what the challenges are for next year in and APT campaigns that have occurred terms of : "Trends 2016: in different parts of the world. Moreover, (In)security Everywhere". we will consider the risks faced by victims of ransomware when it comes to sal- vaging their information, and how they can protect themselves from this kind of extortion. Finally, we will review each of the most important topics in the security world, explaining why cybercriminals at- tack more and more platforms and tech- SECURITY IS NO LONGER nologies, and why, ultimately, security is JUST A PROBLEM FOR no longer just a problem for a few indi- A FEW INDIVIDUALS BUT viduals but rather a problem involving RATHER A PROBLEM more and more people, and why security INVOLVING MORE AND should occupy an important part in our lives. MORE PEOPLE

7 2 Internet of Things: security as a whole

▸ Wearables ▸ Interconnecting homes ▸ Interconnectivity of all things ▸ Ensure, then connect

Author Pablo Ramos 2 INTERNET OF THINGS: SECURITY AS A WHOLE

The Internet of Things (IoT, to use its to the Internet, and that number will keep English acronym) is a topic that became growing over the next 5 years, reaching popular some years ago and which, from up to 25 billion Internet-connected devic- its very beginning, has generated con- es by 2020. In brief, IoT is here to stay, and troversy and debate, mainly within the through the upcoming years the number information security community, since of devices that generate, store and ex- its emergence involved (and still involves, change data among users will continue more than ever) big and new challenges. to grow, with the aim of improving their experience and simplifying many of the Two years ago, more precisely in the re- tasks they perform. (Table 1) port Trends for 2013: Astounding growth of mobile malware, ESET’s Global Research In the forecast below, Gartner predicts Laboratories were already pointing out that the consumer segment will be the the threats faced by smart devices based fastest-growing over the next five years. on 2012 research, reports and detections. Whether by the emergence of new Today, three years later, the advance of wearables (devices used as body acces- technology keeps pushing boundaries sories) or by new household appliances, it and expanding the capabilities of this type is worth pointing out that they will need of device; there are increasing numbers protection to prevent potential security of devices connecting to the Internet and incidents. correspondingly easy access, causing an increase in the number of attacks against However, IoT is not just for consumers: them. This became evident in the form of companies and governments are invest- malicious campaigns which adversely af- ing and getting involved in this industry fected millions of users worldwide. One with the aim of improving people's lives of the most significant cases wasMoose, and their own standing. This process is a worm infecting thousands of routers all known as Industry 4.0; some even believe over the world. that it represent the "fourth stage of the industrial revolution", as it has been la- According to a report from Gartner, to- belled by the Federal Department of Educa- day there are 4.9 billion devices connected tion and Research of Germany.

Table 1 IoT units of equipment by category (in millions)

Category 2013 2014 2015 2020

Automobiles 96.0 189.6 372.3 3,511.1

Consumer 1,842.1 2,244.5 2.874.9 13,172.5

Generic Businesses 395.2 479.4 623.9 5,158.6

Services (Vertical Business) 698.7 836.5 1,009.4 3,164.4

Total 3,032.0 3,750.0 4,880.6 25,006.6

Source: Gartner (November 2014)

9 2 Internet of Things: security as a whole

The process entails the development of panies are concerned, and taking action smart products through smart processes. towards achieving IoT security. Securing Simply expressed, turning a current indus- these devices will be one of the biggest try into a smart industry implies basing it challenges in 2016 for information security mainly on IoT and services. Some of the suppliers. most important areas involved include (but are not limited to) energy providers, sustainable mobility and health care. ▸ Wearables

Regarding Industry 4.0, there are some In 2015, many reports were prepared con- barriers, due to which many companies cerning vulnerabilities in wearables, pre- are still reluctant to engage. As we can senting scenarios that would enable an see in the following graph, "data protec- attacker to steal information from the de- tion and security" constitute one of the vice itself. Among the attack vectors used, biggest obstacles that must be tackled in some failures have been found in appli- order to advance change and encourage cations and in the use of communication acceptance of new devices for goods and technologies such as Bluetooth and the services within this new industrial revolu- use of six-digit PIN codes. tion.(Graph 1) Bluetooth Smart is widely accepted in the Every time a new technology emerges, IoT industry and its security is , therefore researchers test it to understand how it a key factor in the interconnection of de- works and, in some cases, to find out how vices. From smart watches to wrist-worn its security can be violated. Throughout devices measuring sensory data dur- 2015, multiple reports have been seen of ing physical activities, this technology is vulnerabilities in IoT devices, from baby used to connect with other devices such monitors to cars remotely controlled via as . A security failure in the the Internet. Both consumers and com- protocol might enable attackers to read

Graph 1 Obstacles to implementation of Industry 4.0

Financing its implementation

Ensure data protection and security

Segmenting established structures and processes

Technology is still immature

Administering the resulting complexity

Unified semantics for communication between machines

Source: IDC 2014; n=154 – Only companies which are acquainted with the concept of "Industry 4.0".

10 2 Internet of Things: security as a whole

in plain text the information being ex- This research also comprised cases of dif- → changed among them. ferent household devices, and based on We should not be what has been reported in the last few afraid of technology; Some of these incidents have attracted years, it is possible to see this trend in IoT. on the contrary, it is the attention of users, particularly since important to become the market launch of the Apple Watch. In Along these lines, Smart TVs from various aware of and well- this respect, it was observed that soft- makers were considered by researchers informed about ware failures might offer the opportu- at the BlackHat 2013 conference, and its implications. nity for a cybercriminal to reset an Apple the same researchers are still continu- Watch and to reconnect it to another iP- ing to prepare reports on failures in this hone without any problem, regardless of type of devices. In recent reports, we can whether a security PIN had been set be- see how a fridge may become the gate- fore the attack. way for enabling cybercriminals to steal credentials. Moreover, a baby monitor can be controlled remotely to play ▸ Interconnecting homes music or even to access the network to which it is connected. IoT advances allow more devices to be interconnected through a single house- In view of the rapid evolution of technol- hold network. In this way, users can con- ogy, more security failures will be found in nect their smartphones and computers such devices – in which case their imple- to manage and communicate with other mentation within a household network networked household appliances, all of will not be the best option. However, we which improves technology experience should not be afraid of technology; on and equipment usability. In addition, in the contrary, it is important to become view of the higher-level of interconnec- aware of and well-informed about its tion, improved security should be taken implications. into account to maintain the privacy of data, protect communication protocols Today, many more devices are con- and ensure the integrity of application nected to household networks than was and updates. the case five or ten years ago. Therefore, all companies dedicated to information In September 2014, at the Virus Bulletin security understand the resulting chal- conference in Seattle, Jeong Wook Oh of lenges, especially with respect to helping HP presented comprehensive research on users find simple but effective protection various devices used in homes and the for their household network. As their de- feasibility of attacks on them. Today we vices get smarter, device owners should can find TV sets, thermostats, IP cameras be checking their security by using device and other devices in the home that have manuals, as well as tips and guides from Internet connections, and in the event of trusted advisors. a security failure, a family's personal in- formation or systems may become ex- posed.

11 2 Internet of Things: security as a whole

wards helping to develop good practices ▸ Interconnectivity of all in emerging smart critical infrastructures. things

For the future, the challenge for security ▸ Ensure, then connect in IoT is not restricted to the household. Technology keeps improving and time 2016 will be a year of security challenges, and time again we see how govern- with new devices being connected to ments, industries and markets in general the Internet or enabling different ways are turning towards interconnectivity of intercommunication - whether it's for all equipment, systems, and services. a car that can be controlled remotely, or From market research to traffic sys- security failures in drones, or the ways tems, all things are being interconnect- in which users protect their household ed through existing technologies but, in networks. Any connected device should certain cases, without the proper imple- be checked to ensure that it's protected mentation of security protocols. and properly set up to ensure the fu- ture privacy, security, and confidential- In the report “Trends for 2015: Targeting ity of users, companies and government the corporate world”, by ESET Latin Amer- agencies. ica's Research Laboratory, we mentioned that one of IoT's goals is to generate self- There will be differences between how governing environments that can provide users and companies protect their infor- information and services by interacting mation in all those devices onto which with technology. To achieve this objec- a security solution cannot be installed, tive, various companies have started to a scenario that turns protection of the implement reward programs for security network into a critical factor. In the case experts so that they report security fail- of a household network, one of the most ures, as a way to provide their customers important points to take into account with better security, privacy and usability is the router, the device which provides for their devices. access to Internet, and yet which is of- ten disregarded, not updated, and often IoT challenges were a major topic of doesn't even have its default password discussion throughout 2015; as a conse- changed. quence, according to various announce- ments, companies are now working on If the device providing 24/7 Internet ac- standards and regulations to integrate cess in a house is not safe, the net- the Internet of Things into industries, cit- work may become adversely affected: ies, and different areas with the purpose a prominent example was reported by of improving their residents' lifestyle. ESET's Laboratory concerning Linux/ Some examples of this are the invest- Moose, which was found to be changing ments proposed by the German Govern- the behavior of the affected networks. ment and the Industry 4.0 initiative men- tioned above, as well as the cooperation At the same time, the integration of new undertaken by the European Network and networked devices should be taken into Information Security Agency (ENISA) to- account by IT teams to guarantee that

12 2 Internet of Things: security as a whole

they do not become an entry point for non-authorized third parties that may bring about security incidents and loop- holes.

In the current state of affairs as regards security, we have discussed and present- FOR THE NEAR FUTURE, ed the highest-impact incidents world- IOT'S ROLE WILL wide, ranging from targeted attacks to BECOME INCREASINGLY cases of massive infection by malicious SIGNIFICANT FOR THOSE code. If we consider the recently-re- BUSINESSES THAT ported incidents and the security failures usually exploited by attackers, we can CONSIDER INFORMATION conclude that if a new range of smart SECURITY AS ONE OF devices is added to a corporate network, THE KEYS TO security will play an increasingly impor- MAINTAINING THEIR tant and significant role. Providing secu- BUSINESS OPERATIONS rity for any device connected to a corpo- rate environment is a most difficult task for security equipment, and for the near future, IoT's role will become increasingly significant for those businesses that con- sider information security as one of the keys to maintaining their business op- erations.

13 3 Ransomware: first files... now complete devices

▸ Varieties of ransomware ▸ The increase in the number of variants ▸ Evolution of threats ▸ From the computer to the TV ▸ Conclusion: the same goal for another threat

Author Camilo Gutiérrez Amaya 3 RANSOMWARE: FIRST FILES... NOW COMPLETE DEVICES → One of the main threats to computer the prominence of tools to create ransom- This type of malware, security is malicious code. In fact, over ware automatically, allowing criminals to although it is not new, the years it has become one of the main create this type of malware automati- has become causes of security incidents; from the first cally, regardless of their technical exper- increasingly viruses in 1986 to the most sophisticated tise. Similarly, with the recent news of the troublesome for both malware of today. And this type of mal- publication of , the first open businesses ware, although it is not new, has become source ransomware, a new window has and home users. increasingly troublesome for both busi- opened for the development of such mal- nesses and home users. ware and its variants, so we predict the creation of increasingly sophisticated and massively prevalent malware ▸ Varieties of ransomware

Over the past year, cases of ransomware ▸ The increase in the number have gained importance in the field of of variants computer security due to growth in the number of victims, which is in turn due to One of the highlights of ransomware the significant profits that cybercriminals evolution is the growth in the number of can obtain from this type of malicious variants seen in recent years, targeting campaign. various platforms and technologies. The following chart shows that, as you might This form of attack may seem innovative, expect, Windows-related families are the but it is not. In fact, the first widely-known ones that have been showing a year-on- case of ransomware goes back 25 years; year growth in terms of the number of the 'AIDS trojan' was malware that hid di- detections.(Graph 2) rectories and encrypted the names of all the files on the drive, thus making the But, in addition to Windows, variants have system unusable. The victims were then also been designed for other operating sys- requested to "renew their license" with tems. Such is the case with OS X since, dur- a payment of 189 U.S. dollars. Since then, ing 2015, variants of the families of Filecod- new programs seeking to extort money ers unique to these systems were detected. from users have been identified which, unlike PC Cyborg's symmetric encryption, Other technologies such as VBS, Python, used asymmetric encryption algorithms BAT and PowerShell are also used by cy- with larger keys. In 2005 GPCoder, and its bercriminals to compromise users’ sys- subsequent variants, after encrypting files tems for profit. with specific extensions, requested a pay- ment ranging from 100 to 200 U.S. dollars to recover the information. ▸ Evolution of threats

However, this type of malicious code goes Although until now operating systems further and, in fact, there are groups of for desktop computers or laptops have cybercriminals offering this kind of mal- been discussed, these are not the only ware as a service. Ransomware as a Ser- platforms that are exposed to this threat. vice (RaaS) has been discovered through Cases of ransomware were also found to

15 3 Ransomware: first files... now complete devices

Graph 2 the demand for ransom, in an infinite Title: Growth of variants for the Filecoder loop in the foreground. As this mecha- family (in the last 5 years) nism was not technically very complex, it was easily bypassed by users with a little knowledge, so cybercriminals stepped up BAT MSIL VBS their efforts and created new ransom- ware families intended to block access to the device. These new families, such as the one detected by ESET as LockerPIN, deprive users of an effective way to re- gain access to their devices without root privileges or an already-installed security management solution.

Graph 3

Title: Distribution of the amount of Simplocker’s variants detected in the last 2 years affect mobile devices, particularly those running Android, because that is the mo- bile operating system with the most users worldwide.

The first Android-targeting families in- cluded fake antivirus with the ability to lock the screens of the devices. In 2014 Simplocker, the first ransomware for An- droid activated in Tor that encrypts user files directly, was discovered by ESET. In fact, the number of malware families de- tected during 2015 is four percent higher compared to the number detected dur- ing 2014. A small percentage increase in malware families can represent a huge However, Android is not the only plat- increase in individual samples. (Graph 3) form on which ransomware has evolved. In 2013 CryptoLocker rose to prominence During 2015, ESET researchers discovered due to the number of infections gener- the first type of ransomware for Android to ated in various countries. Among its key lock the screen: this modifies the phone features is encryption using RSA 2048-bit unlock code to prevent the owner ac- public key algorithms, targeting only files cessing his own device. This is a signifi- with certain filename extensions, as well cant difference from the first Trojans to as communication with the Command lock Android screens, which constantly and Control (C&C) through the anony- put up windows, displaying mous network Tor.

16 3 Ransomware: first files... now complete devices

In 2015, a new wave of ransomware But IoT encompasses more than watches → was identified with the appearance of and televisions; products ranging from In the last months CTB-Locker, downloaded to the victim’s automobiles to refrigerators already have of 2015 there has computer using a TrojanDownloader, as the ability to connect to the Internet and been a significant witnessed in January 2015 with Win32/ all their operations are controlled by some growth in TrojanDownloader.Elenoocka. Among its form of CPU (Central Processing Unit). ransomware that various versions, there was one with In other words, they are computerized. focuses on and payment instructions While there are many devices for which equipment targeting Spanish-speaking countries. no threats have yet been found, their op- associated with eration involves a software or the Internet These developments lead us to believe component and an Internet connection. of Things (IoT). that ransomware has not yet found Attackers may therefore be attracted to a limit as to the number of victims that them and may be able to misuse them in could be reached and the complexity that order to obtain valuable information. its code and forms of attack it could at- tain. It seems that this type of malicious Proof-of-concept tests have already been code is here to stay and will surely con- performed where, for example, control tinue mutating in the coming years. of an automobile has been successfully affected totally remotely. For this rea- son, if the necessary precautions are not ▸ From the computer to the taken by manufacturers and users, there TV is nothing to prevent an attacker from seizing control of a device's functionality So far, the evolution of this threat is evi- and demanding money to return it. Per- dent by its large number of variants, with haps this is not a threat that we expect increasingly complex mechanisms that to see much of in the near future, but we make it almost impossible to retrieve shouldn't lose sight of it if we are to avoid the information unless payment is made serious problems later. to the attacker - a practice that fosters criminality. It’s even possible that the vic- tim might pay without receiving a recov- ▸ Conclusion: the same goal ery key - or that there is some kind of le- for another threat gitimate technical support that wouldn’t even be able to recover the files, as it is In recent years, the seizure of informa- not susceptible to a brute force attack. tion stored by users and companies on various platforms has become one of the The threat has also diversified in terms of most important trends. The impact it can approach and . In the last months have on users, by preventing them from of 2015 there has been a significant accessing all their information due to the growth in ransomware that focuses on action of malicious code, is of growing equipment associated with the Internet concern. It is one of the most important of Things (IoT). Various devices, such as types of security incidents, as it takes full watches or smart televisions, are likely to advantage of cases where a company's be affected by malicious software of this lack of an effective backup strategy and type, mainly those which operate on An- droid.

17 3 Ransomware: first files... now complete devices

ineffective security implementation ex- is not only to detect and block or re- → poses it to risk. move such attacks, but also to ensure During 2015, we the continuing availability of informa- have seen large Unfortunately, the success of this type of tion. In the near future, network secu- ransomware attack for cybercriminals has not only led rity, the prevention of exploits and the campaigns them to extend it beyond the Windows appropriate configuration of devices will in multiple languages. systems and mobile devices, but its in- take on greater importance to prevent creasing impact has made it one of the such attacks, so that users can enjoy the greatest current concerns of consumers technology: we are on our way towards and companies alike. During 2015, we a fivefold increase in the number of devices have seen large ransomware campaigns connected to Internet over the next five in multiple languages, as was the case years, thus reaching 25 billion online de- with CTB-Locker in January 2015, which vices, so the challenge is to protect them must not be seen as an isolated event. properly against this type of attack. Cybercriminals seek to convince users to accede to their threats by encrypting their files and seizing their information, and this is something that is likely to continue happening.

As technology has evolved, the protec- tion mechanisms to counter threats such THE CHALLENGE IS NOT as ransomware have improved based on ONLY TO DETECT AND experience, and they must be accom- BLOCK OR REMOVE SUCH panied by user management and edu- ATTACKS, BUT ALSO TO cation. However, not all devices can be ENSURE THE CONTINUING protected with a security solution, and this threatens to become a future risk AVAILABILITY OF for consumers and companies. Based on INFORMATION these points, by 2016, we expect to con- tinue seeing ransomware campaigns, trying to exploit new attack surfaces by prohibiting users from accessing their information or services. The increasing trend toward more and more devices be- ing supplied with an Internet connection provides cybercriminals with a greater variety of devices that might be attacked.

From the security side, the challenge

18 4 Targeted attacks: implications, reasons and objectives

▸ Kits for cyber espionage? ▸ Attacks on users and specific systems ▸ Are APTs considered to be the weapons of the future?

Author Pablo Ramos 4 TARGETED ATTACKS: IMPLICATIONS, REASONS AND OBJECTIVES

In the last few years a series of attacks been observed against companies, insti- categorized as APTs (Advanced Persis- tutions and governments. Seventy-three tent Threats) have been reported. When of these were observed during 2015, more this terminology is used, it means that than double the number seen in the same we are not talking about ordinary mal- period of the previous year, and a similar ware campaigns, which are intended to quantity to that seen in the second half of spread as widely as possible, but about 2014. (Graph 4) attacks with a more specific objective. In the report "Trends for 2015: Targeting the Beyond the growth in reports of targeted Corporate World" we discussed the impact attacks or APTs, 2015 witnessed specific APTs have on the security of companies attacks generating controversy on the and how they became one of the biggest basis of the information that was leaked. challenges an organization may face in One of the most important of such cases terms of information security. was the incident, when about 400GB of information was leaked In 2015 the trend continued, and reports from the Team's servers, thus causing of targeted attacks, APTs and "sponsored a great stir about the list of tools the malware" (that is, campaigns where there company marketed, and its customers. is a government or entity behind the at- In consequence, continued attention was tack) generated debate around the world. drawn to the incorporation of various APTNotes, a repository of GitHub created leaked Hacking Team exploits into and maintained by the security commu- malware by different cybercriminals, as nity, has collected published reports about was the case for the APT group Sednit, targeted attacks since 2008. Based on the who incorporated these exploits in their latest update, in August 2015, a cumula- arsenal within a very short time, as did the tive total of 291 targeted campaigns had Webky group.

Graph 4 APTs reports

Graph 4 - reports of APTs - source: ://github.com/kbandla/APTnotes

20 4 Targeted attacks: implications, reasons and objectives

In addition, the Ashley Madison leakage tinued to launch campaigns throughout → of data belonging to 37 million of its users 2015. The increase of Potao detections is These targeted also generated a huge impact on this related to the addition of USB drives as attacks have various service's clients. The strategy of Impact a threat vector, functionality that was objectives, which Team, which perpetrated this attack, was observed for the first time in October vary according to to force the company to stop providing 2013. the actors behind its services and, due to the initial lack On the topic of targeted threats or cam- each incident. of response to its demands, the team paigns, we should also mention the published Ashley Madison users’ details on group called Animal Farm, which was the web, by initiating a series of blackmail known to create malware families such campaigns and spreading threats against as Dino, Casper, Bunny and Babar. Each of victims. these families of malware was reported in the course of 2015 and identified in tar- These targeted attacks have various geted campaigns that date back to April objectives, which vary according to 2014, as reported by ESET researcher Joan the actors behind each incident. ESET Calvet. In some particular cases, such as Research Labs analyzed cases on a global Babar, reports date back to 2009, which scale, directed against certain countries, shows clearly how persistent this type of regions or organizations; among the attack and/or targeted campaign is. most important events of 2015, we noted Potao Express, Animal Farm, Terracotta The relationship between the four fami- VPN, Mumblehard and , among lies of malware was established based on others. the findings reported in April 2015 about similarities in the Babar and Bunny cod- ing which were then seen in Casper and ▸ Kits for cyber espionage? Dino, analysis by Communications Se- curity Establishment Canada suggests The first mentioned case was thePotao an operation whose targets might have Express Operation, a campaign of specif- been systems in Iran and Syria. ic malware using multiple tools for cyber espionage. It focused mainly on targets in the Ukraine, but also targeted other ▸ Attacks on users and specific countries of the Commonwealth of In- systems dependent States (CIS), including Russia, Georgia, and Belarus. Among its targets Another research topic that caused a big were various sectors of the Ukrainian stir was Operation Buhtrap, whose targets government, Ukrainian military insti- were various Russian banks. In this cam- tutions and even news agencies in the paign, which was discovered at the end country. of 2014, the attackers only installed their threats into systems set up to use Russian This family of malware, known as Win32/ as their default language. Potao, has a modular structure that al- lows the attackers to choose different In this case, attackers exploited a vul- tools according to the action they de- nerability in Word as an infec- cide to perform, based on their objective. tion vector for more than three years. Potao was first seen in 2011, but it had Based on the analysis of detections more of an impact during 2014 and con- of malware families associated with these

21 4 Targeted attacks: implications, reasons and objectives

campaigns, it seems that 88% of victims sented in this section were particularly are in Russia. Although this way of oper- oriented to Windows systems and aimed ating was in part similar to most global at stealing confidential information from malware campaigns, such as Operation users, spying on their activities or col- Liberpy, the objectives were specific to lecting information. However, this was Buhtrap. (Graph 5) not all that happened in 2015, since dif- ferent research initiatives have identified During the first few days of Novem- campaigns that have run for more than ber 2015, threat propagation campaigns five years, targeting Unix-based servers, were detected again as part of Operation in order to send spam. In this category, Buhtrap, spread by compromising a well- we found Linux/Mumblehard, malware known legitimate website. In this case, developed in Perl with two main com- the approach was broader but equally ponents: the first is a that pro- oriented towards Russian users, using vides attackers with remote access, while spear-phishing techniques. The first mal- the second is a daemon responsible for ware detected was the Lurk downloader, sending spam. When ESET researchers distributed on October 26. Then Core- estimated its size, they realized that they bot appeared on October 29, Buhtrap on were connected to the sinkhole from October 30, and finallyRanbyus and RAT 8,500 unique IP addresses, and that in Netwire on November 2. early April 2015, its size was approximately three thousand systems, mainly servers. Up to this point, all the campaigns pre-

Graph 5 Structure of a Buhtrap campaign

User receives spam message

User opens the Word file attached

The Word file downloads an additional module from an external server

Now, the attackers can spy and control remotely the victim’s computer

22 4 Targeted attacks: implications, reasons and objectives

Our Trends Report for 2015 previously and training of its teams are among the → addressed Operation Windigo, affecting actions that need to be taken to minimize It is very difficult more than 500,000 systems via propaga- exposure to the risk of a security . to predict when tion campaigns all over the world. or how a company Specific campaigns against web servers But, how should we protect companies will become the or other Internet services are intended by from an attack that is unknown until it target of a group cybercriminals to augment their attacks happens (and maybe for some time af- of cybercriminals. and, in many cases, to go unnoticed so as terwards)? Our report on trends for to keep their activities alive for the long- 2015 asserted that businesses are an in- est possible time. In addition to attacks creasingly tempting target for attack- described on these pages, there have ers, an expectation that was confirmed been many other reports of targeted at- throughout 2015 and strengthened with tacks, in which companies, institutions or the emergence of attacks such as those governments observed the exfiltration of mentioned above. their information. In order to combat this type of event, companies need to improve Protecting a company is not a project; their defenses and computer security it is a process. The technologies used to processes.. protect endpoints should be evaluated on an ongoing basis by a security team, ▸ Are APTs considered to be as should the protection of the perim- the weapons of the future? eter and servers. Encryption helps to protect confidential information, and it Whenever we refer to targeted attacks is not a very common defense measure or malware campaigns for a specific adopted by small or medium-sized com- purpose, there are always enquires from panies. In addition to protecting systems companies who want to know whether and networks, or relying on the encryp- they have been the targets and/or vic- tion of important, sensitive, and/or con- tims. It is very difficult to predict when fidential information, the management or how a company will become the tar- and education of users further helps get of a group of cybercriminals, so they protect the organization. In other words, must be always prepared and protected management is necessary to understand for that eventuality, given that the point the business and role of safety, in order of security installations and software is to to ensure its continuity, and thus decide protect companies from any type of at- to invest and use technological resources tack, directed or not. to protect the business. Additionally, us- ers should be included and trained to play The IT security of a company is, more and their part in information security pro- more, a key factor for its continued oper- cesses through awareness workshops, ation, as evidenced in this section by the internal courses or practices to assess impact that data leaks have had on some their security awareness when it comes companies. For this reason, the best ap- to protecting their company’s assets. proach that a company, institution or government can implement as regards IT security is to be proactive: assessment of its defenses, empowerment of its users,

23 5 Crimeware, malware and massive campaigns around the world

▸ Botnets, zombies and global campaigns ▸ New families, new techniques, but the same goals ▸ Collaboration is the key to fighting cybercrime ▸ Where are we going?

Author Pablo Ramos 5 CRIMEWARE, MALWARE AND MASSIVE CAMPAIGNS AROUND THE WORLD

Within the world of IT security, one of the in code and the volume of threats that → biggest concerns for companies and users affect companies are some of the chal- The cybercrime is malicious code that can compromise lenges that victims have to face. ecosystem has their systems and/or information net- different actors works. This concern is not at all unfound- The cybercrime ecosystem has different who cover a wide ed, as cases of malware, and crimeware actors who cover a wide framework of framework of incidents are reported daily and around criminal activity involving goods and ser- criminal activity. the world. Indeed, the number of reports, vices that provide infrastructural support detections and threats observed by the for malicious action. Such actions, involv- various antivirus laboratories grows con- ing banking Trojans and RATs (Remote stantly and daily, and shows increasing Access Tools) were the subject of sev- diversity. eral investigations on the part of security agencies. 2015 was no exception, and not only was the growth of cybercrime observed However, cyber criminals continue to find worldwide but we also saw a change in ways to reach users. Such is the case with its aggressiveness and in the types of at- regionalized malware campaigns like Op- tack (see the section of this report dedi- eration Liberpy, initially spread through cated to ransomware). email; Operation Buhtrap, infecting its vic- tims through compromised websites that IOCTA (Internet Organized Crime Threat served malware installers; Brolux, a Trojan Assessment) reported a shift in the way that attacked Japanese online banking attackers acted, focusing on confronta- sites; and cases with global impact such tion as one of the most important chang- as . es, ranging from the actions of computer networks that seek to infect It is important to stress that these cam- users’ systems with ransomware variants paigns affect not only home users, but so as to extort money from them, to cy- "small businesses, medium-sized com- bercriminals who used physical force to in- panies, and even large enterprises. Ac- timidate security companies into not expos- cording to the latest report by the Pone- ing their threats. mon Institute, the average cost of these incidents was USD 7.7 million for the first When speaking of malware campaigns, half of 2015. Some of the companies cited we do not mean directed attacks or APTs in the report lost up to USD 65 million as (Advanced Persistent Threats), but the a consequence of security incidents they mass propagation of malware commonly suffered. used to steal information from users and companies. 2015 presented different chal- lenges for identifying and blocking mass campaigns of spreading malware through channels such as email, mass storage de- vices or compromised websites that re- direct their visitors to different types of exploits. The increasingly rapid changes

25 5 Crimeware, malware and massive campaigns around the world

▸ Botnets, zombies and global Some campaigns are not directed at any campaigns particular country, but aim to spread to Zombie computer networks, also known as many systems as possible. One of the as botnets, have for several years been cases reported during 2015 was Waski, the most important infrastructural com- a global campaign that sought to install ponent in the world of cybercrime actors. banking Trojans worldwide to compro- Their role in the world of cybercrime is mise victims' systems with a variant of central, within a model where the pur- Win32/Battdil. The campaign started by chase and sale of services, information sending emails that attempted to trick theft or campaigns spreading ransomware users into opening a document that are facilitated by botnets. In other words, would do nothing but infect their system. hundreds or thousands of computers that (Graph 6) are part of such networks are used for sending spam, launching Denial of Service Email is one of the main vectors for attacks, and performing other malicious spreading malicious code and, as in 2014, actions. there were multiple reports in 2015 of massive mail campaigns related to bank- The threat impact of botnets has led to ing Trojans such as Dridex through Mi- the conducting of in-depth studies on crosoft Office documents infested with how to identify their behavior: that is, malicious macros, or the spread of ran- how to identify patterns that allow se- somware, such as the waves of CTB-lock- curity teams to detect and block connec- er in mid-January that reached so many tions within their networks. Moreover, users' Inboxes. there are security solutions such as those offered by ESET, which include function- alities capable of recognizing these com- munications, in order to block them and prevent information theft. Graph 6 As for botnets dedicated to informa- False e-mail that infects system with Waski tion theft, ESET Research Laboratories this year reported the actions of - tion Liberpy, a keystroke logger installed on more than 2,000 machines in Latin America – 96% in Venezuela – that stole credentials from its victims for more than eight months. This threat, detected as Python/Liberpy, initially spread through emails and then continued to spread via USB devices, taking advantage of Win- dows shortcut files to infect new systems. This latter propagation method is similar to that used by other families as Bondat, Dorkbot and Remtasu, all mainly active in Latin America.

26 5 Crimeware, malware and massive campaigns around the world

Although during 2015 we have seen many steal data from millions of credit cards. → joint operations between security agencies, Such incidents accelerated the need for Some of the businesses and governments to disrupt a reassessment of how PoS machines are companies or dismantle these criminal networks, protected and brought to light some curi- lost up to USD we expect to see botnets continue to be ous cases, such as that of certain manufac- 65 million as a threat and a risk for organizations and turers who used the same default password a consequence users around the world during 2016. for 26 years. of security incidents At other times, cybercriminals have abused they suffered. ▸ New families, new tech- flaws in websites or evenfake game pages, niques, but the same goals where they hosted copies of their malicious code. Through CMS (Content Manage- Throughout 2015, the emergence of new ment System) plugin flaws, the attack- families of malicious code or even the in- ers breached the security of thousands of corporation of new features into previ- websites so as to use them to host content ously known Trojans were reported, such harmful for users. as the case of CoreBot, which added to its capabilities the opportunity to steal bank- ing information from its victims. The evo- ▸ Collaboration is the key lution of families of malicious code to incor- to fighting cybercrime porate new modules or tools is constant, and part of the world of cybercrime. Enforcement agencies and businesses around the world collaborate to fight cy- Botnets were not the only area of innova- bercrime and make the Internet a safer tion where new families of malware code place. During 2015, in addition to announce- appeared. As noted in last year's trends ments by Europol on how threatening cy- document, Point Of Sale Malware was one bercrime has become, joint operations have of the types of malicious code where new been performed to disrupt or dismantle players appeared, as was the case with networks of zombie computers. PoSeidon. This code attacks retail outlets and attempts to compromise terminals Some of these operations, coordinated that take credit card payments and to and distributed around the world, suc- scan its memory so as to “scrape” card cessfully culminated in cases such as the data. Another instance of PoS malware dismantling of Dridex, Liberpy, Ramnit, and was Punkey, which appeared a month af- the arrest of the creator of the Gozi Trojan. ter PoSeidon and was reported at more In addition to this direct action against cer- than 75 different IP addresses, filtering in- tain families of malware, the security agen- formation from credit cards. cies also succeeded in arresting a number of cybercriminals associated with criminal Incidents involving this kind of threat – forums, such as the case of Darkode where including cases reported last year such 62 people in 18 countries were arrested for as Home Depot, UPS or Target – showed various computer crimes. that cybercriminals seek to access large retail chains to infect outlets and thus

27 5 Crimeware, malware and massive campaigns around the world

▸ Where are we going? 2016 will continue to reveal the further → development of families of malicious code, We can see To summarize the most important events either in new variants or in the incorpo- that the barrier of recent times in terms of more general- ration of features that they did not have separating purpose malware, we can see that the before. Cybercrime has become more general purpose barrier separating it from directed at- threatening, companies globally have in- malware from tacks is becoming more transparent. Cy- creased their investment in security by 4.7%, directed attacks bercriminals continue to employ different and security agencies are enhancing their is becoming more propagation techniques in order to infect efforts to take down botnets and to put transparent. as many systems as they possibly can, ei- cybercriminals behind the bars. In other ther by incorporating newly-discovered vul- words, 2016 will present new security chal- nerabilities into different Exploit Kits or by lenges, but also a more active and organ- using campaigns to spread malware. ized front in the fight against cybercrime.

In other words, the evolution of cyber- crime continues to threaten users, and malware-spreading campaigns have grown in scale and achieved different levels of effectiveness. To combat these actions, the collaboration of experts, se- curity agencies and other entities is key to disrupting cybercrime and helping us- ers to enjoy the Internet without undue anxiety.

2016 WILL PRESENT NEW SECURITY CHALLENGES, BUT ALSO A MORE ACTIVE AND ORGANIZED FRONT IN THE FIGHT AGAINST CYBERCRIME

28 6 Haxposure: an emerging threat with important implications

▸ Haxposed: Damaging company secrets and innocent customer ▸ The implications of haxposure ▸ Haxposure 2016?

Author Stephen Cobb 6 HAXPOSURE: AN EMERGING THREAT WITH IMPORTANT IMPLICATIONS

One 2015 cyber threat trend was not the HT the center of a large law → widespread, but deserves attention be- enforcement operation and the target of Haxposure is cause of a pair of high profile secu- a large reward. categorically rity breaches: Hacking Team and Ashley different from Madison. In both cases the perpetrators What the Hacking Team and Ashley data theft for of the breach not only stole confiden- Madison incidents have in common is resale. tial information, they published it to the that a security breach led to exposure world. This combination of criminal data of secrets that were damaging to the theft via hacking and public exposure of reputation and business model of the or- internal secrets represents an emerging ganization. In the case of Hacking Team, threat – which I have dubbed haxposure. the exposed data appeared to prove that I see haxposure as categorically differ- the company had been selling its digital ent from data theft for resale, a much surveillance tools to repressive regimes, more common type of hack. Data theft despite the company’s past claims to the is epitomized by the 2013 Target payment contrary. In the case of Ashley Madison, card and 2014-15 Blue Cross insurance the exposed data appeared to prove policyholder breaches. In this article we claims that the company did not remove discuss how haxposure differs from other customers from its , despite threats, why it may be on the rise, and charging them money to do so. The ex- what organizations should be doing to posed data also supported allegations protect against it.. that a lot of female participation was fabricated, seriously undermining the company’s credibility and its claim to fa- ▸ Haxposed: Damaging cilitate affairs. company secrets and innocent customer In both cases, it would appear that the people behind the attacks were unhappy In July of 2015, some 400 gigabytes of with the business models of the targeted information were stolen from Italian se- companies. This led me to draw some curity company Hacking Team and pub- parallels with the Pictures hack of lished. In an unconnected incident later 2014 in an August 2015 webinar that ad- that month, a group calling itself Impact dressed some of the enterprise security Team published a subset of account data implications. Whatever the true motives stolen from Canadian firmAvid Life Me- for the attack, there is no dia that operates the Ashley Madison doubt that it exposed some confidential website which promises to connect men information that did not reflect well on and women who want to have an af- the company and its executives. Given fair. The hackers demanded the website that there appeared to be a political/ be shut down. When that didn’t hap- moral motive to all three incidents, I was pen, they released gigabytes of internal tempted to see them as a new level data in August, causing embarrassment of . Early acts of hacktivism to some individuals, and providing evi- tended to be website defacements (for dence for lawsuits against the company. example, Kriegsman Fur in 1996: warn- The publication of the data also made ing adult language). The practice of dox-

30 6 Haxposure: an emerging threat with important implications

ing also emerged, the researching and ny and hackers steal your secret recipe for → broadcasting personally identifiable in- baked beans. If they sell it to one of your Genuine formation about an individual; however, competitors or publish it on the internet, hacktivism does unpleasant as doxing can be, it is quan- that is bad news, but it probably won’t not include titatively different from, and less damag- sink your company. Unless your secret ransom demands, ing than haxposure. recipe contains a harmful secret. Suppose which attackers one of your secret ingredients is a banned made in the case Hactivism became more aggressive carcinogen. Exposure of that kind of secret of Ashley Madison about 10 years ago. The 2008 Project can seriously damage reputation, revenue, and Sony. Chanology protests associated with and valuation. used distributed denial of service (DDoS) attacks, along with some Several factors have combined in recent exposure of internal communications of years to increase the risk of companies the targeted organization. keeping harmful secrets:

Of course, it is reasonable to argue that 1. Access to hacking: genuine hacktivism does not include anyone can hire a . Gone are the ransom demands, which attackers made days when only a few technically skilled in the case of Ashley Madison and Sony. persons were capable of performing acts When data thieves issue demands in re- of digital disruption, and when the only turn for not publishing internal company disgruntled employees capable of digi- information they compound thievery tal revenge were in the IT department. with extortion, going beyond the ethi- Nowadays, hacking attacks are an option cal pale as far as most activist creeds are for anyone who has a beef with your or- concerned. And when the threat involves ganization, regardless of their technical exposing personally identifiable informa- knowledge and hacking skills. tion belonging to employees or custom- ers of the organization you enter a whole 2. Access to open source intelligence: new level of irresponsibility. when you use the Internet to advertise your business you expose your busi- ness to the world. The full implications of ▸ The implications this reality continue to elude some busi- of haxposure ness folk. To be clear: You cannot use the World Wide Web to promote controver- Whether or not the Hacking Team and sial goods and services to a select group Ashley Madison attacks qualify as hacktiv- of people; that is not how the Web works. ism, the strategy of haxposure represents Whether you are selling furs or rhinoceros a potentially more damaging threat to an horn powder or surveillance tools that organization than data being looted and can be abused by repressive regimes, try- sold to people who secretly exploit them. ing to do so discreetly via the Web is not The damage potential is a function of the possible; history and logic clearly show sensitivity of the data you are trying to se- that when you try this, your business will cure, where secure = keep secret. Consider be discovered by critics, explored, and a scenario in which you are a food compa- possibly exposed.

31 6 Haxposure: an emerging threat with important implications

3. Publication tools abound: What are the implications of these fac- → sites like Wikileaks and Pastebin enable tors? First and foremost they underline What are the anonymous publication of stolen infor- the need to get the security basics right. implications mation, reducing risks for those who en- You are definitely going to need, at a min- of these factors? gage in haxposure. imum: First and foremost they underline 4. Appetite for anger: • Strong authentication, anti-malware, the need to get the global reach of social media, which and encryption (these could have limit- the security basics can act as an amplifier for outrage – ed damage for both Hacking Team and right. sometimes in the absence of support- Ashley Madison). ing data – can be an attractive platform for the crusading hacker, increasing the • Backup and disaster recovery plans and spread and impact of published secrets. capabilities.

5. Complexity is the enemy of security • An incident response plan (lack thereof and secrecy: was apparent at Sony Pictures and Avid it is clear that keeping secrets is hard Media). when they are kept in digital form. Com- plex systems typically contain multiple • Insider threat monitoring (one trusted unpatched vulnerabilities that are known party with privileged access can cause and can be exploited, plus some number way more trouble than thousands of of zero-day exploits that are not known, external attackers – see Snowden v. much less patched. Furthermore, digital NSA). secrets are much easier to exfiltrate, po- tentially a mere blip in outbound network Beyond these basic security techniques, traffic, or a tiny piece of physical media. there are strategic factors that need to be Remember when VW was accused of adjusted to address the threat of haxpo- stealing secrets from GM back in the 1990s? sure: The information allegedly stolen included 20 boxes exfiltrated by plane. While the • Risk assessment: Do your security poli- secret nature of the paper information cies and controls reflect awareness of was denied by the person at the center the haxposure threat? of the incident, that much data, in digi- tal form, could today fit on a flash drive • Operational awareness: Is the organi- smaller that a postage stamp, and much zation mindful of the potential to invite easier to exfiltrate. haxposure attacks in the way it con- ducts its operations?

• Organizational transparency: Is the or- ganization being unnecessarily secretive in its operations? And are decisions to keep secrets made with a full awareness of the potential for leaks and associated blowback?

32 6 Haxposure: an emerging threat with important implications

▸ Haxposure 2016? panies and best known brands putting at risk public health and safety with ac- Will we see more cases of haxposure in tions that were bound to backfire if they 2016? The answer depends upon several became known. Hackers who feel they factors, including the extent to which have right on their side and a right to act organizations educate themselves about as arbiters of justice may feel inclined to this threat and take appropriate counter- seek out further secrets and expose them, measures. If a few high profile compa- potentially damaging innocent victims in nies succeed in heading off such attacks the process. and work with law enforcement to bring perpetrators to justice that may act as a deterrent. Unfortunately, it is also pos- sible that haxposure will be encouraged by risky corporate secrecy. Consider the widespread cheating on diesel emissions tests by Volkswagen and the serious in- formation system security vulnerabilities in Chrysler-Jeep-Fiat vehicles. Here you have some of the world’s largest com-

IF A FEW HIGH PROFILE COMPANIES SUCCEED IN HEADING OFF SUCH ATTACKS AND WORK WITH LAW ENFORCEMENT TO BRING PERPETRATORS TO JUSTICE THAT MAY ACT AS A DETERRENT

33 7 Mobile devices: threats and vulnerabilities

▸ An overview of mobile security ▸ 2015 milestones ▸ But what happened with mobile malware? ▸ What may we expect from this trend?

Author Denise Giusto Bilic 7 MOBILE DEVICES: THREATS AND VULNERABILITIES

As smartphones and tablets increasingly out how it could be used to compromise → offer services that process sensitive infor- Facebook accounts. As smartphones and mation, such data are becoming a more tablets increasingly attractive target for cyber attackers. The As for malware, 2014 saw the onset of offer services that primary risk scenarios are still the same: new varieties of ransomware targeting process sensitive users who lose their devices or unwitting- Android devices as forecast in ESET Re- information, such ly install malicious applications. However, search Lab's Trends for 2014 Report, which data are becoming the consequences of an attack become led to the reappearance of the Police Vi- a more attractive more and more critical. rus, this time for Android. target for cyber attackers. For example, ESET analyzed the Android/ ▸ An overview of mobile Simplocker ransomware, which scans the security SD card of an Android device for certain file types, encrypts them, and demands To understand where society is headed a ransom in order to decrypt the files. in terms of using mobile technologies Simplocker was the first malware of the safely, a starting point is to evaluate to Filecoder family aimed at Google's op- what extent mobile devices are currently erating systems, and it sought to breach protected, which will provide us with an files with common extensions such as overview of mobile security milestones .JPEG, .JPG, .PNG, .GIF, .DOC, .AVI and so far. .MP4.

Ransomware continued to spread and • A look back a new malicious program was detected, known as Android/Locker, which dis- 2014 was an eventful year in the informa- guised itself as a fake antivirus applica- tion security realm. The discovery of criti- tion. Also, it asked to be assigned admin- cal vulnerabilities on various high-impact istrator rights to the user in order to take operating platforms – such as , control of the system, which made it dif- Shellshock or Poodle – illustrated the im- ficult to uninstall. portance of keeping operating systems and applications updated. Toward the end of 2014, a new type of ransomware appeared that used the Nor did mobile systems escape this trend: browser to show child pornography im- for instance, hackers found a way to de- ages and then lock the device, claiming activate iCloud, the cloud computing ser- to act on behalf of the FBI. Once installed, vice that blocks iPhones when they are “Porn Droid” requested users to provide stolen or lost. Basically, this flaw made it the system's administrator rights in order possible to unlock the phone remotely. to lock the device screen.

On Android, a vulnerability was exposed In addition, Trojans developed for the that allowed attackers to bypass the se- Android platform reached new levels of curity mechanism of the browser. This bug sophistication, and propagated through allowed hackers to access the sites that underground markets and social net- were open on the device and take con- works. This was the case with iBanking, trol of it. Specifically, researchers found a malicious application capable of spying

35 7 Mobile devices: threats and vulnerabilities

on users’ communications, in an attempt As a consequence of better-orchestrated → to bypass mobile two-factor authentica- attacks, malicious programs have started Ransomware, tion methods used by some financial in- sneaking, by the hundreds, onto official one of the most stitutions. distribution platforms that provide legiti- profitable activities mate apps. This poses new challenges in the cybercrime Turning to iOS, a noteworthy case is that for the future, as it increases the need world, dominates of WireLurker, a malicious program that for manufacturers of mobile operating mobile platform attacked Mac systems and iPhones; this systems to develop better methods for infections with was one of the first malware to be able detecting malicious activity. new device-locking to infect even non-jailbroken devices. techniques. According to the BBC, approximately Ransomware, one of the most profitable 400 apps were infected and downloaded activities in the cybercrime world, domi- more than 350,000 times. nates mobile platform infections with new device-locking techniques, showing a diversification of the techniques used • Old trends come back to compromise the various devices. with a vengeance Finally, attackers also leverage popular Come 2015, it became clear that these mobile platform apps such as WhatsApp trends, which gained momentum dur- or Facebook in order to extend the reach ing 2014, had taken hold in the mobile of cross-platform malware campaigns ecosystem and become the new rule. In by using traditional social engineering this sense, cybercriminals have stepped techniques. up their game in the diversification and sophistication of threats, so now we are witnessing more organized malware- • How do these incidents impact users? spreading campaigns that include new infection vectors and attempts to hinder There are two decisive factors that lead threat removal. cybercriminals to focus on a given plat- form: the size of its user population and Throughout the year, a large number of the number of vulnerabilities available for vulnerabilities have been detected, and exploitation. As computers and mobile their exploitation has become an in- devices are used more and more world- creasingly useful mechanism for attack- wide, the number of potential victims ers to gain control of devices. susceptible to a single malware campaign rises. There are no invulnerable operating This is putting further pressure on OS systems; the number of threats aimed at vendors to deliver platform updates a given platform is in direct proportion to faster, which is a problem on operating the number of users it has. systems such as Android, as the large number of device providers with varying With this in mind, a good way to iden- priorities can mean that critical updates tify the most exposed systems and to ex- take too long to be rolled out to end us- trapolate the likely impact of mobile threat ers' devices. proliferation to each existing platform is to

36 7 Mobile devices: threats and vulnerabilities

compare the market share each one holds. A large percentage of these families of According to Gartner, Android held an malicious code seek to breach iOS sys- 82.2% share of the market for the second tems through deception, using social quarter of 2015, compared to iOS's 14.6% engineering techniques that trick users and, lagging far behind, Windows Phone's into providing their information. Also, 2.5% and BlackBerry's 0.3% share. Android the large number of vulnerabilities re- – in spite of having slipped down com- cently detected in these systems leaves pared with the same period a year ear- users unprotected if they fail to catch lier – continues to lead the market, while up with newly available updates to their Apple's share has grown gradually. This operating systems and apps. means that with every new Android se- curity vulnerability exploited, millions of Similarly, jailbroken devices – or rooted users worldwide become unprotected. devices, in the case of Android – can end up hosting malware such as Tro- Meanwhile, a new question arises: Are jans, worms and backdoors, among oth- there more threats to iPhones and iPads ers. This is because jailbreaking makes nowadays? The answer is yes. With re- it easier for malicious code to execute spect to iOS, if we compare the number commands requiring administrator- of new threats detected by ESET products level privileges without the user having since the beginning of 2015 to the number knowingly given authorization. Besides, of new threats detected during the same jailbreaking breaks the update deploy- period in 2014, the figures have doubled. ment mechanism normally afforded to (Graph 7)

Graph 7 New malware variants for iOS

Note: figures for the fourth quarter of 2015 only include statistics up to November, so the estimated final percentage for this quarter will be even higher once the year ends.

37 7 Mobile devices: threats and vulnerabilities

Graph 8 New iOS malware variants

users of the platform, thus preventing which could allow a Man-In-The-Middle the user from getting the latest system attacker to send malicious files to the de- versions or security patches, and leaving vice. About 600 million Samsung Galaxy the device vulnerable to attacks.. smartphones could have been exposed.

To be sure, the standout flaw on the An- ▸ 2015 milestones droid platform was the one known as , which allowed hackers to • Vulnerabilities galore steal information from devices by simply sending a text message designed for this The detection of vulnerabilities in appli- purpose. With 950 million Android users cations used by millions always causes potentially affected and the serious pos- a great stir, especially if they affect priva- sible consequences of its exploit, certain- cy or render devices unresponsive. Ear- ly this vulnerability was by far the most lier this year, a vulnerability in Android's serious to be discovered this year so far. email management app had a serious impact as it made the devices become In turn, iOS devices were also exposed unresponsive simply by sending a mes- to risks due to various flaws. Halfway sage specially designed for this purpose. through the year, an academic paper re- vealed a series of flaws that, if combined, Other vulnerabilities in 2015 have affected might exploit malicious apps to gain un- Android systems, such as the one known authorized access to the data stored on as CVE-2015-3860, allegedly exploited by different applications (iCloud passwords, attackers to bypass the lock screen on authentication token or web credentials Android and take control of the smart- stored on ). phone. Although the attack proved to be possible, the flaw was promptly fixed. Another iOS vulnerability allowed at- tackers to use the Airdrop feature to in- Meanwhile, Samsung also discovered an stall malicious apps covertly masquerad- important security flaw on their devices: ing as genuine apps. Airdrop is a feature the SwiftKey keyboard installed on their added in iOS 7 that enables users of sup- smartphones failed to validate updates, ported devices to share files with any

38 7 Mobile devices: threats and vulnerabilities

other device in the local vicinity. The vul- ESET Labs have detected more than → nerability allowed attackers to send files 50 Trojan porn clicker apps available for What was most even if they were rejected by the user. download. Four of them had more than striking to users 10,000 installs and one of them had more was the revelation In 2015 Apple also introduced changes to than 50,000 installs. that hundreds the data privacy mechanisms for their of malicious applications: they designed a new pri- In addition, among the samples found apps were being vacy update for iPhone to prevent iOS in the Store was Android/ distributed through apps from viewing which apps have Mapin: this is a backdoor Trojan that official stores. been downloaded to the device. In this takes control of the device and makes way, advertisers will not have access to it part of a . In some variants of those apps' data. this infiltration, at least three days must elapse before the malware achieves full Trojan functionality. It’s probably this ▸ But what happened with delay that enabled the code to get past mobile malware? Google’s malware prevention system for such a long time. According to MIXRANK, 2015 has seen a significant rise in the one variants, masquerading as the well- number of malware variants for mobile known game Plants vs. Zombies 2, was platforms. Moreover, what was most downloaded over 10,000 times before it striking to users was the revelation that was pulled from the Google Play Store. hundreds of malicious apps were being distributed through official stores. Ransomware continued to spread in Android systems. In this category, ESET This highlights the importance of raising discovered an aggressive threat to Android awareness among users and teaching capable of changing the device's PIN and them how to discern which developers rendering it useless. This is the first code they should trust and what permissions of its kind for this operating system and should be granted to each application. was dubbed Android/Lockerpin.

In the case of Android, over 30 This Trojan obtains device administrator applications available for download from rights by pretending to be an 'Update the official Google Play store have been installation.' Not long after, the discovered. These malicious applications, user will be prompted to pay a 500 which pretended to be cheats for the USD ransom for allegedly viewing and popular Minecraft game, have been harboring forbidden pornographic installed by more than 600,000 Android material. Neither the owner nor the users. attacker can unlock the device, because the PIN is generated randomly and is not Also, over 500,000 Android users sent to the attacker. The only way to were targeted by fake phishing apps unlock the device is to reset it to factory on Google Play which, if installed, defaults. harvested their Facebook credentials. As for iOS, Apple has had to remove over ESET has identified these Trojans as 300 iOS apps infected with malware Android/Spy.Feabme.A. from the App Store, after a security

39 7 Mobile devices: threats and vulnerabilities

problem was confirmed. This attack, • Cross-platform scams → known as XCodeGhost, was carried out How did these apps by ingenious, effective malware that has This year has also seen large scale fraud make their way into managed to pass off dozens of infected campaigns spreading through mobile apps the official store? apps as if they were tested and found to and the compromising of a variety of Cybercriminals be secure. popular store brands such as Zara, Star- opted to infect the bucks and McDonald’s, among others, XCode compiler How did these apps make their way into with the object of stealing the victims' used to create the official store? Cybercriminals opted personal information. applications on iOS. to infect the XCode compiler used to create applications on iOS. In this way, Social engineering – in computer se- developers included malicious code in curity, sometimes defined as the art of their apps without even knowing it manipulating people for the malicious and, because they use the legitimate purposes of the manipulator – is one of developer's signature, they were uploaded the pillars of this type of fraud. This type to the App Store without any fuss. of scam shows why education is the first layer of protection; in that sense, there is For Apple, this incident marked a need to warn users about these new a watershed moment: from now on, trends that use old techniques through the company must do a better job of channels such as WhatsApp. optimizing malicious code verification systems in applications before they are It is also notable that these malicious submitted to the online store. servers used geolocation techniques to achieve high propagation rates by turn- Soon after this, researchers found ing a target user not only into a victim, another 256 apps that violate Apple's but also at the same time into an accom- App Store privacy policy, which forbids plice in the spread of this type of scam. the gathering of email addresses, Thus, servers redirected traffic to the var- installed apps, serial numbers, and other ious rogue pages, according to the coun- personal identification information that try and the type of device that received can be used to track users. These apps the message. This heralds the beginning represent an invasion of the privacy of of a new era of cross-platform threats, the one million people estimated to have with campaigns designed to compromise downloaded them. users by targeting their various devices.

Also noteworthy is YiSpecter, a new malware program that abuses private in the iOS system to deploy malicious functionalities. Its alarming aspect is that it attacks both jailbroken and non-jailbroken iPhone devices. This malware can download, install and launch arbitrary iOS apps, and even replace existing apps with those it downloads.

40 7 Mobile devices: threats and vulnerabilities

▸ What may we expect from questing platform) or as regards execution → this trend? techniques (the use of platforms and lan- It is imperative to So far, some organizations and individuals guages to generate executable software implement security have downplayed the importance of mo- supporting multiple environments). strategies that bile device security, yet this is a mistake, include personal and a new type of response is needed. As the search for better protection mech- mobile devices It is essential to understand that mobile anisms intensifies, mobile platform mal- as potential computing does not exist in a void – on ware writers will develop new ways to compromise the contrary, it actually impacts the vari- make analysis of their code more difficult. vectors. ous security components contained in the It is inevitable that, over time, these mali- systems we use every day. In this sense, it cious samples will be increasingly difficult is imperative to implement security strat- to analyze. egies that include personal mobile devices as potential compromise vectors. Throughout 2015, ESET Research Labs have seen the threat creation rate re- In addition, it is necessary to consider main relatively steady within the Android the relationship between the Internet of ecosystem, with an average of 200 new Things and mobile operating systems, as malware samples per month. Almost all the latter will be the platforms supporting of these are malicious programs of the the data structure of upcoming intercon- Trojan type, as shown in the following di- nected gadgets. is an inter- agram. Consequently, we are likely to see esting example of this upcoming trend. greater sophistication in the compromise Today, ransomware hijacks desktops, lap- techniques used by these programs in the tops, tablets and smartphones, but soon following year.(Graph 9) it might hijack vehicle ignition systems, as discussed in other sections of this report. Of the new threats that have emerged this year, some have increased more than As for these programs that hijack devices' others, as shown in the diagram below. information or operation, we expect an As can be observed, the volume of SMS increase in the number of attacks, as cy- Trojans has already increased consider- bercriminals discover the gems stored on ably this year.(Graph 10) mobile devices. As is the case with any highly lucrative business, its growth over Similarly, we discovered lots of new mo- time seems inevitable. As the cloud is used bile that seeks to steal banking for storing user profiles available across and credit credentials, and capture pri- various platforms, the use of these devices vate data on the device, such as mes- as an attack vector to deny access to data sages and contacts. could have great impact, expanding the range of potential attacks against person- There was also a significant rise in mali- al information. cious mobile programs that try to pre- vent their victims from using their own New cross-platform malware campaigns devices and then, in general, go on to might also crop up, either regarding dis- demand ransoms. In particular, the com- tribution techniques (malicious servers bined growth of the Android/Locker and that deliver specialized content for the re- Android/LockScreen families increased

41 7 Mobile devices: threats and vulnerabilities

by nearly 600% compared to last year in growth this year. Together with a larger terms of the number of new variants. This amount of malware for iOS, new varie- figure does not include new samples such ties of spyware are expected to emerge as Android/Lockerpin, mentioned before. targeting smartphones, even when the manufacturer's protections remain intact, These trends could become more pro- i.e. phones that have not been jailbroken. nounced during 2016, which means we (Graph 12) could face more diversity in types of ran- somware and more sophisticated Re- Finally, secure development focused on mote Access Trojans that will try to gain preventing vulnerabilities will be essen- control of devices so as to steal the users' tial in order to create robust applications. sensitive information. Security cannot be an afterthought in the design process, but rather it should Although the volume of malware de- be central from the very beginning. Like- tected for iOS is still noticeably lower wise, implementing procedures to per- than that for Android, as shown in the form static and dynamic system testing diagram below, this new surge of mali- will be necessary for the early detection cious mobile code is bound to target iOS. of potential vulnerabilities. An analysis of the rise in the number of malicious families for this platform dur- ing 2015 shows a significant growth to- ▸ Defense strategies wards the end of this year.(Graph 11) Mobile malware is a real threat, so it is Within this new threat category, the important to be on the lookout for in- variants within the families shown in the fection attempts. It is time to reflect on diagram below have had the greatest what users can do in the face of this wide range of mobile threats.

Graph 9 Android Trojans in 2015

January

November February

October March

Trojans

New samples September April

August May

June July

42 7 Mobile devices: threats and vulnerabilities

Graph 10 Android malware families with biggest growth during 2015

r r t r t s p r n s y e w t Io licke Kole Qysl Agen C Exploi Fobu Locker Obfu FakeApp RiskwarSMFor Spy.Agen TrojanSMS LockScree Spy.BankerSpy.SmsSpy TrojanDroppe TrojanDownloade

• Home users When surfing the net, it is important to ignore sites that encourage users In addition to installing a mobile secu- to download APK files from suspicious rity solution, users must be extremely pages. Moreover, users should not trust careful when downloading applications text messages with dubious links, even if from unofficial stores. In fact, the best they appear to have been sent by one of practice would be to refrain from install- the user's known and trusted contacts. ing this kind of app, avoid installing apps from unknown sources and learn how to We have seen that malware spread recognize legitimate applications. Here through official platforms continues to are some pointers. increase, both on Android and iOS. In

Graph 11 New malware variants in 2015

Android

iOS

h l y July Apri Ma June anuary Marc ctober J August O February eptember ovember S N

43 7 Mobile devices: threats and vulnerabilities

the light of the high potential for new Particularly on Android, due to the wide cases to emerge, make it a habit to be variety of device models available, users cautious on these sites too: users should have little control over the time manu- find out who the developer is, what oth- facturers take to roll out updates to their er apps they have created and whether devices. As there is no hard and fast solu- they have been accused of fraud. Also, tion to this problem, it is recommended companies must strengthen the app re- that you consider roll-out times as a de- view processes in their repositories fur- termining factor when it comes to choos- ther to minimize the number of cases ing a device to purchase. Google devices of malicious apps finding their way into – the range – will always legitimate repositories. lead the pack in this regard, as they re- duce the vulnerability exposure time. or jailbreaking a device breaks the security mechanisms that operating sys- To protect the data confidentiality of tems aim to provide, making them more a lost or stolen device, it is advisable to susceptible to threats. This is why we rec- encrypt the device and install a security ommend that you avoid this practice. solution with remote management ca- pabilities to lock and/or track the device. As has been stated throughout this sec- Because mobile ransomware is ram- tion, there are numerous vulnerabilities pant, it is extremely important for users that can be exploited to execute mali- to back up their critical information to cious code. Thus, it is important to keep other trusted media – in that way they operating systems and applications up- can avoid having to pay a ransom to re- dated, and always install the latest secu- cover it. rity patches.

Graph 12 iOS malware families with biggest growth during 2015

YiSpecter

XcodeGhost

XAgent

TrojanDropper.Morcut

Spy.Morcut

Spy.KeyRaider

Shellcode

Krysaxer

Belesak

Percentage from total new samples in iOS

44 7 Mobile devices: threats and vulnerabilities

Finally, analyzing the charges made to These measures must be accompanied → mobile bills is a useful measure to iden- by the strengthening of Data Loss Pre- Rooting or tify early any infection that might have vention (DLP) and Content Monitoring jailbreaking a device bypassed the precautions mentioned and Filtering (CMF) systems, and the breaks the security above. creation of policies to guide mobile ap- mechanisms that plication management and secure plat- operating systems form configuration. aim to provide. • What about corporate environments? Measures commonly used in security pol- icies for desktop computers are equally To be sure, malware trends that affect valid, such as defining secure passwords personal users will have to be addressed with mandatory requirements for length, at the corporate level too. After all, eve- duration and expiration date. rything from a massive SMS Trojan infec- tion that incurs charges on the phone Such policies should also establish which bills of corporate accounts, to informa- platforms, versions and vendors are al- tion leaks caused by spyware, to data lowed and which are not. Handling appli- loss resulting from mobile ransomware, cations only if they are duly signed must will all hit an organization hard where it be obligatory, as must the disallowing of hurts - in its profit margins. unapproved procedures intended to ob- tain administrator rights to the system. It is vital to understand that corporate Along with these technology-based so- users' mobile devices can be used to im- lutions, security training programs must plement attacks against the organiza- be created to warn end users against the tion's networks. The first pillar of a good growing variety of malicious code they defense is acknowledgment of the risk will be exposed to over the coming year. posed by these devices in the era of cross-platform interconnection.

One mitigation might be to invest in de- MEASURES COMMONLY vices exclusively for corporate use, fea- USED IN SECURITY turing tools that support remote man- agement. They should be duly encrypted POLICIES FOR DESKTOP and connected to the organization's in- COMPUTERS ARE tranet over a VPN. Also, separating mo- EQUALLY VALID bile traffic on enterprise transactional networks and using security solutions on devices are essential measures in devel- oping a preventative approach.

45 8 Windows 10: Security features and user privacy

▸ Security features ▸ Privacy and user acceptance

Author Aryeh Goretsky 8 WINDOWS 10: SECURITY FEATURES AND USER PRIVACY

Microsoft Windows 10 arrived in mid 2015, challenging, and Microsoft’s solution for marking the first release of Windows this is Conditional Access, which replaces under its new CEO Satya Nadella. With Microsoft’s older Network Access Con- Windows 10, Microsoft is beginning to trol (NAC) technology with a more scal- fulfill its vision of reinventing itself, transi- able and cloud-aware solution not just to tioning from a software company to one prove the health of PCs connecting to the focusing on devices and services, and has network, but to sense the integrity of the set an ambitious goal of having one bil- system as well, a facility that was unavail- lion devices running its new version of able with the older technology. Windows in three years. For this to oc- cur, though, Windows 10 has to be more Also new for Windows 10 is Device Guard, secure and also be trusted by consumers a combination of operating system, man- and businesses alike. agement and hardware features that al- low system administrators to lock down computers securely. While similar in con- ▸ Security features cept to – and partly based on – AppLock- er, Device Guard is enforced through Se- With Windows 10, Microsoft has invest- cure Boot and is not meant for use on ed heavily in security. These enhance- general-use PCs. The use of Secure Boot ments include several improvements to also means that computers must have Windows Defender, such as the detec- UEFI firmware and a TPM chip in order tion of file-less malware in memory and to use Device Guard. In its current itera- adjusting the sensitivity of scanning files tion, Device Guard is intended for tight- depending upon where they are located ly-managed single-use systems, such as or downloaded from – a feat that can ATMs, kiosks, point-of-sale (POS) termi- improve detection of new malware, but nals, and other embedded systems where can also increase false positive alarms. In only a standard-use account is logged in, addition, improvements to manageabil- if a user account is used at all. ity and offline scanning should make the software easier to use by system admin- Security improvements have been made istrators. to the internals of the Windows 10 oper- ating system as well. Virtualization Based With the increasing trend towards BYOD Security (called Virtual Secure Mode in (Bring Your Own Device) and remote Windows 10 until recently) moves the working, keeping compromised comput- core part of the operating system, its ker- ers off corporate networks becomes more nel, into a hypervisor, along with other

WITH THE INCREASING TREND TOWARDS BYOD AND REMOTE WORKING, KEEPING COMPROMISED COMPUTERS OFF CORPORATE NETWORKS BECOMES MORE CHALLENGING

47 8 Windows 10: Security features and user privacy

heavily-targeted Windows services, such ing systems from companies such as Ap- → as the Local Security Authority Subsystem ple and Google, and Microsoft is merely It does not matter Service (LSASS), which is the service that playing catch-up in this regard. It is, if Microsoft has manages the operating system’s security. however, a first for the Windows desktop made Windows and some users and privacy advocates more secure, if Microsoft Edge is Windows new web are understandably concerned about Mi- users don’t trust browser. Written from the ground up as crosoft’s intentions. it. a replacement for , it is meant to provide a modern and secure Another area of concern is Microsoft’s web browsing experience. Its simplified new update procedures for Windows 10. code base means fewer vulnerabilities Updates to Windows 10 Home, the ver- for attackers to exploit. And although it sion of Windows 10 supplied on most is a desktop application, Edge is imple- consumers' computers, will not only be mented in a similar way to a universal installed automatically, but will be man- app, which means that it runs in a sand- datory. Windows 10 Pro has an option box-like container. These techniques, to defer these upgrades, but that is only combined with the dropping of support temporary, and doesn’t include security- for binary extensions like ActiveX and im- related updates. Businesses will have provements to SmartScreen, make Edge some additional level of control over a more secure than its pre- whether and when to accept updates, decessor, Internet Explorer. Internet Ex- but will still have to apply them to most plorer is still present in Windows 10 for computers running Windows 10 except sites that require it, but Microsoft strongly for certain licenses and use cases of Win- recommends using Edge. dows 10 Enterprise.

This marks a major shift where system ▸ Privacy and user acceptance administrators and home users have had granular controls over which updates to It does not matter if Microsoft has made apply and which to defer, and, coupled Windows more secure, if users don’t trust with Microsoft’s decision no longer to it. Windows 10 marks a change in the type share details about what it is that the up- and volume of information that Micro- dates actually fix has left some folks anx- soft collects about its customers, which ious about what bugs are getting fixed has left many people with concerns over and how those fixes might affect their upgrading to the latest flagship desktop computers. operating system. Microsoft’s data and telemetry collection is not actually new, There is no question that Windows 10 has though: the company initially began col- made great strides in security, but con- lecting crash reports and telemetry dur- cerns about privacy and transparency are ing the Windows XP era, and this is just also mounting, and Microsoft will need a continuation of those efforts. While the to address these if it is going to reach its scope of collection may be new to Mi- goal of a billion devices running Windows crosoft, this level of collection has been 10 in three years. the norm now for some time in operat-

48 8 Windows 10: funcionalidades de seguridad y privacidad del usuario

For further information about Windows THERE IS NO QUESTION 10, see the following two blog posts on THAT WINDOWS 10 We Live Security: HAS MADE GREAT Will Windows 10 leave enterprises vulner- STRIDES IN SECURITY, able to zero-days? BUT CONCERNS

Windows 10, Privacy 0? ESET deep dives ABOUT PRIVACY AND into the privacy of Microsoft’s new OS TRANSPARENCY ARE ALSO MOUNTING Also, look out for ESET’s white paper on Windows 10 security and privacy.

49 9 Critical infrastructure: it's time to make security a priority

▸ Critical systems at risk ▸ Information asset management as a key factor ▸ Common threats targeting industries indiscriminately ▸ Healthcare – among the most affected sectors ▸ Highly vulnerable medical devices ▸ Record theft: more than just exposed data ▸ Focusing on security to prevent intrusion

Author Camilo Gutiérrez Amaya 9 CRITICAL INFRASTRUCTURE: IT'S TIME TO MAKE SECURITY A PRIORITY

The security of industrial systems has breaches that leave the door open to po- → been a matter of analysis and debate for tential attacks. Organizations are years, especially after the onset of threats managing critical against them such as the worm in infrastructure using 2010, and the recognition of the vulnera- ▸ Information asset manage- operating systems bility of these systems to external attacks. ment as a key factor that are obsolete, vulnerable and yet Five years after Stuxnet and in the wake In addition to the fact that many industries connected to the of other threats that followed, such as still have obsolete operating systems in Internet, increasing or , IT security teams face nu- place, what is also striking is that, because the likelihood of merous challenges in the quest to safe- of the functions they have been designed a security incident. guard critical data against threats which to perform, control devices tend to have no longer differentiate among different a public-facing connection to the Inter- types of industries. net in order to carry out maintenance and management tasks. This presents a ma- Thus, one question becomes clear: are all jor security risk, as access is available at these businesses and industries prepared all times, so unless proper management to face future challenges? actions are taken, unauthorized individu- als might be able to access the systems. Thus, a good management policy should ▸ Critical systems at risk consider granting access only for techni- cal support purposes, or implementing The importance of ensuring informa- a secure connection such as a VPN to tion security on critical infrastructure has send and receive data. been recognized for years, yet there are still cases that illustrate the need for im- In addition, it is necessary to consider provement. the functionality of control and protec- tion mechanisms such as firewalls. Many To a large extent, one of the major sourc- organizations base the configuration of es of security deficiencies is the fact that these devices on predetermined and ge- a large number of the manufacturers of neric rulesets that control in what cir- these platforms do not allow the intro- cumstances two computers can establish duction of changes or updates to the a communication over a certain network. hardware-controlling systems. However, there is no analysis of the traffic that may be unique to that connection, In summary, organizations are manag- as each control system has specific pro- ing critical infrastructure using operating tocols in place, and these are unknown systems that are obsolete, vulnerable and to firewalls designed for more generic yet connected to the Internet, increas- environments. This means we are deal- ing the likelihood of a security incident. ing with easy-to-interpret communica- Thus, there is a need for manufacturers tion protocols, so analysis tasks should be and industries to join forces to update performed there when setting up exist- their infrastructure and mitigate security ing firewalls, so as to enhance the control

51 9 Critical infrastructure: it's time to make security a priority

capacity and the identification of propri- could lead to their failure or even to unau- → etary protocols used in industrial systems. thorized access by an attacker. Basically, The saying 'if Although there are now industrial the fact that something works right now something works, developers that are starting to implement doesn't mean that you shouldn't protect it don't touch it,' devices with these capacities, the evolu- against future risks. It's a good thing to fix sometimes means tion of such hardware in the industrial the roof before it starts to rain. that the security sector is very slow and there is still much teams fail to to be done. do the appropriate ▸ Common threats targeting maintenance work. In addition to all of this, a big problem industries indiscriminately closely connected to business manage- ment is that management and security When it comes to cybercriminals target- tend to be handled as two separate mat- ing industries such as energy, oil, mining ters. This has a very negative impact on and various industrial systems, attacks are communication, and can lead to consid- not restricted to sophisticated, complex erable security problems within an or- threats such as Stuxnet, Duqu or Flame. ganization: if the business management During 2015, several cases were reported people consider security to be an 'obsta- of energy companies being attacked by cle' rather than an integrated, essential malware dubbed Laziok, used to collect growth driver for the company, this in- data on compromised systems, includ- creases the likelihood of security incidents ing machine name, CPU details, RAM size, occurring, ultimately creating problems hard disk size and what for organizations. The availability of cer- was installed. tain critical industrial services, in both public and corporate sector infrastruc- With this information, cybercriminals can ture, usually ranks above the proper con- determine if the computers are viable figuration of security systems, potentially targets for future attacks. What is curious enabling remote attacks on industrial sys- about these cases is that it was an attack tems exposed to the Internet. Even when based on emails containing an attach- the concept of availability is very impor- ment that exploited a tant in this particular case, the confiden- vulnerability. Even more problematic was tiality and integrity of data must be con- that although a patch for this vulnerability sidered as well. was created in April 2012, many industries had not applied it yet. Finally, in some cases, with the aim of achieving business goals, a prevailing ap- proach – and one that is very question- ▸ Healthcare – among the able in terms of security – is the saying most affected sectors 'if something works, don't touch it,' which means that on occasion, for fear of tinker- In addition to the industrial sector, the ing with something that allegedly works healthcare industry has been an impor- just fine, the security teams fail to do the tant component of the security debate appropriate maintenance work. This over the past year. During 2015 and as part poses several security problems, since of Verizon's Investigations Re- outdated, unpatched operating systems port, analysts identified approximately

52 9 Critical infrastructure: it's time to make security a priority

▸ Highly vulnerable medical 80,000 security incidents, of which 234 → were healthcare-related, and 2,100 data- devices The healthcare sector loss breaches, with 141 occurring in the In addition to the security management should be more healthcare industry. issues mentioned above, new medical aggressive in its equipment also brings with it significant defense planning, and A large number of security issues have risks. Improved capabilities in these de- should adopt a faster become more evident, including primar- vices include the fact that they feature pace in assessing risks. ily insider abuse or bad practices, which an Internet connection, but this can be caused 15 percent of security incidents in a mixed blessing. For instance, in the case the healthcare industry in 2014, compared of implantable medical devices (IMDs), to 20% in 2015, according to Verizon's re- which are intended to treat a variety of port. conditions, security concerns are often underestimated and even overlooked. Also, healthcare organizations have be- come more vulnerable to web application The threat posed by this medical gear is attacks and distributed denial-of-service very real, and numerous types of device (DDoS) attacks, as this industry suffers have been infected by malware, in most four percent more of this type of attack cases inadvertently. In fact, during 2014 than all other industries combined. over 300 different surgical devices report- edly suffered a vulnerability that might Add to this the findings of thePonemon allow attackers to alter their configura- Institute report, which revealed that the tions. root cause of security breaches in health- care organizations has shifted from ac- As is the case with industrial security, cidental to intentional. Criminal attacks connectivity is a critical aspect. In this are up 125 percent compared to five years sense, it can be argued that the security ago, and lost laptops are no longer the level of wireless connections is often very most common data breach threat. low, and that the medical equipment in- dustry continues to put off the inclusion In addition, a 2015 study called Fifth An- of security mechanisms on their devices. nual Benchmark Study on Privacy and Se- For these reasons, medical devices are curity of Healthcare Data found that most considered an easy target, as they feature organizations are unprepared to respond outdated applications with insufficient to new cyber threats and lack the proper security. The large majority of networked resources to protect patient data. 45 per- biomedical devices do not enable modi- cent of healthcare organizations said the fications and do not support third-par- root cause of data breaches were cyber- ty-vendor authentication agents, mak- attacks, compared to 40 percent in 2013. ing them vulnerable to access via web browsers.

53 9 Critical infrastructure: it's time to make security a priority

In 2015, security researchers found vulner- Regardless of where the information is → abilities in critical medical systems which obtained – whether it is openly-available Medical devices put them at risk of being exploited by data that was published online or very are considered an attackers. In the report detailing their re- specific information stolen from medical easy target, as they search, they say they were able to access records – if criminals manage to harvests feature outdated Internet-connected devices, and that a large amount of information, they can applications with they accessed the network of a United sell it and even steal victims' identities insufficient security. States health provider and found up to to commit various crimes such as creat- 68,000 medical systems and equipment ing false IDs, opening bank accounts and with vulnerabilities that were exposed to applying for credit cards, committing tax attacks. fraud, and even using the data to reply to security questions in order to access on- This is why the healthcare sector should line accounts, thus taking the threat to be more aggressive in its defense plan- new digital horizons. ning, and should adopt a faster pace in assessing risks, to guarantee that funds Clearly, the benefits of the Internet and are well invested and that resources and wireless networks are very appealing to assets are well protected. Ideally, risk as- the healthcare industry. Above all, they sessments should be carried out continu- provide the user with immediate access ously rather than periodically. This helps to a treasure trove of information about to guarantee that new assets, as well as patients' medical records from any loca- physical and digital strategies and de- tion with an Internet connection. How- fenses, are promptly included in business ever, these are very sensitive data, and it is plans and incident response plans. essential not only to have smart protec- tion systems on the devices that hold or access them, but also to add further bar- ▸ Record theft: riers such as encryption and multi-factor more than just exposed data authentication, as well as sound network segmentation and reliable incident recov- Successful attacks exploiting the flaws ery strategies. discussed so far allow cybercriminals to gather a wealth of information, especially from the healthcare industry, such as pa- ▸ Focusing on security tients' names, health insurance numbers, to prevent intrusion telephone numbers, home addresses, email addresses and other personal data. Analysis of these cases makes it clear that However, even more critical data can be there is still much to do to raise aware- breached, such as medical records con- ness and provide education on informa- taining diagnoses and medication de- tion security in private and public sector tails. This information is very valuable to organizations. Attackers are always look- attackers, and if stolen, it can be sold for ing for ways to access a system through profit, along with the personal data men- any kind of gate that is left open, and once tioned above, on a much more specialized they have managed to trespass the lim- black market. its, they can not only steal information, or

54 9 Critical infrastructure: it's time to make security a priority

compromise equipment so as to upload Although some changes that improve se- → data to a malicious network and misuse curity have been introduced in many of The systems handle it at will, but they can also alter the func- these industries, there is still a long way to truly sensitive tioning of industrial equipment for im- go in the various sectors. The number of information, which proper purposes. attacks against this kind of infrastructure explains the criticality will rise by 2016 unless protection actions of the associated risks In an effort that illustrates the focus on continue to be taken at a fast pace, and and the great impact the protection of critical infrastructure, that is why all activities related to infor- in case of vulnerability the National Science Foundation in the mation security in these sectors will con- or failure. United States awarded Texas Chris- tinue to gain prominence as a key man- tian University (TCU) approximately USD agement factor. 250,000 in funding to help it come up with effective measures that will protect medi- cal devices from . Similarly, the European Union Agency for Network and Information Security (ENISA) has re- vealed that it will be looking to focus on developing good practices when it comes to 'emerging smart critical infrastructure' in 2016.

The industries that use these systems with major security flaws are ones that provide essential services to the popula- tion. Their infrastructures include water treatment, electric power generation and distribution, natural gas distribution plants, and even medical record database facilities. Their systems handle truly sensi- tive information, which explains the criti- cality of the associated risks and the great impact in case of vulnerability or failure.

55 10 Laws and regulations:

▸ Meeting standards and better security practices ▸ Laws protecting personal information around the world ▸ Information Security: an effort shared between governments, companies and users

Author Miguel Ángel Mendoza 10 LAWS AND REGULATIONS

Compliance is considered essential for the according to the value of the information. → achievement of goals in the management Among these requirements, the most rel- Organizations can of security information. It can be defined evant issues in recent years are related adopt regulations as conformity with previously established to the laws that protect information and either as a personal requirements that are applicable to the adopt and mandate security standards. initiative in the companies, according to their functions interests of data and characteristics, which is why it is vital protection or to satisfy these requirements. Among the ▸ Meeting standards and in order to fulfil set of conditions that organizations are better security practices a contractual looking to cover, we can list specifications or regulatory imposed in the areas of politics, standards, Organizations can adopt regulations ei- requirement. laws or regulations. ther as a personal initiative in the inter- ests of data protection or in order to fulfil In information security it is mandatory a contractual or regulatory requirement. to comply with some requirements: for In the same way, there are reference example, legislation focused on protect- frameworks or standards that support ing the personal information of users or and certify the security measures adopted companies’ clients. In the same way, or- and adapted in companies. ganizations commit to the protection of their own information and also, with third One reference in security issues still is parties, comply with security regulations ISO/IEC 27001, a standard used interna- that have been adopted voluntarily. tionally to provide a model for establishing and maintaining an Information Security So, it does not matter if it is a public or Management System (ISMS). It repre- a private organization, a big or a small sents the experience of experts in security one, for-profit or not: the sensitive in- standards. Since it is an open document, formation that they process, archive or everyone can read the documentation; its transmit requires protection measures implementation must be done according that can be established by their own ini- to the characteristics, necessities and con- tiative or by any interested party: suppli- ditions of each organization, no matter ers, partners, clients or the government. what their activities are.

Lack of data protection has played a large The structure of the standard is reduced to part in the big information leakage stories two basic issues: the requirement clauses of the past year, such as those concerning for an organization to work in alignment Sony, Ashley Madison or Target. The per- with an ISMS, a system for managing sonal information of users and the com- information security, and a set of objec- promising of the companies' systems are tives to control the security, which con- very important issues and will continue to siders different approaches for protection. be in the future. Based on that, companies can manage the risks associated with the information. The requirements codifying the rules In accordance with this principle, organi- must be fulfilled in order to satisfy basic zations have aligned themselves with the security necessities, which are established guidelines and good practices defined in

57 10 Laws and regulations

ISO/IEC 27001. Since the publication of the tween the countries. 2005 version, and with its update in 2013, the number of certificates granted has The following map shows the quantity grown every year. (Graph 13) of certificates obtained by each country. (Graph 14) According to a study by the International Organization of Standardization (ISO), in Although a certificate by itself doesn't 2014 there were 23,972 ISO/IEC 27001certifi- guarantee that an organization is im- cates granted around the world, represent- mune to threats, certification is proof ing an increase of seven percent compared that actions related to the protection to the previous year. Compared with the of information are being undertaken. preceding years, ISO/IEC 27001 experi- It shows that the management of risks enced a slight slowdown in growth. and security is being considered at a high level within the organization, ful- Japan heads the list of countries in the in- filling three very important aspects: cor- formation security sector with 7,181 certifi- porate governance, risk management, cates, although the UK also occupies an and compliance (GRC). important place and had the most signifi- cant growth in absolute terms, with 2,261 certificates obtained in 2014; in the third ▸ Laws protecting personal place was India, with 2,170. information around the world On the basis of these results, it is obvi- ous that there is a trend towards increas- Another compliance issue is related to the ing certification around the world in re- laws pertaining to protection of personal cent years, but it is also true that there is information. Privacy has acquired more a need for more effort, considering that, relevance and visibility over the years, for example, there are serious gaps be- since the appearance of the right to pri-

Graph 13 ISO/IEC 27001 certificates around the world

Source: ISO

58 10 Laws and regulations

Graph 14 ISO/IEC 27001 certificates around the world

source: http://www.iso.org/iso/home/standards/certification/iso-survey.htm vacy as part of the Declaration of Human Each individual owns his or her personal Rights, which affirms says inArticle 12: 'No information and decides to share it or not, one shall be subjected to arbitrary inter- as well as the way in which it should be ference with his privacy, family, home or treated by the entities that have access to correspondence, nor to attacks upon his it. honour and reputation. Everyone has the right to the protection of the law against Among personal information we include such interference or attacks.' data that identifies the person (Personally Identifiable Information) or allows com- With the growth of new information munication with the principal: information technologies, more and more informa- related to employment, physical charac- tion is in digital format, which represents teristics such as appearance, anatomy or more challenges that demand a balance traits of the person. It is also considered between the right to privacy of the indi- to include information related to training viduals and the manipulation of the infor- and professional activities, their property mation by third parties, as a result of the and their biometric information. use of technology. In addition, other information could be This refers to any type of information that important, such as the information that is concerned and associated with a per- involves the individual's personal value son and that allows the identification, system. Its misuse could lead to a negative characterization and determination of impact, such as discrimination. This type the individual's activities, private or public. of information includes aspects like ethnic

59 10 Laws and regulations

origin, health, religious beliefs, sexual pref- trol their personal information. erences, affiliations and political opinions. Another driving force behind laws relat- This is the reason why international or- ing to the protection of information is ganizations urge countries to legislate on business. Privacy has become a neces- these aspects. According to a study con- sary condition for trade between coun- ducted at the end of 2014, more than 100 tries. Non-compliance with the rules countries had adopted laws governing could mean the loss of business oppor- privacy and the protection of information tunities. International trade agreements in the possession of governments and pri- that consider the protection of personal vate companies. The map below shows information urge countries that sign up the countries that have this kind of law to them to legislate in this area. and the ones that have pending initia- tives for the adoption of such legislation.. One example is the principles of safe har- (Graph 15) bor privacy, established in 2000, which affirmed a framework for the recompila- Different protection initiatives have tend- tion, use and retention of personal infor- ed to incorporate the protection of per- mation transferred from European Un- sonal information rights afforded by the ion member states to the USA as being laws and rules developed in different parts in compliance with the European Union's of the world, as such protection is consid- Data Protection Directive. This directive ered – in theory, at any rate – a universal forms much of the basis for data pro- right that offers people the power to con- tection legislation in the EU, and this af-

Graph 15 ISO/IEC 27001 certificates around the world

Comprehensive national law enacted National regulation enacted

Current or recent initiative to enact law

Source: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1951416

60 10 Laws and regulations

firmation was the basis for exchange of It is possible to forecast that the adop- → data between the US and the EU. tion of information protection measures It is possible to as a way of self-regulation will remain in forecast that However, last October 6th, the agree- force, especially if we consider that the the adoption ments of safe harbor were declared no constant development of threats and of information longer valid by a European court, since the continuous identification of vulner- protection the European Court of Justice considered abilities determine the dynamic nature measures as a way that it has flaws because it had allowed of the risks associated with information of self-regulation the authorities of the US government to storage and processing. These last fac- will remain in have access to the information of Eu- tors, which could be considered “exter- force, especially ropean citizens exceeding the scope of nal” to the interests of organizations, are if we consider the Data Protection Directive and other the ones that could weigh in favor of the the constant regulations still under discussion at time decision to adopt and comply with the development of writing. rules, given the importance that personal of threats. information has nowadays. The court's declaration includes the statement that "legislation permitting In addition, privacy will continue to be the public authorities to have access crucial to conducting business in the on a generalized basis to the content of coming years if we consider that the electronic communications must be re- exfiltration of information we have seen garded as compromising the essence of in recent years. The information of citi- the fundamental right to respect for pri- zens and of the world in general, con- vate life." tinues to reverberate in the sphere of international relationships. Here we find ▸ Information Security: an another factor that could continue to effort shared between push public and private organizations governments, companies and toward the adoption and fulfillment of users privacy protection rules and legislation: the pressure that could be exerted by in- Compliance with rules and regulations is dividuals towards the protection of their necessary if organizations are to achieve personal information. their objectives, and remain aligned with requirements made voluntarily or by an The importance now afforded to laws interested party. or standards shows us the relevance that information security continues to acquire, if it is associated with the pro- COMPLIANCE tection of information and its privacy. WITH RULES AND To achieve those objectives requires the REGULATIONS participation of governments that are IS NECESSARY IF interested in legislating security-driven issues and promoting the creation of in- ORGANIZATIONS ARE stitutions entrusted with the making and TO ACHIEVE THEIR fulfilment of laws enforcing those objec- OBJECTIVES tives.

61 10 Laws and regulations

On the other hand, it is also necessary that companies process user information THE IMPORTANCE NOW within the framework of regulations, AFFORDED TO LAWS OR standards, legislation and rules; that us- STANDARDS SHOWS US ers participate by acting in accordance THE RELEVANCE THAT with the application of good security INFORMATION SECURITY practices; and, finally, that companies and organizations regard as one of their CONTINUES TO ACQUIRE, IF principal aims the preservation of the IT IS ASSOCIATED WITH THE confidentiality, integrity and availability PROTECTION of such information.

62 11 Threats to kids on the web

▸ Privacy and sexting ▸ Grooming ▸ Cyberbullyng ▸ Law and social contract as prevention

Author Sebastián Bortnik 11 THREATS TO KIDS ON THE WEB

The relationship between minors and In this context, cyber attacks against mi- → computers has in recent years become nors on the Internet are confirmed as How prepared are a full-time and, in some cases, depend- a significantly growing trend, and attacks adults to handle ent one. Whereas just a few years ago on the Internet privacy of minors emerge this situation? "being online" represented specific seg- as a risk based on three pillars: personal The digital gap ments of time scattered throughout a life data, financial data, and sexuality.. between parents lived mostly offline, children today almost and children "live online". In the digital world, its young has increased in inhabitants use computing devices from ▸ Privacy and sexting recent years. a very early age; smartphones, tablets and computers are used daily, allowing young Privacy on the Internet can be defined as people to not only stay connected, but the power exercised by users to control to "live" on the Internet. Their social life is access to their information by limiting the split between what is done in the physical extent of that access according to what world and their intense life in the digital they authorize, and to whom. This in- world. 95% of adolescents use the Internet cludes personal information, photos, files, through social networks, where they share and so on. When it comes to minors, ef- dialogue and information, generally inter- fective control requires skills that children act with their friends and also, perhaps, do not yet possess, such as social aware- with their not-quite-friends. ness of the risks associated with sharing certain information; that awareness de- In addition to social networks, tools such velops (in the best cases) during adoles- as WhatsApp, online games and other cence or adulthood. portals enhance the use of the Internet for communication, and the type of data Both social networks and games with so- consumed and shared. In the same way, cial features (chats, interaction, friendships the number of portals and communities and so on) that are targeted towards child for minors has grown and many of these audiences are environments in which the have paid features and services, so there malevolent can deceive minors, and thus is a financial risk associated with the use access their data or information through of credit cards in connection with children social engineering manipulation. and teenagers. On the other hand, children often share How prepared are adults to handle this their own information with others with- situation? The digital gap between parents out being aware of the wide range of and children has increased in recent years. people it might reach. A clear example of Surveys show that 50% of parents do not the latter is sexting, a term that means know what their children do on the In- voluntarily sending sexually explicit con- ternet, and one in every ten children says tent through digital channels. It is a com- that their parents do not know about the mon practice among young people and is technologies they use. observed among large groups of adoles-

64 11 Threats to kids on the web

cents. The surveys quoted above suggest tinue complying with the requirements that at least 25% of children interviewed of the “groomer”. have at some time sent or published nude or semi-nude photos electronically. This type of problem, although not new Moreover, more than half of young peo- in offline crime, has begun to emerge ple claim to have seen private images that also in the digital world, where it's easy were not intended for them. for the attackers to exploit their own an- onymity, steal the identity of the victim, Often these materials, which originally and work on many potential victims at were explicit content shared between the same time. In the majority of cases, two people, are passed on to a less limited communication starts on social net- group of people, without thought being works and then extends in some cases given to the potential for them going vi- to the physical world; thus leading in ex- ral. The mainstream platforms involved in treme cases to situations linked to pedo- this behavior are applications for smart- philia or child rape. phones such as WhatsApp, Kik, or . The groomers can be men or women of any age and any economic or social stratum. The process often starts online ▸ Grooming and on many occasions, the attacker in- vests considerable time during this cycle: Grooming is one of the crimes whose building trust with the minors; repeat- impact on children has grown on the edly changing identities, giving gifts, or web in recent years. It is the deliberate simply spending time with them in a vir- manipulation of a minor by an adult via tual community or online gaming envi- the Internet aimed at culminating in ac- ronment. tions of a sexual nature, such as sending explicit photographs or performing sex- ual actions in front of a web camera. In ▸ Cyberbullyng other cases, this action is a precursor to initiating a physical encounter with the The same lack of control that minors minor. exhibit on the Internet may extend to The adult usually pretends to be of difficulties in identifying a reasonable a similar age when they make online criterion when publishing content, not contact with the minor, in order to earn only around privacy, but also around the friendship of the victim, thus creating aggressive or violent content. an emotional connection. That is, they create enough empathy in order to re- Harassment is referred to as cyberbully- duce the child's inhibitions. ing through computer-borne traffic such as social networks, chat, email, or web In many cases, once certain material has sites. It consists of annoying, threaten- been obtained, the criminal may attempt ing, humiliating or harassing a person to blackmail the minor by threatening to using such means. The most common share the explicit content among their forms are the spread of false rumors, friends and relatives if they do not con- humiliating videos or photos, and the

65 11 Threats to kids on the web

creation of profiles or sites promoting tion. Additionally, attacks may remain physical or psychological assault against in cyberspace for a long time, so they the victim. It may also happen that the affect those who suffer them over the aggressors impersonate other people in long term. order to say nasty things or to threat- en the victims with publication of their According to the results of a survey personal information. Generally, those conducted by ESET Latin America, so- affected are vulnerable people who are cial networks are the most likely place seen as "different" by those who victim- to find this kind of incident, with instant ize them. Cyberbullying expands virally messaging in second place, especially on the web and is difficult to stop. For via mobile devices. (Graph 16) this reason, it is particularly invasive and harmful. According to this survey, 42% of the peo- ple surveyed know someone who has Many years ago, harassment was only encountered this type of threat over the conducted in person at school or in Internet, and 80% of those affected were clubs, but since the emergence of cy- in the age range of 11 to 18 years, which is berbullying, this harassment is more already curious since Facebook, for exam- constant and traumatic for children be- ple, only allows people older than 14 years cause it can be kept going and spread old to create accounts. (Graph 17) even further over the Internet and social networks throughout the day. Without being specifically a computer threat, cyberbullying is already becoming Although it is not a practice unique to one of the main risks to minors on the minors, cyberbullying is more difficult to Internet and this trend will deepen in the control in this segment of the popula- next few years.

Graph 16 Places where cyberbullying actions were seen

Social networks SMS e-mail Online games IM Forums Skype Don’t know – No answer Chat rooms Other

Source: ESET Latinoamérica

66 11 Threats to kids on the web

▸ Law and social contract as prevention ments) are becoming an indispensable tool for adults, due to the increasing use The big challenge that adults now face of technology by children. is how to become aware of these types of incident when they occur among chil- Unfortunately, the trend tends to be to- dren; it is therefore advisable for spe- wards an increase in the problems al- cialists to pay attention to changes in ready mentioned. According to 75% of those surveyed by ESET in Latin America, this type of problem occurs frequently; Graph 17 nevertheless, a sizeable proportion of the Age range of cyberbullying victims population is unaware of laws punishing these types of acts.

In this context, it is essential not only to continue creating laws to give support and protection to minors affected by such incidents in the online world, but also to promote and raise awareness of these laws.

Such legislation must be accompanied by "home rules"; that is, social stand- ards. Fathers and mothers at home, and teachers and principals at educational

6 years old or less; 1.5% Between 7 and 10 years old; 18.5% Graph 18 Between 11 and 15 years old; 43.1% Do you know any law in your country that Between 16 and 18 years old inclusive; 36.9% penalizes these acts? Source: ESET Latinoamérica children's behavior or mood. If a child exhibits sudden sadness, a decline in school performance or desire for solitude, it is necessary to talk in confidence to un- derstand what it is happening, since he/ No Yes she could be a victim of any of the situ- ations described above. In this context, addressing the child's digital social life in these dialogues is essential for a correct understanding of any such issues that might be emerging in their lives. Yes Moreover, parental control applications No (for both desktop and mobile environ- Source: ESET Latinoamérica

67 11 Threats to kids on the web

institutions should promote awareness deal with the notion of anonymity and of such standards by encouraging the false identity on the web, by explaining use of the Internet in an orderly fashion, how easy it is to generate a profile with with clear rules and guidelines. false data.

For example, the non-profit organiza- Ultimately, awareness between adults tion Securing Our eCity proposes the use of and minors will be essential to better ad- an Internet Contract, so that parents talk dress these issues as these disquieting with their children about these issues and trends continue to grow. make basic agreements about the use of computers, mobile phones, the Internet, and technology in general.

One of the biggest concerns among adults about this topic is how they can monitor minors in social networks and online games. Communication and awareness form the first barrier of de- fense for dealing with this kind of abuse, and so it is of vital importance to encour- age discussion periodically between chil- dren and adults, with the aim of narrow- ing the generation gap and so that at the first hint of doubt or suspicion, minors can alert their parents. It is essential to

ULTIMATELY, AWARENESS BETWEEN ADULTS AND MINORS WILL BE ESSENTIAL TO BETTER ADDRESS THESE ISSUES AS THESE DISQUIETING TRENDS CONTINUE TO GROW

68 12 2016: the security challenge 12 2016: THE SECURITY CHALLENGE

Throughout the preceding sections of this Trends Report by the ESET Research Laboratories, we have reviewed and discussed the problems, events and challenges that information security will have to face in 2016 and the years to come. In an in- creasingly dynamic and challenging situations, individuals and businesses will need to undergo regular training in order to protect their information properly.

It is a fact that attacks are growing more mize the exposure to cases of informa- sophisticated. Protecting a company's tion leakage and data hijacking, to reduce information and data seems to be an the exposure gap and the response time arduous and complicated task, and find- of each incident – all these factors need ing trained personnel willing to combat to be considered. continuing attacks gets more difficult all the time. However, though it seems to be Employees’ ability to detect possible an uphill struggle, at ESET Research Labo- attacks, which occur mainly through ratories we believe that it is possible to emails, helps to reduce the time need- protect individuals and businesses, and ed for the identification of such attacks. that technology, management and edu- This ability is not possible, though, with- cation, combined together, are key fac- out education and training in informa- tors for security. tion security. However, this will not be developed if the organization does not As we have stated, technological ad- see user involvement in security as an vances bring new possibilities for indi- important aspect of its business. In oth- viduals and for businesses. And cyber- er words, if the company does not care criminals are well aware of this fact. about the education of its employees Given that technology affects so many and the correct implementation of pro- aspects of everyday life, insecurity could tection technologies, it will be a lot more be "everywhere". Consequently, at ESET, vulnerable to . we believe instead that security should be everywhere, and insecurity banished. Based on what we expect to see in the And therein lie the challenges for busi- future, it is important to stress that infor- nesses, governments and individuals. mation security does not wholly depend on advances in cybercriminals' attack The challenges for the future are not im- methodology, but also on the measures possible to accept: the fact that in 5 years taken by individuals, governments and there will be 25 billion devices connected companies to defend their information, to the Internet, according to Gartner, does systems and infrastructure. Indeed, each not mean that users must become para- group has to accept the challenge and noid about their privacy and information assume responsibility for improving and security. As well as needing to continue maintaining information security. investing in security, companies will have to assess the technologies they use to There are different challenges for the detect and eliminate the threats from their years to come: from users' demands for networks. The implementation of layers of higher levels of security and privacy, the protection, or technologies able to detect importance of keeping children safe on an attack in its various stages, to mini- the Internet, and the actions that secu-

70 12 2016: the security challenge

rity agencies should take to combat cy- new technologies, defining standards → bercrime, to the implementation of mil- and rules that promote respect for users' 2016 will be a most lions of new devices that interconnect privacy, and ensuring that services and challenging year. the lives of individuals, businesses and infrastructure continue to serve to facili- We must face it governments. Security software com- tate countries’ development. In addition, with a proactive panies, protection technologies and the investment in research and development attitude of security education of consumers and end-users into new technologies must be accompa- awareness. will play major roles in the understand- nied by a security plan that assesses and ing, analysis and protection of the most describes the security measures to follow. diverse technologies. Therefore, with a larger potential attack The role of the user is becoming more surface and new vulnerabilities emerging important and this is a trend that will in widely-used technologies, the great- continue to grow. For some years now, est challenge for 2016 will be to focus on users have been demanding that com- protecting networks, Internet access and panies provide more and better security the way in which devices are intercon- to protect their data and information. nected. From the router that provides But beyond these demands, it is more access to the Internet in the home to important to educate individuals about the infrastructure of the most modern and how to be protect- cities, the best security practices should ed. In other words, users can no longer be applied to protect data, information be indifferent towards their information, and privacy. This is collaborative work since most of it is stored in different digi- that requires more active participation tal formats and in many different places from users, companies with a critical un- far beyond the borders of their own sys- derstanding of information protection tems. In 2016 and the years to follow, us- and a proactive role in security strat- ers will have to play a more active role egy, and governments promoting eco- regarding their own security, by continu- nomic development while ensuring the ally learning to protect their data as well establishment of (and compliance with) as relying on the protection afforded by standards, so that both companies and software security companies and the individuals will be protected in the event services they use. of a cyber incident.

Companies will have to base their strat- 2016 will be a most challenging year. We egies on three pillars: technology, man- must face it with a proactive attitude of agement and education of employees. security awareness. We must take ac- That said, the roles of the state and the count of all the aspects of security pre- security agencies should be stressed as sented in this report; we must focus on well, in terms of passing laws that serve all the new devices that will come onto to encourage the secure evolution of the scene in the near future.

71 About ESET

Since 1987, ESET® has been developing award-winning security software that now helps over 100 million users to Enjoy Safer Technology. Its broad security product portfolio covers all popular platforms and provides businesses and consumers around the world with the perfect balance of performance and proactive protection. The company has a global sales network covering 180 countries, and regional offices in Bratislava, San Diego, Singapore and Buenos Aires. For more information visit www.eset.com or follow us on LinkedIn, Facebook and Twitter.