The recent surge in zero-day attacks (which exploit security weaknesses in software that are unknown to the vendor) and other threats (such as the Heartbleed, Shellshock and POODLE vulnerabilities) has made organisations pay renewed attention to cyber security. Increasingly, individuals and organisations that discover zero-day attacks are selling them to anyone willing to pay, and who may in turn take advantage of them, thereby increasing the risk and prevalence of cyber attacks.
Malware has been affecting companies since 1986, when the Pakistani Brain virus was discovered, and has been evolving rapidly through the years. More recently, in 2013, the Hesperbot advanced Trojan was used by cyber criminals targeting online users with phishing campaigns and, in 2014, Windigo seized control of over 25,000 Unix servers that sent millions of spam emails. ESET has created an interesting infographic to visualise the evolution of malware.
Be aware of increased cyber attacks in November and December
Events such as Black Friday, Cyber Monday and the Christmas holidays are often marked by a surge in phishing, (D)DoS attacks, fraud and credit card theft. A lot of phishing emails – especially the targeted ones (spear phishing, whaling) – are not easy to spot. Organisations need to be aware that they are potential targets of such attacks and they need to ensure that they are vigilant against them.
An interesting fact that may not be well known is that retail giant Target received a report of the malware in their system – before it suffered a massive data breach – but decided not to act. The hackers worked at unprecedented speed, carrying out their operation during the peak of the Christmas sales season (according to a Reuters report).
Keeping up with evolving attacks
Violet Blue, an investigative tech reporter, wrote in an article for ZDNet that the problem is that ‘attacks evolve faster than requirements’. So, if you have implemented an information security management system (ISMS) in conformance with ISO 27001, or are PCI DSS-complaint, you still need to be alert to new attacks. The only way to really keep up with evolving attacks and, more importantly, to test your defences is through consultant-driven penetration testing.
In her article, Ms Blue writes: “Modern penetration testing is more than a scan, and definitely more than a tick-the-boxes compliance requirement.”
She also advises that pen testing ‘demands hiring a team of the best attackers your money and research can get, and asking them to not just attack, but also to exploit your defenses.’
Yet too many organisations only conduct a pen test after they’ve been scorched, and it costs them dearly. Don’t be one of them!
To help organisations prepare for the increased cyber threat during the Christmas period, IT Governance is offering a Combined Infrastructure and Web Application Penetration Test – Level 1. Book this service in November 2014 and you will receive a free email phishing campaign to test staff awareness.