It’s our pleasure to introduce Emma, an F-Secure Marketing Specialist who works in Global Marketing. She specializes in corporate protection that keeps businesses thriving. With the launch of our new Software Updater solution for business, we’re going to be focusing more on corporate security in the future so we thought we’d start by introducing Emma and giving you her thoughts on the challenges our corporate customers face.
We started off by asking Emma what it is she likes most about her job.
“It’s quite difficult to pinpoint one single thing that I most enjoy at work,” she told us, “since one of my favorite things about my job is the variety of tasks. However, one of the best parts of my job is definitely creating content. Telling stories is fun, and I hope that we also succeed in communicating in ways and about topics that are relevant and of interest to our target audience.”
That audience is made up of F-Secure partners —some of the best and brightest business minds around the globe.
Like many of us at F-Secure, Emma enjoys the unique opportunity to work with and around some of the world’s foremost experts in digital threats.
“During my time at F-Secure, I have had the chance to learn not only a whole lot of new things about marketing, but also about the industry and the threat landscape,” she said.
Her job also puts her in touch with the current challenges that exist in securing the workplace.
“There’s no single threat that most affects businesses,” she told us. “Rather, organizations of all sizes are affected by cyber crime in all it’s different forms and variations, but one clear purpose: to steal money and confidential data. Even small businesses are increasingly becoming the target of these attacks, as many of them lack the resources and expertise to protect their irreplaceable assets.”
The threat landscape is always evolving but one aspect that is increasingly scary to businesses is software vulnerabilities.
“Recently, we’ve seen an increasing amount of attempts to gain access to a computer through vulnerability exploitation – the art of finding a security hole in any software and using that as a way to infect the machine. Vulnerabilities in Java and Internet Explorer have been all over the news, and criminals haven’t left these opportunities unused.”
That’s where F-Secure comes in, of course.
Emma explains: “Our portfolio covers a whole range of customer needs, from organizations willing to manage their solution on their own to a fully outsourced solution where IT security is managed by a trusted partner. We protect all layers of the organization from desktop PCs, laptops and mobile phones to file servers and email servers. In addition, our advanced management tools make it possible to monitor and manage a network.”
F-Secure was the first security company in the world to offer security as a service. Many businesses find that by relying on us for the best protection in the world doesn’t just save them time and money. It frees them up to concentrate on what matters most.
“Security as a Service has proven to be a success and it is increasingly popular among businesses. Outsourcing security to a partner means worry-free and reliable protection that is always backed up by F-Secure’s world class technology,” Emma told us. “When professionals take care of security, you can focus on your core business. Security as a Service is a great solution especially for those businesses, large and small, that don’t have the necessary expertise.”
How can F-Secure affect your workplace?
“Ensuring high-quality protection ensures uninterrupted work and keeps an organization running. Actually, the challenge with security is that it is only noticed when something negative happens,” she said.
But for Emma, security that works best is security that you don’t notice.
“Security is paramount for business but it should not come at the cost of usability. Our objective is to offer our customers the best protection without unnecessary impact on performance or distraction.”
When this happens everyone performs better.
“At best, IT security can improve productivity,” she said. “Think about email, for example. Email is a vital business tool for companies, but spam email traffic can reduce employee productivity and burden the IT infrastructure. Effective and accurate virus and spam filtering saves internal network bandwidth and increases productivity.”
Most businesses have had email security in mind for years but forward-thinking businesses are thinking ahead. Optimal software performance prevents online crime and keeps businesses functioning optimally when it matters most.
“Another example could be updating software. Keeping software up-to-date fixes holes in security,” Emma told us, “but can also keep software and applications running smoothly and reliably during critical times.”
For business, those critical times are the last moments when you want to think about security. And that’s why Emma and F-Secure are here, so you don’t have to.
The Sony hack of late 2014 sent shock waves through Hollywood that rippled out into the rest of the world for months. The ironic hack of the dubious surveillance software company Hacking Team last summer showed no one is immune to a data breach - not even a company that specializes in breaking into systems. After a big hack, some of the first questions asked are how the attacker got in, and whether it could have been prevented. But today we're asking a different question: whether, once the attacker was already in the network, the breach could have been detected. And stopped. Here's why: Advanced attacks like the ones that hit Sony and Hacking Team are carried out by highly skilled attackers who specifically target a certain organization. Preventive measures block the great majority of threats out there, but advanced attackers know how to get around a company's defenses. The better preventive security a company has in place, the harder it will be to get in…but the most highly skilled, highly motivated attackers will still find a way in somehow. That's where detection comes in. Thinking like an attacker If an attacker does get through a company's defensive walls, it's critical to be able detect their presence as early as possible, to limit the damage they can do. There has been no official confirmation of when Sony's actual breach first took place, but some reports say the company had been breached for a year before the attackers froze up Sony's systems and began leaking volumes of juicy info about the studio's inner workings. That's a long time for someone to be roaming around in a network, harvesting data. So how does one detect an attacker inside a network? By thinking like an attacker. And thinking like an attacker requires having a thorough knowledge of how attackers work, to be able to spot their telltale traces and distinguish them from legitimate users. Advanced or APT (Advanced Persistent Threat) attacks differ depending on the situation and the goals of the attacker, but in general their attacks tend to follow a pattern. Once they've chosen a target company and performed reconnaissance to find out more about the company and how to best compromise it, their attacks generally cover the following phases: 1. Gain a foothold. The first step is to infect a machine within the organization. This is typically done by exploiting software vulnerabilities on servers or endpoints, or by using social engineering tactics such as phishing, spear-phishing, watering holes, or man-in-the-middle attacks. 2. Achieve persistence. The initial step must also perform some action that lets the attacker access the system later at will. This means a persistent component that creates a backdoor the attacker can re-enter through later. 3. Perform network reconnaissance. Gather information about the initial compromised system and the whole network to figure out where and how to advance in the network. 4. Lateral movement. Gain access to further systems as needed, depending on what the goal of the attack is. Steps 2-4 are then repeated as needed to gain access to the target data or system. 5. Collect target data. Identify and collect files, credentials, emails, and other forms of intercepted communications. 6. Exfiltrate target data. Copy data to the attackers via network. Steps 5 and 6 can also happen in small increments over time. In some cases these steps are augmented with sabotaging data or systems. 7. Cover tracks. Evidence of what was done and how it was done is easily erased by deleting and modifying logs and file access times. This can happen throughout the attack, not just at the end. For each phase, there are various tactics, techniques and procedures attackers use to accomplish the task as covertly as possible. Combined with an awareness and visibility of what is happening throughout the network, knowledge of these tools and techniques is what will enable companies to detect attackers in their networks and stop them in their tracks. Following the signs Sony may have been breached for a year, but signs of the attack were there all along. Perhaps these signs just weren't being watched for - or perhaps they were missed. The attackers tried to cover their tracks (step 7) with two specific tools that forged logs and file access and creation times - tools that could have been detected as being suspicious. These tools were used throughout the attack, not just at the end, so detection would have happened well before all the damage was done, saving Sony and its executives much embarrassment, difficult PR, lost productivity, and untold millions of dollars. In the case of Hacking Team, the hacker known as Phineas Fisher used a network scanner called nmap, a common network scanning tool, to gather information about the organization’s internal network and figure out how to advance the attack (step 3). Nmap activity on a company internal network should be flagged as a suspicious activity. For moving inside the network, step 4, he used methods based on the built-in Windows management framework, PowerShell, and the well-known tool psexec from SysInternals. These techniques could also potentially have been picked up on from the way they were used that would differ from a legitimate user. These are just a few examples of how a knowledge of how attackers work can be used to detect and stop them. In practice, F-Secure does this with a new service we've just launched called Rapid Detection Service. The service uses a combination of human and machine intelligence to monitor what's going on inside a company network and detect suspicious behavior. Our promise is that once we've detected a breach, we'll alert the company within 30 minutes. They'll find out about it first from us, not from the headlines. One F-Secure analyst sums it up nicely: "The goal is to make it impossible for an attacker to wiggle his way from an initial breach to his eventual goal." After all, breaches do happen. The next step, then, is to be prepared. Photo: Getty Images
Yet another big vulnerability in the headlines. The Metaphor hack was discovered by Israel-based NorthBit and can be used to take control over almost any Android device. The vulnerability can be exploited from video files that people encounter when surfing the web. It affects all versions of Android except version 6, which is the latest major version also known as Marshmallow. But why is this such a big deal? Severe vulnerabilities are found all the time and we receive updates and patches to fix them. A fast update process is as a matter of fact a cyber security cornerstone. What makes this issue severe is that it affects Android, which to a large extent lack this cornerstone. Android devices are usually not upgraded to new major versions. Google is patching vulnerabilities, but these patches’ path to the devices is long and winding. Different vendors’ practices for patching varies a lot, and many devices will never receive any. This is really a big issue as Android’s smartphone market share is about 85% and growing! How is this possible? This underlines one of the fundamental differences between the Android and iOS ecosystems. Apple’s products are planned more like the computers we are used to. They are investments and will be maintained after purchase. iOS devices receive updates, and even major system upgrades, automatically and free of charge. And most users do install them. Great for the security. Android is a different cup of tea. These devices are mostly aimed at a cheaper market segment. They are built as consumables that will be replaced quite frequently. This is no doubt a reasonable and cost-saving strategy for the vendors. They can focus on making software work on the currently shipping devices and forget about legacy models. It helps keeping the price-point down. This leads to a situation where only 2,3% of the Android users are running Marshmallow, even half a year after release. The contrast against iOS is huge. iOS 9 has been on the market about the same time and already covers 79% of the user base. Apple reported a 50% coverage just five days after release! The Android strategy backfires when bugs like Metaphor are discovered. A swift and compete patch roll-out is the only viable response, but this is not available to all. This leaves many users with two bad options, to replace the phone or to take a risk and keep using the old one. Not good. One could think that this model is disappearing as we all grow more and more aware of the cyber threats. Nope, development actually goes in the opposite direction. Small connected devices, IoT-devices, are slowly creeping into our homes and lives. And the maintenance model for these is pretty much the same as for Android. They are cheap. They are not expected to last long, and the technology is developing so fast that you would be likely to replace them anyway even if they were built to last. And on top of that, their vendors are usually more experienced in developing hardware than software. All that together makes the IoT-revolution pretty scary. Even if IoT-hacking isn’t one of the ordinary citizen’s main concerns yet. So let’s once again repeat the tree fundamental commands for being secure on-line. Use common sense, keep your device patched and use a suitable security product. If you have a system that provides regular patches and updates, keep in mind that it is a valuable service that helps keeping you safe. But it is also worth pointing out that nothing as black and white. There are unfortunately also problematic update scenarios. Safe surfing, Micke Photo by etnyk under CC
We who write stuff in the security industry are used to dashing off sentences like, “Online attacks are becoming more and more advanced” or “Malware is continually evolving in sophistication.” But in the past year we experienced a surprising throwback to one type of malware from an earlier era. Malware that uses a rather old technique, but it’s causing plenty of trouble nonetheless. It kinda feels like we've gone back in time. I’m talking about macro malware. It’s something we hadn’t seen prominently since the early 2000’s. And now, as touched on in our just released Threat Report covering the 2015 threat landscape, it has reared its head again. What is macro malware? Macro malware takes advantage of the macro feature in Office documents to execute commands. And macros are simply shortcuts the user can create for repeated tasks. For example, let’s say you are creating a document in Word and you find yourself repeatedly editing text to be red with a yellow highlight, 16 point, italic and right aligned. To save time, you can create a macro of your commands and then whenever you need that kind of style, simply run the macro. A little history Macro malware was common back in the 1990’s and early 2000’s. The first macro malware, Concept, was discovered in 1995, although it was basically harmless, simply displaying a dialogue box. In 1999, one of the most notorious macro malware, Melissa, was discovered. Melissa emailed itself to 50 addresses in the user’s address book, spreading to 20% of the world’s computers. But macro malware wouldn’t last long. When Microsoft released Word 2003, the default security settings were changed to stop macros from automatically running when a document opened. This made it more difficult to infect a computer through macros and attackers mostly dropped them to focus on other methods. So what happened? Why is it back again? The re-emergence, according to Sean Sullivan, Security Advisor in F-Secure Labs, may be correlated with the decline of exploitable vulnerabilities due to security improvements in today’s common software applications like Microsoft Office. Exploits have been one of the most common ways to infect machines in recent years, but with fewer software holes to exploit, malware authors seem to be reverting to other tricks. How it’s successful Today’s macro malware attempts to get around Microsoft’s default settings with a simple trick. When a document is opened, the information inside doesn’t appear properly to the viewer – for example, sometimes the document looks like scrambled gobbledygook. Text in the document claims that macros, or content, must be enabled for proper viewing. Here’s one example: Curiosity? Just plain unaware? Whatever the reason, as Sean says, the malware’s reappearance has been successful because “People click.” Once macros have been enabled, the malicious macro code is executed – which then downloads the payload. Macro malware is used by crypto-ransomware families like Cryptowall and the newest threat Locky. These families encrypt the data on a computer and then demand payment to unencrypt it. Although we don’t know for sure, it’s possible it was macro malware that was used in the holding of a Hollywood hospital for ransom last month. The banking Trojan Dridex, which allows attackers to steal banking credentials and other personal info from infected machines, also uses the technique. How to avoid it Fortunately, if you use security from F-Secure, you’re protected from these threats. But aside from that, the old advice still holds: Be wary of email attachments from senders you don’t know. And take care not to enable macros on documents you’ve received from sources you’re not 100% sure of. "Back to the Future" banner image courtesy of Garry Knight, flickr.com