Do you have your door open for malware attacks?

The number of exploit attacks against known vulnerabilities continues to increase. The target is to install malware into the targeted system and to gain benefits for the criminals behind the attack.

According to F-Secure Threat Report H1/2013, the majority of Top 10 detections from the last six months involved exploits. Java is the most popular entry point and therefore, disallowing Java plug-ins might make sense.  Java vulnerabilities have allowed attackers to use even classic forms of attack, known for about ten years already.

Image

The table clearly shows that the users do not seem to understand the importance of security patches since exploits can target vulnerabilities that have had a patch for over 5 years!

On the other hand, exploit kits find their way to the market unbelievably fast – the F-Secure Threat report tells: “Java vulnerability CVE-2013-2423; a Metasploit module targeting this was first published on April 20th, and a day later we noticed in-the-wild attacks against it had already gotten underway by the CrimeBoss exploit kit”.

Why is it so hard to keep pace with the critical security updates then?

First, the number of patches releases is huge. For example, Microsoft alone recently published 13 patches against 47 bugs in its Patch Tuesday security update. Add to that the Java updates, Adobe updates, and all the rest of the products, and the number of necessary updates in a business environment can be devastating. Second – would the IT administrator always know which software is installed on which machine?

F-Secure Software Updater, an automated patch management tool integrated in the security clients, can help manage the huge task of keeping on top of the critical security updates. It follows the philosophy: find it, fix it, and forget it.

Cheers, Eija

More posts from this topic

Sony Pictures

5 obvious things your business needs to know about the Sony hack

Since news of the now infamous "Sony hack" broke, some experts have been skeptical that the government of Kim Jong Un was directly behind what appears to be the "worst hack any company has ever publicly suffered." Before the hackers dumped emails designed to humiliate the company then posted a note on Pastebin threatening the release of the "The Interview" with the ominous line “Remember the 11th of September", our Security Advisor Sean Sullivan posited a theory. He suggested that "the attack was an attempted shakedown and extortion scheme." Few companies are as vulnerable to public acts of humiliation -- thus as vulnerable to extortion -- as a global media company. But nearly every company risks potential massive financial damage from the exposure of confidential data. So what does that mean for you and your business. Here are five simple takeaways that may seem obvious to you but may not have seemed so clear to Sony: 1. If your business' network is going to be breached, it's probably going  start with an employee clicking on an email attachment. "It’s interesting that, while the array of tools is diverse, the basic methods of gaining access to a victim’s environment are not," Verizon noted in its most recent Data Breach Investigations Report. "The most prolific is the old faithful: spear phishing. We (and others) have covered this ad nauseam in prior reports, but for both of you who have somehow missed it, here goes: A well-crafted and personally/professionally-relevant email is sent to a targeted user(s), prompting them to open an attachment or click a link within the message. Inevitably, they take the bait, at which point malware installs on the system, a backdoor or command channel opens, and the attacker begins a chain of actions moving toward their objective." With the wealth of information available about executives online, targeting an infected email attachment to a specific user remains the most reliable method of penetrating a network. Most of us have been using email long enough to know that a message with a file included that reeks of unprofessionalism may be dangerous. But if the email seems crafted and personal, we still may be fooled. Security education will never cure the plague human error, which is why your IT department is working overtime to break the "delivery-installation-exploitation chain". Still the basic caveat applies: Never open an attachment you weren't expecting. 2. Don't store your passwords in a folder called "Passwords". Seems obvious. But it appears Sony may have done just that. Verizon reports that credentials are the number one hacker target. With 62 percent hacks not discovered until months after a network has been hacked, the intruders will have plenty of time to poke around. Don't make it easy. 3. Plug the holes. Keep all of your system, application and security software patched and protected -- especially browsers. Don't use Java plugins. Or get protection like F-Secure Software Updater that keeps you patched seamlessly. 4. Links in email can be as dangerous as attachments. It turns out that years of indoctrination have has some effect. Users are more skeptical of attachments than of links in emails that can lead to "drive-by" web attacks and/or phishing scams -- but not skeptical enough. About 8 percent will click on an email attachment while "18 percent of users will visit a link in a phishing email. Users unfamiliar with drive-by malware might think that simply visiting a link won’t result in a compromise." 5. Remember that email is forever. Dance like no one is watching; email like it may one day be read aloud in a deposition. — Olivia Nuzzi (@Olivianuzzi) December 13, 2014 Cheers, Sandra

Dec 30, 2014
GAMEOVER ZEUS botnet
Aug 28, 2014
BY 
Password joke

How much are your passwords costing you?

You come back after a nice vacation, rested, tanned and ready to catch up on a few weeks of email.  The only problem? You've forgotten your password. This may seem like a trivial problem, until you realize that it's not just you -- it's the guy at the next desk and the next desk and the next desk. And it isn't just one account. A new report finds that lost or forgotten passwords cost the city of Espoo, a city of about 249,000 in Finland, about 18€ per worker for a total cost of 200, 000€ -- every year. And that doesn't include the cost of the workers' lost time. The fact is people have better things to think about than strings of often nonsensical numbers and letters that include a special character. The need for strong, unique passwords for all of our important accounts is overwhelming, with most people needing to remember at least 20 different passwords. Users have been forced to chose between using memorable terrible passwords or forgettable good passwords. At F-Secure, we believe technology should free your mind to deal with important work, not passwords. That's why we created Key, our password manager that offers you one password to rule them all. It stores all your passwords, log-ins, e-mails, PIN codes and other credentials securely. You don't need to think of crazy unguessable passwords because it generates them for you and fill them in as you use the web. And our encryption protects all your data. It's free to use on one device and as cheap as $1.84 a month if you want a premium account that covers all your devices. Give it a try, before you forget. Cheers, Sandra Image courtesy of Lulu Hoeller, flickr.com

Jul 23, 2014