
PwC Weekly Security Report

This is a weekly digest of security news and events from around the world. News items are summarised and web links are provided for further information.


Cyber insurance: Security tool or hype?

A few months back, I was a passive observer to an interesting email thread. People on the thread were discussing a breach that was big news at the time. Suggestions were made as to why the breach occurred, how it may have occurred, how the response could have been better executed, among many other points. At one point in the discussion, one individual decided to interject the concept of cyber insurance in a mocking and condescending tone. In other words, the individual did not feel that cyber insurance was a valid topic worthy of serious discussion.

In the past, I’ve written about the challenges that the security community has with mocking and condescending, and the tremendous disservice it does us in terms of improving the state of security. I don’t wish to further discuss that subject in this piece, though this incident does raise another interesting discussion. Is cyber insurance a valid tool in the security professional’s tool belt, or is it merely hype?

Although mocking and condescending is never justified in my opinion, it is possible to understand those who would respond to extreme hype in that manner.

Cyber Risk and Insurance

In order to answer the question of whether or not cyber insurance is a valid tool in the security professional’s tool belt, we need to take a step back. Let’s think about security in the broader context of managing, mitigating, and minimizing risk.

More specifically, let’s think about risk from the perspective of an executive or board.

For our purposes, at an executive or board level, the risk from a security issue (sometimes referred to as a cyber event) can be rolled up into two main categories at a strategic level:

● Near-term costs incurred because of incident response, liabilities, notification requirements, fines, penalties, legal fees, and other such expenses

● Long-term costs incurred because of damage to the business, damage to the brand reputation, loss of customer confidence, loss of business partners, and other such losses

Source: http://www.securityweek.com/cyber-insurance-security-tool-or-hype

http://www.symantec.com/connec


Dridex leads banking Trojan attack trends

2015 saw an up and down pattern in the amount of attacks using banking trojans, with Dridex taking on a dominant position.

G DATA has released its H2 2015 Malware Report, which found that attacks by banking trojans mainly targeted English-speaking countries, with 80% of all target sites located in the Anglophone region.

“In the beginning of the second half of 2015, it initially appeared that attacks by banking trojans had been significantly reduced,” said Tim Berghoff, security evangelist, G DATA. “In fact, Swatbanker, a previously dominant trojan, almost completely disappeared from the picture. However, in December, our researchers found that Dridex was responsible for a huge wave of attacks through phishing emails, showing that banking trojans are clearly still a major concern.”

In all, there were 5,143,784 new malware variants in 2015—just under the amount for 2014. Following a rapid increase in the second half of 2014 and the first half of 2015, the outbreaks appeared to have abated. In the second half of the year, G DATA’s security researchers recorded a total of 2,098,062 new signature variants, which is 31% less than the first half.

At the beginning of the half-year, no Trojan held a dominant position. In July, 25% fewer Trojan attacks were recorded than in the previous month, and this figure halved again in August. However, as the second half of the year unfolded, there was a resurgence in the level of attacks, and in October the level of infection reached that of July again.

In November, a major Russian cybercrime ring was broken up. A connection with the Dyreza Trojan was suspected, the activities of which were virtually eliminated after the group was taken down. In addition, Tinba and also ZeuS, together with all its variants, were subsequently recorded much more rarely, with the result that the level of attack for November was only slightly above that of August again.

In December, the already well-known banking Trojan Dridex built up a significant lead. The criminals behind Dridex used spam email containing fictitious invoices or supposed tax refunds to lure recipients into their trap.

Overall the level of infection ended up back at that for July.

Source: http://www.infosecurity-magazine.com/news/dridex-leads-banking-trojan-attack/


The emergence of identity as an enterprise attack surface

In spite of heroic efforts, many companies today offer attackers no shortage of vulnerable points for entry into their networks. Whether it’s cloud services unknown to the corporate security team, or a web server that is 10 patch revisions behind, or an application that never underwent proper security or code review – the options are plentiful.

Once an attacker gets in, they have to achieve their objectives. They need to move around, understand your organization’s layout and find exploitable weaknesses to accomplish their mission. Or they could completely bypass all that by assuming the identity of one of your administrators and (likely) have free reign of everything. Complicating this further, attackers don’t just come at you from the ‘outside.’

Sometimes, they’re existing employees seeking to exploit your organization’s weaknesses to steal information without anyone noticing and leave for a competitor.

Enterprise Identity Management

This is the stuff of nightmares for security leaders, and fact is, it’s all too real.

As more and more companies start to take security seriously, board-level seriously, the obvious opportunities for attackers diminish.

The result is attackers looking for more creative ways to gain entry and foothold without having to potentially set off alarms and get caught.

That strategy has them more and more exploiting identities.

The reason for this change is quite simple – for a long time companies have struggled with managing identities and access. Local administrator rights are rampant. Shared administrator accounts are still fairly common, and the definition of roles in any given organization still leaves something to be desired. So the result is that the identity has become part of the attack surface. Identities are something attackers go after, attempt to exploit and misuse for their nefarious means.

If you doubt the danger that identities pose to your organization, you should conduct a simple test. Pick any given user in your organization (an administrator or generic user) and investigate the power their identity has on your network, systems and applications. In most companies, when a new user is on-boarded they are given rights to the network, systems and applications they need to do the job they’re assigned. Over time, that scope creeps and spins out of control.

Over the course of a few months to a few years many of these identities never lose the old access requirements they had when they were hired. They move from role to role and acquire new access requirements. Before you know it, individuals have got access to servers, shared folders, applications and loads of other things to which they don’t need access. Processes for clean-up and audit are becoming more pervasive, but still not commonplace, even as identity stores grow over time. It’s an effort that requires deliberate focus and attention.

Source: http://www.securityweek.com/emergence-identity-enterprise-attack-surface
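The "simple test" above (pick a user and look at what their identity can reach) is easy to turn into a repeatable entitlement review. The following is an added example, not code from PwC or from the SecurityWeek article: it takes a user's role history and their current entitlements and flags access that no longer matches the role they hold, access that no role ever justified, and access that has gone unused. The role-to-resource baseline, the resource names and the sample user are all constructed for illustration.

```python
"""Entitlement drift review (added example; all data below is constructed)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class RoleAssignment:
    role: str
    start: date
    end: Optional[date]  # None means this is the role currently held


@dataclass(frozen=True)
class Entitlement:
    resource: str
    granted_on: date
    last_used: Optional[date]  # None means no recorded use at all


# Hypothetical baseline: the resources each role legitimately needs.
# In practice this comes from the IAM/role-definition system.
ROLE_BASELINE: Dict[str, set] = {
    "helpdesk": {"ticketing", "ad-password-reset"},
    "sysadmin": {"ad-domain-admins", "prod-servers-rdp", "ticketing"},
    "finance-analyst": {"erp-read", "finance-share"},
}


def current_role(history: List[RoleAssignment]) -> str:
    """Return the role with no end date; if several are open, the most recent one."""
    open_roles = [a for a in history if a.end is None]
    if not open_roles:
        raise ValueError("user has no active role assignment")
    return max(open_roles, key=lambda a: a.start).role


def review_entitlements(history: List[RoleAssignment],
                        entitlements: List[Entitlement],
                        today: date,
                        stale_after_days: int = 90) -> Dict[str, List[str]]:
    """Map each questionable resource to the reasons it should be reviewed."""
    role_now = current_role(history)
    needed_now = ROLE_BASELINE.get(role_now, set())
    findings: Dict[str, List[str]] = {}
    for ent in entitlements:
        reasons = []
        if ent.resource not in needed_now:
            # Was this access justified by a role the user held earlier?
            former = [a.role for a in history
                      if a.role != role_now
                      and ent.resource in ROLE_BASELINE.get(a.role, set())]
            if former:
                reasons.append(f"not needed by current role '{role_now}'; "
                               f"inherited from former role '{former[0]}'")
            else:
                reasons.append(f"not justified by any role held (current: '{role_now}')")
        if ent.last_used is None:
            reasons.append("never used")
        elif (today - ent.last_used).days > stale_after_days:
            reasons.append(f"unused for {(today - ent.last_used).days} days")
        if reasons:
            findings[ent.resource] = reasons
    return findings


# Constructed sample user: moved from helpdesk to finance, kept old access.
SAMPLE_HISTORY = [
    RoleAssignment("helpdesk", date(2021, 1, 4), date(2022, 6, 30)),
    RoleAssignment("finance-analyst", date(2022, 7, 1), None),
]
SAMPLE_ENTITLEMENTS = [
    Entitlement("ticketing", date(2021, 1, 4), date(2024, 3, 1)),
    Entitlement("ad-password-reset", date(2021, 1, 10), date(2022, 5, 15)),
    Entitlement("prod-servers-rdp", date(2021, 9, 2), None),
    Entitlement("erp-read", date(2022, 7, 1), date(2024, 4, 10)),
    Entitlement("finance-share", date(2022, 7, 1), date(2024, 4, 11)),
]
REVIEW_DATE = date(2024, 4, 15)


def sample_review() -> Dict[str, List[str]]:
    return review_entitlements(SAMPLE_HISTORY, SAMPLE_ENTITLEMENTS, REVIEW_DATE)


if __name__ == "__main__":
    for resource, reasons in sample_review().items():
        print(f"{resource}: {'; '.join(reasons)}")
```

Run over the sample user, the review leaves the two finance resources alone and flags the helpdesk-era entitlements as inherited from a former role, one of them also as long unused, plus an RDP grant that no role the user ever held explains. The two independent signals (role mismatch and disuse) are kept separate on purpose: an entitlement that is outside the current role but used daily usually points at an incomplete role definition, while one that is both outside the role and idle is the clean-up candidate the article describes.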


29% of Android devices can’t be patched by Google

Google on Tuesday released the second annual security report on its “toxic hellstew of vulnerabilities,” or what the rest of us know as Android.

You might recall that ZDNet’s Adrian Kingsley-Hughes bestowed this memorable and burbly description on Google’s mobile operating system two years ago, when Android device vendors were lagging in patching vulnerabilities such as Heartbleed on their devices.

Apple CEO Tim Cook loved that description. He put it on screen at Apple’s WWDC developers conference. He also put up a slide of a pie chart showing that 99% of mobile malware was on Android.

They say it got a big laugh. Oh, baby. Neither love nor money can buy you better verbiage for your company slideshow.

Jump forward a year to 2015 and Google’s first-ever Android security report.

Google must have been muttering “Who’s laughing now?” the whole time it was pulling together the review of Android security in 2014, given that it would claim, more or less, to have demolished malware.

Fewer than 1% of Android devices had any malware, Google said in the 2014 report, thanks to scanning done by a product named Verify Apps that sniffs out viruses, ransomware, or other Potentially Harmful Applications (PHAs).

Well, that’s a nifty trick, Naked Security’s Paul Ducklin noted: Google went and “solved” the malware problem by defining it out of existence.

Why fuss with all those scary-sounding subcategories – spyware, backdoor, call_fraud, sms_fraud, phishing, DDoS, ransomware, and even generic_malware – when you can just roll them all up into the much milder-sounding uber category of “potentially” harmful apps?

Source: https://nakedsecurity.sophos.com/2016/04/21/29-of-android-devices-cant-be-patched-by-google/


A security lesson from down under: Australia’s banking app malware theft

With the Australian banking system reeling from its recent malware attacks, it seems news stories about the theft of personal data are popping up with depressing regularity.

In case you missed the latest story, it bears investigation due to the warning shot it fired across the U.S. commercial banking sector, and the implications for how safe your financial data is right now. And when I say financial data, let’s be clear, I mean your actual money.

The sophisticated Android attack on the banking apps of Australia’s biggest banks has targeted millions of customers. That’s ANZ Bank, Commonwealth Bank, National Australia Bank, Westpac and a host of others. Hiding in infected phones, using fake log in screens for the banking apps themselves, but also Whatsapp, Skype, PayPal, eBay and Google services, the malware leaps into action when a legitimate banking app is used, replacing it with a fake cover in order to intercept log-in details.

In fact, it also serves to steal SMS two-factor authentication codes, meaning the bank’s security measures are bypassed, and the thieves can then transfer funds at will.

Terrifying, yes, and unfortunately not an isolated event. Just a few short months ago, German users were targeted by criminals using mobile banking malware disguised as a fake PayPal app. The cyber-criminal’s dictionary is ever expanding, with phishing (malicious emails) now joined by smshing (malicious SMS) and vishing (voice over telephone scamming).

But it’s not just the lexicon that’s growing, it’s access. Right now any one of us can go online and make a free spoof call from our phone, using simple, consumer focused websites. Sure it’s being marketed as a way of playing “hilarious” jokes on friends and family, or of protecting your own caller ID and privacy, but let’s not be overly naïve. Privacy is a right, protected by law; anonymity, however, particularly online, rarely brings out the best in people.

Perhaps your response is that while Germany and Australia are having their problems, it’s all a long way from our shores. Unfortunately, it’s not a view shared by the Washington Legislature, who are so concerned with malicious online activity that a new cybercrime bill has just sailed through the House and Senate. Focusing on prison sentences and fines for spoofing, electronic data tampering, theft and service interference, the bill is an explicit indication that the lawmakers identify these threats as a clear and present danger.

Source: http://www.infosecisland.com/blogview/24748-A-Security-Lesson-from-Down-Under-Australias-Banking-App-Malware-Theft.html


Three steps to stop a threat before it becomes an incident

A few weeks ago, my son brought home a science assignment called Jeremy the Germ, which described how germs propagate. Jeremy is a crafty germ who travels from a student’s sneeze to a pencil that is then shared with a classmate, who chews on it. (I know, gross.) But this provides an easy entry for Jeremy into the girl’s immune system, where he waits and slowly turns into an infection. That leads to a cold, missed school and a not-so-good time for the young girl and her family.

When a security threat becomes a major incident

Not unlike Jeremy the Germ, security threats today are sophisticated, persistent squatters in the security world. They use endpoints such as laptops, desktops, mobile devices and servers to gain access to data and the corporate environment. These hidden threats lie in wait — sometimes it can take almost six months before an organization discovers the threat.

Their goals can range from targeting specific data and gathering information to using legitimate tools and processes to move through the corporate network. Historically, organizations approached these security problems piecemeal, using network and other perimeter controls and then bolstering endpoints with signature-based or sandboxing protection.

But in this era of cloud, mobility and a rapidly proliferating cybercrime industry, building a larger wall, a deeper moat or a stronger defense-in-depth security is insufficient. Cloud, bring-your-own-device (BYOD) and the general consumerization of IT are outpacing the strategies organizations scramble to put in place.

No controls can guarantee complete security and protection. Instead, organizations need an approach that balances a certain level of acceptable risk with smarter detection and response to true threats. With so many technologies and processes out there, it can be overwhelming for organizations to determine the right path to protection. Here is one three-pronged approach that can stop a threat from turning into an incident.

Step One: Smarter protection

To start, identify areas of risk in your organization and assign levels and criteria of acceptable risk. Foundational protection and prevention technologies that offer endpoint- and network-level controls are key to tuning a security dial toward that level of manageable risk.

Source: https://securityintelligence.com/three-steps-to-stop-a-threat-before-it-becomes-an-incident/


About PwC

At PwC, our purpose is to build trust in society and solve important problems. We’re a network of firms in 157 countries with more than 2,08,000 people who are committed to delivering quality in assurance, advisory and tax services. Find out more and tell us what matters to you by visiting us at www.pwc.com

In India, PwC has offices in these cities: Ahmedabad, Bengaluru, Chennai, Delhi NCR, Hyderabad, Kolkata, Mumbai and Pune. For more information about PwC India's service offerings, visit www.pwc.com/in

PwC refers to the PwC International network and/or one or more of its member firms, each of which is a separate, independent and distinct legal entity in separate lines of service. Please see www.pwc.com/structure for further details.

©2016 PwC. All rights reserved

pwc.in

Data Classification: DC0

This document does not constitute professional advice. The information in this document has been obtained or derived from sources believed by PricewaterhouseCoopers Private Limited (PwCPL) to be reliable but PwCPL does not represent that this information is accurate or complete. Any opinions or estimates contained in this document represent the judgment of PwCPL at this time and are subject to change without notice. Readers of this publication are advised to seek their own professional advice before taking any course of action or decision, for which they are entirely responsible, based on the contents of this publication. PwCPL neither accepts nor assumes any responsibility or liability to any reader of this publication in respect of the information contained within it or for any decisions readers may take or decide not to or fail to take.

© 2016 PricewaterhouseCoopers Private Limited. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers Private Limited (a limited liability company in India having Corporate Identity Number or CIN : U74140WB1983PTC036093), which is a member firm of PricewaterhouseCoopers International Limited (PwCIL), each member firm of which is a separate legal entity.

AG 6077

For any queries, please contact:

Sivarama Krishnan
[email protected]

Amol Bhat
[email protected]
