When Malware Threatens Access: Mitigating Risk in a World of Open Doors

When even software giant Oracle confirms that its Micros POS systems have been infected with malware, it’s time to admit the obvious — no organization or software is invulnerable to data theft. With pervasive web-based platforms, file sharing, and collaboration-enabling software, the attack surface for most organizations has simply grown too wide, including everything from POS terminals, to business software, to user workstations, and even seemingly innocuous hardware components such as USB drives. This is why some IT managers are choosing to simply shut down or restrict employee end-points. However, collaborative teams are the heart and soul of successful business models. What happens to company culture when data is locked down and everyone closed out? What about collaboration and the free flow of information? And in the era of BYOD, is this even possible?

The Human Factor: Data Security Asset or Liability?

Assuming patches and updates are current across all business systems (which is rarely the case), and strict security measures are in place, CSOs still have to deal with the human factor. Organizations consist of people who use and manage the business systems. What are the chances that someone, somewhere along the line, will click on a seemingly legitimate CMS site, based on WordPress, Drupal, or Joomla, and be compromised through an infected plug-in? Or that an employee will unthinkingly use his or her child’s school USB at work in order to print that almost-late school report? (Let us all take a moment to remember Stuxnet, the worm that disabled Iranian nuclear centrifuges and was installed through, that’s right, a USB.) Malicious code only needs one entry point in a connected environment to work its way through networked users. File sharing and collaboration platforms are veritable highways for the spread of infected code. These are major considerations when evaluating collaboration-enabling systems and software from a security standpoint. Then again, so is the potential for falling team productivity after adopting a sweeping “least privilege” approach. What to do? The pathway to improving security lies in better understanding the enemy’s tactics and what data types are at risk.

Cybercriminals Are Crafty

The reality is that malware and ransomware are evolving threats, targeting a countless (and growing) number of possible entry points. Hackers and the creators of malware are making millions for a reason: they spend all of their time looking for new ways to outsmart security teams, detection software, and employees. Attacks are sleeker, trickier, and harder to detect. They might look like a normal part of the everyday work landscape, from infected emails that appear to come from the CEO, complete with your own company logos, to exploitation of completely above-board activities, to zero-day vulnerabilities.

According to the 2016 Verizon Data Breach Investigations Report, attackers are hitting their targets at far greater rates than IT teams can fix vulnerabilities. Basically, the good guys are losing ground, and fast. Doubtless, malicious code is already lurking in your systems, sitting dormant for months or years, waiting for the right chance to strike when that tragic combination of vulnerabilities unleashes its nasty capabilities. Malware can also have less obvious functions, such as disabling reports or other alerts in your expensive security software while the real attack takes place, as was the case in the $81,000,000 heist in Bangladesh a few months ago. Then, before you know it, your sensitive customer and company data (PCI, PII, PHI) is stolen, sold, or ransomed to the highest black market bidder—or back to you.

Cybercriminals Want Your Sensitive Data

As for what valuable data you may be holding and why criminals want it, you have to consider the current black market. Financial data is a given. Credit card accounts are still marketable despite all the policies and regulations intended to guard them. So what do criminals want with personal data? Simply put, the payoffs are greater. Social security numbers now fetch $200+ each (and that number is rising). PII such as birth dates, addresses, emails, and other personal information can help criminals skirt authentication measures. Stolen PII also enables identity exploitation, such as opening fraudulent accounts, siphoning health benefits, or the all-encompassing creation of synthetic identities. (See our recent blog on protecting PII.)

Layered Data Security Policies Work

So what can you do to mitigate risk and secure your company’s and customers’ sensitive data? As advised by most, if not all, Information Security Professionals, employing a layered approach to data security is paramount in avoiding breaches and the resulting data theft. What most policies leave out of the equation, however, is the importance of educating and empowering the employee population to be part of the security solution. The people and process components must work together as one, and this is something no single technology can provide. Employees are the first line of defense, and at the end of the day, the ability to detect and avoid phishing scams is the best way to secure a number of possible routes to data compromise.

Three Steps to Avoid Damage from Malware

So first, provide training for your people on avoiding phishing attacks and understanding social engineering. Second, use trusted detection programs. However, be aware that even though malware detection programs from a variety of security vendors are widely deployed, they are definitely not fail-safe. While they do a great job of detecting known, predictable strings of malicious code, they will likely miss newer, more evolved hybrid breeds of malware such as GozNym, a strain of malicious code that was created by combining two known malware types, Nymaim and Gozi. Whereas a detection protocol may have identified those individually, it would probably miss the new strain until the infection has spread. Third, and most importantly, secure sensitive data. Period. At some point, malware and ransomware are going to find a way into your environment. Your systems are a target as long as they have something worth stealing. By completely removing the data that thieves are after, while keeping your business systems functioning normally, there is nothing for hackers to steal. Tokenization and cloud data vaulting are key to making an organization’s IT systems unattractive to hackers and cyber-spies.

Cloud Tokenization Removes Sensitive Data Sets

Tokenization and encryption, combined with secure data vaulting, remove the toxic data from your business environment, leaving in its place tokens that are usable to you for business processes and analytics, but which are useless to thieves. The result: No data. No theft. Take measures today to protect your customers’ information, business operations, and reputation. Email sales@tokenex.com for more information on how to secure your organization’s sensitive data. Follow us on LinkedIn and Twitter.
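As an added illustration of the vault-based tokenization described above (example code written for this page, not TokenEx's product or code), here is a constructed in-memory model: the business record keeps only a token that deliberately fails the Luhn check so it can never pass as a real card number, and only one designated role can reach the vault to reverse it. The role names, the Luhn rule and the sample test card number are assumptions; a real vault would keep its mapping in encrypted storage outside the business systems.

```python
import re
import secrets
from typing import Dict


def luhn_valid(digits: str) -> bool:
    """Luhn check, used here to guarantee a token can never pass as a real PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Constructed in-memory vault (example only): the token -> PAN map lives here,
    outside the business systems, which keep nothing but tokens."""

    def __init__(self) -> None:
        self._by_token: Dict[str, str] = {}
        self._by_pan: Dict[str, str] = {}   # same PAN always yields the same token

    def tokenize(self, pan: str) -> str:
        pan = re.sub(r"\D", "", pan)
        if not (13 <= len(pan) <= 19) or not luhn_valid(pan):
            raise ValueError("not a valid card number")
        if pan in self._by_pan:
            return self._by_pan[pan]
        while True:
            # Random digits carry no information about the PAN; the last four are kept
            # so receipts, reporting and customer lookups work on the token alone.
            token = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4)) + pan[-4:]
            if not luhn_valid(token) and token not in self._by_token:
                break
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token: str, role: str) -> str:
        # Only the one process that must see the PAN (here: settlement) may reverse a token.
        if role != "settlement":
            raise PermissionError("role %r may not detokenize" % role)
        return self._by_token[token]


def tokenize_order(vault: TokenVault, order: dict) -> dict:
    """Replace the PAN in an order record before it enters the business systems."""
    safe = dict(order)
    safe["card_number"] = vault.tokenize(order["card_number"])
    return safe
```

A copy of the order table stolen from the business systems then contains only tokens, and the analytics role, which sees the same tokens, cannot turn them back into card numbers.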
