Cybercriminals are evolving. In just the last few years, malicious attackers have continually discovered more sophisticated methods of information gathering. From leveraging social media accounts to developing next generation malware, the modern cybercriminal is able to collect data virtually undetected.
There have been numerous high-profile data breaches in the last few years: government agencies, healthcare providers, e-commerce portals, and global technology firms.
Many of these data breaches compromised millions of records and ultimately led to billions of dollars in damage. So how can you protect yourself or your business from this constantly evolving threat?
► Social Media And The Modern “Phishing”
Phishing has been historically relegated to the domains of email and instant messaging. Today, however, a significant amount of phishing is occurring either directly through social media platforms or with data gleaned from those social media accounts.
Users are sharing more information than ever over the Internet, and cybercriminals are able to take advantage of this fact. A common phishing technique is to use social media to find employees who work at a large or international company.
From there, the cybercriminal can then send a seemingly legitimate email to those employees that looks like an official correspondence from their employer, asking them to verify personal information such as social security numbers, their individual login information and credentials — or convince employees to reveal confidential or privileged information.
Phishing attacks account for nearly half of the cybersecurity concerns of modern businesses. A phishing attack can significantly compromise a system. Phishing attacks requires a significant amount of user education and preys upon the user’s inability to identify them for what they are.
Only 21% of organizations feel that their protection against phishing has improved within the past year, and 33% feel as though it has gotten worse. The ultimate goal for enterprises is to remove phishing attempts before users ever see them.
► Protecting Yourself Against Phishing
♦ Never send personal or confidential information through email. Business should always be conducted over protected communications streams such as merchant accounts and e-commerce portals. There should never be a reason to send social security numbers or banking information through an email account.
♦ Log into websites directly if an email requests that you do so. A phishing email may tell you that your “email account” has been compromised and enclose a link to for you to log in. Rather than click on this link, you should open your browser window and type in “your email link” The link that is in your email could actually lead anywhere.
♦ For organizations, heuristic technology can be used to filter out phishing attempts before they are ever received. While training and education can help, humans do make mistakes, and phishing attempts are becoming far more clever.
Organizations report extremely low confidence for phishing defenses that are primarily user-focused; employees appear to have a propensity towards opening attachments and clicking on links within emails even with the appropriate education.
► Robust And Technologically Advanced Malware Threats
As stated above, most malware will infiltrate a system either as an email attachment or as a download while web surfing. Though malicious programs can be introduced through alternative means — such as tainted USB drives — these threats are far less common.
Malware infiltration can have a variety of negative consequences. Modern malware can go undetected by changing its behaviors and identifiable features. Conventional security solutions generally look for malware that has already been identified, searching a database of virus and malware definitions for common exploits.
Consequently, malware that has not been seen before, or has been substantially altered, may be able to fly under the radar undetected. Malware today has a variety of methods that it can use to camouflage itself. Advanced technology has made it possible for malware to attempt strategies that were previously unfeasible.
► Protecting Yourself From Next Generation Malware
♦ Reduce the amount of tools used to transfer and store data. Organizations should restrict their data management to only the tools that are essential and necessary; otherwise malicious programs could be downloaded from instant messaging solutions, FTP accounts, servers, and a variety of online email accounts.
♦ Create layered, robust security solutions. Next generation firewalls come with a variety of methods to reduce the impact of malware. Sandbox environments force potentially untrustworthy programs to work within a small, quarantined area of the system, while behavioral identification focuses on detecting new threats based on activity and traffic rather than known exploits.
♦ Avoid “self service” IT solutions. Self service IT can occur when an employee takes it upon themselves to find a solution to a problem — such as a file transfer issue. This can expose both the employee and the organization to the risk of malware, by introducing untested and possibly illegitimate programs to the network.
► The Cloud As A Potential Security Resource
Cloud-based security solutions, otherwise known as, Security-as-a-Service, has become a popular answer to the problems of phishing and next generation malware. Cloud-based solutions are believed to have some major advantages over more traditional on-premise IT infrastructures.
Cloud security can leverage a significant amount of resources, consolidate the network under a single security system, and provide constant monitoring and maintenance.
With traditional on-premise security solutions, lag and latency can become a significant issue. Network monitoring solutions have to analyze all network activity and traffic in order to identify threats. In an on-premise solution, there may not be the technology necessary to keep up with this type of operational overhead.
Software-as-a-Service can provision resources as needed to ensure consistent security throughout a company’s operations. A significant amount of data-mining can go on behind the scenes in a Software-as-a-Service system, providing for better analysis and more reliable results.
Cloud-based security and hybrid cloud security are both projected to grow significantly in the future. In addition to being efficient, cloud security measures are able to provide a complete, integrated, and consolidated security solution that extends over the entirety of a company’s network.
Advanced technology is being developed for the analysis of network activity, so that attacks such as phishing attempts and malware are never seen by end users.
Both business owners and individuals have to be aware of the risks that phishing and malware represent. The increased efforts of cybercriminals are not entirely due to the new technology available to them, but also because there are better, easier targets available today.
Cybercrime has become far more lucrative in recent years, as the majority of business-related data and financial data has shifted to a primarily web-based platform.
Business owners and individuals who want to protect themselves will need to both bolster their security and educate themselves thoroughly regarding new exploits, vulnerabilities, and trends.
Investing in newer types of next generation security is essential for those who want to protect their IT infrastructure from these steadily increasing threats.
Stronghold AntiMalware is a program, developed specially to protect your computer against malicious programs that can do harm to your computer or steal personal information. These programs include trojans, spyware, adware, trackware, dialers, keyloggers, adware browser extensions and other viruses. Stronghold AntiMalware scans your hard disks, registry and processes and removes all malicious software found. It also removes malicious BHOs and tracking cookies.
- Anti-Phishing Working Group
- Center for Identity Management and Information Protection—Utica College
- Plugging the “phishing” hole: legislation versus technology—Duke Law & Technology Review
- Know Your Enemy: Phishing—Honeynet project case study
- A Profitless Endeavor: Phishing as Tragedy of the Commons—Microsoft Corporation
- Reporting, Classification & Data Sharing of information on phishing sites reported by the public—PhishKiller
- Database for information on phishing sites reported by the public—PhishTank
- The Impact of Incentives on Notice and Take-down − Computer Laboratory, University of Cambridge (PDF, 344 kB)
- Information On and Archive of Phishing Emails—Scamdex.com
- Phishing Strategies—vpnanswers.com
- Phishing attack education game
- A collection of phishing and scam emails and letters
Cloud Storage Solutions:
Anti-Virus / Anti-Malware Solutions: