Computer programs designed to snoop through retailers’ point-of-sale (POS) systems for sensitive customer information — or to encrypt files so that criminals can extort money — are among the cyber threats Canadian businesses face. But a major hurdle to overcoming such threats, suggest information technology security experts, is a lack of awareness among non-technical employees.
While very few threat reports “focus on or cover Canada,” the data available indicates that the most prominent IT security threat here is the OpenCandy toolbar, Natasha Hellenberg, senior threat researcher for Tokyo-based vendor Trend Micro Incorporated, suggests in a blog post. “Users are tricked into installing this onto their machine, which is then used to also download malware onto it,” says Ottawa-based Hellenberg.
OpenCandy is “typically targeted at consumers, although employees may also download this type of malware,” Michael Bruemmer, vice president of data breach resolution for Experian PLC in Dublin, notes in an email to Canadian Underwriter.
NUISANCE OR THREAT?
Adware includes “threats that cause advertisement pop-ups and unwanted information,” IT security vendor Symantec Corporation points out in its 2015 Internet Security Threat Report.
For adware, “the biggest impact to an organization would be help desk calls — people complaining about their computers running a little bit slower, or that their computers are behaving in ways that they feel they shouldn’t be,” explains Bruce Snell, cyber security and privacy director for Intel Security.
“Those help desk calls start adding up really quickly, in terms of costs. How much time are your help desk people spending on pulling adware out of somebody’s web browser versus actually trying to stop a malicious threat from going around on your network?” Snell asks.
Adware that does not contain malware is “more of a productivity impact than anything,” says James McCloskey, senior director of security risk and compliance at Info-Tech Research Group of London, Ontario.
That said, “the reality is that very little adware is simply adware itself,” McCloskey cautions. “Often [adware is] the visible portion of the iceberg and what’s below the surface is something that is much more malicious and will have not simply a productivity impact, but, unfortunately, either an availability or a confidentiality impact of some kind,” he says.
The threat of a breach of confidential information is the “primary issue” caused by malware, including adware, attacks on retail POS systems and ransomware, says McCloskey.
With ransomware, Symantec reports, attackers “use malware to encrypt the data on victims’ hard drives.” An attacker then demands a payment to unlock the files, the company adds.
Overall, Snell says Intel Corporation’s McAfee Labs reports it detects five new IT security threats every second. With respect to ransomware, the number of individual incidents in 2015 was 155% greater than in 2014, he reports.
“When ransomware first started, we were able to create a stinger, which is kind of a self-contained executable, which will go in and remove a particular virus or a particular piece of malware,” Snell explains. “So, for a lot of the initial families of ransomware, you could create a stinger that had the decryption key included and it could just go in and unencrypt it for you,” he points out.
However, over the past six to nine months, there has been “an increase in dynamically generated decryption keys that are generated based on the device, so you can’t actually use a generic key to unencrypt these pieces of malware and decrypt these systems that are infected,” Snell says. As a result, he suggests that more ransomware victims are having to pay to decrypt their systems.
When hit with ransomware, small business owners “are typically more inclined to pay, because they have a lot invested in that system,” Snell says. “They maybe have only one or two systems that they are using to run their entire business, so for them, it’s not really an option to pay or not.”
The cost to a business “can go from a few hundred dollars… or your entire business being at risk in terms of being a target of ransomware or advanced (distributed denial of service) attacks,” notes Deepak Patel, director of security strategy at Imperva Inc., a California-based manufacturer of computer security products. Malware designed to be installed on retail POS systems is “getting extremely sophisticated,” Patel says, citing as an example Target Corporation, hit hard by a data breach in late 2013.
That breach “compromised approximately 110 million credit and debit cards and personal information of Target customers, including addresses, phone numbers and email,” reports law firm Zimmerman Reed LLP, which is representing plaintiffs in a class action lawsuit filed in the United States. “Banks and financial institutions have incurred substantial losses in addressing and remediating this breach on behalf of their banking customers,” the firm reports.
Five banks filed a class action claim against Target, with a settlement, valued at US$39 million, “preliminarily approved” by a U.S. court in December.
“Target and Home Depot are the two existing examples in recent history that give you the range of costs, depending upon the size of business,” says Patel.
In the Home Depot breach, which occurred between April and September 2014, “hackers stole the personal and financial information of approximately 56 million Home Depot customers,” reports LexisNexis. The retailer faces a class action lawsuit filed by financial institutions claiming that they incurred more than US$150 million “in reissuance costs, and possibly billions of dollars in total fraud losses” due to the breach, adds the legal information provider.
The Target breach “started with the compromise of a trusted service provider” working on the retailer’s heating, ventilation and air-conditioning system, says McCloskey. “The expectation for more and more organizations is that any of the partners that they’re working with are going to be held to an increasingly high security standard as well, and, essentially, being brought by association into that higher threat landscape mindset.”
One threat that targets POS systems, Cherry Picker, is designed to evade security controls, IT security vendor Trustwave notes in a recent blog post.
Snell explains that Cherry Picker uses “advanced obfuscation techniques” to avoid detection by anti-virus products.
To counter such threats, Intel Security advises that retailers use “application white listing” on their POS systems.
Essentially, the “white list” is a complete list of applications that can be loaded on to a machine, so the software will block any computer program not on that white list from accessing the computer’s memory, Snell explains.
“It’s really a good way for systems that you actually shouldn’t be doing a lot of installing and uninstalling of applications on,” he says. “If it’s a single-purpose point of sale device, odds are you are not doing a lot. You are not running a web browser or reading email on it, so locking it down via white-listing is a really good way to go.”
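To make the allow-list mechanism Snell describes concrete, here is an added Python example (not code from Intel Security or any product mentioned in this article) that pins each approved POS program by path and SHA-256 hash, refuses anything unlisted or modified, and audits a directory for programs that would be blocked; the file names and contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_allow_list(trusted: dict) -> dict:
    """Pin each approved program path to the SHA-256 of its approved contents."""
    return {path: sha256_of(contents) for path, contents in trusted.items()}


def check_launch(path: str, contents: bytes, allow_list: dict) -> tuple:
    """Decide whether a program may run. Returns (allowed, reason).
    Checking the hash as well as the path means a renamed program, or an
    approved binary that has been altered, is still refused."""
    expected = allow_list.get(path)
    if expected is None:
        return False, "not on allow list"
    if sha256_of(contents) != expected:
        return False, "hash mismatch (binary modified or replaced)"
    return True, "allowed"


def audit_directory(root: str, allow_list: dict) -> list:
    """Walk a directory and report every file the allow list would block."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                allowed, reason = check_launch(full, fh.read(), allow_list)
            if not allowed:
                findings.append((full, reason))
    return sorted(findings)


def demo() -> list:
    """Constructed scenario: two approved apps, one later tampered with, plus
    one program nobody approved. Returns the block reasons found by the audit."""
    with tempfile.TemporaryDirectory() as root:
        register = os.path.join(root, "register")
        printer = os.path.join(root, "receipt_printer")
        stray = os.path.join(root, "updater")
        trusted = {register: b"POS register build 1.0", printer: b"printer driver 2.3"}
        allow_list = build_allow_list(trusted)
        for path, data in trusted.items():
            with open(path, "wb") as fh:
                fh.write(data)
        with open(printer, "wb") as fh:  # simulate a modified approved binary
            fh.write(b"printer driver 2.3 + injected code")
        with open(stray, "wb") as fh:  # simulate an unlisted program
            fh.write(b"something nobody approved")
        return [reason for _, reason in audit_directory(root, allow_list)]
```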
Of course, retail is not the only sector at risk. Companies that are “highly intellectual property-driven” are also at risk of having sensitive internal information breached, says McCloskey, adding that “advanced persistent threats” tend to target healthcare organizations, which have large pools of identity data, and financial services. “Why would you attack a bank or financial institution electronically? Because their product is money and there’s a good opportunity there.”
Surveys by market research firm IDC Research Inc. show the “top three roadblocks” to improving IT security are budget, lack of knowledge among non-IT staff, and “an increase in speed and types of attacks,” says Kevin Lonergan, IDC Canada’s senior analyst for infrastructure solutions. “Despite admitting that a lack of employee security knowledge is the number two roadblock to improving security, the majority of organizations provide no training to their staff on a yearly basis,” Lonergan notes.
“I think a lot of security teams have a good understanding of what’s happening, but there are far more non-security people in the business world than there are security people,” Snell says. “Maybe do educational training on the types of things to look out for in a suspicious email or when you should or should not click a link,” he suggests.
One hurdle to gathering Canadian statistics for malware attacks on businesses, McCloskey advises, is the fact that it is “tough to get people to come clean on their level of incidents.” The federal government recently “made some announcements with respect to facilitating some judgment-free sharing of incident information across industries.”
For example, the Canadian Cyber Incident Response Centre (CCIRC) “shares technical information on threats, vulnerabilities, risks and incidents with its partners to enhance collective understanding of cyber threats and incidents, and help ensure organizations have the information required to make informed decisions,” Public Safety Canada reports on its website. Organizations “can report cyber incidents to the [federal government] through CCIRC,” adds a spokesperson for the federal department.
In December, several firms noted that, this year, they will launch the Canadian Cyber Threat Exchange (CCTX), which will work to share information about cyber threats and vulnerabilities among businesses, government and research institutions. CCTX’s nine founding members are Air Canada, Bell Canada, Canadian National Railway, Hydro One, Manulife, the Royal Bank of Canada, TELUS, Toronto Dominion Bank and TransCanada Corporation.
“You can’t expect others to share their information if you’re not willing to share, but it’s understandable why no one wants to go first,” McCloskey says. “I think the conditions are being put in place where there may actually be some progress on that in the near future.”