'Most critical security threats' jump by 125% globally: ISTR

Symantec's director for solution product management in Asia Pacific & Japan Tarun Kaura speaks about the biggest cyber threats looming over the nation.

What are the most important findings from the Symantec Internet Security Threat Report this year?

A: As real life and online become indistinguishable from each other, cybercrime has become a part of our daily lives. Symantec's Internet Security Threat Report globally reveals an explosion of Zero-Day vulnerabilities with 2015 numbers more than doubled to a record-breaking 54, a 125 percent increase from the year before, reaffirming the critical role they play in lucrative targeted attacks. Meanwhile, malware increased at a staggering rate with 430 million new malware variants discovered in 2015. The sheer volume of malware proves that professional cybercriminals are leveraging their vast resources in an attempt to overwhelm defenses and enter corporate networks. 2015 witnessed the largest data breach ever publicly reported with 191 million records compromised in a single incident. There was also a record-setting total of nine reported mega-breaches. While 429 million identities were exposed, the number of companies that chose not to report the number of records lost, jumped by 85 percent. A conservative estimate by Symantec of those unreported breaches pushes the real number of records lost to more than half a billion.

Globally, there were over one million web attacks against people each and every day in 2015. Many people believe that keeping to well-known, legitimate websites will keep them safe from online crime. This is not true. Cybercriminals continue to take advantage of vulnerabilities in legitimate websites to infect users because website administrators continue to fail to secure their websites. Nearly 75 percent of all legitimate websites have unpatched vulnerabilities.

The India findings from the report reveal that the country continues to be a top source as well as the destination of cyber attacks. India continues to rank 3rd globally as a source of overall malicious activity which takes spam and other threats like malware, phishing hosts, bots into consideration. The report shows that Indian enterprises need to plan for repeated targeted attacks. Indian organizations were the 6th most targeted in Asia, with targeted organizations on the receiving end of two attacks on an average. Moreover, the last five years have seen a steady increase in attacks targeting businesses with less than 250 employees. In 2015, over one in two attacks (52%) were aimed at small businesses in India, proving that companies of all sizes are at risk. In terms of techniques, Ransomware rose by 114% last year in India, of which 10% was crypto ransomware- posing a threat to consumers and enterprises alike.

What techniques are cyber criminals using nowadays?

A: In 2015, Symantec noticed an organizational shift by cyber criminals. They are adopting corporate best practices and establishing professional businesses in order to increase the efficiency of their attacks against enterprises and consumers. This new class of professional cyber criminal spans the entire ecosystem of attackers, extending the reach of enterprise and consumer threats and fueling the growth of online crime. For instance, as the professionalization of attackers expanded to cyber criminals, zero-days also exploded. In 2015, the number of zero-day vulnerabilities discovered more than doubled to 54, a 125 percent increase from the year before. The explosion in zero-day discoveries reaffirms the critical role they play in lucrative targeted attacks. Last year, cyber criminals also revisited fake technical support scams where they now make you call them to hand over your cash. Such scams saw a 200 percent increase globally. With close to 5,00,000 attacks last year, India ranked 11 amongst countries targeted the most by tech support scams. The difference now is that scammers send fake warning messages to devices like smartphones to prompt people to call attackers directly in order to dupe them into buying useless services or even install malware.

How do businesses in India fare when it comes to targeted attacks?

A: As attacks against businesses hit the headlines with much regularity, it is no more a question of, if or when you will be attacked- but how often. In 2015, India ranked 6th in Asia in targeted attacks. Small businesses saw a steady increase in targeted attacks with one in two attacks aimed at them, only 30 percent of targeted attacks were on large enterprises (down from 60 percent in 2014). That said, large businesses were six times more likely to be targeted at least once a year compared to small businesses.
Further, organizations in the public utilities and financial sector that were targeted once were most likely to be targeted again at least two times more throughout the year. Mining was the highest risk prone sector, where one out of two companies was attacked at least once last year. BFSI businesses were also attacked at least once, leading to 40 percent of businesses in this sector being faced with such attacks.

What are the biggest threats to end-users?

A: While email remains a significant attack vector for cyber criminals, they continue to experiment with new attack methods across mobile devices and social networks to reach more people, with less effort. India witnessed a 156 percent increase in the percentage of such scams. Every sixth social media scam impacted an Indian making it the second most targeted country in the world and India's burgeoning social media population being a favored target of scammers. They seek to leverage the trust people have in their own social circles to spread scams, fake links, and phishing. A whopping 94 percent of these scams were spread through manual sharing.

As people conduct more of their lives online, attackers are increasingly focused on using the intersection of the physical and digital world to their advantage. An extremely profitable type of attack, ransomware also continued to evolve in 2015, with the most damaging style being crypto-ransomware attacks. As a part of ransomware attacks, encryption was used as a cyber criminal weapon to hold companies' and individuals' critical data hostage. India is the second most favored destination for Ransomware in Asia with an average of 15 attacks per hour.

Any particular breach that stood out in 2015?

A: 2015 witnessed the largest data breach ever publicly reported last year with 191 million records compromised in a single incident. There was also a record-setting total of nine reported mega-breaches. While 429 million identities were exposed, the number of companies that chose not to report the number of records lost jumped by 85 percent.

On February 4, 2015, Anthem, Inc. disclosed that criminal hackers had broken into its servers and potentially stolen over 37.5 million records that contain personally identifiable information from its servers. On February 24, 2015, Anthem raised the number to 78.8 million people whose personal information was affected.
According to media reports about 80 million company records were hacked, and there is fear that the stolen data will be used for identity theft. The compromised information contained names, birthdays, medical IDs, social security numbers, street addresses, e-mail addresses and employment information, including income data.

How relevant are passwords today with the use of 2FA becoming a commonplace? How much can we rely on 2FA?

A: In last three years India has gradually moved up the rankings to move to rank #3 in 2015 (after rank #7 – 2013; #5– 2014) for most financial trojan infections globally as highlighted in Symantec's Financial Threats Report 2015. Using financial Trojans to defraud customers of online banking services is still a popular method among cybercriminals looking to make a profit. Users should exercise caution when receiving unsolicited, unexpected, or suspicious emails or phone calls. While keep security software and operating systems up to date is the first step, maintain and refreshing strong password is equally important. In addition, they may need to consider two-factor authentication to ensure customer confidence and reduce the cost of phishing fraud.

The key to gaining unauthorized access to data is the theft of user credentials—such as passwords—using them to access accounts, and then hack into servers or databases, or deploy malware to steal sensitive information. When people have strong and unique passwords for each and every service, the need for two-factor authentication is lessened. However, determining and remembering strong and unique passwords for multiple accounts can be difficult, so many users abandon safety for convenience. 2FA is used so that the failure of one factor does not grant access to attackers. Two-factor authentication (2FA) adds an extra step to the basic log-in procedure, giving would-be hackers two levels of protection to crack. Overall, this greatly decreases the chance for a successful attack. Reducing the dependency on passwords improves the user experience and ultimately decreases vulnerability throughout the network. Therefore, if a password is one factor, then the second factor can protect you if the password turns out to be weak.

How can companies and consumers protect themselves

As attackers evolve, there are many steps businesses and consumers can take to protect themselves. As a starting point, Symantec recommends the following best practices:

For Businesses:

Don't get caught flat-footed: Use advanced threat and adversary intelligence solutions to help you find indicators of compromise and respond faster to incidents.

Employ a strong security posture: Implement multi-layered endpoint security, network security, encryption, strong authentication and reputation-based technologies. Partner with a managed security service provider to extend your IT team.

Prepare for the worst: Incident management ensures your security framework is optimized, measurable and repeatable, and that lessons learned improve your security posture. Consider adding a retainer with a third-party expert to help manage crises.

Provide ongoing education and training: Establish simulation-based training for all employees as well guidelines and procedures for protecting sensitive data on personal and corporate devices. Regularly assess internal investigation teams—and run practice drills—to ensure you have the skills necessary to effectively combat cyber threats.

For Consumers:

Use strong passwords: Use strong and unique passwords for your accounts. Change your passwords every three months and never reuse your passwords. Additionally, consider using a password manager to further protect your information.

Think before you click: Opening the wrong attachment can introduce malware to your system. Never view, open, or copy email attachments unless you are expecting the email and trust the sender.

Protect yourself: An ounce of protection is worth a pound of cure. Use an internet security solution that includes antivirus, firewalls, browser protection and proven protection from online threats.

Be wary of scareware tactics: Versions of software that claim to be free, cracked or pirated can expose you to malware. Social engineering and ransomware attacks will attempt to trick you into thinking your computer is infected and get you to buy useless software or pay money directly to have it removed.

Safeguard your personal data: The information you share online puts you at risk for socially engineered attacks. Limit the amount of personal information you share on social networks and online, including login information, birth dates and pet names.