As organizations of all sizes and verticals prepare for whatever malicious cyber criminals have in store for them in the upcoming fiscal quarters, we wanted to focus on three need-to-know terms that all security professionals should be aware of, and familiar with, in 2017.
Today, organizations need to increase the speed and quantity of their releases, thus leading to an industry shift from waterfall to agile software development. Out of this shift in methodology, DevOps was born.
To match the speed of DevOps while continuing to produce secure code, security needs to shift left, into the earlier development stages, rather than being retrofitted at the end of development.
Ransomware – it’s everywhere right now. Though this family of malware has been around since 2005, its recent rise in popularity is so big that it ranks as the most popular hacking technique of 2016. Today, it is estimated that cyber criminals are able to infect millions of devices per day. So, what is ransomware? Here’s what you need to know.
The Adoption of DevOps will Change the Way Organizations Secure their Software
With organizations needing to increase the speed and quantity of their releases, there has been an industry shift from waterfall to agile software development. Out of this shift in methodology, DevOps, the practice of creating more efficient development and operations, was born.
With this shift in methodology arrives the need to redefine security’s role in the software development lifecycle (SDLC), a “shift left” to implementing security early in the software development stages instead of at the end close to production.
For traditional application security testing (AST) solutions (such as DAST, pen-testing, WAF, etc.), “shift left” presents problems, as these solutions address security in the later stages and cannot be pushed into the development stages as required by organizations implementing DevOps and Continuous Integration/Continuous Delivery (CI/CD).
Along with the continued adoption of DevOps comes the need to redefine security’s role in the SDLC, shifting security “to the left,” earlier in the development stage instead of close to production at the end. Shifting security left saves time, money and company resources, as the mitigation effort and the number of people needed to remediate are exponentially smaller the earlier vulnerabilities are discovered during the software development lifecycle.
Sam Guckenheimer, product owner for Visual Studio Cloud Services at Microsoft, illustrated the difficulties faced by ASTs in DevOps environments in a recent interview with the SD Times:
“Part of the problem is that most security tools are too slow to work in a Continuous Integration model,” said Guckenheimer. “Checkmarx [static application security testing] is probably the tool that’s cracked that first. Ideally, you want to be able to have your code scanned as part of the pull request in the Continuous Integration flow, and that’s just not practical with most tools that exist.”
While Guckenheimer praises CxSAST, a static application security testing solution, not all SAST products are able to “shift security left,” a requirement presented by the rapid release cycles in DevOps. As such, SAST products which were not designed for DevOps from the ground up will find it hard to adjust to the stringent DevOps requirements.
For a solution to fit DevOps requirements, it must meet a zero-friction, quick-turnaround policy.
For SAST solutions designed specifically for DevOps, these requirements translate into incremental scanning, partial-code scanning, compiler-free capabilities and tight integration with developer tools.
Ransomware is a cluster of malware that can encrypt your data and/or lock your computer, keyboard, server or device to prevent you from accessing your data – until you pay a ransom. The encryption is solid, and simply removing the malware won’t solve your problem.
Similar to spear phishing, ransomware is most commonly delivered via malicious email. This is backed by a statistic released in early 2016 revealing that 93% of all phishing emails contained ransomware. This method involves large volumes of spam email carrying malicious attachments or links; downloading the attachment or clicking the link allows the malware to get onto and infect your device.
But in recent years, ransomware hackers have also embraced malvertising as another highly effective and successful method. Malvertising is the method of compromising networks by spreading malware through online advertising. As the past year has shown, websites serving malverts may often be trusted websites, as seen recently with the BBC and the New York Times. A quick fix for blocking malicious ads is to use a trusted ad blocker.
The malware itself is getting more and more sophisticated as the number of ransomware attacks skyrockets, and it’s safe to say that it is going to get worse. Cyber criminals realize that this form of cyber attack is easy: because they can now buy off-the-rack ransomware software, launching a ransomware attack is simplified for anyone with basic computer skills.
Traditionally, individual devices are most at risk because the average device tends to be less secure. However, corporate systems which may not be properly secured have become open to attacks. 2016 saw banks, hospitals, universities, police stations, and more faced with paying ransom to regain the access to their information.
San Francisco’s Transport System was hit during the busy Thanksgiving weekend. The attack was carried out by hackers who forced PC ransomware onto the Transport System’s computers; this let the hackers gain full control over the system and open all fare-gates. The hackers reportedly requested 100 Bitcoin (worth about $70,000) in order for the Municipal Transportation Agency to regain control.
The FBI is on the case. In early 2016, it issued an alert warning about the rise of ransomware. Though the financial damage caused by ransomware in 2016 is still being calculated, the FBI predicts that the number will hit a billion dollars. To put it into perspective, compare this to the $24M of ransom paid in 2015.
According to a report by Symantec, the average ransom demanded through ransomware in 2016 was $679 – more than double what it was in 2015. However, the demands in attacks on businesses and organizations are typically in the 4-5 digit range.
And by now it should be clear – everyone who goes online (whether at home, on a device, as an organization or as a regular user) is at risk and should be prepared for a ransomware attack. It is of the utmost importance that all of your personal data is secured, no matter where it’s stored.
With the threat expected to grow in 2017, it is important to keep a few tips in mind – tips which could save you from falling victim to an attack which can cost you some big money.
With the large volume of ransomware delivered via phishing emails, be sure to double check before you click any link or download any attachment from an email received from an unknown sender. And bear in mind that the email will be designed with the goal of getting you to click. Known phishing emails are often disguised as a special offer from an attractive brand, information about a package delivery, or an invoice for a common service. The key here is – if you’re not expecting the email, don’t open it.
Update and Patch
When you receive one of those automatic software updates – take it seriously and update all relevant devices, operating systems and apps. Once the update is complete, your software will run faster and, most importantly, should be more secure. Additionally, don’t forget to patch. When you apply security patches, the cyber criminals have fewer options for infecting you with ransomware.
Backing up your files is a task which may be tedious at times, but it is essential nonetheless, and it can protect you from more than just ransomware. Plenty of cloud services exist to make file backup easier, so you have many options to choose from. While this may not assure that you’ll be kept safe from ransomware demands, having your files and crucial information stored elsewhere may save you a lot of hassle and stress in the face of an attack.