© Andrew Bettany and Mike Halsey 2017

Andrew Bettany and Mike Halsey, Windows Virus and Malware Troubleshooting , 10.1007/978-1-4842-2607-0_4

4. Identifying Attacks

Andrew Bettany (1) and Mike Halsey (2)

(1)Microsoft, York, North Yorkshire, UK

(2)Sheffield, South Yorkshire, UK

Malware will not go away, and it is actually likely to increase, just like it has year after year for the last ten years. Whether it is the slow running of a computer, or a call to the helpdesk reporting a strange message being displayed, users will continue to suffer malware attacks on their PCs, smartphones, and tablets.

In this chapter, I will explore how malware infects PCs and networks, their specific entry points, and payloads. I will discuss how you can protect against infection and minimize the impact of a malware attack.

You will have to understand the symptoms and likely effects of malware, so that you can troubleshoot and identify when a device has been targeted.

How Malware Infects PCs

It is well known that compared to other computing devices, PCs are attacked the most. This is because PCs, and Windows PCs in particular, are generally open systems that have many vulnerabilities. There are several reasons why Windows PCs have become appealing targets for viruses; these include

  • Maintenance of backwards software compatibility

  • Home users with administrative privileges

  • Open networking stack

  • Volume of user base

Apart from the positive effect following the introduction of User Account Control (UAC), mentioned in Chapter 3, it is unlikely that malware infection rates will decrease for Windows PCs going forward.

The symptoms that result from a virus infection can include any or a combination of the following:

  • Computer performs tasks very slowly

  • Unexplained disk and network activity

  • Files don’t open with the default application

  • Custom pop-up messages, or background images, appear

  • Unexpected command prompt window opens then closes

  • PC crashes or hangs or will not boot

  • Strange computer behavior

  • Too many pop-up windows

  • Internet access is very slow compared to normal

Let’s consider how malware can infect Windows PCs, then we will consider how you can identify attacks once they have taken place.

There are generally three types of viruses that can infect your PC. These are file-infector viruses, boot sector viruses, and macro viruses, as listed in Table 4-1.

Table 4-1. Common Types of Viruses

| Virus Type | File Infector | Rootkits and Boot Sector | Macro |
|---|---|---|---|
| Entry mechanism | Within application files | Install in a hard drive’s boot sector | Burrow into Microsoft Word and Excel documents |
| File type | .EXE files | Boot sector memory | .DOCM or .XLSM |
| Payload | Memory or executable file infection | Copy/infect/delete files | Infected Office templates |
| Effectiveness | Very effective | Very effective | Generally affects Office files |
| Detectability | Virus signature may be known; file size has been changed | Difficult if loaded before Windows. USB/HDD can be detected using a signature-based virus scanner. | Office blocks macros by default. User must approve each virus. |
| Removability | Find, delete, and replace original file, usually in Safe Mode | Not easy. Rootkits can prevent the remover software from loading. | Virus scanners can quarantine infected files. |

Infector-Type Viruses

Some users may have experienced file-infector type viruses, either directly through an attack or by attending computer security training. This type of attack is the most common and has been around for many years. Because infector-type viruses attach themselves to, or bury inside, another file, they are often detected by a routine antivirus scanner, which can locate the virus, owing to its known virus signature.

A virus signature is a known, characteristic pattern that a virus scanner detects when a virus has been hidden or embedded within a program file. Although new viruses are created on a regular basis, antivirus software knows what to look for and has to be updated regularly to keep abreast of the most recent virus signatures.

If a virus is not detected, it can infect system memory and executable files and reside on the device for months and even years.

One classic (and particularly nasty) virus from a few years ago infected systems and behaved as a rogue security program that attempts to scare, threaten, cajole, hector, harangue, pester, aggravate, intimidate, badger, harass, and generally nag the user into paying the hacker to clean his or her system by using the fake security software. The virus, called “Win32/FakeScanti” presented the user with various warnings and a credible-looking security tool named Windows Antivirus Pro, as shown in Figure 4-1.

Figure 4-1. Win32/FakeScanti virus screenshot

The virus would try to convince users that their systems were unreliable and infected, by periodically rebooting the system and preventing other executables from running, by associating the .exe extension with desot.exe, one of the files installed by Win32/FakeScanti.

Whenever the user tried to run an application, such as an antivirus tool, or even Microsoft Paint, the file name was passed to desot.exe, which then decided to run the application or display a message box with a virus warning.

Thankfully, the Malicious Software Removal Tool (MSRT) , which I will discuss in Chapter 5, successfully removes the Win32/FakeScanti virus and its variants.

Rootkits and Boot Sector Viruses

A boot sector virus normally resides in the boot sector, a special area of a hard drive, USB drive, CD, or DVD, and aims to infect a system before Windows or any antivirus software can detect its presence.

Any boot virus that can load and hide inside areas of system memory can potentially remain undetected by Windows indefinitely. You saw in the first two chapters how rootkits and boot sector viruses have become very effective at bypassing traditional anti-malware software detection. They are very sophisticated in their design and execution and are designed to evade detection. Typical payloads of rootkits include

  • Backdoor programs: Login backdoors, keyloggers

  • Packet sniffers: Inspect network traffic from within the network

  • Log-wiping utilities: Remove logs to cover tracks

  • DDoS (distributed denial of service) programs: Use the PC as a DDoS client

  • IRC/bots: Bots used to take over Internet Relay Chat (IRC) channels

Even today, it is still very difficult to detect boot viruses, and if you are concerned about being attacked by a rootkit, and you have Windows 8 or Windows 10, you should implement UEFI Secure Boot, which will protect the boot environment.

When Windows 8 was about to launch, Microsoft announced that it would enable UEFI Secure Boot on all new devices using Windows 8 and later versions. Following a massive outcry from concerned users (who believed that Secure Boot would prevent them from dual booting or installing a different operating system), Microsoft backed down and modified its plans a little. All new devices that carry the “Windows 8 Compatible” or “Windows 10 Compatible” logo, as shown in Figure 4-2, must allow the user to turn the Secure Boot feature off.

Figure 4-2. Windows compatible logos

Note

If you want to learn more about the Microsoft implementation of Secure Boot, please review the overview found on TechNet, https://technet.microsoft.com/en-us/library/hh824987.aspx?f=255&MSPPError=-2147217396 .

Modern Linux distributions such as Ubuntu, Fedora, Red Hat Enterprise Linux, and openSUSE currently support Secure Boot and will work without any tweaks on modern hardware, because their boot loader is now signed with a certificate that is recognized by Secure Boot.

It can be difficult to completely remove a rootkit infection. I will introduce some approaches in Chapter 6, but my preferred remedy is to format the drive, flash the UEFI or BIOS, and completely reinstall the operating system. As Lt. Ellen Ripley said in the 1986 movie Aliens, “I say we take off and nuke the entire site from orbit. It’s the only way to be sure.”

Macro Viruses

Originally, macros were used in Microsoft Excel and Word to speed up repetitive tasks. As the technology advanced, macros could be written that not only worked within Microsoft Office applications but could interact fully with the operating system also.

In modern macro viruses, programmable code such as Visual Basic for Applications (VBA), JavaScript, and .NET is used, which gives both the application user and the hacker much more creative scope.

As macro viruses became more popular, Microsoft began to warn users that macros could be dangerous, and the dialog box displaying “This document contains macros” would alert them to the presence of a macro.

You may wonder why we need a warning about a macro contained within a spreadsheet. Most macros initialize themselves when the spreadsheet or document is opened; therefore, opening a spreadsheet containing a destructive macro virus would potentially create havoc on your machine.

If you received an e-mail from a colleague containing a macro-enabled spreadsheet, it would have the file extension .XLSM. This indicates that the e-mail contains an Excel Macro-Enabled Workbook file created in Excel 2007 or a newer version.

If you are not aware that a file contains a macro, you should be cautious and not trust the macro. The file will still open, without the macro being run, and the contents, therefore, will be safe.

After the year 2000, macro viruses began to decline, but in recent years, macro viruses have made a comeback. One cunning tactic employed is for a macro virus to wait for you to open an infected document, and then it will quietly spread into your Office template files. Once your template files are infected, the virus can easily hijack Office every time you use it and infect all the documents that you edit or create thereafter.

Microsoft continues to protect users from macro malware by restricting macro-enabled documents. Using social engineering methods, however, malware authors are often able to trick susceptible users into enabling macros, thereby bypassing the built-in protection within Office.

E-mail and the Internet

Often e-mail and the Web are blamed for being the source of the majority of malware. This is only partly correct. E-mail and the Internet are now the modern delivery mechanism of malware, but in themselves, they are just the carrier. The malware is still an infected file or a macro that needs to be activated in some way by the user.

Most users have learned not to open suspicious-looking e-mail attachments, and rarely will a proficient user fall prey to a suspicious e-mail payload.

Recently, though, malware writers have become more professional, and e-mails are now better worded, and unless the user is kept up to date with current malware approaches, he or she is more susceptible to a rogue attachment. E-mail scams, together with their attachments, now present themselves as being from a reputable source, bundled with a very credible narrative and goal.

One recent example of how a competent user can fall foul of a modern attack is by relying on a belief that a PDF file is safe. Take the example of a user being sent a delivery note, addressed to her company, and the attachment is a PDF file. Typically, PDF documents are static with safe content. Today, PDF documents can contain rich formatting and dynamic elements, such as JavaScript or XML.

For example, a PDF file can be made to execute an embedded executable file without exploiting any vulnerability. A warning message is displayed, but it is possible to customize that warning message and, therefore, socially engineer it to persuade the user to accept the warning.

Note

If you want to review how malicious PDF files can contain viruses, look at Troj/PDFEx-DF, which Sophos discusses at https://nakedsecurity.sophos.com/2010/04/12/trojpdfexdf-sophoslabs-sees-malware-exploiting-launch/ .

A company will employ many layers of defense against malware, both internally on PCs and externally on mail servers. In all examples of e-mail-borne viruses, it must be remembered that the virus can activate itself only when someone opens the attachment. Vigilance and training of the user must always be the last line of defense.

The human factor can only at best be mitigated. Even with the best security awareness-training program, at least one in a thousand people will still click that well-crafted phishing e-mail.

How Malware Infects Networks

The majority of PCs using the Web now have some form of protection, yet more than 50% will have been infected with malware during the last 12 months.

We have to ascertain how more than half of all PCs can be infected, despite having some protection in place. We can identify potential areas that require urgent attention, including the following:

  • Antivirus software is not operational: Users often turn off antivirus software because it might negatively affect the performance of their device.

  • Antivirus software is not up to date: Users believe that their antivirus software is effective once installed. Often, a user is unaware that it requires daily updates, provided by the security vendor.

  • Constant game of cat and mouse: Anti-malware software needs to keep track of hundreds, or even thousands, of signatures related to possible viruses. This is updated daily and requires 100% proficiency by the security vendor.

  • Old applications are vulnerable: Older versions of applications, plug-ins, and operating systems beyond their end of life (EOL) can be exploited by malware.

  • Anti-malware software incorrectly configured: Security software designed to protect against malware is increasingly difficult for the average user to configure, with on-demand scans, scheduled scans, e-mail scans, download scans, and on-use scans all needing to be set up.

  • Ineffective anti-malware software: Not all anti-malware is as effective as others. The rise of freeware anti-malware software makes the choice extremely difficult for the user.

  • Multiple installations of anti-malware software: Not all anti-malware software will detect specialist attacks, such as spyware or adware infections, so users are forced to install two or more security solutions. Unfortunately, rival security products often fail to work nicely with each other, which can leave gaps for malware to slip through.

When first deployed, most PCs will typically detect and deter malware well. Often, however, users adopt a “set and forget” approach to security and will seldom check to see if their anti-malware solution continues to work, or if their PC is being routinely updated.

We have seen how, through poorly configured or maintained devices, malware can slip through the barrier created by traditional antivirus systems.

Malware can attack both the network itself and the PC. An attack can aim for several possible outcomes; some of these are

  • Exfiltration theft of data

  • Identity, intellectual property theft

  • Data corruption/deletion

  • Disruption of operations, reputation

  • Payment of ransom, profit motive

If we analyze some of the most common types of attacks , as shown in Table 4-2, we can detect their motives.

Table 4-2. Common Malware Attack Vectors and Motives

| Motive | DDoS attack | Virus | Phishing | Ransomware | Trojan Horse |
|---|---|---|---|---|---|
| Exfiltration / theft of data | | x | | | x |
| Profit | | x | x | x | x |
| Data corruption / deletion | | x | | | |
| Disruption of operations / take over | x | x | | | x |
| Identity theft | | x | x | | x |
| Awareness / spotlight | x | | | | |

It is clear to see that the motivation for creating malware has shifted from fame and notoriety to profit.

Malware authors now direct their efforts at bypassing client-based security and operating in stealth mode: the malware conceals itself within the operating system using rootkit technology, whereby it can then disable any existing anti-malware software and take control of network access. Once the malware is in place, it can then steal data and user identities, until detected.

If malware can gain access to a PC via the Web, it has the potential to connect to other devices, using Windows networking.

Access to the network will often be a key objective for most malware, because access to the network is likely to deliver some beneficial goal. Malware uses the network to (1) provide a backdoor on the system, (2) spread viruses to other machines, or (3) contact the virus authors and allow remote control of a PC or server.

Ever since the early versions of Windows, Microsoft has employed a very open approach to file sharing and networking. Left unchecked, it can offer areas for malware to attempt exploits such as

  • Access shared files across the network using the Server Message Block (SMB) protocol: Upgrade to latest SMB version.

  • Access via network-connected multifunction printers and copiers: Monitor them and use complex passwords.

  • Available administrative shares, such as C$, IPC$, and ADMIN$: Remove them if they are not required.

  • Internal web-server vulnerability (they should be as secure as your DMZ web-servers)

Network administrators should employ NTFS and password-protected file sharing and ensure that no resources are left accessible, unless by an authenticated user.
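The following PowerShell function is an added example, not code from the book: a read-only audit of the exposures just listed on the local machine, reporting whether SMB1 is still enabled, which administrative shares exist, whether the AutoShare registry values that recreate them are set, and which user shares grant access to Everyone. The function name is mine; it assumes the SmbShare module (Windows 8 / Server 2012 and later) and an elevated prompt.

```powershell
# Added example (not from the book): read-only audit of the Windows file-sharing
# exposures discussed in the text. Nothing is changed; remediation is in comments.
function Get-SmbExposureReport {
    [CmdletBinding()]
    param()

    # 1. Protocol versions. SMB1 should be off. Remediate with
    #    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    #    and Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    $cfg  = Get-SmbServerConfiguration
    $smb1 = [bool]$cfg.EnableSMB1Protocol
    $smb2 = [bool]$cfg.EnableSMB2Protocol

    # 2. Administrative shares (C$, ADMIN$, IPC$, ...). Special = created by Windows.
    $adminShares = @(Get-SmbShare | Where-Object { $_.Special } |
                     Select-Object -ExpandProperty Name)

    # 3. Whether Windows will recreate the admin shares at next start.
    #    AutoShareWks (workstations) / AutoShareServer (servers) = 0 disables them.
    $lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $props  = Get-ItemProperty -Path $lanman -ErrorAction SilentlyContinue
    $autoShareWks    = if ($props.PSObject.Properties['AutoShareWks'])    { $props.AutoShareWks }    else { 'not set (default: enabled)' }
    $autoShareServer = if ($props.PSObject.Properties['AutoShareServer']) { $props.AutoShareServer } else { 'not set (default: enabled)' }

    # 4. User-created shares and their share-level ACLs, for the "no resource
    #    reachable without an authenticated user" check. Account names are
    #    localized on non-English Windows; adjust the pattern if needed.
    $userShares = @(Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        $acl = Get-SmbShareAccess -Name $_.Name
        [PSCustomObject]@{
            Name           = $_.Name
            Path           = $_.Path
            Access         = ($acl | ForEach-Object { "$($_.AccountName):$($_.AccessRight)" }) -join ', '
            OpenToEveryone = [bool]($acl | Where-Object {
                $_.AccountName -match 'Everyone|ANONYMOUS' -and $_.AccessControlType -eq 'Allow' })
        }
    })

    $findings = @()
    if ($smb1)        { $findings += 'SMB1 is enabled: disable it and use the latest SMB version.' }
    if ($adminShares) { $findings += "Administrative shares present: $($adminShares -join ', ') (remove if not required)" }
    foreach ($s in $userShares) {
        if ($s.OpenToEveryone) { $findings += "Share '$($s.Name)' ($($s.Path)) grants access to Everyone/anonymous." }
    }

    [PSCustomObject]@{
        SMB1Enabled     = $smb1
        SMB2Enabled     = $smb2
        AdminShares     = $adminShares
        AutoShareWks    = $autoShareWks
        AutoShareServer = $autoShareServer
        UserShares      = $userShares
        Findings        = $findings
    }
}

# Usage (elevated prompt): print only the items that need attention.
Get-SmbExposureReport | Select-Object -ExpandProperty Findings
```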

Thankfully, Windows networking is a great deal more secure since the release of Windows Vista. With Vista, Microsoft fully redesigned the implementation of the TCP/IP stack to allow for an IPv4/IPv6 dual stack. It also engineered several performance enhancements (Jumbo frames) and security features, such as the introduction of Link Layer Topology Discovery (LLTD) and turning off the default behavior to allow viewing of other devices on the network.

Note

If you are interested in learning more about the new Next Generation TCP/IP Stack introduced in Windows Vista and Windows Server 2008, visit TechNet: https://technet.microsoft.com/en-us/network/bb545475.aspx?f=255&MSPPError=-2147217396 .

Network-Based Security

A new approach to detecting malware is to attempt to detect it before it arrives at the client. Instead of relying solely on the client device to protect itself, the network is also charged with the duty of overall network security.

Network attacks are typically restricted to fewer than ten distinct communication protocols, such as UDP, TCP, HTML, etc. Dedicated network equipment can look for viruses traversing the network.

Both solutions will analyze for the thousands of potential virus signatures, but the network device can achieve this while the virus is in transit, whereas a client-based anti-malware solution must monitor and then quarantine once the virus has landed onto the PC.

Increasingly, service providers will offer network-based solutions that allow enterprises to subscribe to a fully managed anti-malware solution. The hardware is supplied, maintained, and managed, and malware is detected, quarantined, analyzed, and reviewed by the service provider. Because this is deployed on a subscription model, this is Security as a Service.

By utilizing this type of solution, your network benefits from an “always-on,” “always up-to-date” solution that cannot be disabled by the user (or by malware).

With the constant threat from malware, it is recommended that both network-based and client-based security solutions are employed, as these represent separate layers in your defense-in-depth strategy.

Identifying External Attacks

The majority of security breaches are from external attacks. If malware is attacking computers within your environment, how will you know? Most PC users will have some awareness of malware threats, through training or personal experience, but as we have seen earlier, the attacks keep being re-engineered and become more sophisticated and less easy to spot. In extreme cases, home users can become exceedingly concerned by the threat of malware and identity theft, and I have seen users stop using their computers.

In order to discuss external attacks, I will first identify the most common types of external malware that are encountered today.

The common external malware types are currently

  • Firewall attacks and DDoS

  • E-mail borne viruses and ransomware

  • Spear phishing

  • Targeted application hacking

Firewall Attacks and DDoS

We saw in Chapter 3 how important the firewall and DMZ area are in creating a physical boundary that protects your internal resources from the Internet, where unknown threats hide.

The primary reason for hackers to implement a firewall attack is to create a breach opening and allow ingress of specialist network traffic, which can be laden with a Trojan horse or virus. Once they have gained control of the network firewall, or a device on the inside of the network, they will be able to hide their tracks and create additional pathways into the network. Having multiple access routes is useful if a tunnel is compromised or if each vector has a different purpose. Often, when a threat is uncovered, the typical response is to close the vulnerability, whereas the correct response should be to perform a full security audit and look for other threats residing on the network.

A distributed denial-of-service attack is when a hacker uses multiple bots (distributed robotic services) to attempt to flood the router with more requests than it can handle. A successful DDoS can result in several possible outcomes.

  • Authorized users being unable to access resources

  • Creation of a smokescreen for the “real” or “secondary” attack

  • Failure of one or more networking components

  • Compromise of the networking component

  • Opening of a backdoor into the computer, allowing remote control of it

  • Loss of reputational goodwill

Note

Bots are defined as being individual infected machines, and botnets are multiple bots working together. Bots, when used for hacking purposes, are manipulated by the hacker. Bots can be used to issue spam on a near-continuous basis. The Rustock spamming botnet operated for five years between 2006 and 2011 and infected an estimated 2.4 million computers worldwide.

E-mail-Borne Viruses and Ransomware

We have all encountered e-mail-borne viruses with attachments that entice us to open them, thereby unleashing the payload to infect our computers. This will continue and become more effective.

We have already covered file-based attachments in Chapter 1 and again in Chapter 3. In all business environments, unknown attachments within e-mails should be sandboxed (typically, automatically placed in a virtualized environment), until they have been checked and, if safe, released. Methods to evade detection, such as encrypting or compressing, should also result in the files being prevented from traversing the internal e-mail system.

Because e-mail-borne viruses are one of the oldest and most well-known methods of attack, ensuring that your users remain well-trained and vigilant, coupled with up-to-date virus scanning software, should reduce the incidence rate of any e-mail virus.

Should you fall foul of an e-mail virus in which you open an infected file, it is likely that the payload will be some form of ransomware. This method of attack has gained huge success in recent years, because it encrypts your personal files and then holds you ransom until you pay the perpetrator. The concept has been very effective and financially successful, with the original ransomware viruses and their derivatives. Cryptolocker, discovered in late 2013, reportedly extorted a staggering $30 million in the first three months after release. Even if this is a wild exaggeration, it still shows that a lot of money is being made.

It is worth mentioning how you can identify whether you have been infected by ransomware. Ransomware requires an executable to deliver its payload, and, therefore, the most common method is to hide within a downloaded Torrent file.

Once infected, the virus will associate itself with system and application file extensions, so that when you try to open an application, for example, Word or Excel, the virus will display a custom pop-up dialog that informs you of its malicious action. Most ransomware viruses will encrypt your personal files and request that you pay a ransom in Bitcoin to have your files decrypted. The virus is normally time-bombed, to create urgency, so that the victim panics and makes prompt payment. Often, once payment has been received, the files are either not decrypted, or, if they are, the virus may lie dormant and resurface for another payment six months later.

An example of the dialog screen from the PClock2 ransomware is shown in Figure 4-3.

Figure 4-3. PClock2 ransomware display message

The existence of the PClock2 virus can be established by checking the registry for the presence of the following key:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"wincl"="%APPDATA%\WinDsk\windsk.exe"

The virus will also store malware files locally in the following locations:

  • %APPDATA%\WinDsk\windsk.exe: The malware executable

  • %APPDATA%\WinDsk\windskwp.jpg: The custom wallpaper generated by the malware

  • %DESKTOP%\CryptoLocker.lnk: A shortcut to the malware executable

  • %USERPROFILE%\enc_files.txt: List of encrypted files
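The following PowerShell function, added here as an example and not taken from the book, checks the current user's profile for the PClock2 indicators just listed (the Run value and the dropped files) and, if enc_files.txt exists, counts its entries to scope the damage. The function name is mine; the key, value name and paths are those given above.

```powershell
# Added example (not from the book): audit the current user profile for the
# PClock2 indicators described in the text. Read-only; it changes nothing.
function Test-PClock2Indicators {
    [CmdletBinding()]
    param()

    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Persistence: the Run value listed in the chapter. HKCU needs no elevation.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['wincl']) {
        $findings.Add("Run value 'wincl' = $($run.wincl)")
    }
    # A variant may rename the value; anything pointing into a WinDsk folder is suspect.
    if ($run) {
        foreach ($prop in $run.PSObject.Properties) {
            if ($prop.Name -ne 'wincl' -and "$($prop.Value)" -match '\\WinDsk\\') {
                $findings.Add("Run value '$($prop.Name)' references WinDsk: $($prop.Value)")
            }
        }
    }

    # 2. Dropped files. %DESKTOP% is not a real environment variable, so the
    #    Desktop path is resolved through .NET instead.
    $desktop = [Environment]::GetFolderPath('Desktop')
    $encList = Join-Path $env:USERPROFILE 'enc_files.txt'
    $paths = @(
        (Join-Path $env:APPDATA 'WinDsk\windsk.exe'),
        (Join-Path $env:APPDATA 'WinDsk\windskwp.jpg'),
        (Join-Path $desktop 'CryptoLocker.lnk'),
        $encList
    )
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) {
            $item = Get-Item -LiteralPath $p -Force
            $findings.Add("File present: $p ($($item.Length) bytes, modified $($item.LastWriteTime))")
        }
    }

    # 3. Scope the damage from the malware's own list of encrypted files.
    $encryptedCount = 0
    if (Test-Path -LiteralPath $encList) {
        $encryptedCount = @(Get-Content -LiteralPath $encList | Where-Object { $_.Trim() }).Count
    }

    [PSCustomObject]@{
        Infected       = ($findings.Count -gt 0)
        Findings       = $findings.ToArray()
        EncryptedFiles = $encryptedCount
    }
}

# Usage: if Infected is True, disconnect the machine from the network before
# cleaning it, and restore data from the offline backups recommended below.
Test-PClock2Indicators | Format-List
```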

After infection, the machine is unusable, until the virus is removed. This may be achieved using a decrypter tool available from your antivirus vendor.

Ransomware that has already been released should be detected by your anti-malware software, but due to the lucrative nature of this attack, it is likely that significant effort will be invested to create new variants of ransomware and make them harder to detect before they release their payload.

The suggested defense against this type of malware is to back up regularly (onto media stored disconnected from the PC) and remain vigilant to all executable files. Enterprise machines should not be able to accidentally activate any ransomware executables, especially if they are using a modern operating system with UAC enabled. Users of older systems are particularly at risk.

Spear Phishing

One method of increasing the effectiveness of e-mail attacks is known as spear phishing. This is typically an e-mail-borne phishing attack that has been customized with your information, so that it appears legitimate. For readers of this book, this may not be a huge threat, but for inexperienced users, this type of targeted, specific scam, in which the sender’s e-mail address is also impersonated, makes the e-mail content even more compelling to a recipient who knows the purported sender.

With the explosion of personal and corporate information available on social media and public sites such as LinkedIn, it is now even easier to connect pieces of the jigsaw and make a previously laughable spam e-mail become entirely credible.

Targeted Application Hacking

On October 21, 2015, UK telecommunications provider TalkTalk was successfully hacked, with the loss of customer data. Once the breach was investigated, it was found that a database containing 4 million records, of approximately 157,000 customers, including names, addresses, and bank account details, had been accessed.

The perpetrators e-mailed several TalkTalk employees with ransom demands and included some proof of the stolen cache of data.

The attackers were apprehended in November and December 2015, whereupon more details of the breach became known. One of the hackers was a 15-year-old boy from Northern Ireland who had used an SQL injection attack on a database maintained in a third-party call center. Preceding the theft, the hacker used a DDoS attack that distracted TalkTalk’s security team.

During the trial of the hackers in November 2016, TalkTalk admitted that it was not aware that the hacked web server contained vulnerable web pages that could be used to access the membership database. The company also confirmed that it was not aware that the database software was outdated and not supported by Microsoft.

The incident cost TalkTalk an estimated $75 million and the loss of 95,000 customers, as well as a sharp drop in its share price. The criminal told magistrates, “I was just showing off to my mates.”

The SQL injection attack method in the TalkTalk breach had been discovered more than ten years ago, and a patch was available. It is important to review all applications for vulnerabilities and take steps to ensure that services provided by third-party contractors are also compliant with your security measures.

Another external attack, on the database of the adult dating service “Friend Finder Network,” reportedly exposed between 340 million and 412 million accounts, e-mail addresses, and passwords from its web sites, dumping them on the black market. No details of how the hackers actually gained access to the data were available at the time of writing.

It is not just the enterprise-grade database applications that are at risk of attack. In the last ten years, there have been severe vulnerabilities discovered in popular add-ons, including Oracle Java, Adobe Reader, and Adobe Flash. Unless PCs and their applications are regularly updated, they are vulnerable to exploit kits.

Identifying Internal Attacks

An internal attack refers to a malicious activity that seeks to disrupt the computer systems from within the workplace. This could be directly from a member of staff, a contractor, or a visitor. The action may be deliberate or accidental.

During a recent security briefing, the consensus was that human error opens more doors to hackers than technical shortcomings, resulting in a permeable perimeter that is a constant challenge to police. Insider threats remain a significant cyber risk to organizations, with a quarter of all malware attacks originating from the inside.

Trusted employees often require access to critical systems and data to perform their role within the work environment. The employer has a legal duty to protect the business from any form of fraud or malicious activity. In light of this and other legislation (such as the US Sarbanes-Oxley Act of 2002), it is essential that careful consideration be given to how much scope each role within the workplace grants to individual employees.

A disgruntled employee can cause significant financial and reputational damage through the theft of sensitive data and intellectual property when they leave, and often the damage is not discovered for several months.

Members of staff with specific IT knowledge and access may cause destructive cyber damage by facilitating, or launching, an attack to disrupt or degrade critical services or wipe data from the organization’s network.

Accidental damage can also be caused by staff, for example, if an employee inadvertently infects the network with a virus.

Other examples of accidental damage include

  • Clicking on a phishing e-mail

  • Plugging an infected USB into a computer

  • Ignoring security procedures

  • Allowing unauthorized use of company devices

  • Downloading unsafe content from the Internet

Social engineering is a growing threat. It is akin to the tactics employed by spies in World War II, when there was a need to curtail all idle talk in case a spy was listening. Posters similar to the one shown in Figure 4-4 would remind you to keep your daily activities to yourself.

Figure 4-4. World War II poster aimed at curbing information leakage

Social engineering is one of the easiest methods by which to obtain sensitive information about an enterprise. Individuals, such as reception staff or junior employees, are regularly targeted and can unwittingly provide access to the network or carry out instructions in good faith that benefit the fraudster. Common (and successful) examples of social engineering include the following:

  • Phishing scams to obtain personal information, such as names, addresses, and Social Security numbers

  • URL link shorteners to obfuscate malicious links that redirect users to suspicious web sites

  • Pretexting, whereby an attacker focuses on creating a good pretext, such as a fabricated scenario, to try and steal information or scam their victim into allowing entry into the building

  • Baiting can be used to spread hidden malware by distributing free or gifted USB sticks to staff that contain a virus. A similar method is to leave USB sticks plugged into a meeting room PC and wait for it to be turned on and then capture and broadcast the credentials, using keylogging malware.

  • Tailgating is very common and relatively easy to pull off, especially in a large organization. Someone without the proper authentication follows an employee into a restricted area, leaves a USB in an unattended computer, and then walks out.

There are many ways to reduce the overall cyber risk to an organization, which will form part of your security policy documentation and should be included in employee employment contracts and contractor agreements.

The technological bar required to create sophisticated malware is becoming higher, but some malware is now obtainable to buy directly from the Dark Web. If malware eventually becomes less effective, it is possible that hackers and fraudsters will target physical access into an organization, as this may become the easiest entry vector.

Another very high-profile cyber attack occurred in July–August 2015 on the databases of the online dating service offered by Ashley Madison. This hack is believed to have been the result of an internal breach and emphasizes the importance of the internal threat. Ashley Madison claimed to have an international membership of 37.6 million, and details of this membership were stolen and subsequently made public. It was one of the largest file ransomware attacks.

Because of the highly sensitive nature of the data stolen and publicly released, the fallout following the breach included suicides, lost employment, and families and reputations destroyed. The hackers have never been identified, but many industry experts believe the breach bore the signs of an insider job.

Historically, companies have approached cyber security from a cost-benefit perspective. It is often thought cheaper to deal with the fallout from a breach. However, when the risk of a security leak is the size of Ashley Madison or AdultFriendFinder, security must take priority at any cost.

The need for a positive and proactive security culture that is alert and responsive to the threat posed by the various forms of espionage is extremely important in this modern age.

Summary

Although attacks sponsored by nation-states and terrorist groups and huge leaks of personal data make the headlines, they actually make up a very small minority of the total number of breaches. The main focus for malware today and in the near future is to steal your money. Ransomware is the biggest current security threat to the computer user at home and at work.

As the technical aspects of cyber warfare continue to rise, we will see more social engineering techniques deployed that aim to steal identity and gain the access that criminals desire.

In the next chapter, you will see how to assess PCs for security vulnerabilities and use tools to help remove malware, once your device is infected.
