Security IT Summit | Forum Events Ltd

Posts Tagged: Barracuda Networks

Barracuda: Growing confidence and emerging gaps in cloud security

Guest Post

For modern organisations, digital transformation is increasingly the only game in town. CIOs are turning to multiple cloud providers in droves for new app-based models, driving enhanced business agility to meet ever-changing market demands.

Yet security remains a constant challenge. Web applications themselves remain a major target for data theft and DDoS. A Verizon report from earlier this year claimed that a quarter of the breaches it analysed stemmed from web application attacks.

So, what are organisations doing about it? Chris Hill, RVP Public Cloud and Strategic Alliance International at Barracuda Networks, reveals some interesting findings from its latest research…

Cloud maturity grows

The survey of over 850 security professionals from around the world reveals a growing confidence in public cloud deployments. Over two-fifths (44 percent) now believe public cloud environments to be as secure as on-premises environments, while 21 percent claim they are even more secure. What’s more, 60 percent say they are “fairly” or “very” confident that their organisation’s use of cloud technology is secure.

This makes sense. After all, cloud providers are capable of running more modern, secure infrastructure than many organisations could in-house. That means customers benefit from the latest technology, accredited to the highest security standards, versus heterogeneous, legacy-heavy in-house environments. As long as they pick the right third-party security partners and understand the concept of shared responsibility in the cloud, cyber risk can be mitigated effectively. The cloud even offers more options for backup and redundancy to further minimise risk.

Yet this isn’t the whole picture. Respondents to the study are still reluctant about hosting highly sensitive data in the cloud, with customer information (53 percent) and internal financial data (55 percent) topping the list. They complain of cybersecurity skills shortages (47 percent) and a lack of visibility (42 percent) as hampering cloud security efforts. And over half (56 percent) aren’t confident that their cloud set-up is compliant.

Could some of these concerns be linked to web application threats?

Websites under attack

The truth is that web apps are a ubiquitous but often poorly understood part of the modern cloud-centric organisation. As a business-critical method of delivering experiences to customers and productivity-enhancing capabilities to employees, web applications are a major target for cyber-criminals looking to steal sensitive data and interrupt key business processes. A Forrester study from 2018 found that the leading cause of successful breaches was external attacks — the most common of which focused on web applications (36 percent).

Fortunately, Barracuda Networks’ survey finds more than half (59 percent) of global firms have web app firewalls (WAFs) in place to mitigate these threats. The most popular option is sourcing a WAF from a third-party provider (32 percent), which makes sense, as long as they can protect customers from the automated bot-driven traffic that dominates the threat landscape. Not all can.

Patching and configuring

However, a greater concern is the fact that many organisations don’t appear to be taking the threat of web application vulnerabilities seriously. The Barracuda study found that 13 percent of respondents claim they haven’t patched their web application frameworks or servers at all over the past 12 months. Of those that did, it takes over a third (38 percent) of them between seven and 30 days to do so. For a fifth (21 percent), it takes over a month.

This is the kind of approach that landed Equifax in a heap of trouble when it failed to promptly patch an Apache Struts 2 flaw, leading to a mega-breach that has so far cost over $1.4 billion. It’s an extreme example, but it is one that highlights the potential risks for businesses.

Another potential area of risk with web application environments is human error. A massive breach at Capital One earlier this year affected around 100 million customers and applicants, and it was blamed on a misconfiguration of an open source WAF.

Some 39 percent of respondents told Barracuda Networks they don’t have a WAF because they don’t process any sensitive information via their applications. But attacks aren’t just focused on stealing data. They can also impede mission-critical services. WAFs are certainly not a silver bullet. But as part of a layered approach to cybersecurity, they’re an important tool in the ongoing fight against business risk.

Conclusion

Growing cloud confidence is enabling digital transformations across organisations of every shape and size. However, that confidence comes with a cautionary tale. Attackers are also zeroing in on vulnerabilities and weaknesses that may have been ignored in the past, and many organisations are unaware of how these multi-layered attacks can unfold from a single access point. Web application security and cloud security posture are the key weapons customers need to deploy in order to continue their digital transformations safely in the cloud.

To ensure you are secure in the cloud, here are some tips:

• Ensure you have WAFs protecting all your apps. Don’t assume that just because an app doesn’t appear to have outside visitor engagement that it can’t be used as an attack vector. Once any vulnerabilities are discovered, attackers will exploit them, and it may help them gain access to your network and more valuable resources.
• Don’t leave application security in the hands of your development team. They aren’t security experts, nor do you pay them to be — you pay them to build great products.
• Deploy a cloud security posture management solution. Not only will this eliminate many security risks and failures, along with providing your development team with necessary guardrails to “build secure,” it greatly simplifies remediation and speeds investigations when issues do arise.

Barracuda snaps up bot detection software

Stuart O'Brien

Barracuda has acquired bot detection technology from InfiSecure Technologies, adding capabilities to its WAF-as-a-Service and Web Application Firewall platforms.

Bot detection has evolved to combat more human-like bot attacks. Low-and-slow bots, which request data slowly and rotate IP addresses often, require special fingerprinting techniques to detect.

Barracuda says combining InfiSecure’s technology with the behavioural data points of its own Global Threat Intelligence Infrastructure will give its WAF powerful capabilities to combat such attacks.

Barracuda says a generic bot detection methodology fails to address the specific bots written for different applications. InfiSecure’s machine learning layer provides automatic profiling of each individual application to provide application-specific bot detection and mitigation capabilities and help ensure the highest protection.

“This strategic technology acquisition further strengthens our application security portfolio and our commitment to provide application security to our customers,” said Tim Jefferson, SVP, Engineering of Data Protection, Network and Application Security, Barracuda Networks. 

“InfiSecure perfectly complements our recently released Advanced Bot Detection and will bring next-generation capabilities to our WAF-as-a-Service and Web Application Firewall offerings.”

The Rising Email Threat: Are instant messaging tools the answer?

Guest Post

By Barracuda Networks

At Barracuda we believe two heads are better than one. Following that logic, we can’t argue the value of the opportunity to hear from our peers on industry trends. We recently discovered through such means that, for the channel, email security is its biggest focus in 2019, as partners are increasingly helping their customers fight the battle against email attacks.

This got us thinking: how do end users view email security? And does it match with their channel counterparts? Are they too prioritising it over the next 12 months?

To answer our question, we quizzed 280 high-level decision makers across different industries throughout EMEA on their email security measures, where it falls on their ever-changing priority list, and ultimately how equipped they are for the inevitable attack.

Attacks are going up, up, up 

The results pointed to an industry already aware of – and often affected by – the rising new wave of email threats. Of the 280 decision makers polled, a majority (87%) predicted email threats to increase in the coming year. Perhaps unsurprisingly, the majority (75%) also said they had witnessed a steady increase in email attacks over the past three years against their own organisation. 

Breaking those attacks down, in the last year, almost half (47%) were attacked by ransomware, 31% were victim to a business email compromise attack, and a huge 75% admitted to having been hit with brand impersonation. This final statistic gives credence to our recent spear phishing report, which found that 83% of all the email attacks we analysed focused on brand impersonation. Clearly the criminal’s favourite choice, and for good reason.

Email remains the weakest link

However, regardless of this awareness, many organisations admit to being vastly unprepared when it comes to email security. Despite email being used since the 1990s, a staggering 94% admitted that email is still the most vulnerable part of organisations’ security postures. 

Unsurprisingly, finance departments seem to experience the most attacks, with 57% identifying it as the most targeted department. What was surprising was the rise in customer support attacks; a not insignificant 32% identified this as their most attacked department in what could indicate a new emerging trend for would-be attackers.

Without proper employee training, these attacks will continue to succeed. However, training is still hugely lacking across most organisations we spoke to, with the most popular answer (29%) being from respondents who receive it just once a year. Shockingly, 7% stated they’d either never had training or that they weren’t sure.

The lack of training is clearly leaving employees either confused or unaware of security protocol, as over half (56%) stated that some employees do not adhere to security policies. Of those, 40% said their employees used a ‘workaround’ to do so, perhaps referring to shadow IT solutions and the issues they continue to cause in enterprise IT environments. Both of these issues could be solved by regular and in-depth employee security training.

Not all doom and gloom

That being said, we’d be remiss to ignore those taking measures to reduce email threats. For the 38% whose security budgets are increasing next year, we’d hope security awareness training will play a key role in where the funds will be spent – after all, regardless of whether you have the latest technology, your employees are still the last line of defence.

However, with 62% of security budgets to either stay the same or decrease over the next year, it seems that organisations are taking to other ways to try and reduce the rising email threat. Over a third (36%) are implementing instant messaging applications such as Slack or Yammer, to reduce email traffic.

This approach comes with a warning from us: while we haven’t yet seen attacks using messaging platforms such as Slack, this may well change in the future and doesn’t necessarily mean that these platforms are immune to attacks. Any organisation going down this route should do so with care, as if we know anything about cyber attackers, it’s that they’re always trying new ways to catch their victims out.

Interestingly, those companies using instant messaging tools are more likely to use Office 365 (78%), compared to an average of 56% across the rest of the study. They were also slightly more likely to pinpoint email as the weakest link (97%) versus 92%. With that in mind, security should be front of mind in order to ensure Office 365 environments are fully protected in the move away from Exchange.

In the short term, while a shift away from email to communications tools such as Slack might be tempting in order to temporarily ease the email burden, it might not work out in the long run, as we wouldn’t be surprised if cyber attackers just changed their tactics in response. In the longer term, the right combination of technology and security awareness training is the key to email attack protection. Attacks will always increase in sophistication, but as long as you stay ahead of the game, it is possible to keep the bad guys out. After all, even at 30 years old, email attacks are still proving profitable for cyber criminals, so they won’t stop any time soon… 


Document-based malware increase ‘alarming’

Stuart O'Brien

Researchers have uncovered what they’re calling an ‘alarming’ rise in the use of document-based malware.

A recent email analysis conducted by Barracuda Networks revealed that 48% of all malicious files detected in the last 12 months were some kind of document. 

More than 300,000 unique malicious documents were identified.

Since the beginning of 2019, however, these types of document-based attacks have been increasing in frequency – dramatically. In the first quarter of the year, 59% of all malicious files detected were documents, compared to 41% the prior year.

The team at Barracuda has taken a closer look at document-based malware attacks and solutions to help detect and block them.

Cybercriminals use email to deliver a document containing malicious software, also known as malware. Typically, either the malware is hidden directly in the document itself or an embedded script downloads it from an external website. Common types of malware include viruses, trojans, spyware, worms and ransomware.  

The Modern Framework for Malware Attacks

After decades of relying on signature-based methods, which could only be effective at stopping a malware strain once a signature was derived from it, Barracuda says security companies now think about malware detection by asking “What makes something malicious?” rather than “How do I detect things I know are malicious?”.

The focus is on attempting to detect indicators that a file might do harm before it is labeled as being harmful.

A common model used to better understand attacks is the Cyber Kill Chain, a seven-phase model of the steps most attackers take to breach a system:

• Reconnaissance – target selection and research
• Weaponisation – crafting the attack on the target, often using malware and/or exploits
• Delivery – launching the attack
• Exploitation – using exploits delivered in the attack package
• Installation – creating persistence within the target’s system
• Command and control – using the persistence from outside the network
• Actions on objective – achieving the objective that was the purpose of the attack, often exfiltration of data

Barracuda says most malware is sent as spam to widely circulated email lists that are sold, traded, aggregated and revised as they move through the dark web. Combo lists like those used in the ongoing sextortion scams are a good example of this sort of list aggregation and usage in action.

Now that the attacker has a list of potential victims, the malware campaign (the delivery phase of the kill chain) can commence, using social engineering to get users to open an attached malicious document. Microsoft and Adobe file types are the most commonly used in document-based malware attacks, including Word, Excel, PowerPoint, Acrobat and PDF files.

Once the document is opened, either the malware is automatically installed or a heavily obfuscated macro/script is used to download and install it from an external source. Occasionally, a link or other clickable item is used, but that approach is much more common in phishing attacks than malware attacks. The executable being downloaded and run when the malicious document is opened represents an installation phase in the kill chain.

Archive files and script files are the other two most common attachment-based distribution methods for malware. Attackers often play tricks with file extensions to try to confuse users and get them to open malicious documents. 

Barracuda says modern malware attacks are complex and layered; the solutions designed to detect and block them are, too.

Detecting and Blocking Malware Attacks

Blacklists — With IP space becoming increasingly limited, spammers are increasingly using their own infrastructure. Often, the same IPs are used long enough for software to detect and blacklist them. Even with hacked sites and botnets, it’s possible to temporarily block attacks by IP once a large enough volume of spam has been detected.

Spam Filters / Phishing-Detection Systems — While many malicious emails appear convincing, spam filters, phishing-detection systems and related security software can pick up subtle clues and help block potentially threatening messages and attachments from reaching email inboxes.

Malware Detection — For emails with malicious documents attached, both static and dynamic analysis can pick up on indicators that the document is trying to download and run an executable, which no document should ever be doing. The URL for the executable can often be flagged using heuristics or threat intelligence systems. Obfuscation detected by static analysis can also indicate whether a document may be suspicious.

Advanced Firewall — If a user opens a malicious attachment or clicks a link to a drive-by download, an advanced network firewall capable of malware analysis provides a chance to stop the attack by flagging the executable as it tries to pass through.
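The extension tricks and static-analysis indicators described above can be illustrated with a small attachment triage routine. This is an added example, not Barracuda's code or method; the indicator names, extension lists and sample attachments are constructed for illustration, and a macro's presence is treated only as an indicator for further analysis.

```python
import io
import zipfile

# Leading magic bytes for the container types the article names.
MAGIC = {
    b"MZ": "pe-executable",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip-container",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2-office",
}
OOXML = ("docx", "docm", "xlsx", "xlsm", "pptx", "pptm")
# Content kind each document extension should carry (assumed mapping).
EXPECTED = {"pdf": "pdf", "doc": "ole2-office", "xls": "ole2-office",
            "ppt": "ole2-office", "zip": "zip-container",
            **{ext: "zip-container" for ext in OOXML}}
RUNNABLE = {"exe", "scr", "js", "vbs", "bat", "cmd", "ps1", "hta", "lnk"}


def sniff(data: bytes) -> str:
    """Classify content by magic bytes, ignoring the file name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def triage(filename: str, data: bytes) -> list[str]:
    """Return static indicators for one attachment (empty list = none)."""
    findings = []
    if "\u202e" in filename:  # right-to-left override hides the real suffix
        findings.append("rtl-override-in-name")
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if len(parts) > 2 and parts[-2] in EXPECTED and ext in RUNNABLE:
        findings.append("double-extension")
    kind = sniff(data)
    if ext in EXPECTED and kind != EXPECTED[ext]:
        findings.append(f"content-mismatch:{kind}")
    if kind == "zip-container":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = [n.lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            findings.append("unreadable-zip")
        else:
            # OOXML stores VBA macros in a part named vbaProject.bin.
            if any(n.endswith("vbaproject.bin") for n in names):
                findings.append("vba-macro-present")
    return findings


def make_ooxml(with_macro: bool) -> bytes:
    """Build a constructed, minimal OOXML-like zip for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [("report.docx", make_ooxml(False)),
               ("invoice.docm", make_ooxml(True)),
               ("statement.pdf.exe", b"MZ\x90\x00"),
               ("scan.pdf", b"MZ\x90\x00")]
    for name, blob in samples:
        print(name, triage(name, blob))
```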

SD-WAN deployments up, but networking and security challenges persist

Stuart O'Brien

New research has highlighted the improved network security, connectivity, flexibility, and cost savings enabled by SD-WAN, but says 98% of IT leaders cite networking challenges with their current WAN setup.

The report from Barracuda Networks includes data from more than 900 respondents in the Americas, EMEA, and APAC.

Respondents come from companies ranging from 1,000 to more than 5,000 employees across multiple sectors, including healthcare, finance, education, manufacturing, public sector, and retail.

Overall, the study indicates that SD-WAN deployments are increasing to address networking challenges resulting from the explosive growth of WAN traffic due to high demand for cloud applications and services. Security remains a top concern for an overwhelming majority of IT leaders as they consider upgrading to an SD-WAN solution.

Highlights include:

  • Networking challenges are common with current WAN setups.
    • Top three challenges are complexity (48%), cloud performance (47%), and performance between locations (46%).
  • SD-WAN deployments are on the rise.
    • One-third have already deployed SD-WAN in most of their sites, and 49 percent are in the process of doing so or will in the next year.
    • 70 percent of IT leaders said they risk losing a competitive advantage if they don’t update their WAN.
  • Security is a top priority when choosing an SD-WAN solution.
    • 81 percent said advanced threat protection and centralized management were very important or crucial to their SD-WAN purchase.
  • SD-WAN offers improved security and lower costs.
    • Most common benefits of SD-WAN deployments are improved network security (57%), connectivity (56%), and network flexibility and agility (53%). 
    • Nearly half of respondents said they had reduced overall costs thanks to SD-WAN, and 36 percent reduced costs specifically for MPLS services.

Study highlights demand for phishing attack simulation and training

Stuart O'Brien

A global study has highlighted market demand for simulation and training to combat phishing attacks.

The research, commissioned by Barracuda Networks, revealed several points highlighting the need for organisations to include simulation and training as part of their email security posture.

It includes responses from over 630 participants who all had a responsibility for email security in their organisations. Some of the key findings include:

  • 98 percent of respondents said their organization would benefit from additional email security capabilities with phishing simulation (63%), social engineering detection (62%), email encryption (60%), and data loss prevention (59%) leading the way in terms of capabilities valued.
  • 100% of the respondents have good intentions and believe that user training is important; however, only 77% are actually training their employees.
  • It was also reported that larger organisations (over 1000 employees) are more likely to train their employees.
  • Poor employee behaviour (84%) is a greater email security concern than inadequate tools (16%); however, there’s no consensus on the level of employee that will fall for an attack.

Accordingly, Barracuda has expanded its PhishLine product portfolio with a streamlined edition well-suited for organizations with less than 1,000 employees, tuned specifically to be ready for distribution through the reseller channel.

It claims PhishLine can prevent email fraud, data loss, and brand damage by training and testing employees to recognize highly targeted phishing attacks.

“As phishing attacks have become increasingly stealthy and targeted, our adversaries have shifted their focus from the largest organizations to smaller targets,” said Hatem Naguib, SVP and GM of Security at Barracuda. “Today’s announcement expands our PhishLine portfolio, by building on our enterprise grade offering with a solution aimed specifically at simplicity and fast time to value, fit for today’s resource-constrained midsized businesses.”