Like a scary clown lurking in the shadows, CIOs face a number of terrifying potential threats this Halloween season. Avoiding the threats and protecting the enterprise is paramount, but what are the best ways to do so?
The following are some of the most common nightmares awaiting CIOs and some tips on how to avoid becoming a victim:
Zombie computers — "possessed" devices that spread malware or launch DDoS attacks
There is growing concern about viruses that can infect computers and go unnoticed for years. In April, a botnet that forced approximately 4,000 Linux computers to spew spam onto the internet for more than a year was finally stopped.
Botnets, or "zombies," can harness "innocent" computers or internet-connected devices to automatically transmit viruses or launch DDoS attacks.
The botnet concern has grown recently as cybercriminals have used them to launch massive DDoS attacks. In September, French hosting firm OVH was hit with two concurrent DDoS attacks attributed to botnets made up of 145,607 compromised IoT devices. And just last week, DNS provider Dyn was hit with a sophisticated, highly distributed attack involving "10s of millions of IP addresses."
"CIOs should be particularly worried about employee-owned IoT devices like fitness trackers, smart watches and Bluetooth headphones showing up on their corporate networks or network devices with default passwords that haven't been changed," said Cris Thomas, strategist at Tenable Network Security.
In May, Sens. Lindsey Graham, R-SC, Sheldon Whitehouse, D-RI, and Richard Blumenthal, D-CT, introduced a bill that would give law enforcement agencies and courts expanded authority to combat a broader array of botnets and hopefully crack down on the zombies.
"This bill will arm law enforcement and our courts with tools to help fight back and better protect Americans from cybercrime," Whitehouse said in a statement. "Cybercriminals can wield these armies of zombie computers to carry out all manner of criminal activity — from pillaging private data, to shutting down businesses' websites, to attacking critical infrastructure."
Currently, the Department of Justice can pursue botnets only when they are involved in fraud or illegal wiretapping; it cannot go after botnets used for destruction of data or DDoS attacks. The proposed legislation could change that, and would also make the act of selling or providing access to botnets a criminal offense. The legislation has not made any progress since May, however. But given rising concerns about botnets and zombies, it may soon be brought back to life.
"The good news is that constant vigilance can help reduce the fear and anxiety that keeps security professionals up at night," said Thomas. "This includes not only identifying which devices are connected to your network, but also knowing when they are connected, what data is being transmitted, who it is being sent to, and what the patch level is."
Dark data — the data you collect today could come back to haunt you
Dark data, a term coined by Gartner that refers to all the fragments and files that have been buried and forgotten within an organization's digital repositories, can create security risks, which can lead to legal and financial liability if inadvertently accessed by unauthorized individuals.
"The good news is that illuminating dark data doesn't need to be daunting or scary," said Mika Javanainen, senior director of product management at M-Files Corporation. "By using a metadata-driven approach to information management, companies can effectively shed light on dark data, transforming it into searchable, useful information."
Javanainen said by leveraging metadata as the foundation for information management, CIOs can ensure that data is quickly and easily located because it's not tethered to a specific location — it can be accessed and synced between various systems and devices with no duplication of content.
"In this way, a unique document can be found no matter where it resides," said Javanainen. "The key to shining the light on dark data is to eliminate information silos and break down the barriers between employees and their information, and metadata serves as the bridge for connecting previously disparate information repositories and business systems."
Mads C. Brink Hansen, product manager at TARGIT, says when it comes to dark data, the best action a CIO can take to protect his or her organization is to arm the IT team with a comprehensive data discovery tool with robust data governance capabilities.
"This way, the process of uncovering internal dark data requires minimal hand-holding from the IT specialists within the company, as BI users can create an experimental environment on their own," said Hansen. "And they can rest assured data is secure and only in the hands of those who should have access to it."
Malware — don't open that email!
Malware continues to grow at an alarming rate. CryptoLocker, the ransomware that burst onto the malware scene back in 2013, is still going strong and spawning a seemingly endless number of variants, while Twitoor is a spooky new piece of malware and the first Trojan to use a Twitter account instead of a command-and-control server to control infected devices.
"The Trojan apparently lies dormant on Android devices, and awaits commands from a malicious Twitter account," said Tammy Moskites, CIO and CISO of Venafi. "Commands can either tell Twitoor to download and install other applications — generally of the data-stealing mobile banking malware variety — or switch to another malicious command-and-control Twitter account." This scary innovation could be the beginning of a new wave of social media-based malware.
Most of this malware targets businesses because they can pay higher ransoms, explained Moskites.
"In particular, ransomware has been successfully targeting healthcare over the last year because there is a large attack surface and shutting down even a portion of a network can cause catastrophic damage, so the motivation to pay the ransom is high and super scary," she added.
Cybercriminals are also getting more savvy in how they deploy malware. Earlier this year, emails delivering malware were discovered in the wake of the Brexit vote, capitalizing on recipients' fears by promising to protect bank accounts and creating a sense of urgency.
"This is a perfect example of the strategy to capitalize on current events to deceive uninformed users, and we can be sure that the sophistication level of phishing attacks and malware strains will only continue to rise," said Joe Ferrara, president and CEO of Wombat Security. "Where does that leave CIOs? Decrypting files on your own offers a slim chance of success, and paying the ransom is like playing Russian roulette with your network and data."
The only viable option for protecting against these issues, according to Ferrara, is to plan ahead, set up secure and reliable backup systems, and proactively educate employees.
"There's no better time than the present for CIOs to take on the role of championing the value of cybersecurity education across all departments," said Ferrara. "An organization with employees that are educated on security best practices, common threats and potential attack strategies is in a much better position to protect itself from detrimental attacks and breaches. Keeping employees up-to-date on everything from phishing tactics to updating software applications can have a hugely positive impact on the general defense of an enterprise. Otherwise, beware of the unknown."
Mobile data leaks — you can run, but you can't hide
The growing use of enterprise mobile devices and the vast marketplace for self-serve apps has opened the door to data loss and security breaches in the enterprise.
Security firm Zscaler recently conducted research into the issue of mobile phone data leakage. The company observed about 20 million transactions using Android devices and 26 million transactions involving iOS devices. Approximately 3% of the Android-based transactions resulted in some level of privacy leakage, such as a user's mobile phone number or email address. When it came to iOS, about 2% of transactions resulted in sending PII-related information.
Such leaked data — including device metadata, location and PII — can be leveraged for more sophisticated attacks on an enterprise, according to Deepen Desai, director of security research at Zscaler.
"Once leaked identifiers are obtained by hackers, they can create hyper-tailored attacks, such as spear phishing emails, that appear sufficiently credible and personalized for users to be lured into clicking or opening the malicious file," said Desai. "With more and more users operating on mobile devices in an enterprise environment, this individual threat becomes a threat to the enterprise."
To ensure protection, CIOs should look into strong Mobile Device Management (MDM) policies to control the software used on mobile devices within an organization, said Desai. "MDM implementations within corporate networks are effective at mitigating these issues. Administrators can also control the type of apps that are allowed to be installed and monitor the app traffic over the corporate network to further strengthen the policy enforcement."