CYREN CyberThreat Report
Q3 2015
Avi Turiel
©2014. CYREN Ltd. All Rights Reserved. Proprietary and Confidential. ©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential. This document and the contents therein are the sole property of CYREN and may not be transmitted or reproduced without CYREN’s express written permission.
Agenda
• Web Security in the Modern Workplace
• Malware and other Ghosts
• Scam Spotting
• The worst day of the week is…
About CYREN
THE BEST KEPT SECRET IN INFORMATION SECURITY FOR MORE THAN A DECADE
Founded in 1991, CYREN (NASDAQ and TASE: CYRN) is a long-time innovator of cyber intelligence solutions. CYREN provides web, email, endpoint, and roaming cybersecurity solutions that are relied upon by the world’s largest IT companies to protect them and the billions of customers they serve from today’s advanced threats. CYREN collects threat data and delivers cyber intelligence through a unique global network of over 500,000 points of presence that processes 17 billion daily transactions and protects 600 million users.
CYREN Powers the World’s Security
Our Cyber Intelligence forms the security backbone of many of the world’s largest and most influential information technology and Internet security brands.
Research background
• Research Goal:
  • To understand the challenges in delivering Web security today
  • Gauge receptivity to deployment of cloud-based web security solutions.
• Target: Respondents were filtered as follows:
  • Organizations with between 500 and 9,999 employees.
  • Must have an IT job title. CIOs/CTOs were excluded in order to focus on the “implementer” role.
  • All respondents must have involvement in implementing/maintaining web security solutions at their organizations.
Respondents: Industry
[Chart: respondents by industry. Labels: Public sector/Nonprofit (including government and education); Healthcare; Hardware/Software/Network; Technology; Banking & Financial Services; Business/Professional Services; High tech and electronics; Information, Media & Entertainment; Insurance; Manufacturing (Industrial); Chemicals/Energy/Utilities; Aerospace/Defense; Automotive; Distribution; Other. Values as extracted, in order: 26%, 74%; 11%, 9%, 9%, 7%, 7%, 4%, 4%, 4%, 4%, 4%, 2%, 2%, 2%, 7%.]
Top Challenges to Web security
• Multiple devices creating numerous “entry points” (laptops, tablets, …: 48%
• Lack of the continuous visibility needed to detect advanced attacks: 45%
• Lack of resources to implement new security solutions: 43%
• Difficulty assessing your organization’s level of risk/threat profile: 39%
• No clear or uniform strategy for "incident response" (response is ad-…: 39%
• Existing blocking and prevention solutions are insufficient to protect against…: 38%
• Lack of access to real-time intelligence around the latest web security threats: 36%
• Web security solutions are costly and difficult to integrate: 36%
• Conventional security solutions don’t work well in cloud/hybrid environments: 32%
• Movement towards cloud infrastructure and “anytime” data access from any …: 30%
• Lack of support from the business for new security investments: 27%
• Data and applications are moving to the Cloud: 25%
• Lack of scalable security solutions (consistent through peak activity times…: 21%
• Other: 4%
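Rate Your Current Web Security Solution
• Continuous monitoring: Extremely effective 11%, Very effective 34%, Somewhat effective 39%, Not very effective 11%, Not at all effective 5% (% Extremely/Very Effective: 45%)
• Attack prevention: Extremely effective 16%, Very effective 27%, Somewhat effective 43%, Not very effective 11%, Not at all effective 4% (% Extremely/Very Effective: 43%)
• Attack detection: Extremely effective 13%, Very effective 21%, Somewhat effective 46%, Not very effective 14%, Not at all effective 5% (% Extremely/Very Effective: 34%)
• Protection speed (how fast zero-hour vulnerabilities are blocked): Extremely effective 7%, Very effective 27%, Somewhat effective 36%, Not very effective 18%, Not at all effective 13% (% Extremely/Very Effective: 34%)
Those who indicate their organizations are using a cloud-based web security solution are significantly less likely to assign low effectiveness ratings to current solutions in the area of protection speed.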
Cloud as a Viable Solution for Web Security
67% of respondents either already use, or would consider, a cloud-based solution for Web security. Among those who are hesitant, lack of trust in cloud-based security is the top obstacle.
[Chart: responses "Yes, we have a cloud-based Web security solution in use today", "Yes, we don’t currently use but would investigate or consider a cloud-based Web security solution" and "No". Values as extracted, in order: 21%, 46%, 32%.]
What is holding your organization back from considering a cloud-based web security model? (Of those that do not see cloud as a viable solution for addressing Web security)
• Don’t trust cloud-based …: 61%
• Our current equipment does…: 39%
• Our security mindset is…: 28%
• Staff doesn’t have training, …: 28%
• Timing, recently invested in…: 22%
• Switching costs are too high: 17%
• Never heard of cloud-based…: 17%
• Other: 28%
Poll Question #1
Aside from Web security, what other security solution do you see the most need for? (Choose one)
• Email security (including email anti-malware)
• Breach detection (based on network traffic)
• Detection of APTs
• Anti-malware (locally installed on any device)
CYREN WebSecurity
• Cloud-based secure web gateway
• Innovative detection technologies
• Custom sandbox arrays used on a global basis
• Automatically investigates IPs, domains, hosts, and files associated with suspicious behavior and maintains risk scores
• Inline antimalware and URL filtering
• Comprehensive protection for business users – whether office-based, remote, or roaming
• Also protects users of Guest WiFi or Public WiFi services
Java Zero-Day Malware
Ghostpush
• Packaged into 39 different Android apps
• Installation of adware, unwanted homescreen links, and further malware
• Based on the code and app signatures, CYREN believes the source of the malware to be China
• Beware of apps that require enabling the “Unknown Sources” check box
Ghostpush flow
• Download (infected) popular app
• Infected app downloads “Rootmaster” apk
• Rootmaster roots device and installs “cameraupdate.apk”
• cameraupdate.apk installs “monkeytest” service
• monkeytest service installs other adware/malware
• Device pops up unwanted ads and links added to homescreen
“cameraupdate” is installed in the “system/priv-app” directory and runs every time the device is restarted so that it can reinstall malware if deleted
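An added example, not part of the original slides: a defender-side audit of the privileged app directory named in the flow above, run over the output of `pm list packages -f`. The sample output, the `com.example.*` package names and the baseline set are constructed for illustration.

```python
import re

# Names taken from the slide: the dropped APK and the service it installs.
SLIDE_NAMES = ("cameraupdate", "monkeytest")

# Constructed sample of `pm list packages -f` output (not real device data).
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/priv-app/cameraupdate.apk=com.example.cameraupdate
package:/data/app/com.example.game-1/base.apk=com.example.game
package:/system/priv-app/SystemUI/SystemUI.apk=com.android.systemui
package:/system/priv-app/Updater/Updater.apk=com.example.updater
"""

# Hypothetical baseline: privileged packages recorded from a known-good image.
BASELINE_PRIV = {"com.android.settings", "com.android.systemui"}

LINE_RE = re.compile(r"^package:(?P<path>.+)=(?P<pkg>[^=]+)$")


def parse_packages(pm_output):
    """Return (apk_path, package_name) pairs from `pm list packages -f` text."""
    pairs = []
    for line in pm_output.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            pairs.append((match.group("path"), match.group("pkg")))
    return pairs


def audit_priv_apps(pm_output, baseline):
    """Flag privileged apps that are off-baseline or carry a slide name."""
    findings = []
    for path, pkg in parse_packages(pm_output):
        if not path.startswith("/system/priv-app/"):
            continue  # only the privileged directory named on the slide
        reasons = []
        if pkg not in baseline:
            reasons.append("not in baseline")
        if any(n in path.lower() or n in pkg.lower() for n in SLIDE_NAMES):
            reasons.append("matches slide name")
        if reasons:
            findings.append((pkg, path, reasons))
    return findings


if __name__ == "__main__":
    for pkg, path, reasons in audit_priv_apps(SAMPLE_PM_OUTPUT, BASELINE_PRIV):
        print(f"{pkg} at {path}: {', '.join(reasons)}")
```

The baseline comparison matters more than the name match: a renamed APK still shows up as a privileged package that the known-good image never shipped.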
Web Malware
• SEOHide
  • Injects code into compromised websites to boost page rankings by hiding hyperlinks to them throughout the infected sites
  • “Black Hat SEO”
• Faceliker
  • Hijacks mouse clicks to force users to "like" a particular Facebook page
VBS/DropDownld.B
• VBS only supported by Internet Explorer
• Script stores a hex-encoded string on the victim's computer
• Then decodes the string into svchost.exe
• Then saves it in the temp directory, then executes
• Variant of worm/infector Ramnit
• Disables Windows security, prevents Windows Update from operating, stops install of AV
• Collects online services account information—financial, banking, social, and professional
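An added detection example, not part of the original slides: the dropper described above writes a file named svchost.exe to the temp directory, so a process-creation event for svchost.exe outside the Windows system directories is worth an alert. The event records, host names and the default `C:\Windows` system root are constructed assumptions.

```python
import ntpath

# Assumption: default %SystemRoot%; adjust for hosts installed elsewhere.
SYSTEM_ROOT = r"C:\Windows"
LEGIT_DIRS = {
    ntpath.normcase(ntpath.join(SYSTEM_ROOT, sub))
    for sub in ("System32", "SysWOW64")
}

# Constructed process-creation events (host, image path of the new process).
SAMPLE_EVENTS = [
    {"host": "ws-01", "image": r"C:\Windows\System32\svchost.exe"},
    {"host": "ws-02", "image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe"},
    {"host": "ws-03", "image": r"c:\WINDOWS\system32\SVCHOST.EXE"},
    {"host": "ws-04", "image": r"C:\ProgramData\svchost.exe"},
    {"host": "ws-05", "image": r"C:\Windows\System32\notepad.exe"},
]


def classify(image_path):
    """Classify one image path; Windows paths compare case-insensitively."""
    path = ntpath.normcase(ntpath.normpath(image_path))
    directory, name = ntpath.split(path)
    if name != "svchost.exe":
        return "ignore"
    if directory in LEGIT_DIRS:
        return "expected"
    if {"temp", "tmp"} & set(directory.split("\\")):
        return "alert: svchost.exe in temp directory"
    return "alert: svchost.exe outside system directory"


def triage(events):
    """Return (host, image, verdict) for every event that raises an alert."""
    alerts = []
    for event in events:
        verdict = classify(event["image"])
        if verdict.startswith("alert"):
            alerts.append((event["host"], event["image"], verdict))
    return alerts


if __name__ == "__main__":
    for host, image, verdict in triage(SAMPLE_EVENTS):
        print(f"{host}: {image} -> {verdict}")
```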
JS/IFrame.VJ.gen
• Spyware launched in August 2015
• Found on compromised WordPress, Drupal, and Joomla
• JavaScript code contains an iframe that redirects to a malicious server
• Gathers information such as the operating system, timestamp, timezone, and existence of certain legitimate applications like Adobe Flash Player
• Series of redirects to fake sites follow, that look identical to or closely resemble Flash upgrade sites, Google Chrome plugins, or other fake application sites
Poll Question #2
Which is more secure? (Choose one)
• Android
• iOS
• Both equally secure – as long as you stick to the official app store
• Both equally vulnerable – even if you stick to the official app store
Phishing targeting business
Ashley Madison breach
• “Impact Team” announcement/threat in July
  • Customer data (~37 million users)
  • Source code
  • Internal data
• Followed by release in Aug
• Released details used by other criminals (or not)
Ashley Madison extortion emails
USD 3,850
Detecting Phishing with antimalware tools
• Common phishing attack based on “shared Google doc”
• Phishing aims for multiple email credentials
• HTML code is duplicated in thousands of compromised sites
• CYREN detection of code:
  • HTML/Phish.AM
  • 20,000+ sites in last few weeks
More social engineering
• .doc attached malware
• Macro or RTF vulnerability
• Email includes “request” from recipient
Poll Question #3
How do you spot scam phishing emails/websites? (Pick more than one)
• Look at the URL
• Any email I wasn’t expecting is probably phishing/scam
• Browser warnings
• Email properties (to, from, headers…)
• Poor English
Applied Cyber Intelligence
Q3 Android Threats
Q3 Phishing
Q3 Spam
5.4%
Q3 Worst day of the week for spam and malware
You can also find us here:
www.CYREN.com
twitter.com/cyreninc
linkedin.com/company/cyren
Thank You. Any Questions or Thoughts?