Cisco Urges Basic Security Measures

cisco

Infections by the Cryptolocker malware could have been prevented by the use of fundamental security procedures

While there is a certain amount of focus by security vendors on zero-day threats that have not yet been patched, networking giant Cisco Systems doesn’t want people to forget about the need for good Internet hygiene to protect against all the other types of online threats.

In a press briefing on Monday, Craig Williams, technical leader of Threat Research Analysis & Communications (TRAC) at Cisco, talked about three recent sets of attacks, all of which could have been prevented if the victims had properly followed a few simple Internet security best practices.

Watering hole attack

Cisco Sign 2One of the attacks, known as a “watering hole” attack, targeted oil and gas companies. In a watering hole attack, a commonly visited website (the watering hole) is infected with some form of malware, which is then distributed to all subsequent visitors to the site.

Cisco TRAC discovered 10 websites in the oil and gas sector that had become watering hole sites. Williams did not specifically identify all 10 sites, though he did note that they include a large firm with operations in Africa, Morocco and Brazil; a natural gas power station in the UK; and a gas distributor in France.

From a technical perspective, the watering hole attack involved the placement of a snippet of malicious JavaScript code that points to a malicious domain. The malicious page includes an exploit inject by way of an iframe that could enable the attacker to infect a user by browser. An iframe is an embedded element within a website, Williams said.

In the oil and gas industry attack, Cisco TRAC found that three publicly reported vulnerabilities were to blame as the root cause of the infections. The vulnerabilities included CVE 2012-1723, which is a Java exploit, as well as the Microsoft IE 8 CVE 2013-1347 exploit and the Firefox CVE 2013-1690 exploit. Williams said all three of the vulnerabilities have already been patched by the affected software vendors with updates that are generally available for organisations and end users to deploy.

“There is no reason why these boxes should have been vulnerable except for the fact that they weren’t following best practices,” he said.

The oil and gas vendors, or anyone else for that matter, could have protected themselves from the watering hole attack with patching vigilance, Williams said. He recommends that users and organisations keep all servers up-to-date with the latest patches. It’s also important to update all plug-ins for web browsers, especially Java – an oft-targeted technology that is frequently updated.

Network security solutions, including antivirus and intrusion prevention systems (IPSes), can further reduce the risk, Williams said.

Cryptolocker

Another type of attack that good hygiene could easily prevent is the Cryptolocker ransomware attack, Williams added. The way Cryptolocker works is it infects user desktops and then encrypts data. The only way users get access back to their data is if they pay the ransom (hence the term “ransomware”) to the hackers.

Even if a device is infected with Cryptolocker, there is at least one easy fix: Users can reimage their PCs and then reload data from backups performed before the device was infected, Williams said.

“Due to the effective use of encryption, decryption is computationally prohibitive,” Williams told eWEEK. “The best defense against Cryptolocker is to perform regular backups.”

To prevent infection from Cryptolocker in the first place, use up-to-date antivirus software, as Williams said that among Cisco’s active security customers, he is unaware of any infections.

DNS takeover

Another type of attack that has recently been active is a DNS (Domain Name System) takeover, performed by the Syrian Electronic Army (SEA). In a DNS attack, the hacker gets access to the records that identify where a given domain name is supposed to go and then redirects that to a different Internet address. The SEA has successfully executed DNS attacks against The New York Times and Twitter, among other organisations.

In the SEA attacks, organisations were exploited and tricked into giving up their DNS log-in credentials. Again, Williams stressed that there are a number of basic best practices that organisations can and should undertake to protect their domain name information.

Williams suggests that organisations lock down their domains with their domain registrar to prevent unauthorised transfers. He also advocates for improved email security as well as the use of two-factor authentication mechanisms. With two-factor authentication, users need more than just a username and a password to gain access to a site or service.

Overall, Williams stressed that the best security comes with defense in depth. As such, it’s critically important for organisations to keep up-to-date with patches, avoid phishing scams, use two-factor authentication and lock down domain registration settings.

“It is very similar to using the ‘Club’ on your car’s steering wheel – you raise the bar so that a successful attack is less likely,” Williams said. “However, users must remain vigilant because complete security can never be guaranteed.”

Are you a security pro? Try our quiz!

Originally published on eWeek.