It turns out that the same remote access software that allows you to work in your pajamas at home has more insidious uses, as a new report published by the Department of Homeland Security revealed. Among the report's troubling findings is how hackers, once inside a network, are using a malware family called Backoff that even fully updated antivirus systems find difficult to detect.
What's not as shocking, although equally worrying, is the report's conclusion that any information security program is only as good as the humans who guard the gates.
In this digital day and age, as many companies have discovered (here's looking at you, Target, Goodwill Industries and Neiman Marcus), a reactive, two-dimensional approach is no longer good enough to prevent a breach. To stand a fighting chance against the legion of hackers out there, companies need to take proactive security measures, or as the report advises, implement a "defense in depth" strategy that starts at the top and layers multiple tools and countermeasures.
Some key facts and findings from the report:
- Attackers use brute-force password guessing to log in to the remote desktop solutions many businesses use, including Microsoft Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop and LogMeIn Join.me.
- After they gain administrator-level access through these remote desktop accounts, hackers deploy Backoff -- a family of point-of-sale (PoS) malware -- to exfiltrate consumer payment data.
- Backoff is capable of memory scraping, keylogging, command-and-control communication and injecting malicious stubs into explorer.exe.
- AV vendors will soon update their products to be able to detect Backoff's variants. In the meantime, feed the indicators of compromise into existing security monitoring.
- Use two-factor authentication for remote desktop access, limit the number of users and workstations granted remote access, install a remote desktop gateway to restrict access, and enforce complex password requirements.
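The report's intrusion pattern (a burst of failed remote desktop logons from one source, then a success) is something a defender can watch for in Windows Security logs. The following is an added example, not code from the DHS report or this article; the log lines are constructed, and the simplified line format and the `threshold`/`window` parameters are assumptions.

```python
# Added example: flag RDP successes that follow a burst of failed RDP logons
# from the same source. Event ID 4625 = failed logon, 4624 = successful logon,
# logon type 10 = RemoteInteractive (Remote Desktop).
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines: "<timestamp> <EventID> <LogonType> <user> <source-ip>".
# Source addresses are documentation ranges (RFC 5737), not real hosts.
SAMPLE_LOG = """\
2014-08-01T02:10:01 4625 10 administrator 203.0.113.7
2014-08-01T02:10:03 4625 10 administrator 203.0.113.7
2014-08-01T02:10:04 4625 10 admin 203.0.113.7
2014-08-01T02:10:06 4625 10 administrator 203.0.113.7
2014-08-01T02:10:08 4625 10 administrator 203.0.113.7
2014-08-01T02:10:10 4624 10 administrator 203.0.113.7
2014-08-01T09:00:00 4625 10 jsmith 192.0.2.20
2014-08-01T09:00:30 4624 10 jsmith 192.0.2.20
"""

def parse(line):
    ts, event_id, logon_type, user, src = line.split()
    return datetime.fromisoformat(ts), int(event_id), int(logon_type), user, src

def find_bruteforce_then_success(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return (source_ip, user, success_time) for every RDP success that was
    preceded by at least `threshold` failed RDP logons from the same source
    within `window`. One typo'd password (jsmith) does not trip the rule."""
    failures = defaultdict(deque)   # source ip -> timestamps of recent failures
    hits = []
    for line in log_text.splitlines():
        ts, event_id, logon_type, user, src = parse(line)
        if logon_type != 10:        # only Remote Desktop logons are of interest
            continue
        recent = failures[src]
        while recent and ts - recent[0] > window:   # expire old failures
            recent.popleft()
        if event_id == 4625:
            recent.append(ts)
        elif event_id == 4624 and len(recent) >= threshold:
            hits.append((src, user, ts.isoformat()))
            recent.clear()          # report each burst once
    return hits

if __name__ == "__main__":
    for src, user, when in find_bruteforce_then_success(SAMPLE_LOG):
        print(f"ALERT: {src} logged in as {user} at {when} after repeated RDP failures")
```

On a real host the same logic applies to events exported from the Security log; the alert is a cue to check that source against the report's indicators of compromise and the list of workstations actually approved for remote access.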
Many CIOs have recognized that traditional security approaches are not up to the job, and as a result, are implementing a multilayered security defense. CIOs of this ilk also recognize the need for top-down participation in security strategy, including business alliances with board members to broaden their understanding of their responsibility for protecting information assets. For others, however, politics gets in the way of a sound security program, argues information security consultant Kevin Beaver. Politics and self-preservation, that is.
"The interesting thing, to me, that rarely comes up in these discussions is how the CIO can actually be part of the security problem. Not many, but quite a few CIOs view security as a threat to their jobs. If you point out security risks, then you're pointing out their shortcomings," Beaver commented in response to a story I did recently on CIOs advocating a top-down proactive security strategy. "In certain cases, depending on politics and culture," he added, "it's easier for them to not acknowledge what's wrong with security, because once they do, something has to be done about it."
A do-nothing CIO, looking out only for No. 1? That's a pretty incendiary observation. But, given the damage done by breaches and the myriad moving parts that need to be in place to thwart them, some soul-searching on the part of certain CIOs is perhaps in order.
CIO news roundup for week of July 28
In other news, as we begin the final month of summer:
- If you use Facebook's app for mobile messaging, take note: The social networking giant is giving users the next few days to download its dedicated Messenger app for that purpose.
- What if the NSA's mass surveillance and data mining was embraced by our society and privacy laws didn't get in the way? Well, Singapore's "curious mix of democracy and authoritarianism" has managed to do just that.
- Soon, misplacing your glasses or contacts might no longer be a nuisance. MIT and UC Berkeley researchers have developed new technology that uses "multiperspective" 3-D technology to automatically correct displays for vision defects.
- Venture capitalists are investing more money in enterprise software vendors, which could indicate these investors' belief that a major change in how technology drives business is imminent.
- Businesses that use Google+ Hangouts for videoconferencing, rejoice: You no longer need a Google+ profile to use the service.
Check out our previous Searchlight roundups: Enterprise mobile now moves at Uber pace and Culture shock: Apple, IBM, Microsoft disrupt themselves on SearchCIO.