Shortfalls in security professionals – turn to reliable managed security services

Shortfalls in security professionals – turn to reliable managed security services

Small to medium-sized businesses are faced with a two-headed beast in terms of cybercrime. To understand and defeat this enemy, you must examine its two main threats to your company’s cybersecurity.

Secure data transfer with Hornetsecurity’s Content Filter

The first part of this cybercriminal monster are the internal and external threats. Malware, phishing, DDoS attacks, and ransomware are just a few of the viruses and methods that hackers use externally to gain access to your site, software, or network. Internal data leaks stem from employees, either by intended sabotage (e.g. theft of IP by exiting employee) or accidental mistakes (e.g. an email sent to wrong recipient) that greatly open up every business to the potential of cybercrime.

Cyberattacks increase and become more and more dissipated

Both internal and external threats are more sophisticated in design than just 5 years ago, and they’re backed up by cyber criminals who simply just don’t stop. According to Gartner researchers, a survey of more than 3,000 CIOs found 95 percent of technology leaders expect cybersecurity threats to grow. In conjunction with this expectation is the fact most companies have no idea where their sensitive data is located, whether it’s secure or whether employees are mistakenly or purposefully misusing it.

The threats are real, and decision-makers know they must be dealt with, but it’s the second head of this cyber animal – the 3.5 million unfilled positions in the IT industry expected by 2021 – that causes alarm for SMBs.

IT security experts – the supply is low, the demand is high

This IT security employee shortage will leave SMBs in a tight spot, as security professionals are hard to find for any sized business and command top salary figures when available. Cybercriminals, of course, aren’t complaining. Small- to medium-sized business will face budget, HR, operations and financial issues when confronting a lack of skilled workers in the marketplace. Not being able to hire the right person with the right skills will cause culture issues with overburdened staff thinking about moving elsewhere. Projects will take longer to complete and end up being costlier in the long run.

According to Gartner researchers, only 65 percent of businesses have a cybersecurity expert on staff, and when a SMB looks to hire a security professional, the cost often exceeds their ability to reap any value from a large investment in talent. The culture fit and complex skillsets required also drive down the availability of affordable, qualified security staff for SMBs to hire.

So, if companies know the threats exist and realize the available talent pool has shrunk in size and risen in cost, why aren’t they taking a more proactive approach to tightening up their security defense right now?

There are solutions to overcome the ill effects of a smaller IT security talent pool, ones that are reliable, efficient and valuable to any SMB. Some companies have embraced the idea of creating “new collar” jobs in cybersecurity. These roles prioritize skills, knowledge and willingness to learn over degrees and the career fields they once worked in.

Hornetsecurity News


Stay in touch

Sign up to get the latest News about Cloud Security.

The triumph of cloud security

And there are those businesses who have adopted cloud-based solutions. These cloud-based security solutions have grown in use and they’ve become known for extremely reliable service. According to a recent survey by Forrester, more than 50 percent of businesses will be adopting applications, platforms and services enabled by cloud-based technologies by the end of 2018. Half of IT spending will be cloud-based by the end of 2018, reaching up to 60 percent of entire IT infrastructure and 60-70 percent of all applications, technology, and services spending by 2020.

Cloud security has provided an affordable blanket of solutions that every SMB can adopt and rely on to relieve HR issues, financial concerns and operational constraints. Cloud-based security providers rely on their ability to quickly detect, contain, and mitigate any type attack.

As the threat landscape evolves, SaaS security providers continue to add new features into their platforms to address the latest concerns.Many cloud services contain native security controls that help companies improve their security posture by adding security controls not met in traditional environments and eliminating redundant controls, expensive appliances and burdensome overlap in traditional solutions.

What Hornetsecurity solutions offer you

For the past 11 years, one such cloud-based leader in security solutions has been Hornetsecurity. Its full suite of award-winning security solutions provides peace of mind for its 35,000-plus customers by delivering lowered administrative costs and 24/7 support. Hornetsecurity’s Advanced Threat Protection and Spam Filter Services are reliable, efficient and exemplify German engineered quality that SMB customers demand in protecting their data and email.

With Hornetsecurity working for your SMB, suddenly many of those internal and external threats are muted, your budget isn’t feeling the pinch, and the meager talent pool of IT security staffers is an afterthought. You’re not focusing administrative time on your security or budget, but on delivering positive business results.

Most importantly, cloud security today is simply better security, and it’s the best way to slay that two-headed beast of cybercrime.

CONTENT FILTER 2.0 – The security officer for your data transfer

CONTENT FILTER 2.0 – The security officer for your data transfer

The State Criminal Police Office of Lower Saxony is currently warning against an increase of emails with fraudulent application content. These emails are explicitly directed at companies with advertised vacancies and endanger in particular personnel departments that are involved in application processes. The seriously formulated emails are attached with alleged application documents in the form of archive data. If these files are unpacked, however, no application documents are revealed, but rather dangerous malware that infects the system.

Secure data transfer with Hornetsecurity’s Content Filter

With Hornetsecurity’s Content Filter, effective protection measures can be taken against unwanted file attachments. In addition to the general protection provided by the spam and virus filter, individual settings for attachments of incoming and outgoing emails can be made within the content filter. Updating the content filter to version 2.0 now also checks nested archives. Defined rules can still be applied for the entire domain or for certain user groups. This allows particularly vulnerable groups in the company to be deliberately protected against current attacks.

Easy setting – secure data transfer

The Content Filter offers an uncomplicated handling for the management of email attachments. Unwanted file formats, such as executable files, are grouped under the collective term .executable and can be selected from a predefined list with just a few clicks by the first time they are set up. Additional file formats that do not fall under one of the collective terms can be added if required. In addition, it is possible to individually configure the maximum permitted size for affected email attachments.

Hornetsecuity Content Filter 2.0

Fig. 1: Settings in the content filter for incoming emails

In case of application two actions can be set for handling the affected: Block email or cut attachment. In addition, encrypted Attachments, which are increasingly used in common formats such as PDF, ZIP, RAR etc., can be explicitly prohibited (Fig. 1). Furthermore, the content filter includes an automated comparison of file extensions with the supplied MIME type, which can differ significantly from the file extension in the case of suspicious email attachments. Archive Files that have internal nesting structures in the form of additional archives are analyzed and evaluated down to the security-relevant level.

If the content filter intervenes and removes a suspicious attachment, it changes the original state of the message. For signed emails, active intervention by the content filter causes the signature to be corrupted. If this occurs, the content filter informs the recipient and specifies whether the signature was valid before the change (Fig.2).

Hornetsecurity Content Filter 2.0

Fig. 2: Valid signature after truncating the content

However, if the certificate of the signed email is available on our systems, the email whose signature was broken by truncating the file attachment is re-signed and thus retains its validity.

The content filter can be activated for all Hornetsecurity partners and customers in addition to the spam and virus filter.

ATP – the interoperable complement for comprehensive protection

The current threat landscape of malware ranges from ransomware to cryptominers and is constantly changing. Spam, virus and content filters provide a solid basis against cyber attacks. These filters do not provide 100% protection against targeted and sophisticated attacks on companies. Further protection mechanisms are needed that adapt to the constantly changing types of attacks and malware. By combining Hornetsecurity’s interoperable filters, full protection against specific cyber attacks can be achieved and sustainably secured for companies.

In addition to the spam and virus filter, Advanced Threat Protection (ATP) from Hornetsecurity offers reliable protection against current malware attacks. ATP integrates seamlessly into the existing filters from Hornetsecurity email services and has, in comparison to the content filter, profound behavior analyses of file contents. Thanks to the integrated ATP engines such as the sandbox, URL Rewriting and URL Scanning , attacks such as targeted or blended attacks are detected early and the necessary protective measures are initiated in real time. For example, hidden links infiltrated in files can be recursively tracked in an isolated environment and the content hidden within can be subjected to forensic analysis. For content patterns that indicate malicious intent, the company’s IT security team is notified in real time for immediate protection.

Email encryption – A guide for implementation at SMBs

Email encryption – A guide for implementation at SMBs

Certificates, signed emails, symmetric and asymmetric encryption, S/MIME, TLS and PGP – for many who do not regularly deal with email encryption these terms are quite foreign. However, with the new basic data protection regulations (DSGVO) these terms have been pushed to the top of the to-do lists for many SMBs. Although, many companies lack the necessary knowledge to implement the new requirements in regards to the encryption of their email communication. In this article, Hornetsecurity aims to explain some of the basic terms and technologies around email encryption.

Asymmetric and symmetric email encryption – what are the differences?

If you take a closer look at asymmetric and symmetric email encryption you will very quickly discover that these two are fundamentally different. Essentially, they differ in the number and type of keys used.

Symmetric email encryption uses the same key to encrypt and decrypt the email. This means that the sender and recipient of an email share the same key. Thus, this procedure is very simple, but its security is essentially tied to the secrecy of the keys – if the key falls into the hands of a third party that person can decrypt the entire communication.

Asymmetric email encryption uses a total of four keys, one key pair each – a public and a private key per communication partner. The public key is accessible to everyone who wants to communicate and is transferred with the certificate exchange. It is used to encrypt the data, in our case, emails.

To decrypt the encrypted data again, the private key belonging to the public key is required. Although the key pair is mathematically interdependent and it’s practically impossible to calculate it.

S/MIME, PGP and TLS – what are the abbreviations?

Hornetsecurity News


Stay in touch

Sign up to get the latest News about Cloud Security.

PGP and S/MIME are asymmetric encryption methods. Both procedures have a decisive advantage and disadvantage. The advantage is that the email provider of the sender and recipient also has no insight into the email. The disadvantage is that only the message is encrypted. The sender and recipient as well as the subject can still be read.

The main difference between email encryption with S/MIME and PGP is the issue of certificates. While PGP (also known as OpenPGP) is an open source solution in which everyone can create their own certificates, certification at S/MIME takes place via official certification authorities, the so-called Certificate Authorities (CA).

TLS differs fundamentally from email encryption with S/MIME or PGP. Here it’s not the email itself that is encrypted, but only the connection between the two communicating servers. This means that the email cannot be accessed during transport, but it is not encrypted on the respective mail servers.

How to implement email encryption – there is no “one” way

All roads lead to Rome – but which ones lead to legally compliant email encryption? In fact, there are several ways for companies to implement legally compliant email encryption. The most prominent are on-premise and cloud-based solutions.

With on-premise solutions, the emails are encrypted directly on site, i.e. at the companies themselves. The email encryption software can be purchased, rented or operated completely independently from an external provider. Although this procedure offers the company a high degree of transparency and decision-making freedom, it involves an administrative effort that should not be underestimated. The costs for maintenance and operation are also quite significant. Today, on-premise solutions are considered a thing of the past and are increasingly being replaced by modern cloud-based computing.

E-Mail-Verschlüsselung bei Hornetsecurity

Graphic: Email encryption using cloud computing (click to enlarge)

With the cloud-based computing alternative, also known as “Software as a Service” (SaaS) solution, the security provider relieves the company of all expenses, such as administrative and operational costs. All of the company’s email traffic is then handled by the security provider’s servers, including Hornetsecurity’s email encryption service. The route between the customer’s mail server and the service provider is protected by TLS. This solution is characterized by the elimination of administrative work for any particular company. However, to fully ensure secure email communication, TLS and S/MIME can and should be used simultaneously. This is the only way to encrypt the email itself and its transport route.

Weiterführende Informationen:

With multiple levels of protection to be on the safe side

With multiple levels of protection to be on the safe side

Anti-virus solutions alone are not enough – but they still make sense

The world has become more complex, not only in politics and business but also in the field of IT security. Multi-layered defense measures are a must for companies if they want to effectively protect their IT infrastructure because cyber threats have also become much more versatile and professional. “Simple” solutions by themselves are no longer enough, yet still have their reason for being.

Until a few years ago it was relatively easy to organize the protection of your IT systems. And even today, there are still companies that rely on a few established defensive measures. Together with a firewall and a spam filter, classic AV solutions are still the standard to protect against intruders, and one of the main reasons this type of protection is generally accepted as a proven mechanism against malware. Antivirus products are highly automated and do not require extensive attention from IT administrators or security specialists, which saves money, time and effort.

Modern malware outwits classic AV products

Hornetsecurity News


Stay in touch

Sign up to get the latest News about Cloud Security.

On the other hand, the discussion has been smoldering for some time as to whether anti-virus solutions are still effective against malware at all or perhaps do more harm than good and should therefore be abandoned. The fact is, classic products for defending against malware no longer offer adequate protection. Classic AV scanners fail to recognize all malware specimens and many specimens are not recognized at all, even after many weeks or even months.

Strengths and weaknesses in malware detection are widely distributed among the various AV providers. In addition, new types of cyber-attacks are making life increasingly difficult for classic AV scanners. Polymorphic viruses, e.g. in the form of ransomware, are evading signature-based detection mechanisms in slightly modified forms. Classic AV scanners have little or no chance against file-less attacks such as CEO fraud as these do not contain any suspicious objects for investigation.

Equally problematic are links in documents that can lead to downloads of malware. Companies that solely rely on the use of classic security solutions weigh themselves in false security. Nevertheless, the use of classic AV scanners is necessary and sensible.

Many defensive measures spoil the attacker’s success

Modern IT security solutions and suites are built on the principle of multiple protection with multiple defense methods and there are good reasons for employing multi-level protection. If the first protective measures complete part of the task in a relatively simple way, the powerful and more complex filters behind it are no longer so heavily loaded and thus perform better.

Subsequent security levels based on heuristic or behavior-based filter systems significantly improve detection performance and thus increase the chance of being spared damage by malware. These include services that detect hidden links in emails or attachments, analyze the behavior of malware in a sandbox, or hold back suspicious email attachments for a certain period of time and then check these attachments again with updated signatures.

Many companies have recognized this and rely on a multi-part defense strategy with several defensive lines in place. This way, they minimize the risk of experiencing a nasty surprise and becoming victims of a cyber-attack.

Additional information:

  1. Hornetsecurity Managed Spamfilter Service for companies
  2. Want to learn more about Advanced Threat Protection? Find out more now!.
  3. Do you already know the Hornetsecurity Knowledge Base? Click here for more information.
Malware Analysis and Defense

Malware Analysis and Defense

Third part of the multipart “Defense against malware”

The workstations of our malware analysts do not differ from others in Hornetsecurity’s offices, even though the Security Lab is referred to as a “laboratory”. Erlenmeyer flasks, test tubes and Bunsen burners are not to be found, but quite normal computers. The work is done virtually, in sandboxes or by analyzing the data traffic. Nevertheless, the importance of malware analysts should not be underestimated, as it ensures that Hornetsecurity’s defense systems are always as up-to-date as possible and maintain the highest quality standard.

But what is the procedure for analyzing malware? Usually there is a very large, continuous stream of data to analyze. The main task is to extract valuable information from the raw data, process it and make it “intelligent”. To this end, analysts use various tools and programs to answer specific questions: What are the objectives of malware? Which characteristics are typical for the investigated malware? Is there any evidence of the attacker(s)? Ideally, actions can be derived from the findings such as writing new filter rules or creating algorithms.

Two different types of analysis

Two ways of analyzing malware are presented in more detail here. In static analysis, the code itself is viewed without executing the malware, while in dynamic analysis, the behavior of the malicious code is tracked in a secure environment.

In the static analysis, the analysts break down the malware to the smallest detail in order to draw conclusions from the code itself. For example, significant strings are extracted or shell scripts are started and further results are generated with disassemblers. Here you can find information on the activities of the malware and which features it shows, the so-called Indicators of Compromise (IoC). Based on the findings, the individual filter systems can be updated to prevent further attacks by this and similar malware as quickly as possible.

One possibility for dynamic analysis is to let the malicious code perform its task in the secure environment of a sandbox. This method can be well automated to obtain certain results. The filter systems can be updated based on these results. Does the code change certain files, does it make changes in the registry or has it generally adapted the system settings to DNS servers, for example? Who does the malware contact? These and other questions can be answered in the following way.

Hornetsecurity News


Stay in touch

Sign up to get the latest News about Cloud Security.

Various possibilities of use

The most obvious application of the data obtained from malware analysis for IT security companies is to improve their defense methods and thus better protect their customers from attacks. To do this, analysts extract certain binary patterns and use them to create so-called Yara rules with which malware samples can be found, categorized and grouped. Behavior signatures applied in the sandbox can detect and categorize certain behavior patterns of malicious code.

An example: In the sandbox, an Office document in the file attachment is opened. There the behavioral signatures recognize that the document to be examined begins to collect and send information about user accounts. If this analysis takes place in a cloud-based environment, it is then possible to intercept the conspicuous emails and thus completely block the attacks.

All of these and many other defense measures should help to intercept and prevent an attack at the earliest possible point so that the damage caused by malware is as small as possible or, better yet, does not occur at all.

Much of the raw data obtained by malware analysis and the findings derived from it are also useful for general prevention. Research projects can benefit from this and make their scientifically-sound results available to the general public. In addition, the publication of malware analyses also serves to educate the public. Increasing knowledge about the approaches of cyber attacks and malware attacks helps to limit their success rates.

EFAIL: A vulnerability in the PGP and S/MIME encryption methods?

EFAIL: A vulnerability in the PGP and S/MIME encryption methods?

UPDATE from May 16, 2018:

In order to proactively protect our corporate customers, who are still encrypting and decrypting their emails via an in-house solution and have not yet booked the Hornetsecurity Encryption Service, from EFAIL, we have also developed a special filter level for attacks according to the EFAIL pattern. The only prerequisite for this is that their email communication runs via the Hornetsecurity servers, which is generally the case with our email security products.

 

The filter level is already activated by default for all our customers who have booked at least the Hornetsecurity spam filter service and. It protects not only against EFAIL, but also against future attacks with similar patterns.

 

+++++

 

A known vulnerability is transferred to the PGP and S/MIME protocols and takes email manipulation to a new level. No problem for Hornetsecurity.

On Monday, May 14, 2018, a team of security researchers from the University of Applied Sciences Münster, the Ruhr University Bochum and the University of Leuven (Belgium) published a paper that questions the security of the PGP and S/MIME encryption standards and thus attracts worldwide attention.

However, the vulnerabilities discovered (CVE-2017-17688 and CVE-2017-17689) do not affect the protocols themselves, but use an already known vulnerability to decrypt encrypted emails by the mail client and send them to the attacker.

A prerequisite for the execution of the attacks is that the attacker already possesses emails in encrypted form. To do this, the emails need to be intercepted during transport. The attacker must have previously executed a man-in-the-middle attack (MitM) or compromised a mail server to gain access to the emails passing through him or the server. Only if these requirements are met, the attacker can execute one of the EFAIL attacks described in the paper.

The authors of the paper present two similar attacking methods to decrypt emails with existing PGP or S/MIME encryption.

The first method is quite simple, but limited to certain email clients (Apple Mail, iOS Mail, Mozilla Thunderbird) and any third-party plug-ins installed there:

To do this, the attacker creates an email with three body parts. The first part formats the email as HTML and inserts an image tag with a target website. The quotation marks and the image tag are not closed. This is followed in the second body part by the PGP- or S/MIME-encrypted text. The third part consists of HTML formatting again and closes the image tag from part one.

EFAIL vulnerabilty pgp smime encryption methods

(Source: EFAIL attacks, 14/05/04 )

If the attacker sends this email to the sender of the encrypted message, it is possible that the message is decrypted and transmitted to the stored website. To do this, the email client must be configured so that it automatically downloads external images without asking the user.

The second way to read PGP or S/MIME encrypted emails is a well-known method of how to extract plain text in blocks of encrypted messages.

The attacking scenarios are called CBC attack (S/MIME) and CFB attack (PGP). They determine a known text portion in an encrypted message and overwrites subsequent blocks with their own content. The EFAIL attack inserts an image tag with a target website into the encrypted text, as described in the first part. If the message is then delivered to the actual recipient of the encrypted message, it is possible that the message is decrypted and transmitted to the attacker.

Hornetsecurity News


Stay in touch

Sign up to get the latest News about Cloud Security.

The emails encrypted by Hornetsecurity are protected by design against attacks of this kind, since Hornetsecurity does not even allow the different content types (multipart/mixed) required for the attack.

The encryption methods themselves – S/MIME and PGP – were not broken; rather, vulnerabilities were found in email clients for HTML emails that bypass these encryption techniques. In addition, we object to the recommendation of various security researchers to generally deactivate content encryption: PGP and S/MIME are still not per se more insecure than a pure transport-encrypted transmission or no encryption at all, even after this publication. Since the attack requires a MitM attack, i.e. a breaking of the possible transport encryption, a general levering out of content encryption would be fatal: Possible attackers could even read the email traffic directly like a postcard!

Hornetsecurity Encryption Service, which is immune to EFAIL, does not require any client plug-ins: Encryption and decryption are fully automated by Hornetsecurity in the cloud – no installation, maintenance or user interaction is required – simply secure!

Further information: