MOBILE & IOT WEB THREATS SOCIAL MEDIA & SCAMS TARGETED ATTACKS 2015 Internet Security Threat Report 101DATA BREACHES & PRIVACY E-CRIME & MALWARE APPENDIX BACK TO TABLE OF CONTENTSAPPENDIX
Looking Ahead

Threat Intelligence and Unified Security

Today’s attackers are skilled enough and sufficiently resourced to have the persistence and patience to carry out their espionage activities over a period of months or even years. They have only to be successful once in order to breach their targets’ defenses; however, those targets must be able to resist each and every one of those assaults, every second of every day. Threat intelligence is a vital component in understanding these potential threats, uncovering new attacks, and better protecting critical company assets. Threat intelligence can provide a prioritized list of suspicious incidents by correlating all available information from across the enterprise.

Advanced attackers use exploit toolkits against not only older vulnerabilities but also new, zero-day ones, and being good at defense means being harder to breach. The battle is an asymmetric one, and attackers already understand the defenses and their weaknesses. A unified security model is not just about investing in great technology. It also takes a holistic approach that combines threat intelligence, risk management, and the very best technical solutions. A unified approach will not only help reveal who is being targeted but also how and why. Understanding the new threats is critical, and businesses should now expect to be attacked—the question is not “if” but “when” and “how.”

Unified security can leverage the combined visibility and threat intelligence gathered across the enterprise to block, detect, and remediate attacks. It can help guide how to better protect confidential information and reduce risk, supporting the continual assessment of not only people and their skills but also processes and technology to ensure the best response is followed. Processes are continually updated and skills maintained. Ultimately, by becoming harder to breach, attackers must work harder; no one wants to be the weakest link in the supply chain. This, we believe, is the future of security.

Security Gamification

As the 15th-century security consultant Niccolo Machiavelli observed, “Men are so simple and yield so readily to the desires of the moment that he who will trick will always find another who will suffer to be tricked.”

Internet security relies on the human element as much as it does on technology. If people were more skillful, they could help reduce the risks they faced. This is as true of consumers’ avoiding scams as it is of government employees’ avoiding the social engineering in targeted attacks.

In this context, gamification can be used to turn “the desires of the moment” into lasting changes of behavior by using the psychological rewards and instant gratification of simple computer games. Gamification could be used, for example, to train people to be wary of phishing emails or to generate, remember, and use strong passwords.

Symantec sees a big market opportunity and a great need for this kind of training in the coming years.

Security Simulation

Companies can prepare for security breaches and understand their defenses better using simulations and security “war games.” By extending conventional penetration testing into a simulated response and remediation phase, companies can train their people and improve their readiness. This message is not lost on governments. In January 2015, UK Prime Minister David Cameron and U.S. President Barack Obama agreed to carry out “war game” cyberattacks on each other. Companies should follow their example in 2015.
Determined Attackers Will Likely Succeed

In the battle between attackers and corporate IT security, the bad guys have to be lucky only once. The IT department has to be lucky all the time. With this in mind, IT managers (and indeed consumers) need to plan for the worst. There is no magic-bullet technology that will guarantee immunity from Internet crime or determined, targeted attacks. So assume you’ve been hacked or you’re about to be hacked. Switch from a binary “safe”/“not safe” view to a nuanced, almost medical approach to trends, symptoms, behavioral prevention, diagnostics, and treatment.

On a technical level, it means ensuring you have effective data loss prevention software on each endpoint, gateway, and email server to prevent data exfiltration. It also means that backup and disaster recovery become much more important, as do detection and response planning. This is not a counsel of despair—we should never make it easy for attackers by giving up on prevention—but it is better to be wise before the event than sad after it.

Data Sharing Between Companies Is Essential

Data sharing between companies is essential to security. Historically, companies have been afraid to share too much information with other companies, so they’ve effectively fought individual battles against the bad guys and depended on their own internal resources. We believe they need to pool their threat intelligence and their experience to combat the criminals. Tools that allow them to do this while retaining some IP protection will become increasingly important. For example, security electronic data exchanges could share hashes, binary attributes, symptoms, and so on, without revealing corporate secrets or information that could be useful in an attack.

Insecure Operating Systems

A quarter of PC users were running Windows XP and Office 2003 in July 2014[141] even as their software went out of support and Microsoft stopped updating it. A lot of people are still in denial about this change. This leaves them unpatched as new threats emerge. Over the next year, this presents a significant security risk. For embedded devices running out-of-date operating systems, companies will need to find new ways of protecting them until they can be replaced or upgraded.

Internet of Things

As consumers buy more smart watches, activity trackers, holographic headsets, and whatever new wearable devices are dreamed up in Silicon Valley and Shenzhen, the need for improved security on these devices will become more pressing. It’s a fast-moving environment where innovation trumps privacy. Short of government regulation, a media-friendly scare story, or greater consumer awareness of the dangers, it is unlikely that security and privacy will get the attention they deserve. The market for Internet of Things–ready devices is growing but is still very fragmented, with a rich diversity in low-cost hardware platforms and operating systems. As market leaders emerge and certain ecosystems grow, the attacks against these devices will undoubtedly escalate, as has already happened with attacks against the Android platform in the mobile arena in recent years.
Best Practice Guidelines for Businesses

Employ defense-in-depth strategies

Emphasize multiple, overlapping, and mutually supportive defensive systems to guard against single-point failures in any specific technology or protection method. This should include the deployment of regularly updated firewalls as well as gateway antivirus, intrusion detection or protection systems (IPS), website vulnerability with malware protection, and web security gateway solutions throughout the network.

Monitor for network incursion attempts, vulnerabilities, and brand abuse

Receive alerts for new vulnerabilities and threats across vendor platforms for proactive remediation. Track brand abuse via domain alerting and fictitious website reporting.

Antivirus on endpoints is not enough

On endpoints, it is important to have the latest versions of antivirus software installed. Deploy and use a comprehensive endpoint security product that includes additional layers of protection including:

- Endpoint intrusion prevention that protects unpatched vulnerabilities from being exploited, protects against social engineering attacks, and stops malware from reaching endpoints;
- Browser protection for avoiding obfuscated web-based attacks;
- File and web-based reputation solutions that provide a risk-and-reputation rating of any application and website to prevent rapidly mutating and polymorphic malware;
- Behavioral prevention capabilities that look at the behavior of applications and prevent malware;
- Application control settings that can prevent applications and browser plug-ins from downloading unauthorized malicious content;
- Device control settings that prevent and limit the types of USB devices to be used.

Secure your websites against MITM attacks and malware infection

Avoid compromising your trusted relationship with your customers by:

- Implementing Always On SSL (SSL protection on your website from logon to logoff);
- Scanning your website daily for malware;
- Setting the secure flag for all session cookies;
- Regularly assessing your website for any vulnerabilities (in 2013 1 in 8 websites scanned by Symantec was found to have vulnerabilities);
- Choosing SSL Certificates with Extended Validation to display the green browser address bar to website users;
- Displaying recognized trust marks in highly visible locations on your website to show customers your commitment to their security.

Protect your private keys

Make sure to get your digital certificates from an established, trustworthy certificate authority that demonstrates excellent security practices. Symantec recommends that organizations:

- Use separate Test Signing and Release Signing infrastructures;
- Secure keys in secure, tamper-proof, cryptographic hardware devices;
- Implement physical security to protect your assets from theft.

Use encryption to protect sensitive data

Implement and enforce a security policy whereby any sensitive data is encrypted. Access to sensitive information should be restricted. This should include a Data Loss Protection (DLP) solution. Ensure that customer data is encrypted as well. This not only serves to prevent data breaches, but can also help mitigate the damage of potential data leaks from within an organization.

Use Data Loss Prevention to help prevent data breaches

Implement a DLP solution that can discover where sensitive data resides, monitor its use, and protect it from loss. Data loss prevention should be implemented to monitor the flow of information as it leaves the organization over the network, and monitor traffic to external devices or websites.

- DLP should be configured to identify and block suspicious copying or downloading of sensitive data;
- DLP should also be used to identify confidential or sensitive data assets on network file systems and computers.

Ensure all devices allowed on company networks have adequate security protections

If a bring your own device (BYOD) policy is in place, ensure a minimal security profile is established for any devices that are allowed access to the network.

Implement a removable media policy

Where practical, restrict unauthorized devices such as external portable hard-drives and other removable media. Such devices can both introduce malware and facilitate intellectual property breaches, whether intentional or unintentional. If external media devices are permitted, automatically scan them for viruses upon connection to the network and use a DLP solution to monitor and restrict copying confidential data to unencrypted external storage devices.

Be aggressive in your updating and patching

Update, patch, and migrate from outdated and insecure browsers, applications, and browser plug-ins. This also applies to operating systems, not just across computers, but mobile, ICS, and IoT devices as well. Keep virus and intrusion prevention definitions at the latest available versions using vendors’ automatic update mechanisms. Most software vendors work diligently to patch exploited software vulnerabilities; however, such patches can only be effective if adopted in the field. Wherever possible, automate patch deployments to maintain protection against vulnerabilities across the organization.

Enforce an effective password policy

Ensure passwords are strong; at least 8-10 characters long and include a mixture of letters and numbers. Encourage users to avoid re-using the same passwords on multiple websites, and sharing of passwords with others should be forbidden. Passwords should be changed regularly, at least every 90 days.

Ensure regular backups are available

Create and maintain regular backups of critical systems, as well as endpoints. In the event of a security or data emergency, backups should be easily accessible to minimize downtime of services and employee productivity.

Restrict email attachments

Configure mail servers to block or remove email that contains file attachments that are commonly used to spread viruses, such as .VBS, .BAT, .EXE, .PIF, and .SCR files. Enterprises should investigate policies for .PDFs that are allowed to be included as email attachments. Ensure that mail servers are adequately protected by security software and that email is thoroughly scanned.

Ensure that you have infection and incident response procedures in place

- Keep your security vendor contact information handy, know who you will call, and what steps you will take if you have one or more infected systems;
- Ensure that a backup-and-restore solution is in place in order to restore lost or compromised data in the event of successful attack or catastrophic data loss;
- Make use of post-infection detection capabilities from web gateway, endpoint security solutions and firewalls to identify infected systems;
- Isolate infected computers to prevent the risk of further infection within the organization, and restore using trusted backup media;
- If network services are exploited by malicious code or some other threat, disable or block access to those services until a patch is applied.

Educate users on basic security protocols

- Do not open attachments unless they are expected and come from a known and trusted source, and do not execute software that is downloaded from the Internet (if such actions are permitted) unless the download has been scanned for viruses;
- Be cautious when clicking on URLs in emails or social media programs, even when coming from trusted sources and friends;
- Deploy web browser URL reputation plug-in solutions that display the reputation of websites from searches;
- Only download software (if allowed) from corporate shares or directly from the vendor website;
- If Windows users see a warning indicating that they are “infected” after clicking on a URL or using a search engine (fake antivirus infections), educate users to close or quit the browser using Alt-F4, CTRL+W or the task manager.

Building Security into devices

The diverse nature of ICS and IoT platforms make host-based IDS and IPS, with customizable rulesets and policies that are unique to a platform and application, suitable solutions. However, manufacturers of ICS and IoT devices are largely responsible for ensuring that security is built into the devices before shipping. Building security directly into the software and applications that run on the ICS and IoT devices would prevent many attacks that manage to side-step defenses at the upper layers. Manufacturers should adopt and integrate such principles into their software development process.
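The attachment-blocking advice above, turned into a gateway-side check. This is an added example, not code from the report or from Symantec; the sample message, its addresses and its attachment names are constructed, and the choice to hold PDFs for review (rather than allow or block them) is one possible policy of the kind the report says enterprises should set.

```python
"""Mail-gateway attachment policy check for the extensions the report lists.

Added example, not Symantec's code. Blocks attachment types commonly used
to spread viruses (.VBS, .BAT, .EXE, .PIF, .SCR) and holds PDFs for
review. Standard library only; the sample message below is constructed.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from pathlib import PurePosixPath

# Extensions the report lists as commonly used to spread viruses.
BLOCKED_EXTENSIONS = {".vbs", ".bat", ".exe", ".pif", ".scr"}
# The report says enterprises should decide a policy for PDF attachments;
# this example surfaces them for review instead of silently allowing them.
REVIEW_EXTENSIONS = {".pdf"}


def classify_filename(name: str) -> str:
    """Return 'block', 'review' or 'allow' for one attachment filename.

    Windows silently drops trailing dots and spaces when the file is saved,
    so "payload.exe. " becomes payload.exe; normalise before looking at the
    final extension. The comparison is case-insensitive, and the last
    extension is the one that counts, which is what catches "invoice.pdf.EXE".
    """
    cleaned = name.strip().rstrip(". ")
    ext = PurePosixPath(cleaned).suffix.lower()
    if ext in BLOCKED_EXTENSIONS:
        return "block"
    if ext in REVIEW_EXTENSIONS:
        return "review"
    return "allow"


def check_message(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and group its attachments by verdict."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    verdicts = {"block": [], "review": [], "allow": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if not filename:
            continue  # message body, not an attachment
        verdicts[classify_filename(filename)].append(filename)
    return verdicts


def build_sample_message() -> bytes:
    """Constructed message carrying one attachment of each kind."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached files.")
    msg.add_attachment(b"%PDF-1.4", maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    # Double extension: shown as a PDF on systems that hide extensions.
    msg.add_attachment(b"MZ", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.EXE")
    msg.add_attachment(b"MZ", maintype="application",
                       subtype="octet-stream", filename="update.ScR")
    msg.add_attachment("plain text", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for verdict, names in check_message(build_sample_message()).items():
        print(f"{verdict:6s} {names}")
```

The check looks only at names; a production gateway should also scan content, since a blocked type can be renamed or placed inside an archive.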
20 Critical Security Controls

Overview

The Council on Cybersecurity 20 Critical Security Controls is a prioritized list designed to provide maximum benefits toward improving risk posture against real-world threats. This list of 20 control areas grew out of an international consortium of U.S. and international agencies and experts, sharing from actual incidents and helping to keep it current against evolving global cybersecurity threats.

Many organizations face the challenges and increasing threats to their cybersecurity by strategically choosing a security controls framework as a reference for initiating, implementing, measuring and evaluating their security posture, and managing risk. Over the years, many security control frameworks have been developed (e.g. NIST), with the common goal of offering combined knowledge and proven guidance for protecting critical assets, infrastructure and information. Based on the information we have today about attacks and threats, what are the most important steps that enterprises should take now, to secure systems and data?

The Critical Security Controls are designed to provide organizations the information necessary to increase their security posture in a consistent and ongoing fashion. The Controls are a relatively small number of prioritized, well-vetted, and supported set of security actions that organizations can take to assess and improve their current security state.

To implement the Controls you must understand what is critical to your business, data, systems, networks, and infrastructures, and you must consider the adversary actions that could impact your ability to be successful in the business or operations.

Top 5 Priorities

We emphasize the use of the first five Controls for every organization. This helps establish a foundation of security and has the most immediate impact on preventing attacks. From this foundation organizations can apply other Controls as they meet the business need of the organization.

In the following pages you will see a table that outlines the areas identified in the ISTR and ties them to Critical Security Controls:

01 Inventory of Authorized and Unauthorized Devices

Reduce the ability of attackers to find and exploit unauthorized and unprotected systems: Use active monitoring and configuration management to maintain an up-to-date inventory of devices connected to the enterprise network, including servers, workstations, laptops, and remote devices.

02 Inventory of Authorized and Unauthorized Software

Identify vulnerable or malicious software to mitigate or root out attacks: Devise a list of authorized software for each type of system, and deploy tools to track software installed (including type, version, and patches) and monitor for unauthorized or unnecessary software.

03 Secure Configurations for Hardware & Software on Laptops, Workstations, and Servers

Prevent attackers from exploiting services and settings that allow easy access through networks and browsers: Build a secure image that is used for all new systems deployed to the enterprise, host these standard images on secure storage servers, regularly validate and update these configurations, and track system images in a configuration management system.

04 Continuous Vulnerability Assessment and Remediation

Proactively identify and repair software vulnerabilities reported by security researchers or vendors: Regularly run automated vulnerability scanning tools against all systems and quickly remediate any vulnerabilities, with critical problems fixed within 48 hours.

05 Malware Defense

Block malicious code from tampering with system settings or content, capturing sensitive data, or from spreading: Use automated antivirus and anti-spyware software to continuously monitor and protect workstations, servers, and mobile devices. Automatically update such anti-malware tools on all machines on a daily basis.
Critical Control Protection Priorities

[Table: for each threat area covered in the ISTR (Internet of Things, Mobile Threats, Protect Web Servers, Web-Based Attacks, Spam & Phishing, Targeted Attacks, Data Breaches, Malware Threats, Bots) the applicable Critical Security Control numbers are listed under three headings: Harden Defenses, Enhance Detection, Reduce Impact.]
Critical Controls

01 Inventory of Authorized and Unauthorized Devices

Reduce the ability of attackers to find and exploit unauthorized and unprotected systems: Use active monitoring and configuration management to maintain an up-to-date inventory of devices connected to the enterprise network, including servers, workstations, laptops, and remote devices.

02 Inventory of Authorized and Unauthorized Software

Identify vulnerable or malicious software to mitigate or root out attacks: Devise a list of authorized software for each type of system, and deploy tools to track software installed (including type, version, and patches) and monitor for unauthorized or unnecessary software.

03 Secure Configurations for Hardware & Software on Laptops, Workstations, and Servers

Prevent attackers from exploiting services and settings that allow easy access through networks and browsers: Build a secure image that is used for all new systems deployed to the enterprise, host these standard images on secure storage servers, regularly validate and update these configurations, and track system images in a configuration management system.

04 Continuous Vulnerability Assessment and Remediation

Proactively identify and repair software vulnerabilities reported by security researchers or vendors: Regularly run automated vulnerability scanning tools against all systems and quickly remediate any vulnerabilities, with critical problems fixed within 48 hours.

05 Malware Defense

Block malicious code from tampering with system settings or content, capturing sensitive data, or from spreading: Use automated antivirus and anti-spyware software to continuously monitor and protect workstations, servers, and mobile devices. Automatically update such anti-malware tools on all machines on a daily basis. Prevent network devices from using auto-run programs to access removable media.

06 Application Software Security

Neutralize vulnerabilities in web-based and other application software: Carefully test internally-developed and third-party application software for security flaws, including coding errors and malware. Deploy web application firewalls that inspect all traffic, and explicitly check for errors in all user input (including by size and data type).

07 Wireless Device Control

Protect the security perimeter against unauthorized wireless access: Allow wireless devices to connect to the network only if they match an authorized configuration and security profile and have a documented owner and defined business need. Ensure that all wireless access points are manageable using enterprise management tools. Configure scanning tools to detect wireless access points.

08 Data Recovery Capability

Minimize the damage from an attack: Implement a trustworthy plan for removing all traces of an attack. Automatically back up all information required to fully restore each system, including the operating system, application software, and data. Back up all systems at least weekly; back up sensitive systems more frequently. Regularly test the restoration process.

09 Security Skills Assessment and Appropriate Training to Fill Gaps

Find knowledge gaps, and eradicate them with exercises and training: Develop a security skills assessment program, map training against the skills required for each job, and use the results to allocate resources effectively to improve security practices.

10 Secure Configurations for Network Devices such as Firewalls, Routers, and Switches

Preclude electronic holes from forming at connection points with the Internet, other organizations, and internal network segments: Compare firewall, router, and switch configurations against standards for each type of network device. Ensure that any deviations from the standard configurations are documented and approved and that any temporary deviations are undone when the business need abates.
11 Limitation and Control of Network Ports, Protocols, and Services

Allow remote access only to legitimate users and services: Apply host-based firewalls, port-filtering, and scanning tools to block traffic that is not explicitly allowed. Properly configure web servers, mail servers, file and print services, and domain name system (DNS) servers to limit remote access. Disable automatic installation of unnecessary software components. Move servers inside the firewall unless remote access is required for business purposes.

12 Controlled Use of Administrative Privileges

Protect and validate administrative accounts on desktops, laptops, and servers to prevent two common types of attack: (1) enticing users to open a malicious email, attachment, or file, or to visit a malicious website; and (2) cracking an administrative password and thereby gaining access to a target machine. Use robust passwords that follow Federal Desktop Core Configuration (FDCC) standards.

13 Boundary Defense

Control the flow of traffic through network borders, and police content by looking for attacks and evidence of compromised machines: Establish a multi-layered boundary defense by relying on firewalls, proxies, demilitarized zone (DMZ) perimeter networks, and other network-based tools. Filter inbound and outbound traffic, including through business partner networks (“extranets”).

14 Maintenance, Monitoring, and Analysis of Security Audit Logs

Use detailed logs to identify and uncover the details of an attack, including the location, malicious software deployed, and activity on victim machines: Generate standardized logs for each hardware device and the software installed on it, including date, time stamp, source addresses, destination addresses, and other information about each packet and/or transaction. Store logs on dedicated servers, and run bi-weekly reports to identify and document anomalies.

15 Controlled Access Based on the Need to Know

Prevent attackers from gaining access to highly sensitive data: Carefully identify and separate critical data from information that is readily available to internal network users. Establish a multilevel data classification scheme based on the impact of any data exposure, and ensure that only authenticated users have access to nonpublic data and files.

16 Account Monitoring and Control

Keep attackers from impersonating legitimate users: Review all system accounts and disable any that are not associated with a business process and owner. Immediately revoke system access for terminated employees or contractors. Disable dormant accounts and encrypt and isolate any files associated with such accounts. Use robust passwords that conform to FDCC standards.

17 Data Loss Prevention

Stop unauthorized transfer of sensitive data through network attacks and physical theft: Scrutinize the movement of data across network boundaries, both electronically and physically, to minimize exposure to attackers. Monitor people, processes, and systems, using a centralized management framework.

18 Incident Response Management

Protect the organization’s reputation, as well as its information: Develop an incident response plan with clearly delineated roles and responsibilities for quickly discovering an attack and then effectively containing the damage, eradicating the attacker’s presence, and restoring the integrity of the network and systems.

19 Secure Network Engineering

Keep poor network design from enabling attackers: Use a robust, secure network engineering process to prevent security controls from being circumvented. Deploy a network architecture with at least three tiers: DMZ, middleware, private network. Allow rapid deployment of new access controls to quickly deflect attacks.

20 Penetration Tests and Red Team Exercises

Use simulated attacks to improve organizational readiness: Conduct regular internal and external penetration tests that mimic an attack to identify vulnerabilities and gauge the potential damage. Use periodic red team exercises—all-out attempts to gain access to critical data and systems to test existing defense and response capabilities.
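Control 10's comparison of running configurations against a standard, with documented deviations that expire, as an added example (not the Council's or Symantec's code). The 'key = value' config format, the device type, the setting names and the dates are constructed for the example.

```python
"""Configuration drift check for Critical Control 10 (network devices).

Added example, not from the report. A device's running configuration is
compared with the standard for its device type; each difference is either
unapproved, covered by a documented and approved deviation, or covered by
a temporary deviation whose business need has expired and so must be
undone. Config format, device names and dates are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Deviation:
    """A documented, approved exception to the standard for one setting."""
    key: str
    value: str               # the non-standard value that was approved
    approved_by: str
    expires: Optional[date]  # None means a permanent, not temporary, exception


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines; blank lines and '#' comments are ignored."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def check_drift(standard: Dict[str, str], running: Dict[str, str],
                deviations: List[Deviation], today: date) -> dict:
    """Classify every difference between the running config and the standard.

    Returns a dict with four lists:
      unapproved - (key, expected, actual) with no approved deviation
      expired    - (key, expected, actual, expiry) for temporary deviations
                   whose end date has passed; these must be undone
      missing    - standard keys absent from the running configuration
      extra      - running keys the standard does not cover (review them)
    """
    approved = {(d.key, d.value): d for d in deviations}
    result = {"unapproved": [], "expired": [], "missing": [], "extra": []}
    for key, expected in standard.items():
        if key not in running:
            result["missing"].append(key)
            continue
        actual = running[key]
        if actual == expected:
            continue
        dev = approved.get((key, actual))
        if dev is None:
            result["unapproved"].append((key, expected, actual))
        elif dev.expires is not None and dev.expires < today:
            result["expired"].append((key, expected, actual, dev.expires))
    result["extra"] = sorted(k for k in running if k not in standard)
    return result


# Constructed standard for one device type and one device's running config.
EDGE_FIREWALL_STANDARD = """
ssh.version = 2
telnet.enabled = no
snmp.version = 3
logging.server = 10.0.0.5
ntp.server = 10.0.0.6
"""

FW01_RUNNING = """
ssh.version = 2
telnet.enabled = yes     # vendor migration, approved until end of March
snmp.version = 2c
logging.server = 10.0.0.5
http.admin = enabled
"""

FW01_DEVIATIONS = [
    Deviation("telnet.enabled", "yes", "netops-lead", date(2015, 3, 31)),
]


def audit_fw01(today_iso: str = "2015-04-15") -> dict:
    """Run the drift check for the constructed device as of the given day."""
    return check_drift(parse_config(EDGE_FIREWALL_STANDARD),
                       parse_config(FW01_RUNNING), FW01_DEVIATIONS,
                       date.fromisoformat(today_iso))


if __name__ == "__main__":
    for category, items in audit_fw01().items():
        print(category, items)
```

Run daily against exported configs, the 'expired' list is the reminder the control asks for: the approved telnet exception is still in place two weeks after its business need ended.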
Best Practice Guidelines for Consumers

Protect Yourself

Use a modern Internet security solution that includes the following capabilities for maximum protection against malicious code and other threats:

- Antivirus (file- and heuristic-based) and behavioral malware prevention can prevent unknown malicious threats from executing;
- Bi-directional firewalls will block malware from exploiting potentially vulnerable applications and services running on your computer;
- Browser protection to protect against obfuscated web-based attacks;
- Use reputation-based tools that check the reputation and trust of a file and website before downloading, and that check URL reputations and provide safety ratings for websites found through search engines;
- Consider options for implementing cross-platform parental controls, such as Norton Online Family.[142]

Update Regularly

Keep your system, program, and virus definitions up-to-date – always accept updates requested by the vendor. Running out-of-date versions can put you at risk from being exploited by web-based attacks. Only download updates from vendor sites directly. Select automatic updates wherever possible.

Be Wary of Scareware Tactics

Versions of software that claim to be free, cracked or pirated can expose you to malware, or social engineering attacks that attempt to trick you into thinking your computer is infected and getting you to pay money to have it removed.

Use an Effective Password Policy

Ensure that passwords are a mix of letters and numbers, and change them often. Passwords should not consist of words from the dictionary. Do not use the same password for multiple applications or websites. Use complex passwords (upper/lowercase and punctuation) or passphrases.

Think Before You Click

Never view, open, or copy email attachments to your desktop or execute any email attachment unless you expect it and trust the sender. Even when receiving email attachments from trusted users, be suspicious.

Be cautious when clicking on URLs in emails or social media communications, even when coming from trusted sources and friends. Do not blindly click on shortened URLs without expanding them first using a preview tool or plug-in.

Use a web browser plug-in or URL reputation site that shows the reputation and safety rating of websites before visiting. Be suspicious of search engine results; only click through to trusted sources when conducting searches, especially on topics that are hot in the media.

Be suspicious of warnings that pop up asking you to install media players, document viewers and security updates. Only download software directly from the vendor’s website.

Be aware of files you make available for sharing on public sites, including gaming, bitTorrent, and any other peer-to-peer (P2P) exchanges. Keep Dropbox, Evernote, and other usages to a minimum for pertinent information only.

Guard Your Personal Data

Limit the amount of personal information you make publicly available on the Internet (in particular via social networks). This includes personal and financial information, such as bank logins or birth dates.

Review your bank, credit card, and credit information frequently for irregular activity. Avoid banking or shopping online from public computers (such as libraries, Internet cafes, and similar establishments) or from unencrypted Wi-Fi connections.

Use HTTPS when connecting via Wi-Fi networks to your email, social media and sharing websites. Check the settings and preferences of the applications and websites you are using.

Look for the green browser address bar, HTTPS, and recognizable trust marks when you visit websites where you log in or share any personal information.

Configure your home Wi-Fi network for strong authentication and always require a unique password for access to it.
Best Practice Guidelines for Website Owners

Despite this year's vulnerabilities, when it comes to protecting your website visitors and the information they share with you, SSL and TLS remain the gold standard.

In fact, due to the publicity that Heartbleed received, more companies than ever have started hiring SSL developers to work on fixes and code. This has focused more eyes on the SSL libraries and on common good practices in implementation.

Get Stronger SSL

SSL certificate algorithms became stronger than ever in 2014. Symantec, along with several other CAs, has moved to SHA-2 as the default and is winding down support for 1024-bit roots.[143] Microsoft and Google announced SHA-1 deprecation plans that may affect websites with SHA-1 certificates expiring as early as January 1, 2016.[144] In other words, if you haven't migrated to SHA-2, visitors using Chrome to access your site will likely see a security warning, and as of January 1, 2017, your certificates just won't work for visitors using Internet Explorer.

Symantec is also advancing the use of the ECC algorithm—a much stronger alternative to RSA. All major browsers, even mobile, support ECC certificates on all the latest platforms, and there are three main benefits to using it:

1. Improved Security

Compared to an industry-standard RSA-2048 key, ECC-256 keys are 10,000 times harder to crack.[145] In other words, it would take a lot more computing power and a lot longer for a brute-force attack to crack this algorithm.

2. Better Performance

Website owners used to worry that implementing SSL certificates would slow their sites. This led to many sites having only partial-on SSL, which creates serious vulnerabilities. ECC requires much less processing power on the website than RSA does and can handle more users and more connections simultaneously. This makes the implementation of always-on SSL not only sensible but viable too.

3. Perfect Forward Secrecy (PFS)

Although PFS is an option with both RSA-based and ECC-based certificates, performance is much better with ECC-based certificates. Why does that matter? Without PFS, if hackers got hold of your private keys, they could retrospectively decrypt any and all data they had captured. Considering that the Heartbleed vulnerability made this a very real possibility for so many websites, this is a problem. With PFS, however, if hackers crack or get hold of your SSL certificate private keys, they can decrypt only information protected with those keys from that point on—not historical data.

Use SSL Correctly

As we realized in 2014, SSL is only as good as its implementation and maintenance. So be sure to:

Implement Always-On SSL. Use SSL certificates to protect every page of your website so that every interaction a visitor has with your site is authenticated and encrypted.

Keep Servers Up to Date. This applies beyond server SSL libraries: any patches or updates should be installed as soon as possible. They're released for a reason: to reduce or eliminate a vulnerability.

Display Recognized Trust Marks (such as the Norton Secured Seal) in highly visible locations on your website to show customers your commitment to their security.

Scan Regularly. Keep an eye on your web servers and watch for vulnerabilities or malware.

Keep Server Configuration Up to Date. Make sure that old, insecure versions of the SSL protocol (SSL2 and SSL3) are disabled, and that newer versions of the TLS protocol (TLS1.1 and TLS1.2) are enabled and prioritized. Use tools like Symantec's SSL Toolbox to verify proper server configuration.[146]

Educate Employees

Basic common sense and the introduction of some good security habits can go a long way toward keeping sites and servers safe this year:

Ensure employees don't open attachments from senders they don't know.

Educate them on safe social media conduct: offers that look too good probably aren't legitimate; hot topics are prime bait for scams; not all links lead to real login pages.

Encourage them to adopt two-step authentication on any website or app that offers it.

Ensure they have different passwords for every email account, application, and login—especially for work-related sites and services.

Remind them to use common sense—having antivirus software doesn't mean it's OK to go on malicious or questionable websites.
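The server-side guidance above (always-on SSL, SSL2/SSL3 disabled with TLS 1.1/1.2 preferred, an ECC certificate signed with SHA-2, and ECDHE suites for forward secrecy) expressed as an nginx configuration, with the weak server block beside the corrected one. This is an added example, not configuration from the report or from any Symantec tool; the hostname, file paths and certificate names are placeholders.

```nginx
# Weak configuration: the pattern the guidance warns against (constructed example)
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate     /etc/ssl/example/sha1-rsa1024.crt;   # SHA-1 signed, 1024-bit RSA key
    ssl_certificate_key /etc/ssl/example/sha1-rsa1024.key;
    ssl_protocols SSLv3 TLSv1;                 # SSL3 still enabled, no TLS 1.1/1.2
    ssl_ciphers 'AES128-SHA:DES-CBC3-SHA';     # static RSA key exchange: no forward secrecy
    # Only the login page is served here; the rest of the site is plain HTTP ("partial-on SSL")
}

# Corrected configuration
# 1. Always-on SSL: every plain-HTTP request is redirected to its HTTPS equivalent
server {
    listen 80;
    server_name www.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name www.example.com;

    # SHA-2 signed ECC (P-256) certificate from the CA, with its intermediate chain appended
    ssl_certificate     /etc/ssl/example/sha256-ecdsa-p256.fullchain.crt;
    ssl_certificate_key /etc/ssl/example/sha256-ecdsa-p256.key;

    # 2. SSL2/SSL3 disabled; TLS 1.1 and 1.2 enabled (on current servers TLS 1.2 alone is the floor)
    ssl_protocols TLSv1.1 TLSv1.2;

    # 3. ECDHE-only suites, server order enforced: ephemeral keys give perfect forward
    #    secrecy, so a later compromise of the certificate key cannot decrypt captured traffic
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384';
    ssl_ecdh_curve prime256v1;

    # Session resumption keeps the always-on SSL overhead low
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # Browsers remember for a year that this site is HTTPS-only
    add_header Strict-Transport-Security "max-age=31536000" always;
}
```

After reloading, verify the result with an external scanner such as the SSL Toolbox mentioned above rather than trusting the file alone: a stray `include` or a second server block can silently re-enable the old protocols.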
Get Safe or Get Shamed

Attackers have become more aggressive, more sophisticated, and more ruthless than ever in their attempts to exploit the Internet for ill gains. There is, however, plenty that individuals and organizations can do to limit attackers' impact.

SSL and website security are now in the public consciousness, and if you're not doing your part you could find yourself being publicly shamed on HTTP Shaming, a site set up by software engineer Tony Webster.[147]

When it comes to businesses and their websites, good security processes and implementations are all that stand in the way of total financial and reputational ruin. So get secure in 2015 with Symantec.