I’m certainly not what you would call an avid NCAA college basketball fan. But each March, the brilliant folks at CBS suck me in with this wonderfully hypnotic theme song for the NCAA Men’s Basketball Championship Tournament, known in the US simply as “March Madness.” I’m not alone. Tens of millions of Americans even plunk down hard-earned cash to join March Madness pools, in which they attempt to best predict the outcome of the tournament. During the 2013 March Madness tournament, American corporate office pools alone represented a mind-boggling US$3 billion in wagers.
Unfortunately, the cyber-security professional part of my brain gets stressed out during this season. Enterprise security professionals brace for waves of March Madness-related cyber-attacks, because nearly every aspect of an employee’s involvement with March Madness opens up new cyber risks to both that individual and the company. The network bandwidth consumed by non-work-related video streams and the network threats are well documented, but this year the stakes get even higher with the surge in cyber-attacks and advanced persistent threats (APTs) that misuse keys and certificates to gain trusted status. Let’s walk through typical employees’ March Madness-related behaviors and weigh the risk your enterprise faces over the next three weeks.
The University of Michigan Wolverines aren’t the only ones working hard during the three weeks of March Madness
The first risk posed by March Madness actually occurs as employees join pools before the tournament begins. Cyber-attackers know of pools’ popularity and are, as I type, in the midst of sending out artfully crafted spear phishing emails to millions of fans. By abusing trust in certificates, attackers can put themselves between a user and a legitimate pool site, intercepting all transmitted data without the user realizing anything is wrong. Many users are trained to look for the “green bar” and for the padlock symbol in the URL field. But attackers can obtain a wildcard SSL certificate, associated with a fictitious company, for their fraudulent March Madness pool website. Now the website not only looks and feels exactly like the real site, it also has that padlock, giving victims a false sense of security. Such cyber-attacks, which abuse SSL, are on the rise. In fact, Gartner estimates that by 2017, 50% of cyber-attacks will leverage SSL.
After employees have joined a pool and filled out a bracket, they need to follow the action. Cyber-criminals are aware that millions of Americans, many of them sitting at their desks at work, will be online and searching for live score updates. Many employees will even try to stream games right to their computers. Attackers oblige these user requests by sending out fraudulent emails offering “free live streaming” of the games. Once a user clicks on a link in these emails, malware, perhaps similar to The Mask, installs itself and begins siphoning off credentials such as user certificates, SSH keys and RDP files for attackers’ future use in infiltrating the user’s corporate network. Once attackers gain entry, they escalate their privileges by injecting their own SSH keys and moving to different areas of the network. Finally, they exfiltrate data without raising any alarms, using self-signed certificates to hide the suspicious outbound traffic.
When employees leave the desk, they’ll want to follow the action on a mobile phone or tablet. Numerous mobile apps promise to deliver March Madness game alerts right into the palm of your hand, and among those apps are a fair number of fraudulent ones. As far back as 2010, the US government used a malicious March Madness mobile app as the scenario for drills preparing for a massive cyber-attack against critical infrastructure. Fraudulent apps that are digitally signed with certificates are exceptionally difficult to distinguish from valid apps. In 2013, 27% of all Android mobile malware was signed by fraudulent certificates, and Venafi expects this figure to rise to 100% by the end of 2014. These nefarious apps appear to be valid and trusted, yet they are nothing but advanced mobile malware, designed to steal data, credentials, and certificates (corporate and personal) that reside on the mobile device.
Attacks against keys and certificates present a new way for cyber-attackers to circumvent security controls, access sensitive data, and exfiltrate the stolen data without being noticed. Three months into 2014, these attacks continue to grow at alarming rates, as does the number of pieces of malware signed by SSL certificates, which reached 1.2 million in the last quarter of 2013 alone. Now in the wide-reaching social, sporting phenomenon that is March Madness, cyber attackers see one of the best social engineering opportunities of the year to target millions of Americans at the same time under the same cover story—all while exploiting the fact that attacks misusing keys and certificates are not detected by traditional security controls.
The ability to quickly detect anomalous keys and certificates is vital to minimizing the damage done by these next-generation attacks on trust. The faster you learn about a vulnerability or compromise, the less damage occurs. And the only way to detect anomalies and trust vulnerabilities is to have a solid, ongoing understanding of known good certificates and keys and of valid usages. By implementing a comprehensive program to secure trust by protecting keys and certificates, you can easily gain the clear visibility required to respond to these next-generation attacks on trust. Venafi’s Trust Protection Platform™ gives you the tools for just such a program. To find out how, in only two weeks, you can obtain a next-generation, trust protection platform—fixing critical certificate vulnerabilities, providing ongoing, policy-based monitoring, and rapidly detecting and alerting you to certificate anomalies—contact us here.
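One concrete form of the “known good” inventory described above, applied to the SSH key injection scenario from the streaming-malware paragraph: a small checker that parses an `authorized_keys` file, computes OpenSSH-style SHA256 fingerprints, and reports any entry whose fingerprint is absent from a baseline. This is an added example written for this post, not Venafi code; the key blobs are constructed in the script and stand in for real public keys, and quoted option values containing spaces are not handled.

```python
import base64
import hashlib
import struct

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

def _ed25519_blob(pubkey_bytes: bytes) -> str:
    """Encode 32 key bytes as an ssh-ed25519 blob in OpenSSH wire format (base64)."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + pubkey_bytes
    return base64.b64encode(blob).decode()

# Constructed sample data: one managed key and one "injected" key with a restrictive
# options prefix, such as an attacker might add to blend in. Not real keys.
GOOD_KEY_LINE = f"ssh-ed25519 {_ed25519_blob(bytes(range(32)))} admin@corp.example"
INJECTED_KEY_LINE = f'from="*",no-pty ssh-ed25519 {_ed25519_blob(bytes([7] * 32))} backup'
SAMPLE_AUTHORIZED_KEYS = "# managed keys\n" + GOOD_KEY_LINE + "\n\n" + INJECTED_KEY_LINE + "\n"

def fingerprint(b64_blob: str) -> str:
    """OpenSSH-style SHA256 fingerprint, matching the output of `ssh-keygen -lf`."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text: str):
    """Yield (options, key_type, b64_blob, comment) per key line; skip blanks and comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        options = ""
        # An options field (e.g. from="...",no-pty) may precede the key type.
        if fields[0] not in KEY_TYPES:
            options, fields = fields[0], fields[1:]
        if len(fields) < 2:
            continue
        yield options, fields[0], fields[1], " ".join(fields[2:])

def find_unknown_keys(authorized_keys_text: str, baseline_fingerprints: set) -> list:
    """Return entries whose fingerprint is not in the known-good inventory."""
    unknown = []
    for options, key_type, blob, comment in parse_authorized_keys(authorized_keys_text):
        fp = fingerprint(blob)
        if fp not in baseline_fingerprints:
            unknown.append({"fingerprint": fp, "type": key_type,
                            "options": options, "comment": comment})
    return unknown

if __name__ == "__main__":
    baseline = {fingerprint(GOOD_KEY_LINE.split()[1])}
    for entry in find_unknown_keys(SAMPLE_AUTHORIZED_KEYS, baseline):
        print("UNKNOWN KEY:", entry)
```

The baseline set would normally be produced by the same `fingerprint` function over the keys your provisioning system is authorized to deploy, so that any later difference is the alert.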