
Webinar: Stop More Threats With Additional Email Security Layer


Frustrated by malware and spear phishing attacks getting past your email security defenses? According to the SANS Institute report, 95% of all attacks on enterprise networks gained entry through a spear phishing attack. By adding an additional email security layer that uses technologies such as multi-antivirus scanning and data sanitization, you can catch more malware threats and spear phishing attempts with malicious attachments that previously would have passed through undetected.

Tony Berning, Senior Product Manager at OPSWAT, will discuss how the Metascan® Mail Agent can be used with any third-party email security gateway to scan email attachments and significantly increase your protection against email-borne threats. Tony will complete the webinar with a live demo of Metascan Mail Agent.

Date: November 17th, 2015

Time: 10am-11am (PST)

Register for the webinar here

Featured speaker:

Tony Berning, Senior Product Manager at OPSWAT, manages the Metascan and Metadefender product lines at OPSWAT, working with customers and partners to deliver products that meet customers’ multi-scanning and security needs.

 


What Can We Learn from Anti-malware Naming Conventions?


Using naming conventions to track the detection of viruses can be difficult because vendors often report the same virus with completely different names, even if they otherwise agree on the format. Although this is not always true, it applies to most of the cases we have experienced at OPSWAT. The question is, how similar are the names of viruses used by different vendors and are there any trends in naming patterns used? 

As a first step in answering this question, we did a search online to try to find naming convention rules for anti-malware vendors with the largest market share. Surprisingly, we were only able to locate naming convention information from four vendor websites:

  1. Avira Resource
  2. Microsoft Resource
  3. Symantec Resource
  4. Trend Micro Resource

For research purposes, we decided to conduct an experiment where we scanned 30 well-known malware samples with our multiple anti-malware scanner, Metascan Online, and analyzed the scan results. The table below shows a summary of the detection details from our research:

Virus Name                   | # of Engines that Detected the Threat | Naming pattern across different engines (shared by # vendors)
-----------------------------|---------------------------------------|---------------------------------------------------------------
Win32.Madang.C               | 12 | Win32*Madang* (10)
JS/Exploit-Blacole.jf        | 22 | Trojan*Script* (4), JS*Blacole (5)
Trojan/Win32.SGeneric        | 27 | *Domal* (18)
Trojan.ADRD                  | 24 | *Andr*Geinimi* (3), *Android*Adrd* (13)
Trojan.DR.Diple.Gen.4        | 34 | *Gen*Variant*Sireferf* (4), *Win32*Vobfus* (10), *W32*VBinject*Gen* (3)
Trojan-PWS.Win32.Kykymber    | 33 | *PSW*Kykymber* (11), *PWS*Onlinegames* (11)
Win32/Expiro4.Gen            | 30 | *Win32*Expiro* (26)
Script/Exploit.Kit           | 20 | *JS*Blacole* (7), *Troj*Iframe* (5)
Skodna.Bundle.BD             | 15 | *Inst*Core* (11)
ADWARE/InstallRex.Q          | 25 | *Gen*Variant*Inst* (4), *Adware*Inst* (4)
Trojan/Win32.Bladabindi      | 10 | *Gen*Variant*Barys* (4)
Trojan/Win32.Agent           | 34 | *Gen*Variant*Symmi* (4), *Worm*Gamarue* (9)
Virus/Win32.Nimnul.a         | 36 | *Ramnit* (23), *Nimnul* (6)
Riskware/MyWebSearch         | 10 | *MyWebSearch* (8)
Riskware.Win32.FunWeb.dbxkle | 34 | *FunWeb* (3), *MyWebSearch* (3)
PUP.Win32.MindSpark.F        | 36 | *MyWebSearch* (7)
Application.Agent.HN         | 10 | *Application*Agent*HN* (3), *ClientConnect* (3)
Troj/Keygen-DX               | 7  | *HackTool* (3), *Keygen* (7)
Adware.SearchProtect.2       | 9  | *SearchProtect* (3)
Adware.SearchProtect.ky.tmre | 14 | *SearchProtect* (8)
Adware.WProtManager.Win32.21 | 18 | *WProtManager* (5), *Gen*Variant*Graftor* (4), *Elex* (6)
Adware.Win32.Agent           | 5  | *Adware*Generic* (4), *Trojan*Click* (3), *Adware*Agent* (7)
ADWARE/Adware.Gen            | 12 | *Adware*Generic* (5), *Elex* (4)
MyPCBackup.E.foha            | 22 | *MyPCBackup* (7)
AdWare.Agent                 | 21 | *Elex* (4), *Trojan*Click* (3), *Adware*Agent* (8)
Win.Adware.SupTab            | 16 | *Adware*SupTab* (4), *Mutabaha* (3)
Adware.MAC.OSX.Genieo.BU     | 10 | *Adware*OSX* (6)
Hacktool.IdleKMS.C.gfky      | 11 | *Hacktool* (3), *KMS* (5)
Adware/Agent.lmx             | 16 | *Adware*Agent* (6), *Elex* (5)
Adware.Suptab.A              | 22 | *Adware*Agent* (8), *Adware*Suptab* (5)

 

Conclusions

From the data above, we can infer that naming conventions lack consistency across anti-malware vendors - there isn't even consistency in the inconsistency! However, if we build some regular expression filters and try to group the results into patterns, we can still find a few nuggets of useful information.

  1. BitDefender, Emsisoft, F-secure and Lavasoft are all comparable for detection rates and virus naming conventions.
  2. Some malware files were detected by Sophos but not by Preventon. However, if both of these vendors report a threat, the naming convention reported for the threat is usually the same. 
  3. Similarly to Sophos and Preventon, some malware files are detected by CYREN but not by F-Prot. However, if both of these vendors report a malware type, their reported virus naming convention is usually the same.
  4. Microsoft always follows the naming convention as “Type:Platform/MalwareFamily.Variant”. For example, “Virus:Win32/Madang.A!dam”,  “TrojanSpy:AndroidOS/Adrd.A”, “Worm:Win32/Vobfus.gen!O” and so on.
  5. Most anti-malware vendors report the virus' behavior and OS consistently. That being said, nearly every virus would have 3 to 5 different values of their family, name and variant from different anti-malware vendors.
  6. Trojans and worms are two of the most confusing categories across vendors. Some vendors will classify a Trojan as worm while others may do the complete opposite and name a worm as a Trojan. This makes it particularly difficult to find vendor detection for these types of malware. CARO officially states that ‘worm’ is not a malware type, but many vendors still use it.
  7. The virus naming convention used by K7 Computing is different from any other vendor. K7 Computing uses the following format: “Behavior (9 digit unique id)”.
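As an added example (not OPSWAT's code or Metascan Online output), the following Python shows the kind of regular-expression filtering the conclusions describe: a parser for the Microsoft "Type:Platform/MalwareFamily.Variant" form from item 4, wildcard grouping in the table's "*Win32*Expiro*" notation, and a token-frequency pass that finds a consensus family name without a hand-written pattern. The engine names and detection strings in SAMPLE_SCAN are constructed for illustration.

```python
import re
from collections import Counter
from fnmatch import fnmatchcase

# Microsoft's "Type:Platform/Family.Variant" form with an optional "!suffix",
# e.g. "Virus:Win32/Madang.A!dam" or "Worm:Win32/Vobfus.gen!O".
MS_NAME = re.compile(
    r"^(?P<type>[A-Za-z]+):(?P<platform>[A-Za-z0-9]+)/(?P<family>[A-Za-z0-9_-]+)"
    r"(?:\.(?P<variant>[A-Za-z0-9]+))?(?:!(?P<suffix>[A-Za-z0-9]+))?$"
)


def parse_microsoft_name(name):
    """Split a Microsoft-style detection name into its fields, or return None
    when the name does not follow the Type:Platform/Family.Variant[!suffix] form."""
    m = MS_NAME.match(name)
    return m.groupdict() if m else None


# Constructed sample: detections for one file as reported by hypothetical engines.
# Engine names and detection strings are made up for illustration only.
SAMPLE_SCAN = {
    "EngineA": "Virus:Win32/Expiro.gen!A",
    "EngineB": "W32/Expiro-H",
    "EngineC": "Win32.Expiro.W",
    "EngineD": "Virus.Win32.Expiro.w",
    "EngineE": "Trojan.GenericKD.1234567",
    "EngineF": "PE:Win32.Expiro.c!1234",
}


def group_by_pattern(scan, patterns):
    """Assign each engine's name to the first wildcard pattern it matches.
    Matching is case-insensitive and '*' stands for any run of characters,
    the same notation the table above uses. Returns a tuple of
    ({pattern: [engines]}, [engines that matched no pattern])."""
    groups = {p: [] for p in patterns}
    unmatched = []
    for engine, name in scan.items():
        for pat in patterns:
            if fnmatchcase(name.lower(), pat.lower()):
                groups[pat].append(engine)
                break
        else:
            unmatched.append(engine)
    return groups, unmatched


def pattern_share(scan, patterns):
    """The table's 'shared by # vendors' figure for each pattern."""
    groups, _ = group_by_pattern(scan, patterns)
    return {p: len(engines) for p, engines in groups.items()}


# Separators that vendors use between type, platform, family and variant.
TOKEN_SPLIT = re.compile(r"[./:!_\-\s]+")


def common_tokens(scan, min_share):
    """Name tokens (type, platform, family words) used by at least min_share
    engines. A token shared by most engines is the likely family name, which
    is what the patterns in the table were built around."""
    counts = Counter()
    for name in scan.values():
        counts.update({t.lower() for t in TOKEN_SPLIT.split(name) if t})
    return {t: n for t, n in counts.items() if n >= min_share}


if __name__ == "__main__":
    print(parse_microsoft_name("TrojanSpy:AndroidOS/Adrd.A"))
    print(pattern_share(SAMPLE_SCAN, ["*Win32*Expiro*", "*W32*Expiro*"]))
    print(common_tokens(SAMPLE_SCAN, min_share=4))
```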

There are definitely more clues that we could have pulled from the raw data above, but they don't really offer a reliable way for users or other post-detection programs to parse and execute their next action. Sadly, there isn't an industry-wide malware naming convention system that has gained widespread adoption, though several have tried. CARO (Computer Antivirus Research Organization), perhaps one of the best-known organizations on virus naming conventions, has been pushing for a naming standard since the 1990’s. Unfortunately, they did not get very far in convincing anti-malware vendors - there are simply too many practical limitations to maintain consistency after the conventions are adopted. A few other vendors have tried and failed to succeed after CARO. One such example is the CME (Common Malware Enumeration). Hoping to capitalize on the success of the CVE (Common Vulnerability Enumeration), they petitioned for a common naming standard but failed due to the changing nature of malware. Their website still provides details on the venture, nearly 10 years after ceasing the project:

In late 2006 the malware threat changed away from the pandemic, widespread threats CME was developed to address to more localized, targeted threats, which significantly reduced the need for common malware identifiers to mitigate user confusion in the general public.

Therefore, all CME-related efforts transitioned into support to MITRE’s Malware Attribute Enumeration and Characterization (MAEC™) effort.

Interestingly enough, the new effort, MAEC (Malware Attribute Enumeration and Characterization), focuses more on attributes and less on actual malware specimens. They describe the new project in the following way:

International in scope and free for public use, MAEC is a standardized language for encoding and communicating high-fidelity information about malware based upon attributes such as behaviors, artifacts, and attack patterns.

By eliminating the ambiguity and inaccuracy that currently exists in malware descriptions and by reducing reliance on signatures, MAEC aims to improve human-to-human, human-to-tool, tool-to-tool, and tool-to-human communication about malware; reduce potential duplication of malware analysis efforts by researchers; and allow for the faster development of countermeasures by enabling the ability to leverage responses to previously observed malware instances.

This new effort is commendable and gets to the heart of the real issue – how can organizations share information about threats? It’s a hot topic in the news that no one has an easy answer to. The US Federal government has created a new entity specifically for this purpose and the CIA is reorganizing to make sharing info on cyber threats easier. Additionally, many vendors in the security industry are creating platforms for sharing collective intelligence on threats. Of course, there is also a language barrier to consider when naming threats; it would be much easier if vendors could agree on a common language to use. 

The increasing popularity of threat exchanges may hasten the widespread adoption of a single threat description language. As of now, there are several competing standards in use (thankfully the formats are often interchangeable) though issues such as copyright of the language and patentability of inventions have given some in the industry reason for concern. 

Different geography, languages, and focus amongst anti-malware vendors are all challenges that have hampered efforts for a unified malware naming convention standard. That being said, one could argue that they are not blockers. Take another industry, encryption, for example. How was it that RSA encryption became such a successful standard? How did RSA become the standard over others? Are there lessons to be learned from the RSA example and can they be used to create a general malware database naming convention across most of the anti-malware vendors and research organizations? We don't have the answer to this question yet, but this is definitely something that security industry professionals should think about and move towards. 

Or maybe a philosophical change is in order. Take the quote from Mitre about MAEC “MAEC is a standardized language for … malware based upon attributes such as behaviors, artifacts, and attack patterns. By eliminating the ambiguity and inaccuracy that currently exists in malware descriptions and by reducing reliance on signatures…” Mitre isn’t trying to correct the problems CARO experienced in implementation, rather they are proposing an entirely different way of communicating information about malware, instead of trying to name the malware. 

English regionalisms are a nice analog for this challenge and solution. For example, on the West Coast we have sprinkles, however on the East Coast there are jimmies. These are identical products, but to someone without this knowledge they would have no reasonable chance of associating the two unless they saw them side-by-side and found no differences. Even if this observer were to conclude that sprinkles are jimmies, what would they now call them? Ostensibly they would need to remember both names and use the appropriate name depending on their audience. Alternatively, they could declare a unique number or new name and get everyone to agree on its use, or taking MAEC as an example the solution would be to replace the name with a description. So instead of a sprinkle or a jimmie, they would be “small particles of chocolate, candy, sugar, etc., used as a decorative topping for cookies, cakes, ice cream cones, and the like.” [1] The drawback to this is obvious and, therefore, impractical for human communication, but not necessarily for computers. The ‘cost’ of being more verbose is more easily overcome by a computer than a human, but eventually a human is still involved and may just want to call it a sprinkle. 

References

  1. Naming convention resource from BitDefender
  2. Naming convention resource from ESET
  3. Naming convention resource from Lenny Zeltser

Credit for the content in this post is also attributed to Adam Winn, Senior Product Manager at OPSWAT. You can check out posts by Adam here.

 

Busted: 3 Myths about Endpoint Visibility


Maintaining endpoint visibility with or without client agents is fundamental to any network or information security architecture. Regardless of processes, programs, or the number of devices and people, being able to monitor the endpoints containing and accessing your data is an important step in protecting your organization’s intellectual property and bottom line. Unfortunately, there are security headwinds (or downright myths) implying that endpoint visibility is both troublesome and risky, even unnecessary or unwanted.

With the broad selection of endpoint monitoring tools available, some of these drawbacks are based in reality, while others are simply talking points used by one vendor to promote their own strategy at the expense of others. Here are three myths about endpoint visibility and why they don’t apply to OPSWAT Gears.

The Three Myths:

Anton Chuvakin, a researcher at Gartner, is credited for coining the term “Endpoint Detection and Response” (EDR), and has strong views on the current state of the technology. His latest “reality check” for the antivirus community argues that:

  1. Agents cause problems, and nobody in the industry would prefer their EDR to rely on an agent because:

    “...your prospective customers will still hate you with a passion [only because some stupid fat agent killed their dear Excel or slowed the system to a crawl 5 years ago]. Of course, I am watching the attempts to create a decent “agentless EDR” with much elation …”

  2. There's no desire to perform audits, and believing so is unrealistic given:

    “...the fact that EDR tooling makes certain tasks (like checking what is running on all your machines, etc) easier, there is an implication that there is a desire to perform those tasks and that there is somebody to actually do those tasks…”

  3. Focus on the endpoint is just a trend, and is not feasible for a lot of companies.

    “...focus on the endpoint may be a trend, but it does not mean it is operationally feasible for a lot of companies.” - Anton Chuvakin.

Ultimately, critics like Chuvakin believe that endpoint focus may just be a trend, isn’t needed by IT administrators or organizations, and provides more risks and overhead than protection. Here is why they couldn't be more wrong:  

MYTH 1: Agents cause problems

Firstly, just because an endpoint visibility solution uses an agent to check the security posture of an endpoint, does not make it inherently worse than an agentless solution. This distaste for agent-based solutions has been exaggerated and needs to be addressed. 

A bad agent-based solution can be absolutely terrible, yes, but so can a bad agentless solution. Integrating a lightweight and well-built agent into your existing security infrastructure offers tremendous benefits over agentless solutions. Why? Because the agent's benefits hinge on the architecture needs of the customer, not necessarily the capabilities of the software vendor. In fact, many “agentless” solutions are actually using the device's operating system as their agent, and are thereby limited in their detection abilities, leaving you and your network vulnerable to exploitation. Put it this way: if you are trying to assess whether the endpoint's operating system has been compromised, why would you trust that same operating system to tell the truth? That doesn't make any sense to us. It would be like asking a clinically insane person whether or not they're delusional; of course they're going to say "No", because if they knew they were crazy, they wouldn't have been deemed clinically insane in the first place. The same goes for infectious threats and operating systems: asking an infected system to report on its own infection status is problematic. In order to conduct and maintain good endpoint visibility, solutions should perform their own inspections without total reliance on the operating system-provided APIs. This independent analysis is a more accurate way to detect and prevent network infections.

Most importantly, having an agent means you, your team, and fellow coworkers can work remotely and be vetted by an endpoint visibility solution before accessing the organization's VPN or SaaS applications. Mobility is increasing, even if BYOD adoption has an uncertain future. The professionals of our modern industries use an arsenal of cloud-based applications in order to communicate, design, or store the projects they're working on. From Google Drive and Evernote to Salesforce and Box, many of the services we use are helpful because they provide mobility and flexibility. Having that freedom for you and your coworkers to work wherever, whenever, can be vital to your company culture. However, with increased mobility comes an increased chance of malware infection. Imagine, for an instant, that when you go out with your laptop to a coffee shop or to a park, it is like taking your infant child through a lush rainforest. Yes, it can be relieving, beautiful and freeing, but it can also be frightening, as there are lots of hidden bacteria and threats all around you. With each "public Wi-Fi" or Starbucks lounge you connect your device to, you are entering a new area of the cyber-rainforest. With a layered approach to detect and prevent those threats, your baby (and this time I mean your latest MacBook Pro) will need to be secured during your jungle excursion, and vetted before it is ready to rejoin the ranks of your coworkers. With endpoint visibility solutions like OPSWAT Gears, you, your team, and fellow coworkers can be both free and secured.

You might be thinking, but what about the security risks of unmanaged devices? Guest devices without a designated administrator or software monitoring the health and status of the device present a security risk, and before they are brought into a network of sensitive information, the guest devices should be scanned. However, it is understandable that not all visiting guests will agree to install an agent on their beloved laptop. It's somewhat intrusive to be expected to download the software of a company when you're their guest, right? That’s why dissolvable agents have become popular for many enterprise applications, especially as a teleconferencing solution. We’re not talking about antiquated ActiveX or Java-based agents either. These are native applications that have been carefully designed and tested to provide on-demand users with the same experience as users of the installed application.

MYTH 2: There’s no desire to perform audits

Secondly, some security product managers are actually arguing that there isn’t really a need for program monitoring and auditing, as administrators are rarely empowered or expected to carry out such activities. This line of thinking paints IT administrators as reactionary employees, seeking nothing other than to avoid ridicule of crashed programs and servers. However, I would argue that IT administrators are aware of the importance of their role in protecting their organizations from crippling data breaches, take their vocation seriously, and will use all the tools within their reach to limit vulnerabilities without hindering productivity.

So how can a well-designed endpoint visibility and protection platform reconcile this difference in opinions? For starters, it needs to be much more than just visibility. It is trivial to build an application that collects a ton of data and simply dumps it in some database. These applications exist, are typically heavily marketed with big budgets, and quickly become shelfware for many organizations. No one wants to sort through gigabytes (or even terabytes) of data about their endpoints looking for some proverbial needle in a haystack. Trust us, we don't like the sound of that either. Just look at what’s happened with SIEM -- the golden child of security analytics has certainly helped certain organizations, but more so has kept systems integrators' and analysts' pockets lined with corporate dollars for implementation and management services. With OPSWAT Gears, you can test it out on twenty-five devices for free, and "free" certainly will not break the IT budget.

But how is Gears different? We focus on collecting relevant data and presenting only what is useful to IT administrators. But what do IT admins really care about? They want the basics like antivirus presence, antivirus status, and disk encryption, but also want information regarding OS patches, passwords and lock screen status. These are just a few of the many features that are very important to administrators, and Gears offers these features for Linux, Android, Windows, and Mac devices. It is deceptively complicated to collect device data in a reliable way across multiple operating systems, especially if you are dealing with unmanaged devices where these settings and software are mostly ad hoc and cannot be centrally managed. We’re now on the fourth generation of our OESIS SDK, and have spent hundreds of man-hours addressing the challenge of making it easier to build Gears into your security architecture. OPSWAT Gears is uniquely positioned to take advantage of the administrator management experience by providing them with digestible information, and empowering them to focus on creating actionable policies without a complicated setup. We designed Gears to simplify endpoint security management, not complicate it.

MYTH 3: Focus on the endpoint is just a trend

Lastly, the feasibility and tangible benefits of endpoint visibility and security will directly determine whether endpoint focus is just a trend, or simply part of the never-ending vacillation between “secure the network” and “secure the endpoint”. Obviously, both agentless and agent-based approaches have merits, otherwise this argument would have been settled long ago. But here at OPSWAT, we feel there is room for both strategies, and an effective security defense should incorporate both. Agent and agentless security strategies are not mutually exclusive, the caveat being that neither should become such a management burden that the other suffers for attention. False alarms, false positives, endless logs of meaningless data and the like are a surefire way to kill any security initiative. The same goes for performance issues -- a bloated agent that slows down the endpoint leads to end-user revolt, which eventually creates IT dissatisfaction, and ultimately leads to product abandonment by the IT administrators themselves. Hello shelf!

When we design software at OPSWAT, we follow a few simple tenets, including “end-users should respect it” and “IT admins should love it”. If your software or appliance doesn’t satisfy those two basic (yet difficult to accomplish) criteria, then it is doomed to become shelfware. Big marketing dollars pushing sub-par software can give an entire product category a bad reputation. So try out OPSWAT Gears for free today for up to twenty-five devices, and see for yourself why you'll never shelve an OPSWAT product. 

Macs Don’t Need Antivirus, Right? Maybe Not Anymore…


Discussions about Mac computers requiring antivirus or anti-malware software are typically quite terse -- most feel that antivirus software for Mac computers isn't necessary, though it's not a bad idea per se. 

Even among professionals in the cyber security industry, there is very little use of anti-malware software. I don't have any survey to prove this (nor do I feel the need to even search for one) -- I see it every day working in San Francisco. One of the products I manage, OPSWAT Gears, is designed to monitor endpoint security compliance, especially the presence of antivirus products on workstations. When telling people about the product, they often say, "Oh this is pretty cool and I can definitely use it for my Windows workstations, but I personally have a Mac, I don't really need antivirus right?" My answer used to be a confident, "Not really, especially if you keep your system and software patched. Scan any suspicious downloads and attachments with Metascan Online and you'll probably be fine."

Even if someone did manage to get their Mac infected with malware, it was usually just adware (again, no stats to back this up, just my own observations). They would then need to figure out what malware they had and then hit up Google for removal instructions. A little bit of time lost and frustration but no serious damage. 

Some of the more exotic exploits like Thunderstrike 2, while definitely more serious than adware, wouldn't even be detected or blocked by anti-malware software, so that's not a good reason either. 

Now I think things are starting to change. I was reading the Security Affairs blog and saw that a few days ago a Brazilian researcher, Rafael Salema Marques, published a proof of concept (PoC) ransomware for Mac OS X called Mabouia. The video shows a Microsoft Word file (.docx) being opened, and instantly the personal files on the device are encrypted with 32-round XTEA encryption. And while 32 rounds of XTEA isn't perfect, this is just a PoC and the level of encryption isn't the point of the demonstration.

While watching the video, you'll notice that when the user executes the weaponized Word file, they aren't prompted for their username and password. No super user rights are required for the malware to do its damage. If the user places value in their personal files, then the malware doesn't need to look beyond the current logged-in user to wreak havoc. 

Video Credit: Rafael Marques

I'm not saying this PoC of Mac ransomware is the first horseman of the OS X security apocalypse. I don't expect to see code like Mabouia enhanced into a self-replicating Mac ransomware infection that can wipe out an entire school district anytime soon, but with reports showing that CryptoWall 3 may have grossed over $325 million USD, it's naive to think someone isn't thinking about how to profit from the over 60 million Mac computers out there. 

In the past, my advice about using anti-malware software on a Mac used to be based on the fact that the repercussions of an infection weren't severe. But, I would think that the prospect of a $387 (1 BTC) ransom is a pretty convincing reason to install anti-malware software with real time protection on a Mac.

Improved Android Onboarding and Firefox Compatibility


In this month’s Gears release, we have made the onboarding process much easier for Android users, enabled cookie injection for Firefox browsers, and made other fixes and enhancements that will make Security Score information more clear. In light of recent Android breaches, we are also announcing our upcoming APK scanning feature!

Code Name: Ohio

Easier Onboarding for Android Users

Android device users now have access to one-click device registration for Gears Mobile. The Google Play download link on the Gears guest device download page is now customized for each account. When a new user installs Gears Mobile for Android using this link, they will automatically have their device registered the first time they open the app! This makes onboarding new users faster and easier than ever.


We're working on bringing the same feature to iOS soon, so stay tuned.

Firefox Cookie Injection Improved

The NAC for SaaS cookie API reliability is dramatically improved for Firefox users on Windows with our latest release. Previously, the configuration for cookie injection only required a host address. This created an incompatibility for some domains when querying the cookies from Firefox. To improve reliability, Gears customers that are setting up NAC for SaaS must now provide the base domain in addition to the host address. For example, if you enter a host address such as 'myvpn.example-company.com' then the base domain is 'example-company.com'. 


This setup only needs to be done once and shouldn't ever change. Feel free to let me know if you have any questions about it.

APK Scanning Coming Soon

According to Security Week, Palo Alto Networks reported that 18,000 Android applications have allowed a user’s text messages to be stolen. What’s worse, is that users have been tricked into confirming in-app purchases through pop-up messages, leaving the user unaware of their purchase until they receive their next phone bill. The Taomike SDK, which displays advertisements in mobile apps for in-app purchases (IAPs), has been held responsible for these leaks. 

With the rise in infected Android applications, the need to protect mobile devices and user information has become more challenging. Which is why we wanted to announce that OPSWAT Gears will soon be able to scan all installed Android applications for malware with Metascan Online. Look for an update to Gears Mobile for Android with APK scanning in the coming weeks! 

Other Fixes and Enhancements

  • In the details view for Security Score, if Gears is unable to gather information, it is now listed as 'Not Available', where previously it said 'Not scanned' or 'Never'.
  • Customer specific enhancements and fixes

Video: NIAS Data Sanitization Presentation


The NATO information assurance symposium (NIAS) is the NCI Agency's annual cyber security event for NATO organizations and industry partners. This year, OPSWAT’s Director of Product Management Szilard Stange gave an in-depth presentation on how the threat landscape has changed, the rise of malware exploits, and how data sanitization can repair infected files.

Watch the presentation below to learn how data sanitization technology can be utilized within your existing security architecture:



If you enjoyed the video and would like to learn more about data sanitization, read Szilard’s three-part data sanitization series:

Please let us know if you found this video helpful and tweet us @OPSWAT if you have any questions! 

Metascan 20 Package and Workflows Available!


Metascan 20 Package Available

By popular demand, OPSWAT is offering a new Metascan® package with 20 anti-malware engines to help protect your organization from known and unknown threats. Metascan 20 includes the powerful anti-malware engines of McAfee, Sophos, Ikarus, and Zillya in addition to the Metascan 16 engines. Since no single anti-malware engine can detect all threats 100% of the time, utilizing multiple scanning engines exponentially increases your threat detection and prevention capabilities. 

To learn more about our new package option, contact OPSWAT Sales.

Metascan Workflows - Out of Beta

With the release of Metascan 3.10.0, Metascan workflows are out of Beta, and web scanning now uses the Metascan workflows to process files. This addition will help internal usage of on-premise Metascan servers. For instance, if a consultant or support team member needed to scan a set of files within an offline environment, the IT admin could send them the Web Scan link so that they can scan their files. The consultant and support member could then retrieve their scanned files from a network directory designated by Metascan’s workflow. 



Web Scanning can be found on the Metascan Dashboard


Users will then be able to scan their files through the on-premise server


Set copy-to post actions for all Web Scanned Files

Other Fixes and Enhancements

  • The Metascan ICAP server can be configured to not scan files over a certain size.
  • The Metascan REST server is no longer an optional component and is now required.

Version 3.10.0 of Metascan is now available on the OPSWAT Portal. If you have any questions, or would like assistance in upgrading, please contact OPSWAT Support.

Important Announcement: OPSWAT encourages all users to upgrade their systems to the latest versions of Metadefender and Metascan when possible. For any users that are using versions of Metascan older than 3.9.1, please be aware that OPSWAT will soon stop releasing offline definition update packages for Metascan versions prior to 3.9.1. If you have Metascan installed in an offline environment and do not upgrade Metascan to a recent version you will have to use the Automatic Definition Update Download Utility to download definition updates.

OPSWAT Report Reveals Ranking of Top Anti-malware Vendors


OPSWAT today announced the release of its quarterly market share report, which shows the top 12 anti-malware vendors by market share as well as various other user behavior statistics collected from its device security and compliance tool, OPSWAT Gears.

Out of the 59 anti-malware vendors analyzed for the November 2015 report, the top three by market share are Microsoft, Avast and Malwarebytes. To see all of the top vendors and their corresponding market share, please view the full report.

OPSWAT's Marketing Manager, Stacey Matthews-Winn, remarked on the continuing importance of using anti-malware solutions, “Signature-based antivirus isn't dead, it needs to be viewed in light of a larger defense strategy. As an analogy, a skilled criminal can pick a residential door lock in seconds, but locking your front door is still a good idea."

Winn went on to say, “And many, if not most, endpoint security vendors have long since added generic detection and advanced heuristics to their solutions to detect evasive threats. We hope that the business-to-business marketing for advanced threat solutions doesn't have a negative impact on home and SOHO (Small office/home office) utilization of traditional endpoint security products, and for that reason it’s important that we continually broaden the scope of endpoint security solutions that we track to look for these trends.”

Along with market share data for the top anti-malware vendors, this report also includes Windows encryption product market share, a comparison on the security practices of Windows versus Mac users and new threat data for Windows devices. 

Windows devices were found to be better protected overall in terms of anti-malware installation and RTP (Real Time Protection) status: 71.5% of Windows devices had at least one anti-malware engine installed, compared to only 57.2% of Mac devices. The report explains the discrepancies in this data in detail, along with statistics on the usage of real time protection.

For more details on the collection of this data and a complete breakdown of threat data and Windows and Mac device comparisons, please view the full report.

The data in this report was collected from free accounts of OPSWAT Gears, an enterprise device security and compliance tool that enables organizations to directly assess and manage the endpoint security posture of their devices through a unified view of mobile and PC endpoints, and their applications/security issues. Administrators can take rapid action to remediate issues on non-compliant devices and improve endpoint security. Gears is completely free for up to 25 devices. To try the free Gears tool, please visit opswatgears.com/download.

For more information regarding this report, please contact marketing(at)opswat(dot)com. Previous OPSWAT quarterly market share reports are available to view on OPSWAT’s website.

 


How To Block More Malware On Blue Coat ProxySG


Would you like to increase your malware threat protection on Blue Coat ProxySG web traffic and downloads? Metascan can be used with ProxySG to significantly improve your malware threat protection. If you already use ProxyAV, Metascan can be used on top of ProxyAV to block more known and unknown threats. Metascan uses ICAP in the same way as ProxyAV does, but offers superior threat detection rates by scanning web traffic with up to 30 anti-malware engines as well as performing data sanitization to remove possible embedded threats in documents. Find out more about the benefits of using Metascan with Blue Coat ProxySG.

Ready to find out how many more threats Metascan can block? Download the 14-day evaluation version of Metascan and follow the steps in the Getting Started Guide below to configure Metascan and Blue Coat ProxySG and experience the benefits of multi-scanning for yourself:

Metascan and Blue Coat ProxySG Getting Started Guide

This Getting Started Guide describes in easy steps how to configure Metascan with Blue Coat ProxySG to start scanning your web traffic and downloads.

System Requirements:

The following systems are required for this deployment:

  • Blue Coat ProxySG Server
  • One or more Metascan servers

Configuring Metascan

By default, the ICAP service is disabled in Metascan. To enable the ICAP service, please do the following:

  1. Open the Metascan Management Console (http://<server ip>:8008/management)
  2. Navigate to the Sources-> ICAP Server Configuration page
  3. Click the 'Start ICAP Service' button

This will start the Metascan ICAP server with the default settings.

Note on Metascan Licensing: Metascan must have a valid license, including licensing for the appropriate number of remote clients to function correctly.

Configuring the Blue Coat ProxySG Server

Log into your ProxySG Management Console (e.g. https://<ip address>:8082).

Disable Automatic Cache Refresh

  1. Click on the 'Configuration' tab, and navigate to 'Proxy Settings'->'HTTP Proxy'
  2. Select the 'Freshness' tab and select the 'Disable refreshing' option
  3. Select the 'Acceleration Profile' tab and uncheck the following options
    1. Pipeline embedded objects in client request
    2. Pipeline redirects for client request
    3. Pipeline embedded objects in prefetch request
    4. Pipeline redirects for prefetch request
  4. Click 'Apply' to save these settings

 
Adding REQMOD Service

  1. Within the 'Configuration' tab, navigate to 'External Services'->'ICAP'
  2. Click 'New'
  3. Enter a service name for the Metascan service (in this example we use 'MetascanReqmod') and click 'OK'
  4. In the services list, select 'MetascanReqmod' and click 'Edit'
  5. Update the following values
    1. In ICAP Service
      1. Set Service URL to 'icap://<Metascan Server>/OMSScanReq-AV'
      2. Select 'Use vendor's "virus found" page'
    2. In ICAP Service Ports
      1. Check 'This service supports plain ICAP connections'
      2. Set the 'Plain ICAP port' value to your Metascan's ICAP port (1344 by default)
    3. In ICAP v1.0 Options
      1. Check 'Request modification'
      2. Check 'Send Client address'
  6. Click 'OK'
  7. Click 'Apply' to save the configuration

Adding RESPMOD Service

  1. Within the 'Configuration' tab, navigate to 'External Services'->'ICAP'
  2. Click 'New'
  3. Enter a service name for the Metascan service (in this example we use 'MetascanRespmod') and click 'OK'
  4. In the services list, select 'MetascanRespmod' and click 'Edit'
  5. Update the following values
    1. In ICAP Service
      1. Set Service URL to 'icap://<Metascan Server>/OMSScanResp-AV'
      2. Select 'Use vendor's "virus found" page'
    2. In ICAP Service Ports
      1. Check 'This service supports plain ICAP connections'
      2. Set the 'Plain ICAP port' value to your Metascan's ICAP port (1344 by default)
    3. In ICAP v1.0 Options
      1. Check 'Response modification'
      2. Check 'Send Client address'
  6. Click 'OK'
  7. Click 'Apply' to save the configuration

Create Metascan REQMOD Policy

  1. Within the 'Configuration' tab, navigate to 'Policy'->'Visual Policy Manager'
  2. Click the 'Launch' button
  3. In the 'Blue Coat Visual Policy Manager' window, navigate to 'Policy'->'Add Web Content Layer'
  4. Enter a layer name (in this example we use 'Metascan ICAP ReqMod') and click 'OK'
  5. In the newly created 'Metascan ICAP ReqMod' tab, right click on 'Use Default Caching' and choose 'Set...'
  6. In the 'Set Action Object' window, click 'New' and select 'Set ICAP Request Service...'
  7. In the 'Add ICAP Request Service Object' window, set the following values
    1. Set 'name' to 'Metascan ICAP Request Service'
    2. In 'Available services', select 'MetascanReqmod' and click 'Add'
    3. Click 'OK' to finish and 'Apply' to save

Create Metascan RESPMOD Policy

  1. Within the 'Configuration' tab, navigate to 'Policy'->'Visual Policy Manager'
  2. Click the 'Launch' button
  3. In the 'Blue Coat Visual Policy Manager' window, navigate to 'Policy'->'Add Web Content Layer'
  4. Enter a layer name (in this example we use 'Metascan ICAP RespMod') and click 'OK'
  5. In the newly created 'Metascan ICAP RespMod' tab, right click on 'Use Default Caching' and choose 'Set...'
  6. In the 'Set Action Object' window, click 'New' and select 'Set ICAP Response Service...'
  7. In the 'Add ICAP Response Service Object' window, set the following values
    1. Set 'name' to 'Metascan ICAP Response Service'
    2. In 'Available services', select 'MetascanRespmod' and click 'Add'
  8. Click 'OK' to finish and 'Apply' to save
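Before pointing ProxySG at the two services, it is worth confirming from another host that the Metascan ICAP server actually answers on port 1344 and advertises the method each service needs, and seeing what a "clean" and a "virus found" reply look like on the wire. The Python client below is an added example, not OPSWAT's or Blue Coat's code: it builds an ICAP OPTIONS request and a RESPMOD request that wraps a small HTTP response in the RFC 3507 framing ProxySG would use, and classifies the reply. The service names and port are the ones configured above; the X-Infection-Found / X-Violations-Found headers used to recognise a blocked reply are the convention several ICAP antivirus servers follow and are an assumption here, so compare them against a real Metascan response. The sample replies in the block are constructed, not captured.

```python
"""Minimal ICAP/1.0 (RFC 3507) client for checking a Metascan ICAP service.

Added example, not OPSWAT or Blue Coat code. Assumptions: service names and
port 1344 as configured in the guide; X-Infection-Found / X-Violations-Found
are the reply headers many ICAP AV servers set when they return a block page.
"""
import socket
from urllib.parse import urlsplit

CRLF = "\r\n"
INFECTION_HEADERS = ("x-infection-found", "x-violations-found")  # assumed convention


def build_options(host, service, port=1344):
    """OPTIONS request: asks which methods and features the service supports."""
    return (
        f"OPTIONS icap://{host}:{port}/{service} ICAP/1.0{CRLF}"
        f"Host: {host}:{port}{CRLF}"
        f"Encapsulated: null-body=0{CRLF}{CRLF}"
    ).encode("ascii")


def build_respmod(host, service, url, body, port=1344,
                  content_type="application/octet-stream"):
    """RESPMOD request wrapping an HTTP response that carries `body`.

    RFC 3507 encapsulates the original request headers, the response headers
    and a chunked response body; the Encapsulated header gives the byte offset
    of each part, counted from the start of the encapsulated section.
    """
    req_hdr = f"GET {url} HTTP/1.1{CRLF}Host: {urlsplit(url).netloc}{CRLF}{CRLF}".encode("ascii")
    res_hdr = (f"HTTP/1.1 200 OK{CRLF}Content-Type: {content_type}{CRLF}"
               f"Content-Length: {len(body)}{CRLF}{CRLF}").encode("ascii")
    chunked = f"{len(body):x}{CRLF}".encode("ascii") + body + f"{CRLF}0{CRLF}{CRLF}".encode("ascii")
    encapsulated = f"req-hdr=0, res-hdr={len(req_hdr)}, res-body={len(req_hdr) + len(res_hdr)}"
    icap_hdr = (
        f"RESPMOD icap://{host}:{port}/{service} ICAP/1.0{CRLF}"
        f"Host: {host}:{port}{CRLF}"
        f"Allow: 204{CRLF}"                  # permit a bare 204 for clean content
        f"Encapsulated: {encapsulated}{CRLF}{CRLF}"
    ).encode("ascii")
    return icap_hdr + req_hdr + res_hdr + chunked


def parse_icap_response(raw):
    """Parse the ICAP status line and headers into {status, reason, headers}."""
    head, sep, _encapsulated = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete ICAP response header")
    lines = head.decode("iso-8859-1").split(CRLF)
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or parts[0] != "ICAP/1.0":
        raise ValueError(f"not an ICAP/1.0 status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"status": int(parts[1]), "reason": parts[2] if len(parts) > 2 else "", "headers": headers}


def supports_method(options_resp, method):
    """True if an OPTIONS reply advertises `method` (e.g. 'RESPMOD')."""
    methods = options_resp["headers"].get("methods", "")
    return options_resp["status"] == 200 and method.upper() in [m.strip().upper() for m in methods.split(",")]


def verdict(resp):
    """Classify a REQMOD/RESPMOD reply.

    204: content unchanged, i.e. clean. 200: the server replaced the message;
    with an infection header that is the vendor's 'virus found' page, otherwise
    the content was modified (e.g. sanitized). Anything else is an error, which
    a fail-closed deployment should treat as a block, not a pass.
    """
    if resp["status"] == 204:
        return "clean"
    if resp["status"] == 200:
        return "blocked" if any(h in resp["headers"] for h in INFECTION_HEADERS) else "modified"
    return "error"


def send(host, payload, port=1344, timeout=10.0):
    """Send one ICAP request and read at least the full reply header."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)
        buf = b""
        while b"\r\n\r\n" not in buf:
            data = sock.recv(65536)
            if not data:
                break
            buf += data
        return buf


# Constructed sample replies (not captured from a real server) for offline use.
SAMPLE_OPTIONS = (b"ICAP/1.0 200 OK\r\nMethods: RESPMOD\r\nService: Example ICAP Server\r\n"
                  b"ISTag: \"example\"\r\nAllow: 204\r\nEncapsulated: null-body=0\r\n\r\n")
SAMPLE_CLEAN = b"ICAP/1.0 204 No Content\r\nISTag: \"example\"\r\n\r\n"
SAMPLE_BLOCKED = (b"ICAP/1.0 200 OK\r\nISTag: \"example\"\r\n"
                  b"X-Infection-Found: Type=0; Resolution=2; Threat=Example.Threat;\r\n"
                  b"Encapsulated: res-hdr=0, res-body=45\r\n\r\n"
                  b"HTTP/1.1 403 Forbidden\r\nContent-Length: 7\r\n\r\n7\r\nblocked\r\n0\r\n\r\n")

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    opts = parse_icap_response(send(host, build_options(host, "OMSScanResp-AV")))
    print("RESPMOD supported:", supports_method(opts, "RESPMOD"))
    reply = send(host, build_respmod(host, "OMSScanResp-AV", "http://example.com/test.bin", b"hello"))
    print("verdict:", verdict(parse_icap_response(reply)))
```

Run it with the Metascan server's address as the only argument. Repeat the OPTIONS check against OMSScanReq-AV with REQMOD to confirm the second service, and note that a timeout or connection refusal on port 1344 almost always means the ICAP service was never started in the Management Console (the first step above) or a host firewall is in the way.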
     

Did you find this guide helpful? Tweet at us @OPSWAT and let us know if you have any questions!

New OPSWAT Certifications - November 2015


Are your security products compatible with leading network technology? If you are a vendor or user of security products, you can reduce the chance of compatibility and usability problems by certifying your products with OPSWAT. All products in our free certification program are certified compatible with leading network solutions from Juniper, Cisco and Citrix. This month, Webroot, GridinSoft, Symantec, VIPRE, F-Secure, Rising and Malwarebytes have all had new products certified. Submit your product today, or view our certified products list before purchasing a solution.

 

  • Webroot SecureAnywhere Complete 9.X
  • GridinSoft Anti-Malware 3.X
  • Symantec Endpoint Protection 12.X
  • VIPRE Internet Security 2016 9.X
  • Malwarebytes Anti-Malware 1.X
  • F-Secure PSB Workstation Security 10.X
  • Rising Personal Firewall V16 24.X

 

OPSWAT Certification is a free program, and submitting products is an easy, development-free process. Become an OPSWAT Certified Partner by submitting and receiving OPSWAT Certifications for your products! 

 

Event Wrap-up: OPSWAT Cyber Security Seminar


We just finished a successful event, the OPSWAT Cyber Security Seminar, in Herzliya, Israel. Along with our Israeli partners, eBusiness Design and Bulwarx, we held a half-day seminar to demonstrate the latest features of our technologies and how they can be integrated with other solutions to fit into your data flow and device security needs. 

Dan Lanir, Vice President of Professional Services and Support, gives presentation
 

 

The OPSWAT team and partners from eBusiness Design and Bulwarx

If you missed the conference, please feel free to download any of the presentations below:

Introduction

Metascan 

  • Windows and Linux Engines
  • Value of multi-scanning
  • Data Sanitization
  • Web Security
  • Email Security
  • Metadefender and Secure File Transfer
  • Management Station
  • Metascan Online

Bulwarx Metascan Integrations 

  • Metascan Client
  • CyberArk Vault

OPSWAT Support in Israel with Bulwarx

Protecting Endpoints with RSA ECAT and OPSWAT Metascan

Gears: Endpoint Security and Visibility

If you are interested in other educational events from OPSWAT, we are holding a Cyber Security Seminar in the DC Metro area on February 9th. Along with our partners from Inquest and Punch Cyber, we will be sharing several threat detection and research technologies and providing information on how to use these technologies to bolster your organization’s cyber defenses.

November In Review


Do Macs need antivirus? Have there been new malware infections? Is it too late to protect myself? Yes, yes, and no. Read this month in review to find out why your beloved Mac needs an additional layer of security, why researching new infections is so troublesome, and how you can protect your company from hazardous emails and attachments with OPSWAT's Metascan® 20.

Stop More Threats with Better Email Security

Frustrated by malware and spear phishing attacks getting past your email security defenses? By adding an additional email security layer that utilizes technologies such as multi antivirus scanning and data sanitization, you can catch more malware threats and spear phishing attempts with malicious attachments, which previously would have passed by undetected. 

Watch the webinar >>


New Metascan 20 for Advanced Protection

By popular demand, OPSWAT is offering a new Metascan package with 20 anti-malware engines to help protect your organization from known and unknown threats. Metascan 20 includes engines from McAfee, Sophos, Ikarus, and Zillya in addition to the Metascan 16 engines. 

Learn more about Metascan 20 >> 


The Top Rated Anti-malware Vendors

We are excited to announce the release of our November 2015 Market Share Report. This report shows the top 12 anti-malware vendors by market share as well as various other user behavior statistics collected from our device security and compliance tool, OPSWAT Gears. 

Check out the full report >>


Block More Malware On Blue Coat ProxySG

Would you like to increase your malware threat protection on Blue Coat ProxySG web traffic and downloads? Metascan can be used with ProxySG to significantly improve your malware threat protection. We made this handy guide to show you how!

Read the guide >> 


OPSWAT Cyber Security Seminar

Along with our Israeli partners, eBusiness Design and Bulwarx, we held a half-day seminar to demonstrate the latest features of our technologies and how they can be integrated with other solutions to fit into your data flow and device security needs. 

Check out presentations from event >>


Three Myths About Endpoint Visibility

Agent or agentless endpoint visibility tools? Here are three myths about endpoint security agents that you should know before purchasing a solution:

  1. Agents cause problems
  2. There's no desire to perform audits
  3. Focus on the endpoint is just a trend

Read about the 3 myths >>


Studying Anti-malware Naming Conventions

Watch our newest Policy Patrol video for an overview of how it can help protect your organization from zero-day and targeted attacks. Using Metascan's multi-scanning technology, Policy Patrol Security for Exchange can quickly scan and sanitize email attachments with up to 40 anti-malware engines. 

Check out our research >> 


Do Macs Need Antivirus?

Mabouia, a proof-of-concept ransomware for OS X, shows how exposed an unsuspecting Mac user may actually be. The ever-increasing popularity of Mac laptops, combined with the financial incentives of ransomware, is a good reason to rethink the need for third-party anti-malware software on Macs.

Learn more about this new ransomware >> 


Video: NIAS Data Sanitization Presentation 

The NATO information assurance symposium (NIAS) is the NCI Agency's annual cyber security event for NATO organizations and industry partners. This year, OPSWAT’s Director of Product Management Szilard Stange gave an in-depth presentation on how the threat landscape has changed, the rise of malware exploits, and how data sanitization can repair infected files.

Watch the video >> 


Upcoming Events

Dec
01

   Defense Innovation Summit Austin, TX
   Details here

Feb
09

   OPSWAT Cyber Security Seminar Washington DC Metro Area
   Details here

Feb
29

   RSA Expo and Conference 2016 San Francisco, CA


OPSWAT Product Updates

11/18/2015

Metascan version 3.10.0 - Release Notes

11/18/2015

OESIS Framework version 4.2.291.0 

11/18/2015

Metascan Online version 4.46.1

11/11/2015

Gears 'Ohio' - Release Notes

Metascan Hash Database Offers High Malware Detection Rates and Fast Throughput


OPSWAT, provider of solutions to secure and manage IT infrastructure, today announced the release of their new Metascan Hash Database, a fast-growing collection of millions of scan results from 40+ antivirus engines. Delivered on-premises and updated daily, the Metascan Hash Database enables ISVs and enterprises to integrate fast anti-malware multi-scanning technology into their applications and networks without requiring files to be sent outside of the network, offering improved detection rates, fast throughput and low latency.

Accessible through a customizable API or as an engine in OPSWAT’s multi-scanning solution Metascan, the Metascan Hash Database offers fast throughput and low latency by querying an on-premises database for existing scan results, rather than having to rescan each file. This allows software vendors to incorporate fast multi-scanning technology into their security applications, decreasing the volume of files that need to be subjected to more intensive analysis. IT professionals can take advantage of the advanced threat protection benefits of multi-scanning while maintaining high efficiency.

 

James Arnold Ph.D., Director of Data Science and Product Manager at OPSWAT, said: “Metascan Hash Database not only offers the benefits of fast multi-scanning, it can also reduce the impact of false positives by allowing you to set which antivirus engines to trust, the minimum number of engines that must detect a file as malware, and how recent the scan results must be.”

About Metascan Hash Database

Powered by Metascan Online, the Metascan Hash Database contains a rapidly growing collection of scan results from more than 40 leading commercial anti-malware engines, including Kaspersky, McAfee, Symantec, AVG, Avira and many others. The database covers files from different operating systems, including Windows, iOS, Linux and Android, and a wide variety of file types, such as executables, archives, documents, images, audio, video, PDFs, text and emails. To download an evaluation version, visit the OPSWAT Portal.
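As an added example (not OPSWAT's API or code), the Python sketch below shows the decision a hash-lookup front end has to make before a file is handed to full multi-scanning, using the three controls described above: which engines to trust, how many trusted detections are needed to call a file malware, and how old a cached result may be. The database is a constructed in-memory dictionary standing in for the Metascan Hash Database, and the engine and threat names are invented. The point a practitioner should take from it is the fail-closed shape: a hash lookup is an exact match, so an unknown, stale or ambiguous result goes to a full scan rather than being treated as clean.

```python
"""Added example, not OPSWAT code or API: the decision a hash-lookup front end
makes before a file is handed to full multi-scanning.

HASH_DB is a constructed in-memory stand-in for the Metascan Hash Database:
per-engine verdicts (None means clean) plus the time the results were produced.
The policy controls are the three described above: which engines to trust, how
many trusted detections are needed, and how old a cached result may be.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Policy:
    trusted_engines: frozenset   # engines whose verdicts count
    min_detections: int          # trusted detections needed to call a file malware
    max_age: timedelta           # cached results older than this are not reused


def make_policy(engines, min_detections, max_age_days):
    return Policy(frozenset(engines), min_detections, timedelta(days=max_age_days))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


NOW = datetime(2015, 12, 1, tzinfo=timezone.utc)   # fixed clock for reproducible results


def _record(days_old, **verdicts):
    return {"scanned_at": NOW - timedelta(days=days_old), "detections": verdicts}


# Constructed sample records; engine names and threat names are invented.
HASH_DB = {
    sha256_hex(b"clean sample"): _record(1, EngineA=None, EngineB=None, EngineC=None),
    sha256_hex(b"malicious sample"): _record(1, EngineA="Trojan.Generic", EngineB="Trojan.Gen.2", EngineC=None),
    sha256_hex(b"single hit sample"): _record(1, EngineA="Heuristic.Suspicious", EngineB=None, EngineC=None),
    sha256_hex(b"stale sample"): _record(400, EngineA=None, EngineB=None, EngineC=None),
}

DEFAULT_POLICY = make_policy(["EngineA", "EngineB"], min_detections=2, max_age_days=30)


def decide(data: bytes, db=HASH_DB, policy=DEFAULT_POLICY, now=NOW) -> str:
    """Return 'block', 'allow' or 'full_scan' for the file contents `data`.

    A hash lookup is an exact match: a single changed byte yields an unknown
    hash. Unknown, stale or ambiguous results therefore fall through to a full
    scan instead of being treated as clean (fail closed, not fail open).
    """
    record = db.get(sha256_hex(data))
    if record is None:
        return "full_scan"                  # never seen: no verdict to reuse
    if now - record["scanned_at"] > policy.max_age:
        return "full_scan"                  # cached result too old to trust
    verdicts = record["detections"]
    if not policy.trusted_engines.issubset(verdicts):
        return "full_scan"                  # a trusted engine has not scanned this file
    hits = [e for e in policy.trusted_engines if verdicts[e] is not None]
    if len(hits) >= policy.min_detections:
        return "block"                      # enough trusted engines agree
    if hits:
        return "full_scan"                  # below threshold: possible false positive, rescan
    return "allow"                          # every trusted engine reported clean


if __name__ == "__main__":
    for sample in (b"clean sample", b"malicious sample", b"single hit sample",
                   b"stale sample", b"never seen before"):
        print(f"{sample.decode():>20}: {decide(sample)}")
```

Only files that come back as "allow" skip the heavier pipeline; everything else is either blocked outright or queued for a fresh multi-engine scan, which is where the throughput gain described above comes from without widening the window for a missed sample.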

About OPSWAT

OPSWAT is a San Francisco-based software company that provides solutions to secure and manage IT infrastructure. Founded in 2002, OPSWAT delivers solutions that provide manageability of endpoints and networks, and helps organizations protect against zero-day attacks by using multiple anti-malware engine scanning and document sanitization. OPSWAT’s intuitive applications and comprehensive development kits are deployed by SMB, enterprise and OEM customers to more than 100 million endpoints worldwide.

Gears Enforces OS Versions and Improves NAC for SaaS


With our latest Gears release, code-named West Virginia, administrators can now enforce operating system (OS) versions for Windows and Mac devices, and use our improved cookie injection to identify devices to web domains and SaaS products.

OS Version Enforcement

Gears administrators can now enforce the operating system version of Mac and Windows devices in their network. Since OS X and Windows updates typically include security patches and important improvements, being able to require the latest OS version helps mitigate security risks in your organization's network.



NAC for SaaS Cookie Injection

To help an endpoint report its compliance information to the cloud, we have improved OPSWAT Gears' ability to call the cloud API by using cookies on the endpoint itself. With cookie injection, Gears can be used with SaaS products to control access to the service according to the compliance status of the endpoint attempting to connect. The cookies on the device serve as an identifier and can now be configured for multiple web domains. Admins can integrate their web-based software, such as ExpressVPN, by adding the domain information as shown below:



You can find out more about the cookie injection integration in our Developer Portal, and can now download the latest version of OPSWAT Gears as well. 

Most Destructive Malware of All Time


All malware is inherently dangerous, but a few threats stand out when it comes to inflicting damage. We took a look at some of the most destructive malware of all time, from traditional viruses, worms and Trojans to increasingly prevalent PUAs such as adware and spyware. The list covers many of the all-time worst threats but is not all-inclusive; notable threats such as the ILOVEYOU worm also rank as highly destructive but are not on it. How many of these threats do you remember?

1. CIH Virus - 1998

The CIH virus, also known as the "Chernobyl virus", got its nickname because its best-known variant was written to trigger on April 26, the anniversary of the Chernobyl nuclear disaster (in present-day Ukraine, then part of the Soviet Union). On that date the virus overwrote the beginning of the hard drive with garbage and attempted to overwrite the flash BIOS, the firmware that runs when a PC is powered on. On many motherboards of the time the BIOS chip was soldered in place, so a successful BIOS overwrite left the machine unbootable until the whole motherboard was replaced. The virus was written by Chen Ing-hau, a student at the Tatung Institute of Technology in Taipei. Although it caused millions of dollars in damages, Chen was never imprisoned or fined, and his infamous creation eventually helped him land a job at a software company.

2. Melissa Worm - 1999

Melissa was a macro virus, spread via email in Microsoft Word documents, that caused millions of dollars in damages and forced several large organizations to shut down their mail systems. Its author, David L. Smith, named it after an exotic dancer from Florida. The message used an enticing subject line to get victims to open the attached document; once the macro ran, it mailed a copy of the infected document to the first 50 addresses in the victim's Outlook address book, which is what made it spread so quickly.

3. Code Red Worm - 2001

Code Red was a computer worm that infected almost 360,000 hosts running Microsoft's IIS web server in under 14 hours. It was first analyzed by two eEye Digital Security employees and named for the Code Red Mountain Dew they were drinking at the time. The worm exploited a buffer overflow in an IIS indexing-service component, a vulnerability for which Microsoft had published a patch about a month earlier; infected servers defaced web pages and scanned the internet for further victims.

Spread of the Code Red worm from Caida

4. Slammer Worm - 2003

In January 2003, the Slammer worm infected roughly 75,000 hosts within about ten minutes. It exploited a buffer overflow in Microsoft SQL Server 2000 and MSDE, reachable over UDP port 1434, for which a patch had been available for six months. Because the entire worm fit in a single UDP packet, each infected host could scan for new victims at an enormous rate: at its peak Slammer generated about 55 million scans per second, and the resulting flood of traffic caused denial-of-service conditions that took down ATMs, airline systems and parts of the internet backbone even though the worm carried no destructive payload. Owen Maresh of Akamai is credited with being the first to spot the worm, from Akamai's Network Operations Control Center. Slammer's infected population doubled roughly every 8.5 seconds, far surpassing the speed of the Code Red worm of 2001.

5. SoBig.F Worm - 2003

The Sobig.F worm appeared in August 2003, several months after Slammer, and was for a time the fastest-spreading mass-mailer yet seen, surpassing both the ILOVEYOU virus and the Anna Kournikova worm. It arrived as an email attachment; once run, it harvested email addresses from files on the infected machine and mailed itself to them with its own SMTP engine, forging the sender address so that the apparent source was another victim. Subject lines included "Your details", "Thank you!", "Re: Details", "Re: My details" and several others. Damage has been estimated at $37.1 billion, and the worm is credited with disrupting CSX freight and commuter rail signalling on the US East Coast, including trains in the Washington D.C. area, as well as Air Canada's check-in systems. Its author has never been identified.

6. My Doom Worm - 2004

Mydoom, one of the fastest-spreading email worms in history, surpassed both ILOVEYOU and Sobig in speed. It arrived in messages posing as bounce notices, with subject lines such as "Error", "Mail Delivery System", "Test" or "Mail Transaction Failed", and besides mailing itself onward it opened a backdoor on infected machines and launched a denial-of-service attack against the SCO Group's website. Its author has never been identified, though the worm is widely believed to have originated in Russia. It was discovered and named by a McAfee employee who noticed the string "mydom" in its code.

7. Stuxnet Worm - 2010

Stuxnet spread via infected USB drives and, once inside a network, through Windows vulnerabilities and shared drives, so it needed no internet connection to reach its target. That made it especially dangerous for critical-infrastructure plants, which typically rely on air-gapping for protection. On each machine it infected, the worm checked for Siemens Step 7 industrial control software and for specific programmable logic controller (PLC) configurations; only when it found its intended target did it inject code into the PLCs that altered the speed of the centrifuges they controlled, while feeding operators normal-looking readings, causing the centrifuges to fail over time. The primary victim was Iran's uranium enrichment facility at Natanz. The worm has been widely attributed, though never officially confirmed, to the United States and Israel, with the aim of slowing Iranian nuclear development.

Stuxnet Diagram from L-Dopa

8. Cryptolocker Trojan - 2013

CryptoLocker is ransomware that encrypts the victim's files on local and mapped drives with a public key whose private half stays on the attackers' server, then demands payment. The ransom message gives a deadline by which the victim must pay to obtain the decryption key. The Trojan arrived in an email purporting to come from a logistics company, with a password-protected ZIP attachment (the password was supplied in the message, which also kept mail gateways from inspecting the archive) containing an executable disguised as a PDF document. By posing as a legitimate company, the ransomware used social engineering to trick the user into running the file.

Cryptolocker Screenshot from Bleeping Computer

9. ZeroAccess Botnet - 2013

Known as one of the largest botnets in history, ZeroAccess infected over 1.9 million computers and used them to earn money through Bitcoin mining and click fraud. A botnet is a group of compromised computers, also known as zombies, controlled by an operator (the botmaster) through a command-and-control channel; botnets are commonly used to send spam, launch distributed denial-of-service attacks or, as in this case, generate fraudulent ad clicks and mine cryptocurrency. ZeroAccess was notable for its peer-to-peer command-and-control design with no central server, which made the takedown attempts by Microsoft and law enforcement in 2013 only partially successful. It spread through drive-by downloads and spam emails carrying the malware, each new victim becoming another node in the network.

10. Superfish Adware - 2014

Superfish adware made headlines when it was found pre-installed, without customers being told, on consumer laptops from Lenovo, the world's largest PC maker, leading to a class action lawsuit. To inject advertisements into web pages, Superfish installed its own root certificate authority on the machine and intercepted HTTPS connections, re-signing every site's certificate on the fly. Because the same private key shipped on every affected laptop and was quickly extracted by researchers, anyone on the same network could impersonate any HTTPS site to those users without the browser raising a warning. The software thus exposed Lenovo customers to man-in-the-middle attacks while giving Superfish and Lenovo a way to target them with tailored advertisements.



Event Wrap-up: OPSWAT CEO Speaks at Defense Innovation


Earlier this week, OPSWAT's CEO, Benny Czarny, presented at the Defense Innovation Summit in Austin, TX. The event highlights global innovation, business and defense leadership. Benny Czarny was one of the review panelists for the Cyber Innovation Challenge, a challenge that is designed to accelerate private-sector and defense sourced technology solutions aligned with warfighter and national security problem-sets. We enjoyed participating in the event and look forward to sharing our insights at future cyber security events. 

Defense Innovation Panelists - Photo Credit: Bernice Glenn (Senior Advisor, NSTXL) 

If you are interested in learning more about what was presented at Defense Innovation, you can view the SlideShare presentation below:

If you want to attend an OPSWAT event, we will be holding a Cyber Security Seminar in Washington D.C. on February 9th. During the seminar, we will be discussing the value of multi-scanning, the benefits of data sanitization and showcasing our new threat map, which helps you geo-locate threats uploaded to Metascan Online. Event registration details can be found here.

Metascan For Linux Now Offers 10 Engines


OPSWAT has expanded the engine offering for Metascan for Linux. In addition to the Metascan for Linux 1 and 5 engine packages, we now offer a 10 engine package. It includes all the engines in the Metascan 5 package plus the Avira, Quick Heal, Ikarus, Agnitum and Cyren antivirus engines. The additional engines improve malware detection rates and bring Metascan for Linux protection to a new level.

​Szilard Stange, Director of Product Management at OPSWAT, said: "The Metascan for Linux 10 engine package is great for organizations looking for higher assurance that their security architecture provides robust protection against known and unknown threats. By using ten built-in engines Metascan for Linux provides powerful multi-scanning for the Linux platform."

Metascan for Linux offers improved security, while also being highly scalable. Using the RESTful APIs, ISVs, IT admins and malware researchers can easily integrate Metascan for Linux into their architecture to increase the integrity of their scanning and file processing. Metascan for Linux supports many different 64-bit Linux distributions, including Debian, Red Hat Enterprise Linux, CentOS and Ubuntu.

Ready to try it out? Download the Metascan for Linux 10 engine package from the OPSWAT Portal and contact OPSWAT Sales for your activation key. Current Metascan for Linux customers using 5 engines can easily upgrade to 10 engines without having to re-install the security layer. Please contact OPSWAT Sales for your upgraded activation key.

Happy Holidays from OPSWAT


As we move into 2016, we would like to wish all of our partners, customers and employees a prosperous and joy-filled holiday season. We can't wait to see what 2016 will bring!

Happy Holidays from OPSWAT!

New: Manage Multiple Metascan installations with Central Management


Are you a Metascan customer with multiple Metascan installations? Your job just got a whole lot easier with the new Metascan Central Management system. Instead of having to manage each Metascan installation individually, this can now all be done from a single location.

The Metascan Central Management system provides an easy way to track and manage multiple instances of Metascan (v3 and v4) within your network. With a simple, clear interface, Central Management is a centralized console that allows you to view the managed engines on each installation, as well as control updates and check the license and update status. 

 

Streamlined Update Process

Central Management supports both online as well as offline update management for Metascan instances. For offline environments, updates can be downloaded using our Update Downloader utility and transferred to Central Management for distribution among the different Metascan installations.

Status Updates with Health Score

Central Management monitors the health status of the Metascan instances and assigns a health score to indicate whether a Metascan installation needs further attention. The health score is determined based on various indicators such as connection status, freshness of the database, product version, and licensing status. 



File and Malware Scanning Statistics

Central Management also provides statistics on the number of files scanned to date as well as the malware found by all managed Metascan instances.

Download Central Management from the OPSWAT Portal and contact sales to request an evaluation key.

A Look Back at SCADA Security in 2015


It should come as no surprise that Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems (ICS) that control key functions in critical infrastructure are especially at risk of cyber attack. If saboteurs manage to compromise critical infrastructure services, a country’s economy and military defenses can be severely hampered.  In addition, since organizations that operate critical infrastructure often own valuable intellectual property, this information can be a target for foreign state actors trying to steal intellectual property to advance their economies or to win competitive bids.

So what is the current state of SCADA Security? In the past year we have seen some disturbing news that highlights the growing risk of SCADA attacks:

  • December 2014 - SCADA attack causes physical damage: In late 2014, an unnamed German Steel Mill suffered extensive damage from a cyber attack. The attackers were able to disrupt the control system and prevent a blast furnace from being shut down, resulting in ‘massive’ damage.
  • March 2015 - Energy sector hit the hardest: A report by the US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) found that it received 245 cyber incident reports from asset owners and industry partners in fiscal year 2014. The largest share, 79 incidents, occurred in the energy sector.
  • April 2015 - Number of SCADA attacks doubles: According to the 2015 Dell Security Annual Threat Report, SCADA attacks are on the rise. The report found that the number of attacks on SCADA systems in 2014 doubled compared to the previous year. Most of these attacks occurred in Finland, the United Kingdom, and the United States, most likely because SCADA systems in these countries are more often connected to the internet.
  • October 2015 - Nuclear industry especially at risk: Chatham House, a UK think-tank, reported that the risk of a cyber attack on nuclear infrastructure is growing. The trend towards the digitization of SCADA systems is increasing the vulnerability of nuclear facilities, and many are inadequately prepared. Even where facilities are air-gapped, this safeguard can be breached with nothing more than a flash drive.
  • November 2015 - SCADA Security priority for US military: At the recent CyberCon 2015 conference, LTG Alan Lynn, DISA (Defense Information Systems Agency) director, said, “We recognize the enemy will use the Internet to recruit, to take down SCADA systems. In short, we expect a cyberattack as a prelude to war.”

How Can SCADA Security Be Improved?

It is clear that SCADA security needs to be improved. The most common method used to protect SCADA and ICS systems is ‘air-gapping’ the control systems: completely disconnecting them from the internet and from the corporate network. This has the advantage that attackers cannot reach the system from the outside, but it severely hampers productivity, and it creates a new attack vector in the form of portable media. Since portable media such as USB devices, CDs and DVDs are often the only way to transfer data into a secure facility, they become the attack vector of choice for hackers. Not only can the files on a USB stick contain malware, the device itself can also be booby-trapped. Microsoft recently revealed a vulnerability in Windows which could allow an attacker to execute malicious code simply by connecting a booby-trapped USB device. Given these problems, how can SCADA security be improved?

The following three technologies can be used to bolster the security in SCADA and ICS systems:

  1. Portable Media Security: By extensively scanning any portable media such as USB sticks, CDs and DVDs for malware before they are allowed to connect to the secure network, as well as applying security policies to limit allowed file types and media devices, the portable media attack vector can be significantly minimized.
  2. Data Diode: By making use of a data diode or one-way gateway to connect lower security networks to higher security networks, data can only flow in a single direction (either into or out of the secure network), never both ways. This provides limited connectivity, which significantly improves productivity, while still maintaining the integrity of the secure network because nothing can travel back against the permitted direction.
  3. Secure File Transfer: Secure file transfer can be used to safely send data into the secure network. For instance, after the files on portable media have been scanned for malware, they can be forwarded into the secure network over a secure file transfer channel, avoiding the need to bring the portable media itself into the secure area. This not only improves productivity but also removes the risk of a booby-trapped USB device ever being connected to the secure network.

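Items 1 and 3 above describe two steps of one ingest procedure: enforce a policy on what the portable media may carry, then forward only the accepted files with a record the receiving side can verify. The following is an added example, not OPSWAT's code and not a malware scanner: it implements the file-type policy by inspecting leading magic bytes rather than trusting the file name, rejects files whose extension disagrees with their content, and emits a SHA-256 manifest for the transfer step. The allow-list, signature table and sample media contents are assumptions made for illustration; in practice this check sits beside the multi-engine scan, not in place of it, since an allowed type such as PDF can still carry an exploit.

```python
"""Added example (not OPSWAT's code): file-type policy for a portable-media
ingest plus a hash manifest for the onward secure transfer. Detection is by
content (magic bytes), so a renamed executable is not accepted as a document.
Allow-list, signatures and sample files are assumptions."""
import hashlib
import os

# Leading-byte signatures for the content types this policy recognises.
SIGNATURES = [
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"PK\x03\x04", "zip"),                            # also OOXML (docx/xlsx)
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),      # legacy Office containers
    (b"MZ", "exe"),                                    # Windows PE
    (b"\x7fELF", "elf"),
]
# Assumed site policy: only these content types may cross into the plant network.
ALLOWED_TYPES = {"pdf", "png", "jpeg", "txt"}
# The content type each permitted extension promises; anything else is a mismatch.
EXTENSION_TYPES = {".pdf": "pdf", ".png": "png", ".jpg": "jpeg",
                   ".jpeg": "jpeg", ".txt": "txt"}


def detect_type(data):
    """Identify content by magic bytes; fall back to 'txt' only for pure printable ASCII."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    if data and all(32 <= b < 127 or b in b"\t\r\n" for b in data):
        return "txt"
    return None


def check_file(name, data):
    """Return (accepted, reason). Rejects unknown content, types outside the
    allow-list, and files whose extension lies about what they contain."""
    kind = detect_type(data)
    if kind is None:
        return False, "unrecognised content"
    if kind not in ALLOWED_TYPES:
        return False, "type not allowed: %s" % kind
    ext = os.path.splitext(name)[1].lower()
    if EXTENSION_TYPES.get(ext) != kind:
        return False, "extension %r does not match content (%s)" % (ext, kind)
    return True, kind


def build_manifest(files):
    """Split (name, bytes) pairs into a transfer manifest {name: sha256} and a
    list of (name, reason) rejections. The receiving side recomputes each hash
    after transfer to confirm nothing was altered or substituted in transit."""
    manifest, rejected = {}, []
    for name, data in files:
        ok, reason = check_file(name, data)
        if ok:
            manifest[name] = hashlib.sha256(data).hexdigest()
        else:
            rejected.append((name, reason))
    return manifest, rejected


# Constructed sample media contents (not real files).
SAMPLE_FILES = [
    ("maintenance-log.txt", b"2015-12-01 pump 3 bearing replaced\n"),
    ("drawing.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("invoice.pdf", b"MZ\x90\x00" + b"\x00" * 60),        # executable renamed to .pdf
    ("photo.pdf", b"\xff\xd8\xff\xe0" + b"\x00" * 16),     # JPEG carrying a .pdf extension
    ("firmware.bin", b"\x7fELF\x02\x01\x01" + b"\x00" * 9),
    ("macro.xls", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8),
]

if __name__ == "__main__":
    accepted, dropped = build_manifest(SAMPLE_FILES)
    for name, digest in accepted.items():
        print("ACCEPT %-20s sha256=%s" % (name, digest))
    for name, reason in dropped:
        print("REJECT %-20s %s" % (name, reason))
```

The extension check matters even for allowed types: a JPEG named photo.pdf is harmless here, but the same mismatch is how a macro-enabled document or script arrives dressed as something the operator expects, so the policy refuses it rather than guessing.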
There is no doubt that in 2016 cyber security will be one of the top concerns for SCADA and ICS operators. By ensuring that security is planned into the system from the beginning rather than being added on as an afterthought, SCADA security can be strengthened and attacks can be countered.
