
Endpoint

4/9/2015
04:20 PM

Utilities And Education The Most Bot-Infested Sectors

The more bots in-house, the more a company is likely to have reported a data breach, BitSight report finds.

Utilities and the education sector harbor the most botnet infections, according to a new study that highlights how bot infections correlate with a higher rate of data breach.

"What I found interesting was that utilities had the most concerning industry-wide grade," says Tom Turner, executive vice president of BitSight Technologies, which published its findings today. The takeaway from this report: "If I'm assessing risk, there's a higher risk of publicly disclosed breach occurring within that industry."

BitSight, a security ratings firm, studied public breach disclosure data between March 2014 and March 2015 across the finance, retail, healthcare, utilities, and education industries. The study concluded that organizations with a botnet grade of B or below had experienced breaches at 2.2 times the rate of organizations with an A grade. BitSight's security-ratings algorithm calculates grades from a set of risk vectors, one of which is the presence of botnet infections.

The study found the percentage of publicly disclosed breaches among companies with an A grade was 1.7%, while for those with a B or below, it was 3.7%. "This does not mean the infections were the cause of the breaches; rather, it means that the infections and breach incidents are correlated," the report said.

Half of the utilities in the study received a botnet grade of B or lower. Among the botnets found in those companies were the TDSS botnet (30.2%), best known for burrowing into PCs such that it loads prior to Windows startup, Carufax (26.8%), ZeroAccess (15.1%), Sality (14.7%), and Banload (13.2%).

But education fared even worse, with 33% of institutions earning an F in their botnet grade, and less than 23% getting an A. The main botnets dogging universities: Jadre (59.2%), Flashback (22.1%), the Java exploit targeting Apple OS X, TDSS (8.3%), Zeus (6%), and Sality (4.4%).

"Although the Flashback botnet itself has largely been shut down, the large number of infections that still exist indicates that people are running machines that have not been updated; thus, they are still vulnerable to other forms of infection," the report says.

Financial services firms, not surprisingly, were the least bot-infected, with 74% receiving a grade of A. Even so, they harbored Zeus (46.1%), Sality (30.8%), and Viknok (10.4%), which is known for elevating operating system privileges, as well as Redyms (7.3%) and Cutwail (5.4%).

Forty-three percent of retailers, meanwhile, scored below an A grade for botnets. Zeus (38.9%), Dipverdle (22.7%), and ZeroAccess (19.2%) were the top infections here, followed by Cutwail (11.3%) and Mevade (7.9%).

A little over half of healthcare organizations scored an A. Zeus (39%), Cutwail (17.3%), Viknok (16.2%), Redyms (15.3%), and Qakbot (12.%) were found infecting this sector. "The fact that Viknok can be used to gain elevated operating system privileges, which can lead to theft of sensitive information, is concerning given the sensitivity of patient data," BitSight said in its report.

The report concludes that organizations with bot-infected machines are more likely to report a data breach. "The implications for organizations across industries are that botnet infections cannot be ignored. Companies with poor botnet grades have been breached far more often than those with good grades, and actions should be taken to mitigate these risks," the report says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
Comments
Dr.T,
User Rank: Ninja
4/13/2015 | 1:02:05 PM
Re: Education enterprise users: a legion of hackers and victims.
I agree. Unless we find a way of demonstrating how a security threat may impact them personally, students would be getting it. The same goes for employees when it comes to security awareness: we can continue to talk about it, but many employees would not care about what happens to the company's network or applications.
Dr.T,
User Rank: Ninja
4/13/2015 | 12:57:49 PM
Re: Not Surprising in Schools
Agree. You can even do gamification on the phishing test; it would be fun and informative, and students would love that.
Dr.T,
User Rank: Ninja
4/13/2015 | 12:55:51 PM
Re: Not Surprising in Schools
I like the idea of a phishing test. That would help the individual, the school, and then the companies who are hiring those students. A great way of starting security awareness.
Dr.T,
User Rank: Ninja
4/13/2015 | 12:53:35 PM
Botnet grade?
This is just my take on this. No need to introduce a new term to an already complex study of terminologies. There is no such thing as a botnet grade; you just need to identify what vulnerabilities and threats you are facing and evaluate risk based on that. It is as simple as Risk = Threats x Vulnerabilities. This is what we need to focus on.
madhu jy,
User Rank: Apprentice
4/13/2015 | 7:03:22 AM
Re: Not Surprising in Schools
nice post
Marilyn Cohodas,
User Rank: Strategist
4/10/2015 | 1:29:58 PM
Re: Not Surprising in Schools
Ryan, I've read about those phishing exercises and agree that it's a really solid way to get the message across (especially when the execs flunk the test). Not sure how well they would translate to an academic environment. But there really seems to be an urgent need for that environment.
RyanSepe,
User Rank: Ninja
4/10/2015 | 1:23:41 PM
Re: Not Surprising in Schools
@Marilyn. It's funny you should mention phishing tests, as many enterprises incorporate the same type of user awareness techniques. Many employees fail these tests, but it's the understanding afterwards that furthers their security presence.

To your point about conducting a phishing exercise, I very much agree. It's a simple yet very interesting way of introducing people to security.
Marilyn Cohodas,
User Rank: Strategist
4/10/2015 | 1:17:21 PM
Re: Not Surprising in Schools
Most colleges require some kind of Technology 101 class for incoming freshmen, but judging from my daughter's and her peers' information security savvy, the message needs to be much stronger. Maybe schools should make them pass a phishing test before giving them access to the network.
aws0513,
User Rank: Ninja
4/10/2015 | 11:04:09 AM
Education enterprise users: a legion of hackers and victims.
Recently, a local large university hired a new CISO.

I told my boss I do not envy his task. A university user community is comprised of staff, educators, and students. The students are the vast majority of that population. Because students do not have the culture of security that employees may have, they can be classified as either hackers or victims of hackers.

Moreover, many schools do not implement substantial security controls on their networks because students (and some educators) begin to squawk about "internet freedom" and "ability to conduct unfettered research". BYOD was common at universities before it was an acronym. The students expect, and in many cases are expected, to bring their own systems to the campus. I know of many campuses that have separated networks for students and staff/educators simply because of how dangerous the student side of the equation is.

Admittedly, many colleges have acceptable use policies for their enterprise networks, but it is often difficult to enforce most of these policies because of how they are written or because the college does not have very effective monitoring or forensics operations.

I distinctly remember a discussion I had with a network technician that said (paraphrased) "If we began to knuckle down on students conducting unacceptable activities on the network, we would likely have far less students on the rolls."

So the challenge may be: How is it possible to engage students on what good security controls and practices provide? If they understand the "why" factor of a security control they are not fond of, it may be easier to implement those controls while at the same time changing the behavior of students.

BTW... as for utility companies not doing well in the research results... there is no excuse. IMHO the cause is an apparent lack of urgency on utilities to get their IT security house in order.