
2014 CHECK POINT ANNUAL SECURITY REPORT

CHECK POINT 2014 SECURITY REPORT

Contents

01 INTRODUCTION AND METHODOLOGY 03
02 THE EXPLOSION OF UNKNOWN MALWARE 11
03 THE DEVIL YOU KNOW: Malware in the Enterprise 21
04 APP(ETITE) FOR DESTRUCTION: High-Risk Applications in the Enterprise 37
05 DATA LOSS INCIDENTS: The Big Comeback 49
06 THE SECURITY ARCHITECTURE FOR TOMORROW’S THREATS: Software-Defined Protection 59
07 ABOUT: Check Point Software Technologies 65

01 INTRODUCTION AND METHODOLOGY

SCANNING THE PRINTOUT, I COULD SEE THE HACKER GOING FISHING ON THE MILNET. ONE BY ONE, HE
TRIED FIFTEEN AIR FORCE COMPUTERS, AT PLACES LIKE EGLIN, KIRTLAND, AND BOLLING AIR FORCE
BASES. NO LUCK. HE’D CONNECT TO EACH COMPUTER, TWIST THE DOORKNOB ONCE OR TWICE, THEN
GO ON TO THE NEXT SYSTEM. UNTIL HE TRIED THE AIR FORCE SYSTEMS COMMAND SPACE DIVISION.
HE FIRST TWISTED ON THEIR DOORKNOB BY TRYING THEIR SYSTEM ACCOUNT, WITH THE PASSWORD
OF “MANAGER.” NO LUCK. THEN GUEST, PASSWORD OF “GUEST.” NO EFFECT. THEN FIELD, PASSWORD
“SERVICE.” […] SHAZAM: THE DOOR HAD SWUNG WIDE OPEN. HE’D LOGGED IN AS FIELD SERVICE.
NOT JUST AN ORDINARY USER. A COMPLETELY PRIVILEGED ACCOUNT. […] SOMEWHERE IN SOUTHERN
CALIFORNIA, IN EL SEGUNDO, A BIG VAX COMPUTER WAS BEING INVADED BY A HACKER HALFWAY
AROUND THE WORLD.
Clifford Stoll, The Cuckoo’s Egg1

More than twenty-five years ago, a UNIX admin tracked a 75-cent billing error back to an Eastern Bloc spy ring that was attempting to steal secrets from the United States government and military. The story of how he traced a path from the initial red flags to the discovery of the larger infestation and his battle against the intruder was recounted in The Cuckoo’s Egg and remains a model of the challenges of cyber defense. The technologies involved, the means of connection, and the methods of intrusion have evolved tremendously since the late 1980s, yet identifying compromised systems, incident responses, and securing systems and data against future attacks continue to define the core challenges of organizations worldwide, regardless of size and industry.


In 2013, information security gained its greatest prominence in the public consciousness, driven by high-profile data breaches. The theft and publication of U.S. intelligence information dominated the headlines for much of 2013 and shook diplomatic relationships across the globe. Large-scale breaches of payment card data erupted throughout the year and ruined the holiday season for major retailers and countless consumers alike. Cyber warfare and “hacktivism”2 reshaped the nature of conflicts among people and nations, even as the emergence of the “Internet of Things”3 brought more aspects of daily life onto the grid—and rendered them susceptible to threats.

Within the security community, an explosion of unknown malware—not just new threats, but new ways of creating and deploying undetectable threats on a massive scale—brought into question the viability of existing strategies and technologies. Even more familiar types of malware proved stubbornly resistant to the defenses in place, while mobility, consumerization and “shadow IT” vastly increased the complexity of the security challenge.

5 QUESTIONS THAT EVERY ENTERPRISE NEEDS TO ASK
1. HOW HAS TODAY’S RAPIDLY EVOLVING SECURITY LANDSCAPE AFFECTED YOUR ORGANIZATION?
2. WHAT THREATS HAVE YOU FACED, AND WHICH EMERGING RISKS MOST CONCERN YOU?
3. DO YOU FEEL THAT YOU HAVE THE RIGHT STRATEGY AND TOOLS TO RISE TO THE CHALLENGE—OR ARE YOU INCREASINGLY OVERWHELMED BY WAVE AFTER WAVE OF TROUBLING DEVELOPMENTS?
4. WHAT NEW MEASURES WILL YOU ADOPT IN THE YEAR TO COME?
5. HOW WILL YOU HELP YOUR ORGANIZATION AS A WHOLE TO MOVE TO A MORE SECURE FOOTING?

The Check Point security research team analyzed a year of event data from more than 10,000 organizations to identify the critical malware and information security trends in 2013 that organizations must address in 2014 and beyond. The Check Point 2014 Security Report presents the results of our research. This in-depth analysis of security threats and trends in 2013 will help security and business decision-makers understand the range of threats facing their organizations. The report also includes recommendations on how to protect against these and future threats. The highlights of our research are:

Chart: Malware Trends timeline, 1997 to 2014. Viruses (1997); Worms (2004); Spywares (2007); Adwares & DDoS, APTs (2010); and in 2014: Ransomware, Hacktivism, Next Gen APTs (Mass APT Tools), Utilizing Web Infrastructures (DNS), State Sponsored Industrial Espionage.


AN AVERAGE DAY IN AN ENTERPRISE ORGANIZATION

• Every 1 min a host accesses a malicious website
• Every 3 mins a bot is communicating with its command and control center
• Every 9 mins a High Risk application is being used
• Every 10 mins a known malware is being downloaded
• Every 27 mins an unknown malware is being downloaded
• Every 49 mins sensitive data is sent outside the organization
• Every 24 h a host is infected with a bot

Chart 1-1
Source: Check Point Software Technologies

COMPLETE THREAT PICTURE

Graphic: Understanding Your Security. IT Environment – Users, Data, Systems; Business Objectives; Malware – Threat Landscape.

• The use of unknown malware exploded, driven by the trend of malware “mass customization”4—an average of 2.2 pieces of unknown malware (malware that hasn’t been seen before) hit organizations every hour.
• Malware exposure and infections increased across the board, reflecting the increasing success of targeted malware campaigns—in 2013, 73% of organizations had at least one bot detected, compared with 63% in 2012.
• Every category of high-risk application increased its presence in enterprises worldwide—for example, 63% of organizations saw BitTorrent usage, compared with 40% in 2012.
• Data loss incidents increased across industries and data types—88% of organizations experienced at least one potential data loss incident, compared with 54% in 2012.

Data sources for this report
The Check Point 2014 Security Report is based on a collaborative research and analysis of security events gathered from Check Point security gateway threat analysis reports (Security Checkup)5, Check Point Threat Emulation6 sensors, Check Point ThreatCloud™7, and Check Point Endpoint Security reports.8

A meta-analysis of network security events at 996 companies was conducted using data collected from Check Point Security Checkup assessments, which scanned the companies’ incoming and outgoing live network traffic. This traffic was inspected by Check Point multi-tier Software Blades9 technology to detect a variety of high-risk applications, intrusion attempts, viruses, bots, sensitive data loss and other security threats. The network traffic was monitored in real time by implementing the Check Point Security Gateway10 inline or in monitor (tap) mode.


On average, each organization’s network traffic was monitored for 216 hours. The companies in our research reflected a wide range of industries located globally as depicted in Chart 1-2.

In addition, events from 9,240 security gateways were analyzed using data generated by Check Point ThreatCloud. ThreatCloud is a massive security database updated in real time and populated with data collected from a large network of global sensors strategically placed around the globe. ThreatCloud gathers threat and malware attack information and enables identification of emerging global security trends and threats, creating a collaborative network to fight cyber crime. For our research, ThreatCloud data gathered over the full 12 months of 2013 was consolidated and analyzed.

Threat data for unknown malware was gathered from Check Point Threat Emulation sensors for the period between June and December 2013. Check Point Threat Emulation performs cloud-based sandboxing and dynamic analysis of suspicious files detected by Check Point gateways. Anonymized Threat Emulation data from 848 security gateways was relayed into ThreatCloud for aggregation, correlation and advanced analysis.

Finally, a meta-analysis of 1,036 Endpoint Security reports in a variety of organizations was conducted. This security analysis scanned each host to validate data loss risks, intrusion risks and malware risks. The analysis was performed with a Check Point Endpoint Security report tool which checks whether an antivirus solution was running on the host, if the solution was up-to-date, whether the software was running on the latest version, and more. This tool is free and is publicly available. It can be downloaded from the Check Point public website.

Chart 1-2: Geography of the companies in the research: Americas, EMEA*, APAC** (24%, 47%, 29%). Industries: Government, Telco, Consulting, Industrial, Finance, Other (shares shown: 1%, 4%, 12%, 15%, 22%, 46%).
* EMEA – Europe, Middle East and Africa
** APAC – Asia Pacific and Japan.
Source: Check Point Software Technologies

The Check Point 2014 Security Report core data is complemented with examples of published incidents that illustrate the nature of today’s threats, their impact on the affected organizations and their implications for the security community. Expert recommendations provide guidance for ensuring that your security strategy and solutions are relevant and effective for protecting against today’s security risks. The report is divided into chapters addressing unknown malware, known malware, high-risk applications and data loss.

02 THE EXPLOSION OF UNKNOWN MALWARE

The threat of unknown malware

Traditional security technologies such as Anti-Virus and Intrusion Prevention systems are most effective in detecting attempts to exploit known software and configuration vulnerabilities and to some extent they are also preemptive in protecting against unknown exploits. Hackers understand this and have the luxury of testing their new malware and exploits against these technologies to check whether they are detected.

The arms race between security vendors and hackers leads to a fast-paced evolution in the techniques used by hackers, who are continuously trying to use both unknown vulnerabilities (also known as zero-day exploits, since it usually takes hours or days until they are detected and protections are provided for them) and unknown infection methods in order to circumvent security defenses.

THE KNOWN IS FINITE, THE UNKNOWN INFINITE
Thomas Henry Huxley11

In late 2013, Check Point malware researchers working with our Threat Emulation service discovered and analyzed a new malware variation that employed a sophisticated combination of techniques to hide itself from proxies and anti-malware solutions. Referred to as “HIMAN”12 by industry researchers, this malware exemplified the traits of the targeted attacks that are challenging enterprises and IT security professionals around the world.

A Security Gateway run by a Check Point customer subscribed to Threat Emulation service scanned a Microsoft Word document that was attached to an email

Chart 2-1: New malware found per year
2009: 12,000,000
2010: 18,000,000
2011: 18,500,000
2012: 34,000,000
2013: 83,000,000
144% INCREASE IN NEW MALWARE FOUND FROM 2012 TO 2013
Source: AV-Test.org

2.2 PIECES OF UNKNOWN MALWARE HIT AN ORGANIZATION EVERY HOUR

from the address “boca_juniors@aol.com” with the Subject line “Reception Invitation.” When opened in a sandbox environment, it exploited a known vulnerability (CVE-2012-0158) in order to drop a file named “kav.exe” in the user’s Local Settings\Temp folder of the target computer. The name of the dropper file seems to be a decoy initial name intended to resemble the Kaspersky antivirus executable13, and the malware itself appears to be related to previous malware campaigns which researchers attributed to one or more Chinese APT groups. Analysis revealed that the file is a two-stage dropper that renames itself in the process of installing itself on the target system, and then hooks the explorer.exe process to load a malicious DLL.

Check Point security researchers conducted a search of databases of known malware and found that no antivirus vendor was able to detect this malware at the time it was discovered.

The malware injected a malicious library (mswins64.dll), using a series of Windows function calls and mutual exclusion checking to install the malware in the client system in a manner designed to avoid detection by existing anti-malware solutions. Once installed, the malware wrote an entry in the registry using a registry path other than the well-known ones that are commonly employed by the malware process—and which are therefore more closely monitored by anti-malware software. This combination of lesser-used API calls and registry paths enables the malware to increase its chances of evading detection.

HIMAN shows how malware writers are leveraging expertise in Windows API calls, OS behavior and the operation of anti-malware tools to avoid detection, without having to go to the expense of developing or purchasing a true zero-day vulnerability. This sophistication extends to the command and control (C&C) communications and exfiltration processes as well: HIMAN can brute-force outbound proxies using stored credentials, encrypt collected data using AES14, and employ obfuscation techniques during exfiltration to evade outbound filtering.

Once successfully installed, and having established a verified connection to a functioning C&C server, HIMAN dynamically composes and runs a script that collects data about running services, local accounts with Administrator rights, and other information about system configuration and any parts of the local network that are visible to the infected machine. Armed with this information, an attacker has a map of the local network and a launch pad into their target organization for further reconnaissance, lateral movement, exfiltration and execution of attacks on servers, systems and business processes.

Using a combination of known and rare techniques to establish a foothold in the network of a targeted organization and steal sensitive information, the HIMAN malware highlights both the flexibility of malware writers and attackers, and the challenges facing security professionals in 2013.

LESS THAN 10% OF ANTIVIRUS ENGINES DETECTED UNKNOWN MALWARE WHEN IT WAS FIRST CAUGHT IN THE WILD


TARGETED ATTACK, GLOBAL CAMPAIGN

On October 22, 2013, a media company received six suspicious emails which were subsequently analyzed by the Check Point Threat Emulation service.

• From: No-Replay@UPS.COM
• Subject: UPS Delivery Notification
• Attachment: invoiceBQW8OY.doc (MD5 ad0ef249b1524f4293e6c76a9d2ac10d)

During automated simulation in a virtual sandbox of a user opening a potentially malicious file, multiple abnormal behaviors were detected:
• Microsoft Word crashed and reloaded with an empty document
• A registry key was set
• A new process was initiated on the end device

As a result, Check Point Threat Emulation determined that this file was malicious.

Further analysis by Check Point security researchers discovered that the documents from all six emails were identical and exploited the CVE-2012-0158 vulnerability affecting Microsoft Word. This vulnerability, also known as the MSCOMCTL.OCX RCE18, allows remote code execution on the end device.

Analysis identified the malicious payload as a customized variant of the Zbot Trojan19, which steals information by man-in-the-browser attacks, keystroke logging, form grabbing and other methods. Registering these samples at VirusTotal20 revealed a low (<10 percent) detection rate for both the malicious attachment and the Zbot variant at the time of submission.

Check Point security researchers analyzed the different URLs from which the malicious document was downloaded and determined that a list of unique parameters passed to the infecting servers was in fact a Base64 encoded target designator containing the targeted email address. These unique URLs represented email addresses of users in large international organizations—including financial institutions, international car manufacturers, telcos, government agencies, and North American education and municipal organizations—that were targeted by this attack. These targets indicate that the attacks are part of a targeted campaign designed to capture user credentials, banking information and other information that could be used to gain access to the targeted organizations’ most sensitive data.
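As an added example (not from the report and not Check Point's tooling), a defender-side parser that applies the finding above to web-proxy log lines: it decodes Base64-looking query parameters on document-download URLs, reports those that decode to an email address, and groups the targets by the host that served the document. The log lines, hostnames and addresses are constructed; the email pattern and the handling of stripped padding and URL-safe alphabets are this example's assumptions.

```python
import base64
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Loose email shape; enough to recognise a decoded designator.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def decode_designator(value):
    """Return the email address hidden in a Base64 query value, or None.

    Two transit alterations are handled: a '+' that parse_qsl turned into a
    space, and the URL-safe alphabet ('-', '_'). Stripped '=' padding is
    restored. Invalid Base64, or text that is not shaped like an address,
    yields None.
    """
    variants = {
        value.replace(" ", "+"),
        value.translate(str.maketrans("-_", "+/")),
    }
    for variant in variants:
        padded = variant + "=" * (-len(variant) % 4)
        try:
            text = base64.b64decode(padded, validate=True).decode("utf-8")
        except ValueError:  # binascii.Error and UnicodeDecodeError both derive from it
            continue
        if EMAIL_RE.fullmatch(text.strip()):
            return text.strip().lower()
    return None


def parse_log(log_text):
    """Yield (timestamp, client, url) from the constructed three-field lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1], parts[2]


def find_designators(log_text):
    """One hit per query parameter that decodes to an email address."""
    hits = []
    for ts, client, url in parse_log(log_text):
        parts = urlsplit(url)
        for name, value in parse_qsl(parts.query):
            target = decode_designator(value)
            if target:
                hits.append({"time": ts, "client": client, "host": parts.hostname,
                             "param": name, "target": target})
    return hits


def campaign_targets(log_text):
    """Group decoded targets by the host that served the document: one host
    handing out many distinct per-recipient designators is the campaign
    pattern the report describes."""
    by_host = defaultdict(set)
    for hit in find_designators(log_text):
        by_host[hit["host"]].add(hit["target"])
    return {host: sorted(targets) for host, targets in by_host.items()}


def _designator(email):
    """Standard Base64 of an address, the scheme the report describes;
    used only to build the constructed sample log below."""
    return base64.b64encode(email.encode()).decode()


# Constructed proxy log (timestamp, client IP, requested URL); not real campaign data.
SAMPLE_LOG = "\n".join([
    "2013-10-22T09:14:03Z 10.1.4.22 http://docs.example-bad.test/invoice.php?id="
    + _designator("user.one@media-co.example"),
    "2013-10-22T09:14:41Z 10.1.4.23 http://docs.example-bad.test/invoice.php?id="
    + _designator("finance@bank.example"),
    # Same scheme with the '=' padding stripped by the sender.
    "2013-10-22T09:15:02Z 10.1.4.24 http://docs.example-bad.test/invoice.php?id=Y2ZvQGJhbmsuZXhhbXBsZQ",
    # Valid Base64 that is not an address ('homepage'): must not be reported.
    "2013-10-22T09:15:10Z 10.1.4.22 http://cdn.example-bad.test/track.gif?ref=aG9tZXBhZ2U=",
    # Ordinary browsing, and a parameter that is not Base64 at all.
    "2013-10-22T09:16:55Z 10.1.4.30 http://www.example.test/index.html",
    "2013-10-22T09:17:02Z 10.1.4.31 http://docs.example-bad.test/invoice.php?id=not%21base64",
])

if __name__ == "__main__":
    for hit in find_designators(SAMPLE_LOG):
        print(f"{hit['time']} {hit['client']} -> {hit['host']} targets {hit['target']}")
    print(campaign_targets(SAMPLE_LOG))
```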

35% OF FILES INFECTED WITH UNKNOWN MALWARE ARE PDFs

2013: Promising start, disappointing finish

Security administrators are becoming more and more acquainted not only with targeted attacks, but also with the new tools required to fight them. Automated, network-based malware sandboxing technologies were well-known tools to security teams at large companies and public agencies, who deployed them as add-on layers to their existing security infrastructure to help detect targeted malware that might otherwise evade their existing signature- and reputation-based defenses at the gateway and endpoint.

However, 2013 saw a dramatic increase in the frequency of “unknown malware”—attacks that applied the obfuscation and evasion techniques of APTs to known malware in targeted campaigns with a global reach (see inset: Targeted Attack, Global Campaign). While laser-focused, targeted attacks with highly specialized malware remain a challenge, now “mass customization” means that the heightened effectiveness of targeted malware is also available to broader-reaching campaigns that are motivated by financial gain.

“Unknown” or “zero-day”

It is important to distinguish between unknown malware and what are often referred to as “zero-day” exploits. Zero-day malware exploits a previously unknown and unreported vulnerability for which there is no patch. Unknown malware refers to malicious code that exploits a known vulnerability or weakness, but cannot be detected at the time of its discovery even by up-to-date antivirus, anti-bot or Intrusion Prevention System (IPS) solutions. The window of effectiveness for an unknown malware is often only 2–3 days, because its existence in the wild gives antivirus vendors time to detect it on their global networks and build signatures for it.

This is a crucial distinction because it enables us to understand the true nature of the kinds of malware that exploded on the scene in 2013.

Making the unknown known

In 2013, Check Point emulation engines, an advanced form of automated malware sandboxing, deployed around the world, detected that 2.2 pieces of unknown malware struck organizations every hour, a rate of 53 every day.

Check Point research found that two main factors drove this sudden increase in frequency:
1. Attackers were employing automated mechanisms for creating evasive, unknown malware on a large scale, and then targeting organizations around the world through coordinated campaigns in order to maximize their effectiveness.
2. The manual investigation and response processes that had been employed to mitigate targeted attacks would be unable to keep up with this new high volume of incidents.

How Sandboxing Works (Chart 2-2)

1. File received via email attachment or downloaded.
2. Unknown file: suspicious files are sent to a local or off-box virtual sandbox (Inspection Service).
3. Open and run the unknown file in a virtual OS. Monitor for malicious action in: Registry; File system; Services; Network socket.
4. File OK: if clean, continue to destination. If malicious, possible actions: Continue to destination with alert; Block.
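As an added illustration (not from the report and not Check Point's engine), the verdict step of the sandbox flow above written as a small rule engine in Python. The monitored areas follow the chart and the first sample trace mirrors the three abnormal behaviours listed for the delivery-notification document in the inset; the weights, threshold, event names and traces are this example's assumptions. The "prevent" and "detect" modes correspond to the block and continue-with-alert actions the chart lists, the distinction the chapter's recommendations turn on.

```python
from dataclasses import dataclass
from enum import Enum


class Area(Enum):
    """Monitored areas from Chart 2-2. PROCESS is this example's addition so the
    inset's 'new process initiated' and 'Word crashed' indicators can be expressed."""
    REGISTRY = "registry"
    FILESYSTEM = "file system"
    SERVICES = "services"
    NETWORK = "network socket"
    PROCESS = "process"


@dataclass(frozen=True)
class Event:
    """One observation made while the file runs in the virtual OS."""
    area: Area
    action: str
    detail: str = ""


# Weights and threshold are assumptions of this example, not Check Point's
# scoring. A document viewer opening a clean file should trigger none of these.
RULES = {
    (Area.PROCESS, "crash_reload"): 3,         # viewer crashed and reopened an empty document
    (Area.PROCESS, "spawn"): 3,                # new process started on the end device
    (Area.REGISTRY, "set_key"): 2,             # registry key written
    (Area.FILESYSTEM, "write_executable"): 3,  # executable dropped on disk
    (Area.SERVICES, "create"): 4,              # new service installed
    (Area.NETWORK, "connect"): 2,              # outbound socket opened
}
MALICIOUS_THRESHOLD = 5


def analyze(events):
    """Verdict step of the flow: sum the weights of monitored actions that fired.
    Returns (score, triggered) so an analyst can see why a file was flagged."""
    triggered = [e for e in events if (e.area, e.action) in RULES]
    score = sum(RULES[(e.area, e.action)] for e in triggered)
    return score, triggered


def verdict(events):
    return "malicious" if analyze(events)[0] >= MALICIOUS_THRESHOLD else "clean"


def decide(events, mode="prevent"):
    """Map the verdict to the chart's possible actions. 'prevent' blocks a
    malicious file inline; 'detect' lets it continue to its destination with an
    alert, the detection-only posture the chapter's recommendations argue against."""
    if mode not in ("prevent", "detect"):
        raise ValueError("mode must be 'prevent' or 'detect'")
    if verdict(events) == "clean":
        return "continue"
    return "block" if mode == "prevent" else "continue_with_alert"


# Constructed event traces, not captured sandbox output. The first mirrors the
# three abnormal behaviours listed for the delivery-notification document above.
MALICIOUS_DOC = [
    Event(Area.PROCESS, "crash_reload", "winword.exe"),
    Event(Area.REGISTRY, "set_key", "HKCU\\Software\\Example\\Run (constructed path)"),
    Event(Area.PROCESS, "spawn", "dropped.exe (constructed name)"),
]
CLEAN_DOC = [
    Event(Area.FILESYSTEM, "read", "invoice.doc"),
    Event(Area.FILESYSTEM, "write_temp", "~WRL0001.tmp"),  # ordinary autosave, no rule
]
ONE_KEY_ONLY = [Event(Area.REGISTRY, "set_key", "recent-files list")]  # below threshold

if __name__ == "__main__":
    for name, trace in (("malicious", MALICIOUS_DOC), ("clean", CLEAN_DOC), ("one key", ONE_KEY_ONLY)):
        score, fired = analyze(trace)
        print(name, score, [f"{e.area.value}:{e.action}" for e in fired],
              verdict(trace), decide(trace, "prevent"), decide(trace, "detect"))
```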


Analysis of detections in 2013 showed that the majority of unknown malware was delivered to targeted customers via email, most often embedded in attachments. In 2013, PDF was the most popular format, accounting for almost 35 percent of the files detected by emulation to contain unknown malware, designed to exploit unpatched versions of Adobe Reader (Chart 2-3). Ongoing research shows that the EXE and archive formats are also popular, accounting for 33% and 27% of malicious files analyzed, respectively.

A flood of new malware

Analysis of Check Point 2013 malware data highlights the high frequency with which unknown malware was detected at gateways around the world. Data from external sources confirmed these findings. AV-TEST21, an independent IT security and anti-virus research institute, registers over 220,000 new malicious programs every day. AV-TEST recorded over 80 million new malware in 2013, more than double compared with 2012.

Of the Microsoft Office file formats, the most popular was Word (.doc), though our analysis of malware sandboxing data found that attackers spread their attacks around other formats as well. In all, we detected unknown malware in 15 different Office file types, including template files for Word and PowerPoint, and multiple Excel formats. Although the majority of malicious archive files were in the ZIP format—presumably because all Windows systems have the ability to open ZIP archives—Check Point analysis nonetheless detected malware in all of the other major archive file types, such as tar, RAR, 7z and CAB.

Chart 2-3: Types of Unknown Malware (share of malicious files analyzed)
PDF: 35%
EXE: 33%
Archive: 27%
Microsoft Office: 5%
Source: Check Point Software Technologies

2.2 PIECES OF UNKNOWN MALWARE STRUCK ORGANIZATIONS EVERY HOUR, A RATE OF 53 EVERY DAY

Our research into 2013 malware data sheds much greater light on this trend and its widespread impact. Across our entire sample, one-third of organizations downloaded at least one infected file with unknown malware.


TALES FROM THE CRYPTER

In order to bypass detection by anti-malware software, modern malware authors maintain and use specialized obfuscation tools called “crypters.” To verify that their variants are undetected, malware authors avoid online antivirus scanning platforms such as VirusTotal and others which share samples with anti-malware vendors, and instead utilize private services such as RazorScanner, Vscan (aka NoVirusThanks) and chk4me. Crypters are classified by hacker communities as UD (UnDetectable) or FUD (Fully UnDetectable) according to their success at evading antivirus detection.

In 2013, Check Point Threat Emulation detected a crypted and previously unknown malware variant designed to deliver the DarkComet remote administration tool (RAT)23. In the case of our detected sample, an embedded PDB string revealed it to be a product of the iJuan Crypter, which is available online both as a free (UD) version as well as a premium (FUD) purchase option. Technically classified as a Portable Executable (PE)24 Packer, and not to be confused with encrypting ransomware such as CryptoLocker25, crypters like this sample disguise executables through the use of various encryption and encoding schemes, cleverly combined and recombined, often more than once.

This detected sample, which was able to evade most antivirus solutions, was compared with a similar detection from a different country, which was determined to be a differently obfuscated version of the same DarkComet payload, and to be communicating to the same C&C server. Together, these factors indicate that these two distinct detections—one in Europe and the other in Latin America—are in fact part of the same campaign.

These detections highlight the inner workings of the family of advanced attacks that are changing both the threat landscape and the range of solutions that security managers need in order to defend their networks and their data.

This explosion of unknown malware has been driven in part by the accessibility of obfuscation techniques that had in the past required specialized skills, tools or both (see inset: Tales from the Crypter)22. The cases we have studied in this chapter illustrate the ways in which the malware now being delivered has achieved a higher degree of sophistication than often associated with mere variants. This sophistication compounds the challenges they pose because it requires more subtle, intelligent detection and analysis capabilities to be deployed on a scale beyond the management, monitoring and incident response resources available in many organizations.

Recommendations

The explosion in 2013 of unknown malware means that organizations must revisit tools and processes deployed primarily to detect and respond to low-volume targeted attacks. Detection-only capabilities that require manual mitigation and lack automatic blocking leave security teams overwhelmed as they attempt to keep up with the wave of unknown malware striking their networks.

Emulation, or advanced automated malware sandboxing, is now a must-have solution for any organization. Even the most responsive antivirus, anti-bot and IPS solutions will face a 2–3 day window during which unknown malware remains undetected—an interval more than sufficient for attackers to gain a foothold within an organization.


Chart: Life Cycle of a Malware. Creation: DIY Kit/Malware Toolkit (SpyEye, Zeus Builder, Citadel Builder); Packer/Crypter (UPX, PFE CX); Binder/Joiner (File Joiner, EXEBundle). Malware QA: Crypter/Packer Validation and Multi-AV Scan (GUI Detection, NoVirusThanks, Indectables.net). Outcome: Known Malware, or Unknown Malware Launched.

Critically, these solutions must be an integral part of an organization’s security infrastructure rather than an additional layer that runs on top of it. Organizations should look for emulation solutions that can provide:
• Integration—Seamless integration with existing gateways, mail and endpoint infrastructure is the only way to scale and deploy without increasing complexity and cost. Mail integration is especially critical as email is the primary attack vector against clients both on and off the network.
• Prevention—Detection-only approaches are no longer sufficient for high-volume unknown malware. Organizations must look for prevention-based solutions that provide the ability to detect and automatically block unknown malware before it can reach its destination.
• Automation—Reducing manual processes for analysis and mitigation enables organizations to keep up with these attacks while also addressing other security and business objectives. Automated prevention is critical, but so are reporting and workflow integration for efficient notification and response.

The rapid rise of unknown malware clearly changes the game in security, calling for new strategies and technologies as well as an approach to security that can provide effective protection without overwhelming the organization’s resources. Adapting to these new requirements should be seen as a top priority—and one of considerable urgency—for every organization. At the same time, more familiar and long-established types of attacks continue to pose a serious threat, and require continued vigilance and proactive countermeasures. The latest trends on known malware are explored in the next chapter.

EMULATION, OR ADVANCED AUTOMATED MALWARE SANDBOXING, IS NOW A MUST-HAVE SOLUTION FOR ANY ORGANIZATION

03 THE DEVIL YOU KNOW: MALWARE IN THE ENTERPRISE

Information security dominated the news in 2013, from revelations about state-sponsored cyber surveillance programs and hacks on organizations such as the Washington Post and Yahoo, to high-profile malware outbreaks like CryptoLocker and breaches of retail customer data on a scale that dwarfed anything previously reported.

WE WORRIED FOR DECADES ABOUT WMDs—WEAPONS OF MASS DESTRUCTION. NOW IT IS TIME TO WORRY ABOUT A NEW KIND OF WMDs—WEAPONS OF MASS DISRUPTION.
John Mariotti26

The past year made 2012 seem calm by comparison—and 2012 was not a quiet time for cyber attacks by any stretch. That year was itself notable for the quantity and scale of its cyber attacks, including surging hacktivism, state-sponsored hacks on media and businesses, and data breaches at financial institutions around the world. The top 2012 malware trends noted in the Check Point 2013 Security Report27 were:
• Democratization of advanced persistent threats
• Pervasiveness of botnets
• Increase in vulnerabilities expanding the attack surface

In our research, we found that these trends not only continued in 2013, but accelerated in almost every regard, from the frequency with which malware enters organizations to the extent and severity of bot infections.

Faster is not always better

If there is a single statistic from Check Point security research in 2013 that best captures the malware challenges now confronting security administrators, it is the rising frequency with which malware was downloaded by the organizations we studied (Chart 3-1). In 2012, almost half (43 percent) of the organizations we analyzed experienced a user downloading malware at a rate of less than one per day, and another 57 percent experienced a malware download every 2 to 24 hours.

84% OF ORGANIZATIONS DOWNLOADED A MALICIOUS FILE


In 2013, by contrast, almost two-thirds (58 percent) of organizations experienced a user downloading malware every two hours or less. This acceleration in the pace of cyber attacks on organizations is reflected across all of the statistics from our latest security research. In this chapter, we explore the specifics of this shift and its implications for security and managers, with a look first at the changes in the vulnerabilities that create the attack surface for malware writers and hackers.

58 PERCENT OF ORGANIZATIONS EXPERIENCED A USER DOWNLOADING MALWARE EVERY TWO HOURS OR LESS

Chart 3-1: Malware Download Frequency (% of organizations), 2013 vs. 2012
Up to 2 hours: 58% (2013), 14% (2012)
2–6 hours: 13% (2013), 19% (2012)
6–12 hours: 12% (2013), 12% (2012)
12–24 hours: 11% (2013), 12% (2012)
More than 1 day: 7% (2013), 43% (2012)
Source: Check Point Software Technologies

Fewer vulnerabilities, or a false hope?

The only risk factor in the information security landscape that did not increase in 2013 was the number of reported vulnerabilities. At first glance, this would seem to offer some relief after 2012 data that suggested that the recent downward trend in reported vulnerabilities had reversed, as their numbers surged 27 percent over the 2011 count to 5,297, as tracked by the Common Vulnerabilities and Exposures (CVE) database (Chart 3-2). Indeed, 2012 saw a vulnerability landscape that expanded the target opportunities for attackers, and also increased the area that security administrators—already struggling with the introduction of mobile devices and consumer services into the enterprise network—needed to defend.

Chart 3-2: Total Number of Common Vulnerabilities and Exposures
2013: 5,191
2012: 5,297
2011: 4,155
2010: 4,651
2009: 5,736
2008: 5,632
Source: Common Vulnerabilities and Exposures (CVE) database

But did 2013 truly represent a positive trend? In some respects, yes. Vulnerability defense typically involves two main approaches:
• Applying available vendor patches to vulnerabilities in order to correct the issue. For client systems, this is now often done automatically, with little or no testing; for servers, additional testing is often required in order to verify that patches carry no adverse effects.
• Deploying intrusion prevention systems (IPS) to detect and, if desired, block attempts to exploit known vulnerabilities. This is sometimes done as a stopgap measure until an update can be applied as part of the normal patching cycle. In other cases, IPS is the primary, long-term means of defense for systems that cannot be patched for a variety of reasons.

24
2014 CHECK POINT ANNUAL SECURITY REPORT

60
03 THE DEVIL YOU KNOW: MALWARE IN THE ENTERPRISE

EVERY SECONDS
A HOST ACCESSES A
MALICIOUS WEBSITE

The number of newly reported vulnerabilities tends to have a direct positive correlation with the workload of security and IT organizations. In this light, 2013 certainly seems to have brought good news for overworked security managers. The CVE database showed a decrease in the number of reported vulnerabilities to 5,191 for the year, a modest 2 percent year-over-year decrease from 2012, and included a 9 percent decrease in the number of “critical” vulnerabilities reported.

But the story isn’t as black-and-white as it may appear. While fewer vulnerabilities were reported, industry experts agree that an increasing number of critical vulnerabilities are being siphoned off by the gray and black markets—a potentially more dire development (see inset: Zero-days, big dollars).

ZERO-DAYS, BIG DOLLARS

Despite an increase in bounty programs by vendors for vulnerabilities detected by researchers, the high market value of true zero-day vulnerabilities is causing researchers to sell them to “gray-hat”28 government agencies—those working with hackers to expand their cyber defense capabilities—and professional penetration testing organizations. An even more lucrative underground malware market serves black-hat hackers; here, prices for previously unreported vulnerabilities vary by target platform, ranging from $5,000 for Adobe Reader to up to $250,000 for Apple iOS. The availability of zero-day exploits to buyers puts advanced cyber attacks within reach of any organization, regardless of their technical skills.

Target platform: price
Adobe Reader: $5,000-$30,000
Mac OS X: $20,000-$50,000
Android: $30,000-$60,000
Flash or Java browser plug-ins: $40,000-$100,000
Microsoft Word: $50,000-$100,000
Microsoft Windows: $60,000-$120,000
Firefox or Safari browsers: $60,000-$150,000
Chrome or Internet Explorer browsers: $80,000-$200,000
Apple iOS: $100,000-$250,000
Source: Forbes

EVERY 10 MINUTES A HOST DOWNLOADS MALWARE

Even as more new vulnerabilities drift “off the map” and potentially into the hands of malware writers, the distribution of reported vulnerabilities highlights another challenge facing security and IT managers (Chart 3-3). Oracle remained the top platform for reported vulnerabilities in 2013, many of which were found in the Java products that are used widely in both server and client applications, thus presenting a large target opportunity for attackers. Microsoft, meanwhile, moved further down the list to fourth, with more reported vulnerabilities in Cisco and IBM products, including large-scale server and network infrastructure components that are not always covered by IPS protection policies and monitoring.

Most organizations have well-defined processes for timely deployment of Microsoft patches. The same does not apply to client applications such as Java and Adobe Reader, and this gap leaves them exposed to browser-based attacks through spear phishing (targeted phishing emails) and “watering hole” attacks, in which an attacker compromises a popular website and embeds malware in it that can infect any vulnerable client that views that particular page.

Chart 3-3: 2013 Top Vulnerabilities and Exposures by Vendor (number of vulnerabilities)
Oracle: 496
Cisco: 433
IBM: 394
Microsoft: 345
Google: 192
Apple: 192
Redhat: 191
Linux: 190
Sun: 175
Mozilla: 160
Source: Common Vulnerabilities and Exposures (CVE) database

Endpoints: Unpatched, unrestricted, and unprepared
Endpoint Security statistics from our 2013 research confirm that keeping up with these patches remains a major challenge, particularly for client systems (Chart 3-4). Despite the widespread adoption of regular processes for applying Microsoft patches, 14 percent of the endpoints analyzed did not have the latest Microsoft Windows service packs, which roll up all previously released patches and updates. More importantly, 33 percent of enterprise endpoints did not have the current versions for client software such as Adobe Reader, Adobe Flash Player, Java and Internet Explorer, leaving gaps that render these clients vulnerable to many attacks.

Far from offering hope to beleaguered security and IT managers, then, the environment in 2013 turns out to have been highly favorable for attackers:
• More vulnerabilities on the black market, where they remain unreported and unpatched
• Widespread unprotected clients
• A shift in the number of vulnerabilities towards applications and platforms that are less regularly patched

Chart 3-4: Enterprise Endpoint Vulnerabilities and Misconfigurations (% of hosts)
Hosts where user has local Administrator permissions: 38%
Hosts that have at least one Bluetooth device installed: 53%
Hosts that do not have updated AV signatures: 18%
Hosts that do not have updated software versions*: 33%
Hosts that do not have the latest Service Pack**: 14%
Hosts not running desktop firewall: 23%
* The following software was checked: Acrobat Reader, Flash Player, Java, Internet Explorer
** The Microsoft Windows platforms checked: Windows XP, Windows 2003, Vista, 2008, 2008 R2, Windows 7
Source: Check Point Software Technologies

The vulnerability of these systems is compounded by the fact that almost one-fifth (18 percent) of hosts studied did not have the latest signatures for their antivirus solution. The consequences of this lapse can be considerable; an attacker who succeeds in gaining a toehold on a vulnerable client can gain a solid platform for exploring the rest of the target organization’s network. Of the enterprise endpoints analyzed, fully 38 percent configured the users with local Administrator permissions, enabling malware to run in the system (root) context when it executes, rather than being limited to the user context.

Chart 3-5: Security Events by Top Software Vendor (% of organizations), 2013 vs. 2012
Microsoft: 67% (2013), 68% (2012)
Adobe: 15% (2013), 13% (2012)
VideoLAN: 10% (2013), 1% (2012)
Squid: 4% (2013), 2% (2012)
3Com: 4% (2013)
Oracle*: 4% (2013), 15% (2012)
CA Technologies: 3% (2013)
Novell: 2% (2013), 5% (2012)
* Java+Oracle+Sun Solaris
Source: Check Point Software Technologies

33% OF HOSTS DO NOT HAVE UPDATED SOFTWARE VERSIONS

Servers are where the money is
In 2013, Check Point research found that servers remain a primary target of attacks detected by network-based intrusion prevention systems (IPS) by almost 2-to-1 (Chart 3-7). Considering the weak state of client systems described above, one wonders: Why attack servers when they are more likely to be patched and closely guarded? For much the same reason that Willie Sutton robbed banks, as he purportedly put it: “Because that’s where the money is.”30 Application servers are network-facing and sometimes even Internet-facing in a DMZ, and automated attacks are well-suited to servers because they can exploit vulnerabilities in services or applications without end-user interaction. Servers can be port- and service-scanned from outside the network or from a compromised internal client, and then targeted with attacks specific to the version of the applications or OS they are running. Thus, there are many remote attacks that, if successful, will give an attacker remote control of the system.

Chart 3-7: Security Events by Platform, 2013 (% of total)
Server: 68%
Client: 32%
Source: Check Point Software Technologies

Chart 3-8: Top Attack Vectors (% of organizations)
Code Execution: 51%
Memory Corruption: 47%
Buffer Overflow: 36%
Denial of Service: 23%
Information Disclosure: 16%
Integer Overflow: 12%
Authentication Bypass: 9%
Brute Force: 2%
Stack Overflow: 2%
Privilege Escalation: 1%
Registration Spoofing: 0.2%
Source: Check Point Software Technologies

The top attack vectors observed in our 2013 research (Chart 3-8) lean heavily toward remote code execution (RCE)31, with the top three by incidence being code execution, memory corruption and buffer overflows. Even Denial of Service (DoS) attacks can support a server attack by serving as a smokescreen to distract from the much lower-profile server attack as it is happening. By the time the smoke clears, the attack is complete and the target server has been compromised.

Clients: Unpatched, Unrestricted and Unprepared
Clients represent ready targets as well, especially for network-based attacks that attempt to propagate across an internal network or on an unprotected public network. In addition to missing patches and service packs that fix known and easily targeted services such as RPC32, clients are often left vulnerable by important protection capabilities that have been disabled. For example, almost one quarter (23 percent) of enterprise endpoints analyzed by Check Point did not have a desktop firewall enabled, and more than half (53 percent) had enabled Bluetooth, exposing them to wireless attacks in public spaces.

Client systems also offer many other avenues for compromise, primarily by exploiting user behavior with email or web browsing. In these areas, the data from our 2013 analysis reflects both the acceleration in malware activity and the shift to mass customization.

JOKE OF THE DAY: END USERS ARE STILL A WEAK LINK

Email remains the favored propagation vector for malware. An example from 2013 shows that even today, end users remain unwary of simple attacks, creating a ready distribution mechanism for malware among many organizations.

In October 2013, a user working at a large manufacturer in France received an email message with the subject line “Blagounette du jour,” or “Joke of the day.”33 Attached to the email message was a 6MB Microsoft Excel file.

Automated analysis of suspicious incoming documents within a virtual sandbox revealed that the Excel file extracted an image from the Excel application into the computer’s file system, and changed the registry’s wallpaper key to the new image. Because the image was often perceived as humorous, the unsuspecting end user would be likely to share this “joke” by forwarding the email message to friends and co-workers. Further analysis found that this was exactly what happened, as the document was forwarded to at least three additional large French organizations.

Fortunately for these organizations, this specific document did not carry a malicious payload and was not designed to cause any damage to the computers of the users who opened it. However, it included all the ingredients of a targeted malware campaign. Users who opened this document exposed their computers and their organizations to a significant risk, one compounded by those who forwarded it to co-workers and to friends working at other organizations, who became an additional vector in the spread of a joke of the day that was really no laughing matter.

Chart 3-9: Access to Malicious Sites by Number of Hosts (% of organizations), 2013 vs. 2012
1–2 Hosts: 36% (2013), 31% (2012)
3–4 Hosts: 20% (2013), 18% (2012)
5–8 Hosts: 18% (2013), 20% (2012)
9–16 Hosts: 12% (2013), 16% (2012)
More than 16 Hosts: 15% (2013), 15% (2012)
Source: Check Point Software Technologies

In 2013, the incidence of hosts accessing a malicious site continued to increase. Our research shows that on average, every 60 seconds a host accesses a malicious website. With the exception of the “1–2 hosts” range, Chart 3-9 shows that the distribution of the number of hosts accessing malicious sites remained relatively unchanged from 2012. This apparent good news belies a deeper problem, as it is an effect of spear-phishing campaigns that target a limited number of users within an organization and leverage social media profiling to create an email that is more likely to be opened by the recipients. Rather than blanketing the entire organization with an easily detected phishing email, these attacks target one or two users in an organization, a more effective approach that yielded a 20 percent increase in hosts accessing a malicious site compared to 2012.

This trend also explains the 2013 surge in incidences of hosts downloading malware, as 76 percent of organizations analyzed had 1–4 hosts download malware, a 69 percent increase over 2012, while incidences remained the same or decreased for all other user counts (Chart 3-10).

A small number of hosts accessing malicious sites and downloading malware at a greater number of organizations drove an overall acceleration of malware activity in 2013. On average, a host accesses a malicious website every minute, and every ten minutes malware is downloaded.

49% OF ORGANIZATIONS HAD 7 OR MORE BOT-INFECTED HOSTS

73% OF ORGANIZATIONS HAD AT LEAST ONE BOT DETECTED, COMPARED WITH 63% IN 2012

CRYPTOLOCKER BLOCKER

CryptoLocker, a strain of malware known as “ransomware,” was first identified at the beginning of September 2013. Like other forms of ransomware, CryptoLocker installs itself on the victim computer and runs in the background encrypting various user data files, unknown to the end user.

When the encryption phase is complete, CryptoLocker displays a prompt informing the user that their files have been “taken hostage” and demanding the payment of a ransom to the criminals to decrypt the files. The description states that if the user does not comply with this request within the payment window (often less than four days), the private key needed for decryption will be deleted from their servers, rendering the victim’s data permanently unrecoverable.

There is no currently known alternative method for restoring access to encrypted files.

An important trait of CryptoLocker is that the malware agent needs to find and initiate communication with a command and control (C&C) server before it can begin the process of encrypting the files. The most effective way to defeat CryptoLocker is therefore to detect and block the initial communication attempt by the agent, before it can connect with the C&C server and start the encryption process.

CryptoLocker showed that bot detection, often regarded as a reactive measure, can also play a proactive, preventive role in advanced malware defense. During the CryptoLocker outbreak in late 2013, organizations that employed intelligent anti-bot solutions were able to mitigate the damage from CryptoLocker infections in their networks by not only identifying infected clients, but also blocking that critical initial C&C communication.

Chart 3-10: Number of Hosts that Downloaded Malware (% of organizations)
1–4 Hosts: 76%
5–8 Hosts, 9–16 Hosts, 17–32 Hosts and More than 33 Hosts: the remaining 24% (slices of 12%, 5%, 4% and 3%)
Source: Check Point Software Technologies

Bots extend their reach
As would be expected from this increase in infiltration activity, Check Point research found a corresponding increase in bot infections and activity in 2013. If for infiltration the theme was a lower volume of more targeted attacks, for bots the converse was true: high volume and high frequency. In 2013, organizations with 22 or more bot-infected hosts increased almost 400 percent (Chart 3-11), while smaller bot infestations actually decreased.

This should not be taken to mean that bot infections were decreasing overall, since more than one-third (38 percent) of organizations still had at least 1–3 bot-infected hosts.

Moreover, the stakes for bot infections are arguably getting higher with the advent of a new generation of ransomware, exemplified by the outbreak of CryptoLocker in late 2013 (see inset: CryptoLocker Blocker).

Not only are organizations struggling with more extensive bot infestations in their environments, but the bots are more active as well. Bot communication with C&C servers increased dramatically in frequency in 2013, with 47 percent of organizations detecting C&C communication attempts at a rate of more than one per hour, an 88 percent increase over 2012 (Chart 3-12). Averaged across our entire research sample, a bot is attempting to communicate with its C&C server every three minutes. Every one of these communication attempts is an occasion for the bot to receive instructions and potentially exfiltrate sensitive data outside the affected organization. This acceleration in C&C communication frequency represents a serious threat to organizations struggling to protect the security of their data and systems.

Chart 3-11: Number of Hosts Infected with Bots (% of organizations), 2013 vs. 2012
1–3 Hosts: 38% (2013), 48% (2012)
4–6 Hosts: 14% (2013), 18% (2012)
7–9 Hosts: 8% (2013), 10% (2012)
10–21 Hosts: 18% (2013), 18% (2012)
22–35 Hosts: 7% (2013), 0% (2012)
More than 35 Hosts: 16% (2013), 6% (2012)
Source: Check Point Software Technologies

77% OF BOTS ARE ACTIVE FOR MORE THAN 4 WEEKS
Bot activity duration: more than 4 weeks 77%, less than 4 weeks 23%
Source: Check Point Software Technologies

Chart 3-12: Frequency of Bots’ Communication with Their Command and Control Center (% of organizations), 2013 vs. 2012
Up to 1 hour: 47% (2013), 25% (2012)
1–2 hours: 40% (2013), 45% (2012)
2–4 hours: 3% (2013), 6% (2012)
More than 4 hours: 10% (2013), 24% (2012)
Source: Check Point Software Technologies

Bot defense becomes more vital, and more challenging
Increased frequency also presents an opportunity for security managers to detect, cut off and begin shutting down bot infections in their networks. Detecting bot communication is often the easier task; eradicating bots without re-imaging the infected system can present a bigger challenge. Effectively blocking bot communication is becoming the most difficult part of anti-bot warfare due to the newer, more sophisticated C&C channels employed by DGA-based botnets to evade traditional filtering and blocking tools (see inset: Not Your Father’s Phishing Campaign)34.

NOT YOUR FATHER’S PHISHING CAMPAIGN

In 2013, phishing campaigns analyzed by the Check Point Security and Malware Research Group highlighted the increasingly sophisticated techniques that today’s phishing attacks employ to evade the blacklists that are the heart of most traditional defenses, including utilization of some form of dynamic URL scheme that evades detection by static blacklists. In the case of the phishing campaign around the Nuclear exploit kit, this scheme also resists analysis by malware researchers.

Analysis of CryptoLocker by our researchers revealed another aspect of this trend: as a Domain Generation Algorithm (DGA) based botnet35, CryptoLocker employs dynamic, seemingly randomly generated domain names to establish communication between a bot and C&C server. The CryptoLocker bots generate 1,000 new domains every day, while on the other end CryptoLocker’s managers register the same 1,000 new domains and then discard them after 24 hours. As a result, the malicious domains have little chance of being detected and registered by the industry resources that build and maintain blacklists of known malicious URLs and domains.

Viewed as a whole, these recent malware campaigns highlight the important role of dynamic URLs and domain names in these attacks, specifically in evading the static blacklists that have traditionally been used to detect and block phishing and bots. Dynamic URLs and DGA leverage the infrastructure of the Internet itself to generate obscure or single-use variants that confound a system of defenses based on looking for and blocking traffic from and to addresses that have been previously detected on a global network and classified as malicious.

These observations reflect a much larger trend in the malware industry. Attackers are exploiting weaknesses in the domain name system and traditional URL blacklisting methods to evade existing defenses and reach their targets. In their research findings for the second quarter of 2013, the Anti-Phishing Working Group (APWG)36 found that while the .com top-level domain (TLD)37 remained the most commonly used in phishing campaigns (44 percent of total phishing, up from 42 percent in Q1), some countries’ TLDs are more common in phishing attacks than are actually registered; for example, Brazil (.br) has only 1 percent of registered domains but accounts for 4 percent of phishing email TLDs. Phishers and malware writers are exploiting the sheer number of possible TLDs for countries alone to generate an immense number of unique domain names and URLs, and the controls that many assume are in place to prevent this kind of abuse are not working. APWG’s “Global Phishing Survey 1H2013: Trends and Domain Name Use”38 report explores the role of domain names in phishing attacks in greater detail and finds that the domain registrars are either asleep at the wheel or actively abetting the phishers.

This problem is only going to get worse. In 2013, the Internet Corporation for Assigned Names and Numbers (ICANN)39 announced plans to increase the number of top-level domains from the current 22 to 1,400, including TLDs in non-Latin characters such as Arabic, Chinese and Cyrillic, among others. While the APWG notes that non-Latin character TLDs have been available for years and have not shown signs of significant use among phishers, there is every reason to believe that attackers will look for ways to leverage them as security vendors become more sophisticated in stopping URLs and phishing domains that use Latin-based characters. These will test the limits of all blacklisting and URL filtering techniques that rely on lists—whether local or cloud-based—of known malicious or suspicious URLs and create a virtually infinite pool of single-use URLs that can be employed for phishing emails, and domain names that can be used for DGA-based botnets.
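The CryptoLocker inset (block the agent's first C&C contact) and the DGA discussion above are two sides of one detection problem: the names a DGA bot queries are never on a static list, but the burst of failed lookups it produces while walking its daily list is visible in resolver logs. The Python below is an added example, not Check Point's code or anything from the report; it runs over a constructed resolver log in an assumed four-field format, uses assumed thresholds, and contrasts what a static blacklist catches with what an NXDOMAIN-burst heuristic catches.

```python
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed resolver log (hosts, names and times are made up). Assumed
# line format: "<ISO timestamp> <client> <queried name> <rcode>".
SAMPLE_LOG = """\
2013-11-05T09:00:01 10.0.0.12 www.example.com NOERROR
2013-11-05T09:00:03 10.0.0.12 mail.example.com NOERROR
2013-11-05T09:00:09 10.0.0.12 examlpe.com NXDOMAIN
2013-11-05T09:00:15 10.0.0.12 stackoverflow.com NOERROR
2013-11-05T09:00:20 10.0.0.77 badsite.example.net NOERROR
2013-11-05T09:01:00 10.0.0.41 kqvxbtmzrwlpoyhs.net NXDOMAIN
2013-11-05T09:01:04 10.0.0.41 zmlqprtvwkxhgbdn.org NXDOMAIN
2013-11-05T09:01:08 10.0.0.41 hrtkwpxzmqbvlcgd.com NXDOMAIN
2013-11-05T09:01:12 10.0.0.41 pzrkmtvwqxlbhgsn.net NXDOMAIN
2013-11-05T09:01:16 10.0.0.41 xwtmbpqrzvklhngd.biz NXDOMAIN
2013-11-05T09:01:20 10.0.0.41 vrkqzxmtlwpbghsn.info NXDOMAIN
2013-11-05T09:01:24 10.0.0.41 trwpkqvmzbxlhgdn.com NXDOMAIN
2013-11-05T09:01:28 10.0.0.41 mzbkqwxtprvlhgns.org NXDOMAIN
2013-11-05T09:01:32 10.0.0.41 qlwzrkmtxpbvhgdn.net NXDOMAIN
2013-11-05T09:01:36 10.0.0.41 bkrqmtzwxvplhgns.com NXDOMAIN
2013-11-05T09:01:40 10.0.0.41 wkqzmtbprvxlhgdn.com NOERROR
"""

# Constructed static blacklist: it knows one bad domain and cannot know the
# ~1,000 names a DGA bot tries each day, so it never sees host 10.0.0.41.
STATIC_BLACKLIST = {"badsite.example.net"}
VOWELS = set("aeiou")

def parse_log(text):
    """Log text -> list of (timestamp, client, name, rcode)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, client, name, rcode = line.split()
            events.append((datetime.fromisoformat(ts), client, name.lower().rstrip("."), rcode))
    return events

def second_level_label(name):
    """The label a DGA generates: 'kqvxbtmzrwlpoyhs.net' -> 'kqvxbtmzrwlpoyhs'."""
    parts = name.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def shannon_entropy(s):
    """Bits per character; near-random labels approach log2(26), about 4.7."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def looks_generated(name):
    """Lexical corroboration (assumed thresholds): long, high-entropy, vowel-poor
    label. A long real word such as 'stackoverflow' passes on its vowel ratio."""
    label = second_level_label(name)
    if len(label) < 10:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) >= 3.2 and vowel_ratio <= 0.25

def blacklist_hits(events, blacklist):
    """What list-based URL filtering alone would catch."""
    return [e for e in events if e[2] in blacklist]

def find_dga_hosts(events, window=timedelta(minutes=5), min_nx=8, min_ratio=0.7):
    """Flag clients that fail to resolve >= min_nx distinct names inside one
    window, of which >= min_ratio look generated. A DGA bot walks its daily
    list until a name resolves, so the tell-tale is the NXDOMAIN burst, not
    any particular domain. Returns {client: sorted unresolved names}."""
    nx_by_host = defaultdict(list)
    for ts, client, name, rcode in events:
        if rcode == "NXDOMAIN":
            nx_by_host[client].append((ts, name))
    flagged = {}
    for client, nx in nx_by_host.items():
        nx.sort()
        hits, start = set(), 0
        for end in range(len(nx)):
            while nx[end][0] - nx[start][0] > window:
                start += 1
            names = {n for _, n in nx[start:end + 1]}
            if len(names) >= min_nx and sum(map(looks_generated, names)) / len(names) >= min_ratio:
                hits |= names
        if hits:
            flagged[client] = sorted(hits)
    return flagged

def suspected_c2(events, flagged):
    """For each flagged host, the generated-looking names that DID resolve: the
    rendezvous domain registered for the day. Blocking this first contact is
    what stops a CryptoLocker-style agent before it starts encrypting."""
    out = defaultdict(list)
    for _, client, name, rcode in events:
        if client in flagged and rcode == "NOERROR" and looks_generated(name):
            out[client].append(name)
    return dict(out)

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hosts = find_dga_hosts(evs)
    print("blacklist caught:", [e[1:3] for e in blacklist_hits(evs, STATIC_BLACKLIST)])
    print("DGA-like hosts:", hosts)
    print("C&C contacts to block:", suspected_c2(evs, hosts))
```

The blacklist flags only host 10.0.0.77; the burst heuristic flags 10.0.0.41 and isolates the one generated name that resolved, which is the contact an anti-bot gateway would need to block.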

Recommendations
Check Point analysis of the security landscape in 2013 reveals that malware activity increased across all categories. This increase had three main aspects:
• Greater infiltration activity, in which users are exposed to malware through malicious websites, emails and downloads
• Increased post-infection threats in the form of larger bot infections with more frequent C&C communication
• More attacks on a wider range of platforms, targeting vulnerabilities not just on servers and Windows clients, but also network and server infrastructure and less-managed applications

As a whole, this acceleration in cyber attack activity represents a daunting challenge for enterprise business and security leaders who were already straining to meet the malware challenges described in the Check Point 2013 Security Report. The only way for organizations to effectively manage this acceleration in malware activity, and to fight the accelerated pace of attacks, infection and exfiltration in their environment, is to automate and coordinate multiple layers of defense. Essential measures include:
• Gateway and endpoint antivirus with URL filtering—Organizations must be able to detect and block malware and attempts to connect to sites that are known distributors of malware.
• Gateway anti-bot—In addition to detecting malware, these solutions should have the intelligence to mitigate DGA-based botnet communications.
• Extended IPS protection—Beyond monitoring, you should be able to enable blocking for critical severity attacks. The system should cover network, server and IT infrastructure systems from Cisco and other vendors and platforms, not just Microsoft Windows.
• Comprehensive system and application maintenance—Ensure that vulnerability management and patching processes are in place for all systems and applications, including Java and Adobe Reader, not just Microsoft Windows clients and servers.
• Best practices for client and server configuration—These include restricting use of Administrator privileges, disabling Java and other scripting, and limiting applications that end users can install on their endpoints.

In the next chapter, we will examine our 2013 research findings regarding applications and the risks they pose to enterprise data and end users.

04 APP(ETITE) FOR DESTRUCTION: HIGH-RISK APPLICATIONS IN THE ENTERPRISE

BUT IF WE’RE ONLINE, THE WHOLE WORLD IS LOCAL.
Neal Stephenson, Cryptonomicon40

Application control represents an internal challenge that complements and compounds the external challenges posed by cyber attacks. Applications are essential to productivity and the routine operation of every organization, but they also create degrees of vulnerability in its security posture. From a security perspective, they resemble the denizens of George Orwell’s Animal Farm41: all applications are equal, but some are more equal than others.

High-risk applications epitomize these challenges. Unlike productivity applications like Microsoft Office and increasingly accepted Web 2.0 social media applications such as Facebook, LinkedIn, Twitter, WebEx and YouTube, high-risk applications enable anonymous web surfing, cloud-based storage and sharing of files, remote use of desktop applications and data, and sharing of media and other files between users and computers. High-risk applications often run on the fringes of officially sanctioned IT solutions, if not altogether outside them, and make up part of the growing shadow IT of end user-driven applications, devices and services that are operating within corporate networks with little or no oversight.

86% OF ORGANIZATIONS HAVE AT LEAST ONE HIGH-RISK APPLICATION*
* P2P File Sharing, Anonymizers and File Storage and Sharing

Chart 4-1: Top High-Risk Applications per Region

EMEA*
Anonymizers: Tor · Hide My Ass! · OpenVPN
P2P File Sharing: BitTorrent Protocol · Soulseek · eDonkey Protocol
File Storage and Sharing: Dropbox · Windows Live Office · Hightail (formerly YouSendIt)
Remote Administration: RDP · TeamViewer · LogMeIn

Americas
Anonymizers: Tor · Ultrasurf · Hotspot Shield
P2P File Sharing: BitTorrent Protocol · Soulseek · Box Cloud
File Storage and Sharing: Dropbox · Windows Live Office · Hightail (formerly YouSendIt)
Remote Administration: RDP · LogMeIn · TeamViewer

APAC**
Anonymizers: Ultrasurf · Tor · Hide My Ass!
P2P File Sharing: BitTorrent Protocol · Xunlei · Soulseek
File Storage and Sharing: Dropbox · Windows Live Office · Hightail (formerly YouSendIt)
Remote Administration: TeamViewer · RDP · LogMeIn

* EMEA – Europe, Middle East and Africa
** APAC – Asia Pacific and Japan
Source: Check Point Software Technologies

Chart 4-2: Percentage of Organizations Using High-Risk Applications (% of organizations), 2013 vs. 2012
Remote Admin: 90% (2013), 81% (2012)
File Storage and Sharing: 86% (2013), 80% (2012)
P2P File Sharing: 75% (2013), 61% (2012)
Anonymizer: 56% (2013), 43% (2012)
Source: Check Point Software Technologies

In 2012, Check Point security research found that high-risk Web 2.0 applications were pervasive throughout enterprise infrastructure and posed significant risks for compromise and data leakage. Our analysis of enterprise network security in 2013 found that despite their well-known risks, the incidence of high-risk applications increased across all categories (Chart 4-2). This chapter examines the findings for each category and shares recommendations for mitigating this challenge.

Danger in anonymity
Anonymizer applications are primarily associated with providing users a means to surf the Internet and view websites while preserving their anonymity. They typically rely on creating an encrypted tunnel to a set of HTTP proxy servers to allow users to bypass firewalls and content filtering restrictions. Some, such as Tor, employ additional routing obfuscation techniques and even special software or browser plug-ins to enable users to cover their tracks and evade employer, government or other controls.

In 2013, Check Point research recorded an overall increase in the use of anonymizers in enterprise networks, with more than half (56 percent) of analyzed organizations registering at least one incident of anonymizer use, a 13 percent increase over 2012.

PORTAL TO THE DEEP WEB

Also known as The Onion Router, Tor[42] was again the most widely detected anonymizer application in our 2013 research. Tor was already well known for its uses as a vehicle for anonymous browsing that also easily bypasses organizational security policies, but in 2013 it earned new notoriety as a portal to the Deep Web, the shadowy underbelly of the open and searchable Internet, or “Surface Web”[43]. Characterized by inaccessibility from standard search tools, the Deep Web gained attention in 2013 in response to heightened concerns in the U.S. and abroad about surveillance and privacy, and to notoriety through the Silk Road arrests[44].

Other anonymizer applications pose a similar administrative challenge, but Tor’s role as a gateway to Onionland and other areas of the Deep Web makes it a particular risk for security managers. While it provides anonymity and a marketplace for a vast underground, the Deep Web is also rife with malware and scams, and organizations are right to worry that employees who use Tor to escape from real or perceived surveillance will end up exposing their computers and the organization to a high degree of risk. More recently, investigators have determined that credit card data stolen from numerous retailers using the ChewBacca[45] remote access Trojan was exfiltrated to server drop-points using Tor.

Free speech and anonymity are essential freedoms and must be preserved for individuals. For security administrators in enterprise environments, however, detecting and blocking use of Tor and other anonymizers on company systems and within corporate networks must be a top priority in 2014 and beyond.

Individual anonymizer applications saw uneven gains, however, with Tor actually detected in fewer organizations than in 2012: 15 percent in 2013, compared to 23 percent in 2012 (Chart 4-3). This reflects increased attention to—and restriction of—Tor in enterprise security policies, and with good reason (see inset: Portal to the Deep Web). However, it could also result in part from employees engaging in anonymous browsing less frequently from corporate systems and networks, or from users switching to other anonymizer applications that are less well-known and therefore less likely to be blocked by corporate policies.

Chart 4-3: Most Popular Anonymizer Applications (% of organizations), 2013 / 2012
Tor: 15% / 23%
Ultrasurf: 14% / 8%
Hide My Ass!: 12% / 7%
OpenVPN: 10% / 3%
CoralCDN: 10% / n/a
Source: Check Point Software Technologies


Touted by free-speech and privacy advocates, anonymizers have helped protect the secrecy—and even the lives—of dissenters in countries undergoing periods of unrest. More recently, revelations about state-sponsored surveillance have driven adoption by users in Europe and Asia as a refuge from real or perceived cyber snooping. The regional differences in detected incidences of anonymizer use in corporate networks attest to this factor, and also point to the relative success of security administrators in the Americas at constraining the use of this category of high-risk applications (Chart 4-4).

Like the mythical hydra[46], if administrators succeeded in cutting off Tor in 2013, it was only to see six more anonymizers sprout to take its place. The incidence of the remaining top ten anonymizer applications all increased compared to 2012.

Chart 4-4: Usage of Anonymizer Applications by Region (% of organizations), 2013 / 2012
Americas: 54% / 49%
EMEA: 58% / 40%
APAC: 54% / 35%
Source: Check Point Software Technologies

Who smells a RAT?

The most widely detected category of high-risk applications in our 2013 research was remote administration applications. The best known is Microsoft Remote Desktop (RDP)[47], but many others are in wide use around the world, with TeamViewer surging in popularity from 2012 (Chart 4-5). These applications do have legitimate uses, when they enable IT and corporate Helpdesk teams to service and manage employee desktops around the world (see inset: Remote Admin Tools: The Good, the Bad and the Ugly). However, many organizations have adopted these tools haphazardly based on tactical needs, so that rather than standardizing on a single remote admin application, IT organizations instead employ three or more depending on the platform, connection and task. In 2013, remote admin applications were the only ones for which the highest incidence of use was found in the industrial vertical, with 90 percent of enterprises in this space recording at least one detected incidence of these apps.

Chart 4-5: Top Remote Administration Applications (% of organizations), 2013
RDP: 71%
TeamViewer: 71%
LogMeIn: 50%
VNC: 21%
GoToAssist RemoteSupport: 8%
Ammyy Admin: 7%
Source: Check Point Software Technologies


REMOTE ADMIN TOOLS: THE GOOD, THE BAD AND THE UGLY

Remote administration tools are sometimes confused with remote access tools due to their common acronym, “RAT.” In practice, while remote administration tools carry significant security and operational risks, these are different from those associated with remote access tools such as ChewBacca, Poison Ivy[48], DarkComet and the famed Back Orifice[49]. Essentially Trojans in practice, remote access tools have no legitimate use in a corporate network, and as a major threat their detection should generate a rapid response for removal, remediation and forensic analysis of potential data exposure.

The most well-known remote administration tools, on the other hand, often proliferate in networks in response to the needs of IT and corporate helpdesk teams as they attempt to resolve issues and provide application and data access across an ever-expanding range of end-user devices and platforms. The remote administration tool TeamViewer is a good example of the trend in these tools. In 2013, TeamViewer’s presence on surveyed networks surged in popularity, driven by the end to the free version of the popular LogMeIn and an expanding feature set that includes extensive support for non-Windows platforms, conferencing and collaboration features, and solid performance over a variety of connections without having to make the firewall changes required by RDP.

This comes at a price, because the features that make it a new favorite for IT teams also make it attractive to end users who want to remotely access their work computers from their smartphone, tablet or even home PC, thus opening holes in the corporate network and putting the security of the organization at risk. In these cases, even a well-intentioned employee can turn a good RAT into a dirty rat.

P2P file sharing: Not Safe for Work

Peer-to-peer (P2P) file sharing applications are used to share files between users. Often used for distributing copyrighted material, legal and pirated software, and other media, P2P file sharing is a favorite vehicle for spreading malware, which can be embedded within the shared files. In addition to distributing malware to unsuspecting or unprepared users, P2P applications can create a backdoor into corporate networks—one that can allow attackers into a network and to leak sensitive data outside the network.

Moreover, the frequent use of P2P applications such as BitTorrent for distributing copyrighted music and film files exposes organizations to liability for action from the Recording Industry Artists Association (RIAA), who have become aggressive in working with Internet Service Providers (ISPs) to identify and pursue the sources for distribution of pirated or unlicensed content (Chart 4-6). In 2013, BitTorrent remained the most popular P2P file sharing application, its detected incidences increasing from 40 percent of organizations in 2012 to 63 percent in 2013. Incidences of detected P2P file sharing applications increased consistently in all regions.

Chart 4-6: Top P2P File Sharing Applications (% of organizations), 2013
BitTorrent Protocol: 63%
Soulseek: 25%
eDonkey Protocol: 14%
Xunlei: 13%
Box Cloud: 10%
Source: Check Point Software Technologies

File storage and oversharing

The ability to create and share content easily between devices and users is a defining trait of Web 2.0 applications. File storage and sharing applications play an important role in enabling this ability by making it easy for users to save content in a folder on one device and then have it automatically replicate to the cloud and synchronize across all of their other associated devices. Extending this by sharing with other users is often as easy as sending a link to the recipients, who can then access and even modify the shared files.

Obviously, this ease of sharing exposes an organization to significant risk of “oversharing,” whether inadvertent or intentional, by users who synchronize sensitive corporate data from a protected system at work to other, unprotected devices and even to folders shared with other users.

In 2013, Dropbox extended its lead as the most popular file storage and sharing application, detected in 85 percent of analyzed networks, up from an incidence rate of 69 percent in 2012 (Chart 4-7). This was in contrast to almost all of the other top file storage & sharing applications, which fell in frequency compared to 2012, reflecting in part a consolidation by enterprises on a single, company-sanctioned application, but also the continued popularity of Dropbox among end users, who pull it into corporate environments as part of the “shadow IT”[50] infrastructure.

Chart 4-7: Top File Storage and Sharing Applications (% of organizations), 2013 / 2012
Dropbox: 85% / 69%
Windows Live Office: 48% / 51%
Hightail (formerly YouSendIt): 26% / 22%
SugarSync: 16% / 13%
ImageVenue: 15% / 9%
Mendeley: 14% / 4%
Source: Check Point Software Technologies

Social creatures

Social media platforms are an integral feature of Web 2.0 and have gained broad, if sometimes grudging, acceptance in corporate IT environments. In the Check Point 2013 Security Report, we described the ways in which Facebook exposed employees to hacking and social engineering, and recommended increased user education and defenses at the endpoint and network.

DROPBOX WAS FOUND IN 85% OF ORGANIZATIONS


DROPBOX SMACKED

2013 was notable as the year in which attackers and researchers realized the potential for file storage and sharing applications to serve as tools for infiltrating organizations and exfiltrating sensitive data. In March, it was revealed that hackers had developed a mechanism to use Evernote to support the command and control (C&C) and exfiltration communications for bot networks.

Soon afterwards, in April, a researcher detailed a mechanism for spreading malware into an organization using Dropbox‘s synchronization capabilities. Called DropSmack[51], the attack involves embedding macro commands in a file with a .doc extension and a legitimate header, and then placing this file in a Dropbox folder of a user from the targeted organization. It does not matter whether the computer is a company-managed device or one owned by the employee; once DropSmack is installed on one device, Dropbox’s automatic synchronization routines replicate it to the Dropbox folder on every device associated with that account. DropSmack enables an attacker to bypass perimeter and even most device-level defenses for infiltration, C&C, lateral movement and exfiltration.

The introduction of new security features in Dropbox such as encryption and two-factor authentication was intended to address the concerns of security managers, but as DropSmack shows, these applications still have great potential for sharing malware and need to be monitored closely in corporate environments, if they are to be allowed at all.

In 2013 these risks remained, and were exacerbated by the increasing role of social media as an essential tool for hackers in planning and carrying out targeted attacks.

Once attackers have targeted an organization and identified individuals within it who have access to the desired data, the attacker builds a social media profile of each target employee (Chart 4-8). This profile tells the attacker valuable information such as websites and online shopping services commonly used by the employee, friends and associates from whom they might expect to receive email, and significant events that they have attended recently or will attend. Armed with this information, an attacker can create a very legitimate looking, spear-phishing email to the target employee with a high probability of success. We only need to look back to the findings of chapter 3 to see the effects of this profiling.

Chart 4-8: Social Media Profile (Target: Your Company; User: John Q Employee; multiple other stylized social media inputs)

Among social media applications, Facebook remains the most popular, measured in terms of bandwidth consumption in the enterprise environments we analyzed for our 2013 research (Chart 4-9). Twitter and LinkedIn again rounded out the top three social media applications, but all saw a decrease in overall incidences compared to 2012. This likely has less to do with decreased use by employees than with a shift from work PCs and access through the corporate network to using mobiles and wireless data connections. While this shift may have the benefit of reducing the strain on corporate networks and decreasing the immediate malware threat to company-owned PCs, the widespread use of file storage and sharing applications such as Dropbox means that an infection on a user’s personal MacBook or tablet can easily jump to their corporate system (see inset: Dropbox Smacked).

Chart 4-9: Top Social Network Bandwidth Utilization (% of organizations), 2013
Facebook: 47%
Twitter: 11%
LinkedIn: 10%
Flickr: 9%
Pinterest: 8%
Source: Check Point Software Technologies

Recommendations

High-risk applications of all kinds continue to pose a rising threat in the enterprise, even as the specific tools favored by end users change over time. While some of these, especially anonymizers and P2P networks, have no legitimate business use and should be eradicated entirely, tools for remote administration and file sharing and storage can address legitimate needs for users and IT, posing a more complex challenge. Even commonly accepted social media platforms such as Facebook, LinkedIn and YouTube, which can play an important role in social media marketing and content marketing strategies, can present an attractive vector for spear-phishing attacks. While malware protection can focus on comprehensive detection, prevention and eradication as its guiding principles, applications call for a more nuanced approach. This should include:

Category-based application control—Administrators need to be able to block entire families of applications if they choose, rather than have to enable blocking for them one-by-one. This not only simplifies administration, but it enables policy controls to be applied to new applications as they are adopted by employees to replace applications that have been blocked or restricted.

Standardization on sanctioned applications—Organizations that need remote administration tools to support IT or business functions should standardize on a single application, and then monitor their networks for the presence of other remote admin tools. If blocking is not feasible, their presence should trigger a notification and investigation process to determine who is using them and how they are being used, and verify whether these are valid exceptions to policy or tactical digressions that should be brought in line with policy. Moreover, monitoring and enforcement should be tied to specific, authorized users or user groups, in order to ensure that only those employees with a valid business need are able to use them. A similar approach can be used for file storage and sharing tools; IT should implement a secure, enterprise-grade service or solution to meet this need. Otherwise, users will inevitably turn to shadow IT apps to enable the file sharing and cross-device synchronization their work requires.

End-user education—Given the impracticality or undesirability of entirely blocking certain categories of applications, IT and security managers should develop comprehensive ongoing programs to inform end users of the risks posed by high-risk applications. Employees need to understand the specific risks posed by different types of applications; how to avoid spear phishing, copyright violations and other threats; and how they can address legitimate business and productivity needs through more secure, IT-sanctioned tools and practices.

It doesn’t always take malware or an inappropriately used application to expose your organization to risk. While malicious software does play a role in many data loss incidents, all too often a key factor comes down to simple human error. The next chapter will explore major incidents and trends in data loss in 2013.
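The first two recommendations, category-based blocking and standardization on a sanctioned tool tied to authorized user groups, expressed as a policy evaluator over detection events. This is an added example, not Check Point product logic: the application names come from the chapter's charts, while the categories, the sanctioned "corp-share" file service, the user groups and the sample events are assumptions constructed for illustration.

```python
"""Category-based application control with a sanctioned-tool exception.

Added illustration of the chapter's recommendations; policy, groups and
events are constructed, application names are those from Charts 4-3 to 4-7.
"""
from collections import Counter

# Category membership. A newly adopted anonymizer or P2P client only needs
# an entry here to inherit the category's rule; the policy itself is unchanged.
APP_CATEGORY = {
    "Tor": "anonymizer", "Ultrasurf": "anonymizer", "Hide My Ass!": "anonymizer",
    "BitTorrent": "p2p", "Soulseek": "p2p", "eDonkey": "p2p",
    "RDP": "remote_admin", "TeamViewer": "remote_admin", "LogMeIn": "remote_admin",
    "VNC": "remote_admin", "Ammyy Admin": "remote_admin",
    "Dropbox": "file_sharing", "SugarSync": "file_sharing", "Hightail": "file_sharing",
}

# Policy is written per category, not per application (constructed values).
POLICY = {
    "anonymizer":   {"action": "block"},
    "p2p":          {"action": "block"},
    # One sanctioned tool, limited to the group with a business need; any other
    # tool in the category is not silently allowed but flagged for investigation.
    "remote_admin": {"action": "standardize", "sanctioned": {"RDP"},
                     "groups": {"it-helpdesk"}},
    "file_sharing": {"action": "standardize", "sanctioned": {"corp-share"},
                     "groups": {"all-staff"}},
}


def evaluate(event, policy=POLICY, categories=APP_CATEGORY):
    """Return (verdict, reason) for one detected application event.

    verdict is 'allow', 'block' or 'alert' (alert = allowed but queued for the
    notification and investigation process the chapter describes).
    """
    app = event["app"]
    category = categories.get(app)
    if category is None:
        return "allow", "uncategorized application"
    rule = policy.get(category)
    if rule is None or rule["action"] == "allow":
        return "allow", f"{category}: no restriction"
    if rule["action"] == "block":
        return "block", f"{category}: category blocked"
    # 'standardize': sanctioned app used by an authorized group passes;
    # sanctioned app outside the group, or any other app, raises an alert.
    authorized = bool(set(event["groups"]) & rule["groups"])
    if app in rule["sanctioned"] and authorized:
        return "allow", f"{category}: sanctioned app, authorized user"
    if app in rule["sanctioned"]:
        return "alert", f"{category}: sanctioned app used outside authorized groups"
    return "alert", f"{category}: unsanctioned app {app}, investigate"


def triage(events, policy=POLICY):
    """Apply the policy to a batch and group alerts by user for follow-up."""
    verdicts = Counter()
    to_investigate = {}
    for ev in events:
        verdict, reason = evaluate(ev, policy)
        verdicts[verdict] += 1
        if verdict == "alert":
            to_investigate.setdefault(ev["user"], []).append((ev["app"], reason))
    return dict(verdicts), to_investigate


# Constructed sample of application-detection events (not real data).
SAMPLE_EVENTS = [
    {"user": "alice", "groups": ["it-helpdesk"], "app": "RDP"},
    {"user": "alice", "groups": ["it-helpdesk"], "app": "TeamViewer"},
    {"user": "bob",   "groups": ["sales"],       "app": "TeamViewer"},
    {"user": "bob",   "groups": ["sales"],       "app": "Tor"},
    {"user": "carol", "groups": ["engineering"], "app": "BitTorrent"},
    {"user": "carol", "groups": ["engineering"], "app": "Dropbox"},
    {"user": "dave",  "groups": ["finance"],     "app": "RDP"},
    {"user": "erin",  "groups": ["sales"],       "app": "Salesforce"},
]

if __name__ == "__main__":
    counts, investigate = triage(SAMPLE_EVENTS)
    print(counts)
    for user, items in investigate.items():
        print(user, items)
```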


05 DATA LOSS PREVENTION: THE BIG COMEBACK

Data loss incidents gained new prominence in 2013 as Adobe Systems, Target, Neiman Marcus and other high-profile organizations suffered high-profile breaches involving millions of consumers.

Data has long been a prime target for hackers, including financial information, intellectual property, insider business information and authentication credentials. Now there are more ways than ever for data to fall into the wrong hands as mobile devices and shadow IT apps open new attack vectors and increase the risk of loss or exfiltration. The Internet of Things exacerbates the situation as devices communicate directly with each other to exchange information on home energy consumption, vehicle location and status, package tracking, personal health and more. As more data flows in more ways, it becomes ever more difficult to control and secure.

SOCIAL SECURITY, BANK ACCOUNT, AND CREDIT CARD NUMBERS AREN’T JUST DATA. IN THE WRONG HANDS THEY CAN WIPE OUT SOMEONE’S LIFE SAVINGS, WRECK THEIR CREDIT AND CAUSE FINANCIAL RUIN.
Melissa Bean[52]

Hackers are not the only threat to enterprise data. Many breaches occur inadvertently, as users email the wrong file to the right recipient, or the right file to the wrong recipient—or simply leave an unsecured laptop in the wrong place. Employee error played a key role in many of the past year’s data loss incidents, but intentional or not, the result can be the same: sensitive data exposed to risk, angry customers, damaged reputations, fines for non-compliance and serious business disruptions.

IN 2013 88% OF ORGANIZATIONS EXPERIENCED AT LEAST ONE POTENTIAL DATA LOSS INCIDENT


THINK YOU’RE NOT AT RISK OF DATA LOSS? GUESS AGAIN…

Many organizations continue to neglect implementing robust data protection policies and controls because they think that they are not at risk for data breaches. The painful reality is that hackers do not target only big banks and retailers, and that every organization has sensitive data that can be exposed by an errant email or a lost laptop. These are just a few of the examples from 2013:

Personal information, including Social Security numbers, for 3,500 patients was stolen from the Florida Department of Health by employees who passed the data on to a relative for use in filing fraudulent tax returns[53].

The council government of Islington (London) was fined £70,000 after an internal team inadvertently published spreadsheets containing the personal information of 2,375 residents, including health history, on the public website of a housing agency[54].

Rotech Healthcare reported the accidental exposure of personal and health information for up to 3,500 employees by a former Human Resources employee who was permitted to keep her personal computer when she left the firm[55].

The UK Information Commissioner’s office cited over sixty violations of the Data Protection Act by the Anglesey (Wales) council related to improper access to personal data of residents, including inadvertent posting on public websites and via email[56].

The retail sector may have been the highest profile industry to suffer data breaches in 2013, but according to Check Point research, organizations across all industries are losing control of sensitive data, and they are doing it at a faster rate than in 2012 (Chart 5-1).

It would be easy for a small organization to consider itself too small to have to worry about data loss, but nothing could be further from the truth (see inset: Think you’re not at risk of data loss? Guess again...). One of the largest breaches in history targeted Heartland Payments[57], a 700-person company, when thieves stole the digital information encoded onto the magnetic stripe built into the backs of credit and debit cards. Every organization in the information supply chain is at risk of attack, and even a relatively small theft can yield worthwhile results for hackers.

Check Point research found that 88 percent of companies we analyzed experienced at least one potential data loss event, meaning a piece of sensitive data was sent outside the organization via email or uploaded via a web browser. This was a dramatic increase over the already-high figure of 54 percent that we observed in 2012, and highlights the ongoing struggle of organizations to secure sensitive data from accidental or intentional exposure.

EVERY DAY AN ORGANIZATION EXPERIENCES 29 EVENTS OF POTENTIAL EXPOSURE OF SENSITIVE DATA


Put another way, every 49 minutes sensitive data is sent outside the organization. Every day, an organization experiences 29 events of potential exposure of sensitive data. This is a serious rate of data leakage for any organization in any industry, and it highlights the need for more aggressive controls around sensitive data.

By industry, the most dramatic increases were in the Industrial and Consulting sectors. These increases make more sense in the context of the data types that were attacked in 2013 (Chart 5-2). Our research found that source code was the most popular data type sent outside the organization in 2013, jumping almost 50 percent from 2012.

Chart 5-1: Percentage of Organizations with at Least One Potential Data Loss Event, by Industry (% of organizations), 2013 / 2012
Industrial: 88% / 50%
Finance: 88% / 61%
Government: 87% / 70%
Telco: 79% / 45%
Source: Check Point Software Technologies

EVERY 49 MINUTES SENSITIVE DATA IS SENT OUTSIDE THE ORGANIZATION

Source code, business data records and other trade secrets are estimated to represent the majority of assets of American companies, and they are under constant attack. Economic espionage is estimated to cost American businesses alone as much as $250–$500 billion every year. While banks and health care companies have long faced the pressure of external regulations for the protection of customer and patient data, companies in sectors such as manufacturing, energy infrastructure, shipping, extractive industries and even entertainment have not always taken a proactive approach to data security. These are the organizations that are increasingly targeted in campaigns that use mass-customized malware as well as more focused targeted attacks.

Regulations adapt as well

Despite the numerous high-profile credit card data breaches that took place in 2013, Check Point research found that the incidence of PCI data loss events in financial organizations slightly reduced to 33%, compared with 36% found in 2012. Among the healthcare and insurance organizations in our research, there was an increase from 16% of organizations in 2012 to 25% in 2013 in events related to HIPAA regulation.


Chart 5-2: Data Sent Outside the Organization by Employees (% of organizations), 2013 / 2012. Data types: Bank Account Numbers (4% / 3%), Confidential Outlook Message, Password Protected File, Salary Information (14% / 14%), Network Information, Credit Card Data, Sensitive Personal Information, Business Data Records, Source Code. Source: Check Point Software Technologies

IN 33% OF FINANCIAL INSTITUTIONS SCANNED, CREDIT CARD INFORMATION WAS SENT OUTSIDE OF THE ORGANIZATION

2013 saw the publication of Payment Card Industry Data Security Standards 3.0 (PCI-DSS 3.0)[58], which included numerous—and timely—new requirements regarding:
• Security practices for non-end user systems, such as point-of-sale (POS) and other terminals.
• Increased user education around potential attacks (phishing, USB, etc.) and responsible handling of sensitive data.
• Penetration testing of controls and protections that define segmentation between cardholder data and other parts of the network.
• Credentials used by service providers for remote access to the environments of customers who are subject to PCI-DSS.

Overall, the revised DSS requirements emphasize “education, awareness and security as a shared responsibility.” The 3.0 standards took effect on January 1, 2014, and events of 2013 have created a new sense of urgency behind the adoption of these new requirements.

Looking ahead to 2014, organizations will have new compliance and data protection regulations and requirements to contend with, including PCI-DSS 3.0, with its expanded requirements around protection of POS systems as well as a new emphasis on user education.

In Europe, the European Union’s new Data Privacy Directive, the General Data Protection Regulation (GDPR)[59], takes effect in 2014 as well, creating more stringent requirements for protection of citizen and customer data both within countries and across national and EU boundaries. Organizations will be required to continue evolving their security policies and practices to comply with the new regulations or risk significant financial sanctions.

Recommendations

The rash of large-scale, highly publicized data breaches throughout 2013—affecting some of the world’s best-known brands as well as many smaller organizations—shows that much work needs to be done to protect personal and business information. This challenge will only grow in scope as trends such as mobility and the Internet of Things expose data to theft or accidental exposure in new ways. Human error plays an especially central role in many data loss incidents, and it will take a truly comprehensive, holistic approach to ensure that data is not exposed to risk or left vulnerable to theft.

In today’s world of increasing data losses, organizations must take action to protect sensitive data. The best way to prevent unintentional data loss is to implement an automated corporate policy that catches such incidents before the data leaves the organization. Such policies can best be enforced through a Data Loss Prevention (DLP) solution. Content-aware DLP products have a broad set of capabilities and present organizations with multiple deployment options.

Before deploying the DLP solution, organizations need to develop a clear DLP strategy based on clearly defined considerations such as: What is considered to be confidential information? Who can send it? Where, how and on what types of devices can it be used? With this policy framework in place, you can optimally implement and configure the solution to support your organization’s unique business, security and user productivity requirements. For effective data loss prevention, your solution should encompass the following measures and capabilities.


DOES PCI COMPLIANCE CREATE A FALSE SENSE OF SECURITY?

The massive credit card data breaches of late 2013 re-energized a running debate about the relation between PCI-DSS and security, and specifically whether a company certified as “PCI compliant” is truly secure from hacking.

Some argue that PCI compliance certification fosters a false sense of security among retailers and the public. Data breaches at compliant companies and actions such as the retroactive revocation of PCI compliance status are bound to engender cynicism, while the continual evolution of the standard can create the sense that it is a moving target.

In the face of these concerns, the PCI organization and practitioners correctly point out that instances where PCI-compliant companies like Target, which were known to follow sound security processes, nonetheless suffered a data breach point to a core problem in the way that security is often practiced: namely, that it is not a product, but a process.

Bob Russo, Chairman of the PCI Security Standards Council, underscored that PCI compliance certification is a “snapshot in time” when he observed to Computerworld, “You can be in compliance today and totally out of compliance tomorrow.”[60]

Standards are valuable tools for measuring and comparing security posture against common metrics. The danger of compliance certification is more in the risk that the organization will think that they are “done” with security, and not engage in the continual process of reassessment and adaptation as their environments and data practices change.

Data classification—High accuracy in identifying sensitive data is a critical component of a DLP solution. The DLP solution must be able to detect personally identifiable information (PII), compliance-related data (e.g., HIPAA, SOX, PCI data, etc.), and confidential business data, including both out-of-the-box data types and your own custom-defined data types. As data moves through the organization and beyond, the solution should inspect content flows and enforce policies in the most widely used TCP protocols, including SMTP, FTP, HTTP, HTTPS and webmail, using pattern matching and file classification to identify content types regardless of the file extension or compression format. The DLP solution must be able to recognize and protect sensitive forms based on predefined templates and file/form matching.

User-driven incident remediation—Traditional DLP solutions can detect, classify and even recognize specific documents and various file types, but they cannot capture the user’s intent behind the sharing of sensitive information. Technology alone is inadequate because it cannot identify this intention and respond to it accordingly. Hence, a quality DLP solution must engage users in order to achieve optimal results. One approach is to empower users to remediate incidents in real-time. In other words, the DLP solution should inform the user that his/her action may result in a potential data leak incident, and then empower the user to decide whether to discard the message or to continue with sending it. This methodology improves security by elevating data storage policy awareness and alerting users of potential mistakes in real-time, and reduces user impact by allowing for quick self-authorization of legitimate communications. As a result, security management is simplified because the administrator can track DLP events for analysis without having to personally attend to each external data send request as it happens.

Protection against internal data breaches—Another important DLP capability is the ability to not only control sensitive data from leaving the company, but also inspect and control sensitive emails sent between departments within the same company. Policies can be defined to prevent confidential data from accidental interdepartmental leakage—for example, compensation plans, confidential human resource documents, mergers and acquisitions documents or medical forms.

Data protection for endpoint hard drives—Companies must secure laptop data as part of a comprehensive security policy in order to prevent outsiders from obtaining valuable information through lost or stolen computers. You can prevent unauthorized users from accessing information by encrypting the data on all endpoint hard drives, including user data, operating system files, and temporary and erased files.

Data protection for removable media—Employees often mix personal files such as music, pictures and documents with business files such as finance or human resource files on USB storage devices and other removable media. This makes corporate data even more challenging to control. By encrypting removable storage and preventing unauthorized access for these devices, you can minimize security breaches in the event that they are lost or stolen.

Document protection—Business documents are routinely uploaded to the web by file storage and sharing applications, sent to personal smartphones, copied to removable media devices, and shared externally with business partners. Each of these actions places sensitive data at risk of being lost or used inappropriately. In order to secure corporate documents, a security solution must be able to enforce a document encryption policy and grant access exclusively to authorized individuals.

IN 25% OF HEALTHCARE AND INSURANCE INSTITUTIONS EXAMINED, HIPAA-PROTECTED HEALTH INFORMATION WAS SENT OUTSIDE OF THE ORGANIZATION

LEARNING FROM POINT-OF-SALE ATTACKS

While hacking point-of-sale (POS) terminals in order to steal credit card data has long been technically possible, for many years attackers found the servers storing this data to be much easier targets. Improvements in the security of the servers storing credit card and customer data forced attackers to shift their focus to the source of the data, and 2013 marked a watershed year for POS hacking. While the scope and scale of these retail data breaches were shocking to many, equally interesting to security professionals was the variety in this category of malware.

POS malware itself ranges in sophistication from the memory scraping of the generic ChewBacca and Dexter [61], to the complex BlackPOS [62] and the even more highly targeted POS malware discovered at Neiman Marcus [63]. However, they share several characteristics that enable the attackers to infiltrate POS systems and steal large amounts of credit card data:
• Reliance by POS systems on outdated operating systems that often remain unpatched for months even if a patch becomes available
• Gaining entry to the POS systems by way of an infected client or server in the targeted retailer
• Ability to circumvent application control and other system lockdown measures, for example by infecting an update server
• Use of encryption, common protocols and normal network traffic patterns to hide the data as it is being exfiltrated
• On many networks, direct Internet access from the POS device itself, often because this was how the actual billing is performed

Tackling these issues in isolation will not solve the problem because it does not address the root cause: weak or non-existent segmentation of POS and production networks. Retail networks highlight the importance of developing and implementing a best-practices segmentation strategy that enables organizations to enforce containment policies for compromised hosts and define intra-segment interactions that can be monitored and enforced automatically. For example, monitoring and enforcing traffic direction and types for segments containing POS devices would restrict opportunities for malware to propagate and exfiltrate data. In this regard, retailers will find themselves on the vanguard of a shift by all organizations to define and implement logical segmentation and policy-driven enforcement across their IT environments.

Event management—In addition to defining DLP rules to meet your organization’s data usage policies and implementing technologies to support and enforce them, a complete data loss prevention strategy must include robust monitoring and reporting capabilities. Your security solution should enable monitoring and analysis of both real-time and historical DLP events. This gives the security administrator a clear and broad view of the information being sent externally and its sources, and it also provides the organization with the ability to respond in real time if necessary.

The next chapter presents a comprehensive high-level blueprint for effective security today.
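As an added illustration of the DLP capabilities described in this chapter (file/form template matching, interdepartmental controls, user self-authorization and event records kept for later analysis), the following Python is example code written for this edition, not Check Point product code. The corporate domain, the department directory, the medical-form field labels and the policy rules are constructed assumptions; the evaluate() function applies the rules to one outbound message and returns the decision together with the event record an administrator would review.

```python
# Added example: a minimal DLP policy engine illustrating template/form
# matching, interdepartmental controls, user self-authorization and event
# logging. Not Check Point code; domain, directory, labels and rules are
# constructed assumptions.
import re

INTERNAL_DOMAIN = "example.com"            # assumed corporate mail domain
DEPARTMENT_OF = {                          # constructed user directory
    "alice@example.com": "hr",
    "bob@example.com": "finance",
    "dana@example.com": "hr",
}

# A form template is matched when enough of its field labels appear.
MEDICAL_FORM_LABELS = ("patient name", "date of birth", "diagnosis", "insurance id")
TEMPLATE_MATCH_THRESHOLD = 3

# Rules: (data type, scope, action). Scope is "external" (leaves the company)
# or "interdepartmental" (another department, same company). Actions:
# "block", "ask" (user may self-authorize, still logged) or "log".
RULES = [
    ("pci",       "external",          "block"),
    ("phi-form",  "external",          "block"),
    ("phi-form",  "interdepartmental", "ask"),
    ("comp-plan", "external",          "block"),
    ("comp-plan", "interdepartmental", "block"),
    ("ssn",       "external",          "ask"),
]
SEVERITY = {"allow": 0, "log": 1, "ask": 2, "block": 3}

CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")   # 13-16 digit candidates
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_valid(candidate: str) -> bool:
    """Luhn checksum: cuts false positives on random digit strings."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(text: str) -> set:
    """Return the set of sensitive data types found in the text."""
    found = set()
    lower = text.lower()
    if any(luhn_valid(m.group()) for m in CARD_RE.finditer(text)):
        found.add("pci")
    if SSN_RE.search(text):
        found.add("ssn")
    if sum(label in lower for label in MEDICAL_FORM_LABELS) >= TEMPLATE_MATCH_THRESHOLD:
        found.add("phi-form")
    if "compensation plan" in lower:
        found.add("comp-plan")
    return found


def scope_of(sender: str, recipients: list) -> str:
    """external > interdepartmental > internal, decided by the recipients."""
    if any(not r.endswith("@" + INTERNAL_DOMAIN) for r in recipients):
        return "external"
    if any(DEPARTMENT_OF.get(r) != DEPARTMENT_OF.get(sender) for r in recipients):
        return "interdepartmental"
    return "internal"


def evaluate(sender: str, recipients: list, body: str, user_authorized: bool = False) -> dict:
    """Apply RULES to one outbound message and return the DLP event record."""
    data_types = classify(body)
    scope = scope_of(sender, recipients)
    action = "allow"
    for dtype, rule_scope, rule_action in RULES:
        if dtype in data_types and rule_scope == scope:
            if SEVERITY[rule_action] > SEVERITY[action]:
                action = rule_action
    # "ask" lets the user self-authorize a legitimate send; the event stays logged.
    final = "allow" if action == "ask" and user_authorized else action
    return {
        "sender": sender,
        "recipients": list(recipients),
        "scope": scope,
        "data_types": sorted(data_types),
        "policy_action": action,
        "final": final,
        "user_authorized": user_authorized,
    }


if __name__ == "__main__":
    msg = "Please charge card 4111 1111 1111 1111 for the invoice."
    print(evaluate("bob@example.com", ["partner@vendor.net"], msg))
```

The event record is what the administrator reviews after the fact: the "ask" path lets a legitimate sender proceed without a ticket, while the record still shows which data type left, to whom, and that the user authorized it. In a real deployment the classifiers would cover many more templates and the rules would be loaded from policy rather than a list in code.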


06
THE SECURITY ARCHITECTURE
FOR TOMORROW’S THREATS:
SOFTWARE-DEFINED PROTECTION

The Check Point 2014 Security Report presents the results of our in-depth analysis of security threats and trends in 2013. This report can help security and business decision-makers understand the range of threats facing their organizations and consider new actions to improve the protection of their IT environment.

The highlights of our research are:
• The use of unknown malware exploded, driven by the trend of malware “mass customization.”
• Malware exposure and infections increased across the board, reflecting the increasing success of targeted malware campaigns.
• Every category of high-risk application increased its presence in enterprises worldwide.
• Data loss incidents increased across industries and data types.

Facing the challenges
The findings of this report clearly indicate that the threat landscape continues to evolve while the security strategies and technologies employed at many organizations are inadequate in the face of increasingly sophisticated and damaging attacks. The explosion of unknown malware is quickly rendering detection-only solutions obsolete. Known malware is overwhelming existing defenses and striking a wider range of platforms. High-risk applications—as well as Web 2.0, file storage and sharing, and remote administration tools with legitimate business uses—continue to proliferate, opening new threat vectors as they spread. As both malicious and unintentional data loss incidents cause unprecedented damage to organizations of all sizes across sectors, and as mobility, consumerization and the Internet of Things compound the data protection challenge, organizations need better control over the flow and usage of information.

But facing the evolving threat landscape is not the only challenge in the IT environment. Businesses today are becoming more and more driven by free-flowing information, so corporate networks no longer have clear boundaries. Corporate data travels through the cloud and mobile devices and radiates through ideas and posts in social networks. Bring your own device (BYOD), mobility and cloud computing have revolutionized static IT environments, introducing the need for dynamic networks and infrastructures.

In our world of complex IT infrastructures and networks, where perimeters are no longer well defined, and where threats grow more intelligent every day, we need to define the right way to protect enterprises.

Today, there is a wide proliferation of point security products; however, these products tend to be reactive and tactical in nature rather than architecturally oriented. Today’s corporations need a single architecture that combines high-performance network security devices with real-time proactive protections.

A new paradigm is needed to protect organizations proactively.


Software-Defined Protection Security Architecture

In order to meet today’s needs to protect against evolving security threats while supporting complex IT infrastructures, Check Point introduces Software-Defined Protection [64]. It is a new, pragmatic security architecture and methodology that offers an infrastructure that is modular, agile and, most importantly, SECURE. By implementing the Software-Defined Protection architecture, organizations of all sizes and at any location are protected: headquarters networks, branch offices, users roaming with smartphones or mobile devices, or when using cloud environments.

Based on the Software-Defined Protection architecture, protections are automatically adapted to the threat landscape without the need for security administrators to follow up manually on thousands of advisories and recommendations. These protections integrate seamlessly into the larger IT environment, and the architecture provides a defensive posture that collaboratively leverages both internal and external intelligence sources.

Figure: Software-Defined Protection Layers. Management Layer: Modularity, Automation, Visibility. Control Layer: Threat Intelligence, Security Policy, Threat Prevention, Access Control, Data Protection. Enforcement Layer: Enforcement Points.

The Software-Defined Protection (SDP) architecture partitions the security infrastructure into three interconnected layers:
• An Enforcement Layer that is based on physical, virtual and host-based security enforcement points and that segments the network as well as executes the protection logic in high-demand environments.
• A Control Layer that analyzes different sources of threat information and generates protections and policies to be executed by the Enforcement Layer.
• A Management Layer that orchestrates the infrastructure and brings the highest degree of agility to the entire architecture.

By combining the high-performance Enforcement Layer with the fast-evolving and dynamic software-based Control Layer, the SDP architecture provides not only operational resilience, but also proactive incident prevention for an ever-changing threat landscape.

Implementing Security Blueprint in Your Organization
One of SDP’s key benefits is that it offers a simple security blueprint implementation methodology. Check Point Software-Defined Protection—Enterprise Security Blueprint describes in detail the SDP architecture, its benefits and a clear implementation methodology. It is available online for free at checkpoint.com/sdp.

The following section describes at a high level, layer by layer, how SDP can be integrated in your organization to protect against the threats presented in this report.

Enforcement Layer
The Enforcement Layer, designed to be reliable, fast and simple, consists of both network security gateways and host-based software that function as the enterprise network enforcement points. These enforcement points can be implemented as physical or virtual gateways or as endpoint host components, in the enterprise network or in the cloud.


Where should these enforcement points be deployed in our network? When networks were simple, we could enforce protections on the perimeter alone. But when perimeters are not well defined, where should enforcement points be deployed?

Segmentation is the answer. It is the new perimeter. By dividing a complex environment into small segments based on security profiles, and deploying an enforcement point at the boundary of each segment, the environment is secured.

Control Layer
The next element of the SDP architecture is the Control Layer. It is where protections are generated and security policies are pushed to the enforcement points. Using access control and data protection policies, administrators define rule-based policies to control interactions between users, assets, data and applications. This is essentially the function of a firewall and next-generation firewall.

This is where policies are defined to control access to the high-risk applications described in chapter 4, such as anonymizers, P2P file sharing, file storage and even remote administration applications. These policies also control the flow of data in motion and at rest, and protect against data leakage such as the incidents described in chapter 5.

Access control and data protection policies are not enough; organizations also need to be protected against attackers and evolving threats. To accomplish this goal as well, we need to implement protections that can identify known and unknown attacks such as those described in chapters 2 and 3. This is done by Threat Prevention, the second part of the Control Layer. Here, the threat protections are updated in real time and applied automatically by the enforcement points, so there is no need to define any specific policy; the Threat Prevention mechanism only has to be enabled.

The key to effective threat prevention is intelligence. Threat intelligence should be built from as many sources as possible, processed and translated into new security protections, and fed to all enforcement points in real time.

Management Layer
The third layer is the Management Layer, which brings the SDP architecture to life and is crucial for managing the entire architecture. The Management Layer has three key characteristics: modularity, automation and visibility.

Modularity provides a layered policy with the ability to segregate administrative duties for optimum management flexibility. Automation and openness allow integration with third-party systems, creating policies and protections in real time. Finally, visibility is the ability to collect security information from all enforcement points, providing a global view of the security posture of the organization.

Software-Defined Protection delivers a modular and dynamic infrastructure that adapts quickly to evolving threats and IT environments.
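The segmentation guidance for the Enforcement Layer above, and the point-of-sale lesson in chapter 5 (no direct Internet access from POS devices, no lateral POS-to-POS traffic, traffic direction and type monitored per segment), can be made concrete as a flow-policy check run at a segment boundary. The following Python is an added example, not Check Point code: the segment address ranges, the allowed-flow table and the NetFlow-style records are constructed, and the function names are assumptions. It also includes a check on the policy itself, so that a misconfigured rule opening a POS-to-Internet path is caught before it is deployed.

```python
# Added example: a segment-boundary flow check in the spirit of the
# Enforcement Layer / POS segmentation guidance. Not Check Point code;
# address ranges, allowed flows and flow records are constructed.
import ipaddress
from collections import defaultdict

# Constructed segment map: each security profile gets its own address range.
SEGMENTS = {
    "pos": ipaddress.ip_network("10.10.0.0/24"),
    "payment-gateway": ipaddress.ip_network("10.20.0.0/24"),
    "update-server": ipaddress.ip_network("10.30.0.0/24"),
    "corp-users": ipaddress.ip_network("10.40.0.0/16"),
}

# Allowed flows per segment pair: (src segment, dst segment, proto, dst port).
# Everything not listed is denied; note the POS segment has no "external" entry.
ALLOWED_FLOWS = {
    ("pos", "payment-gateway", "tcp", 443),   # card authorization only
    ("pos", "update-server", "tcp", 443),     # POS pulls updates; nothing is pushed in
    ("corp-users", "external", "tcp", 443),
    ("corp-users", "external", "tcp", 80),
}


def segment_of(ip: str) -> str:
    """Map an address to its segment; anything unmapped is treated as external."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "external"


def classify_flow(flow: dict) -> tuple:
    """Return (verdict, violation tag) for one flow record."""
    src, dst = segment_of(flow["src"]), segment_of(flow["dst"])
    if (src, dst, flow["proto"], flow["dport"]) in ALLOWED_FLOWS:
        return "allow", None
    if src == "pos" and dst == "external":
        return "deny", "pos-direct-internet"        # exfiltration or C2 path
    if src == "pos" and dst == "pos":
        return "deny", "pos-lateral"                # propagation between terminals
    if dst == "pos":
        return "deny", "unexpected-inbound-to-pos"  # e.g. RDP from a user desk
    return "deny", "policy-violation"


def policy_isolates_pos(allowed=ALLOWED_FLOWS) -> bool:
    """Check the policy itself: no POS-to-external flow and nothing inbound to POS."""
    return not any(
        (s == "pos" and d == "external") or d == "pos" for s, d, _, _ in allowed
    )


def enforce(flows: list) -> dict:
    """Enforcement point at the segment boundary: verdict per flow plus a summary."""
    report = {"allowed": 0, "denied": 0, "violations": defaultdict(list)}
    for flow in flows:
        verdict, tag = classify_flow(flow)
        if verdict == "allow":
            report["allowed"] += 1
        else:
            report["denied"] += 1
            report["violations"][tag].append((flow["src"], flow["dst"], flow["dport"]))
    report["violations"] = dict(report["violations"])
    return report


# Constructed flow records (NetFlow-style, not real traffic).
SAMPLE_FLOWS = [
    {"src": "10.10.0.15", "dst": "10.20.0.5", "proto": "tcp", "dport": 443},
    {"src": "10.10.0.15", "dst": "10.30.0.2", "proto": "tcp", "dport": 443},
    {"src": "10.10.0.15", "dst": "198.51.100.7", "proto": "tcp", "dport": 443},
    {"src": "10.10.0.15", "dst": "10.10.0.16", "proto": "tcp", "dport": 445},
    {"src": "10.40.3.9", "dst": "10.10.0.16", "proto": "tcp", "dport": 3389},
    {"src": "10.40.3.9", "dst": "198.51.100.7", "proto": "tcp", "dport": 443},
]

if __name__ == "__main__":
    print("policy isolates POS:", policy_isolates_pos())
    print(enforce(SAMPLE_FLOWS))
```

The third sample flow is the case the chapter 5 sidebar warns about: HTTPS to an outside host looks like ordinary traffic if only protocol and port are inspected, but a direction-aware segment policy denies it simply because the POS segment is never allowed to initiate to the Internet. The same table is what a Control Layer would push to every enforcement point guarding a POS segment, and the returned report is the visibility the Management Layer collects.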


07
ABOUT
CHECK POINT
SOFTWARE TECHNOLOGIES

For 20 years, the mission of Check Point has been to secure the Internet. From inventing the firewall to now leading the network security industry, Check Point focuses on developing the technologies needed to secure enterprises as the Internet continues to evolve.

Today the Internet is not only a legitimate platform for businesses; it’s also a green field for cyber criminals. Given this environment, Check Point has developed an architecture to enable the deployment of multi-layer threat prevention that provides maximum protection against all threats, including zero-day attacks.

Check Point SDP
Check Point defined and embraced the SDP architecture, which provides the flexibility needed to cope with new threats and embrace new technologies.

Check Point offers a wide range of enforcement points, including high-performance network security appliances, virtual gateways, endpoint host software and mobile device applications. These can be deployed in the enterprise network or in the cloud.

For the Control Layer, Check Point has the most advanced next-generation firewall in the market, and our ThreatCloud is the largest open, real-time big data threat knowledge base, feeding our enforcement points in real time.

Finally, the Check Point architecture is managed from a unified security console that is modular, highly scalable and open to third-party systems.

Check Point provides the security architecture organizations need today to protect against tomorrow’s threats.

For more information go to: www.checkpoint.com/sdp

Check Point combines this holistic approach to security with its innovative technology solutions to address today’s threat challenges and to redefine security as a business enabler.

Consistently identified by analysts as a market leader in network security, Check Point Software has provided customers with innovative, enterprise-class security solutions and best practices for the past 20 years. Check Point customers include more than 100,000 organizations of all sizes, including all Fortune 100 and Global 100 companies.

Figure: Check Point SDP.

REFERENCES

1. Stoll, Cliff. (2005). The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage. New York, NY: Pocket Books.
2. http://resources.infosecinstitute.com/hacktivism-means-and-motivations-what-else/
3. http://www.entrepreneur.com/article/231886
4. http://www.darkreading.com/advanced-threats/mass-customized-attacks-show-malware-mat/240154997
5. http://www.checkpoint.com/campaigns/securitycheckup/index.html
6. http://www.checkpoint.com/products/threat-emulation/
7. http://www.checkpoint.com/threatcloud-central/index.html
8. https://supportcenter.checkpoint.com/supportcenter/portal/role/supportcenterUser/page/default.psml/media-type/html?action=portlets.DCFileAction&eventSubmit_doGetdcdetails=&fileid=20602
9. https://www.checkpoint.com/products/softwareblades/architecture/
10. http://www.checkpoint.com/products/index.html#gateways
11. Huxley, Thomas Henry (1887). On the Reception of the Origin of Species, http://www.todayinsci.com/H/Huxley_Thomas/HuxleyThomas-Quotations.htm
12. http://www.checkpoint.com/threatcloud-central/downloads/check-point-himan-malware-analysis.pdf
13. http://usa.kaspersky.com/
14. http://msdn.microsoft.com/en-us/magazine/cc164055.aspx
15. http://www.ted.com/talks/ralph_langner_cracking_stuxnet_a_21st_century_cyberweapon
16. http://news.cnet.com/Code-Red-worm-claims-12,000-servers/2100-1001_3-270170.html
17. http://www.cnn.com/2004/TECH/internet/05/03/sasser.worm/
18. http://support.microsoft.com/kb/2664258
19. http://www.pcmag.com/article2/0,2817,2370016,00.asp
20. https://www.virustotal.com/
21. http://www.av-test.org/en/home/
22. http://www.checkpoint.com/threatcloud-central/downloads/10001-427-19-01-2014-ThreatCloud-TE-Thwarts-DarkComet.pdf
23. http://contextis.com/research/blog/malware-analysis-dark-comet-rat/
24. http://www.princeton.edu/~achaney/tmve/wiki100k/docs/Portable_Executable.html
25. http://blog.malwarebytes.org/intelligence/2013/10/cryptolocker-ransomware-what-you-need-to-know/
26. Mariotti, John. (2010). The Chinese Conspiracy. Bloomington, IN: iUniverse.com
27. http://www.checkpoint.com/campaigns/security-report/download.html?source=google-ngfw-us-sitelink-report&gclid=CIfK-JuOhrwCFZFxQgodsBYA_w
28. https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/3/html/Security_Guide/ch-risk.html
29. Anderson, Chris. (2006). The Long Tail: Why the Future of Business is Selling Less of More. New York, NY: Hyperion.
30. http://www.fbi.gov/about-us/history/famous-cases/willie-sutton
31. http://searchwindowsserver.techtarget.com/definition/remote-code-execution-RCE
32. http://searchsoa.techtarget.com/definition/Remote-Procedure-Call
33. https://www.checkpoint.com/threatcloud-central/articles/2013-11-25-te-joke-of-the-day.html
34. http://www.checkpoint.com/threatcloud-central/articles/2013-12-03-new-wave-url-domain-malware.html
35. http://www.checkpoint.com/threatcloud-central/articles/2013-11-14-defeating-cryptocker.html
36. http://www.apwg.org/
37. http://www.checkpoint.com/threatcloud-central/articles/2013-12-03-new-wave-url-domain-malware.html
38. http://docs.apwg.org/reports/APWG_GlobalPhishingSurvey_1H2013.pdf
39. http://newgtlds.icann.org/en/program-status/delegated-strings
40. Stephenson, Neal. (2002). Cryptonomicon. New York, NY: Avon.
41. Orwell, George. (1956). Animal Farm. New York, NY: Signet Books.
42. https://www.torproject.org/
43. http://www.pcworld.com/article/2046227/meet-darknet-the-hidden-anonymous-underbelly-of-the-searchable-web.html
44. http://www.huffingtonpost.com/tag/silk-road-arrest
45. http://www.pcworld.com/article/2093200/torenabled-malware-stole-credit-card-data-from-pos-systems-at-dozens-of-retailers.html
46. http://www.britannica.com/EBchecked/topic/278114/Hydra
47. http://msdn.microsoft.com/en-us/library/aa383015(v=vs.85).aspx
48. http://www.securityweek.com/poison-ivy-kit-enables-easy-malware-customization-attackers
49. http://www.checkpoint.com/defense/advisories/public/2005/cpai-20-Decf.html
50. http://www.emea.symantec.com/web/ShadowIT-enduser/
51. http://www.techrepublic.com/blog/it-security/dropsmack-using-dropbox-to-steal-files-and-deliver-malware/
52. http://vote-il.org/politicianissue.aspx?state=il&id=ilbeanmelissa&issue=buscrime
53. http://www.scmagazine.com/florida-health-department-employees-stole-data-committed-tax-fraud/article/318843/
54. http://www.islingtongazette.co.uk/news/data_leak_lands_islington_council_with_70_000_fine_1_2369477
55. http://healthitsecurity.com/2013/11/12/rotech-healthcare-reports-three-year-old-patient-data-breach/
56. http://www.dailypost.co.uk/news/north-wales-news/anglesey-council-under-fire-over-6330304
57. http://www.informationweek.com/attacks/heartland-payment-systems-hit-by-data-security-breach/d/d-id/1075770
58. https://www.pcisecuritystandards.org/documents/DSS_and_PA-DSS_Change_Highlights.pdf
59. http://ec.europa.eu/justice/newsroom/data-protection/news/130206_en.htm
60. http://www.computerworld.com/s/article/9245984/Despite_Target_data_breach_PCI_security_standard_remains_solid_chief_says
61. http://www.csoonline.com/article/723630/dexter-malware-infects-point-of-sale-systems-worldwide-researchers-say
62. http://www.darkreading.com/vulnerabilities---threats/securestate-releases-black-pos-malware-scanning-tool/d/d-id/1141216
63. http://www.businessweek.com/articles/2014-02-21/neiman-marcus-hackers-set-off-60-000-alerts-while-bagging-credit-card-data
64. http://www.checkpoint.com/sdp

www.checkpoint.com

WORLDWIDE HEADQUARTERS
5 HA’SOLELIM STREET, TEL AVIV 67897, ISRAEL
TEL: 972-3-753-4555 | FAX: 972-3-624-1100

U.S. HEADQUARTERS
959 SKYWAY ROAD, SUITE 300, SAN CARLOS, CA 94070
TEL: 800-429-4391; 650-628-2000 | FAX: 650-654-4233
EMAIL: INFO@CHECKPOINT.COM
©2014 Check Point Software Technologies Ltd. [Protected] – All rights reserved.
