On Friday September 5, Salesforce.com sent an email to administrative users of the CRM provider notifying them of a vulnerability to malware infection. Specific Salesforce.com users who have been compromised have not been identified yet. Salesforce.com’s rapid response and notification of customers are commendable and is an example for other companies who experience breaches.
“On September 3, 2014, one of our security partners identified that the Dyre malware (also known as Dyreza), which typically targets customers of large, well-known financial institutions, may now also target some Salesforce.com users. We currently have no evidence that any of our customers have been impacted by this, and we are continuing our investigation. If we determine that a customer has been impacted by this malware, we will reach out to them with next steps and further guidance.”
The banking trojan attack vector uses a phishing email to lure users to click on a link to a fake Salesforce.com website, which then performs a Man-in-the-Middle attack, intercepting data and log-in credentials.
Salesforce.com advises IT professionals to:
• Activate IP Range Restrictions to allow users to access Salesforce.com only from your corporate network or VPN
• Use SMS Identity Confirmation to add an extra layer of login protection when Salesforce.com credentials are used from an unknown source
• Implement Salesforce.com#, which provides an additional layer of security with 2-step verification. The app is available via the iTunes App Store or via Google Play for Android devices.
• Leverage SAML authentication capabilities to require that all authentication attempts be sourced from your network.
The only way the trojan can be launched is with permission from a user. All it takes is one person in an organization to click on a link in a bad email message to unleash crime ware that can cause significant security and financial devastation. That’s why implementing a continuous vulnerability assessment cycle into your cyber security plan is so critical.
Vulnerability Assessment is one of the key elements of a Military-Grade approach to cyber operations. In my prior role ensuring the cyber security readiness for the US Navy, I implemented a continuous assessment cycle using a number of methods including “Red Teaming” which simulated cyber adversaries attempting to penetrate Navy networks. Red Teaming ensures the highest standards of network defense and end user behavior. Now, at EdgeWave, I’m bringing a similar capability to the civilian sector with the EdgeWave EPIC2 Vulnerability Evaluation Tool™(VET).
The VET directs malicious emails, already caught by the EdgeWave EPIC2 advanced threat capability, to a target email account, recording the number of malicious messages that successfully penetrate the existing email security system. EdgeWave has tested the VET against a number of widely used security systems with compelling results. Test results against McAfee, Proofpoint, Barracuda, Google Apps and Office 365, resulted in 60% penetration rates. In other words, 60% of malicious email messages caught by EPIC2 advanced threat capability penetrated some of the most renowned email security systems. This is the sort of real-time data that IT and Security & Risk Managers can use to fill gaps in their existing cyber security systems.
Every day we continue to see fraudulent emails penetrating systems commonly thought to be strong enough to identify and block Internet threats. Put EdgeWave’s EPIC2 Vulnerability Evaluation Tool™ to work in your organization. Remember the “Rule of 1’s”; It only takes 1 bad email containing 1 bad link, clicked on by 1 unsuspecting employee to execute malware that can cause serious damage to your Company’s operations and reputation.
Mike Walls is Managing Director, Security and Operations and Analysis at EdgeWave. While on Active Duty in the U.S. Navy, Mike served as Commander Task Force 1030 reporting directly to the Navy’s Fleet Cyber Command, and was responsible for Cyber readiness of over 400,000 people, 300 ships, and 4,000 aircraft.