
Webinar: Insights from CYREN's 2015-Q3 Cyber Threat Report

Date post: 06-Apr-2017
Upload: cyren-inc
©2015. CYREN Ltd. All Rights Reserved. Proprietary and Confidential. This document and the contents therein are the sole property of CYREN and may not be transmitted or reproduced without CYREN’s express written permission. CYREN CyberThreat Report Q3 2015 Avi Turiel
Transcript
Page 1: Webinar: Insights from CYREN's 2015-Q3 Cyber Threat Report

CYREN CyberThreat Report Q3 2015

Avi Turiel

Page 2: Webinar: Insights from CYREN's 2015-Q3 Cyber Threat Report

Agenda

• Web Security in the Modern Workplace
• Malware and other Ghosts
• Scam Spotting
• The worst day of the week is…

Page 3: Webinar: Insights from CYREN's 2015-Q3 Cyber Threat Report

About CYREN

THE BEST KEPT SECRET IN INFORMATION SECURITY FOR MORE THAN A DECADE

Founded in 1991, CYREN (NASDAQ and TASE: CYRN) is a long-time innovator of cyber intelligence solutions. CYREN provides web, email, endpoint, and roaming cybersecurity solutions that are relied upon by the world’s largest IT companies to protect them and the billions of customers they serve from today’s advanced threats. CYREN collects threat data and delivers cyber intelligence through a unique global network of over 500,000 points of presence that processes 17 billion daily transactions and protects 600 million users.

Page 4: Webinar: Insights from CYREN's 2015-Q3 Cyber Threat Report


CYREN Powers the World’s Security

Our Cyber Intelligence forms the security backbone of many of the world’s largest and most influential information technology and Internet security brands.

Page 5: Webinar: Insights from CYREN's 2015-Q3 Cyber Threat Report


Page 6: Webinar: Insights from CYREN's 2015-Q3 Cyber Threat Report

Research background

• Research Goal:
  • To understand the challenges in delivering Web security today
  • Gauge receptivity to deployment of cloud-based web security solutions.
• Target: Respondents were filtered as follows:
  • Organizations with between 500 and 9,999 employees.
  • Must have an IT job title. CIOs/CTOs were excluded in order to focus on the “implementer” role.
  • All respondents must have involvement in implementing/maintaining web security solutions at their organizations.

Page 7: Webinar: Insights from CYREN's 2015-Q3 Cyber Threat Report

Respondents: Industry

[Chart: respondents by industry. Categories: Public sector/Nonprofit (including government and education); Healthcare; Hardware/Software/Network; Technology; Banking & Financial Services; Business/Professional Services; High tech and electronics; Information, Media & Entertainment; Insurance; Manufacturing (Industrial); Chemicals/Energy/Utilities; Aerospace/Defense; Automotive; Distribution; Other]

Page 8: Webinar: Insights from CYREN's 2015-Q3 Cyber Threat Report

Top Challenges to Web security

• Multiple devices creating numerous “entry points” (laptops, tablets, …: 48%
• Lack of the continuous visibility needed to detect advanced attacks: 45%
• Lack of resources to implement new security solutions: 43%
• Difficulty assessing your organization’s level of risk/threat profile: 39%
• No clear or uniform strategy for "incident response" (response is ad-…: 39%
• Existing blocking and prevention solutions are insufficient to protect against…: 38%
• Lack of access to real-time intelligence around the latest web security threats: 36%
• Web security solutions are costly and difficult to integrate: 36%
• Conventional security solutions don’t work well in cloud/hybrid environments: 32%
• Movement towards cloud infrastructure and “anytime” data access from any …: 30%
• Lack of support from the business for new security investments: 27%
• Data and applications are moving to the Cloud: 25%
• Lack of scalable security solutions (consistent through peak activity times…: 21%
• Other: 4%

Page 9: Webinar: Insights from CYREN's 2015-Q3 Cyber Threat Report

Rate Your Current Web Security Solution

• Continuous monitoring: 11% extremely effective, 34% very effective, 39% somewhat effective, 11% not very effective, 5% not at all effective (45% extremely/very effective)
• Attack prevention: 16% extremely effective, 27% very effective, 43% somewhat effective, 11% not very effective, 4% not at all effective (43% extremely/very effective)
• Attack detection: 13% extremely effective, 21% very effective, 46% somewhat effective, 14% not very effective, 5% not at all effective (34% extremely/very effective)
• Protection speed (how fast zero-hour vulnerabilities are blocked): 7% extremely effective, 27% very effective, 36% somewhat effective, 18% not very effective, 13% not at all effective (34% extremely/very effective)

Those who indicate their organizations are using a cloud-based web security solution are significantly less likely to assign low effectiveness ratings to current solutions in the area of protection speed.

Page 10: Webinar: Insights from CYREN's 2015-Q3 Cyber Threat Report

Cloud as a Viable Solution for Web Security

67% of respondents either already use, or would consider, a cloud-based solution for Web security. Among those who are hesitant, lack of trust in cloud-based security is the top obstacle.

[Pie chart with three responses (shares shown: 21%, 46%, 32%): Yes, we have a cloud-based Web security solution in use today; Yes, we don’t currently use but would investigate or consider a cloud-based Web security solution; No]

What is holding your organization back from considering a cloud-based web security model?
Of those that do not see cloud as a viable solution for addressing Web security

• Don’t trust cloud-based …: 61%
• Our current equipment does…: 39%
• Our security mindset is…: 28%
• Staff doesn’t have training, …: 28%
• Timing, recently invested in…: 22%
• Switching costs are too high: 17%
• Never heard of cloud-based…: 17%
• Other: 28%

Page 11: Webinar: Insights from CYREN's 2015-Q3 Cyber Threat Report

Poll Question #1

Aside from Web security, what other security solution do you see the most need for? (Choose one)

• Email security (including email anti-malware)
• Breach detection (based on network traffic)
• Detection of APTs
• Anti-malware (locally installed on any device)

Page 12: Webinar: Insights from CYREN's 2015-Q3 Cyber Threat Report

CYREN WebSecurity

• Cloud-based secure web gateway
• Innovative detection technologies
• Custom sandbox arrays used on a global basis
• Automatically investigates IPs, domains, hosts, and files associated with suspicious behavior and maintains risk scores
• Inline antimalware and URL filtering
• Comprehensive protection for business users – whether office-based, remote, or roaming
• Also protects users of Guest WiFi or Public WiFi services

Page 13: Webinar: Insights from CYREN's 2015-Q3 Cyber Threat Report

Java Zero-Day Malware

Page 14: Webinar: Insights from CYREN's 2015-Q3 Cyber Threat Report

Ghostpush

• Packaged into 39 different Android apps
• Installation of adware, unwanted homescreen links, and further malware
• Based on the code and app signatures, CYREN believes the source of the malware to be China
• Beware of apps that require enabling the “Unknown Sources” check box

Page 15: Webinar: Insights from CYREN's 2015-Q3 Cyber Threat Report

Ghostpush flow

• Download (infected) popular app
• Infected app downloads “Rootmaster” apk
• Rootmaster roots device and installs “cameraupdate.apk”
• cameraupdate.apk installs “monkeytest” service
• monkeytest service installs other adware/malware
• Device pops up unwanted ads and links added to homescreen

“cameraupdate” is installed in the “system/priv-app” directory and runs every time the device is restarted so that it can reinstall malware if deleted
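
Because the flow persists through the privileged-app directory, comparing that directory with a known-good list is one way to spot it. The Python below is an added example, not CYREN's code or part of the webinar; it assumes the text output of `pm list packages -f` has been saved from the device, and the package ids and baseline in the sample are constructed placeholders.

```python
import re

# "package:<apk path>=<package name>", the line format printed by `pm list packages -f`.
# Greedy ".+" tolerates "=" inside newer /data/app paths by splitting at the last ".apk=".
PKG_LINE = re.compile(r"^package:(?P<path>/.+\.apk)=(?P<name>[\w.]+)$")

# APK file name given on the slide; the slide gives no package ids, so match on file name.
SLIDE_APK_NAMES = {"cameraupdate.apk"}

def triage_priv_apps(pm_output, firmware_baseline):
    """Return (package, path, reason) for every suspicious /system/priv-app entry.

    firmware_baseline: package names known to ship as privileged apps in the
    stock image for this device (assumed to come from a clean reference unit).
    """
    report = []
    for line in pm_output.splitlines():
        m = PKG_LINE.match(line.strip())
        if not m or not m["path"].startswith("/system/priv-app/"):
            continue
        apk_file = m["path"].rsplit("/", 1)[1].lower()
        if apk_file in SLIDE_APK_NAMES:
            report.append((m["name"], m["path"], "file name from the Ghostpush flow"))
        elif m["name"] not in firmware_baseline:
            report.append((m["name"], m["path"], "not in firmware baseline"))
    return report

# Constructed sample output; package ids are placeholders, not real indicators.
SAMPLE_PM_OUTPUT = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/priv-app/cameraupdate.apk=com.placeholder.camupd
package:/system/priv-app/Helper/Helper.apk=com.placeholder.helper
package:/data/app/~~Qx1==/com.placeholder.game-Zz9==/base.apk=com.placeholder.game
"""
BASELINE = {"com.android.settings"}

if __name__ == "__main__":
    for name, path, reason in triage_priv_apps(SAMPLE_PM_OUTPUT, BASELINE):
        print(f"{name}\t{path}\t{reason}")
```

An entry that survives removal of the visible adware and reappears in this report after a reboot matches the reinstall behaviour described on the slide.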

Page 16: Webinar: Insights from CYREN's 2015-Q3 Cyber Threat Report

Web Malware

• SEOHide
  • Injects code into compromised websites to boost page rankings by hiding hyperlinks to them throughout the infected sites
  • “Black Hat SEO”
• Faceliker
  • Hijacks mouse clicks to force users to "like" a particular Facebook page

Page 17: Webinar: Insights from CYREN's 2015-Q3 Cyber Threat Report

VBS/DropDownld.B

• VBS only supported by Internet Explorer
• Script stores a hex-encoded string on the victim's computer
• Then decodes the string into svchost.exe
• Then saves it in the temp directory, then executes

• Variant of worm/infector Ramnit
• Disables Windows security, prevents Windows Update from operating, stops install of AV
• Collects online services account information: financial, banking, social, and professional
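
A script that carries an executable as a hex string can be caught statically by decoding long hex runs and checking for a PE header. The Python below is an added example, not CYREN's detection logic; the sample script is constructed, and its hex string is only a 68-byte header stub, not a working program.

```python
import re

# A run of 32+ hex byte pairs; short runs (colour codes, small ids) are ignored.
HEX_RUN = re.compile(r"(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{2}){32,}")
# VBScript string concatenation, with or without a "_" line continuation.
VBS_CONCAT = re.compile(r'"\s*&\s*_?\s*"')

def looks_like_pe(data):
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def scan_script(text):
    """Report hex-encoded executables and svchost.exe references in script text."""
    joined = VBS_CONCAT.sub("", text)          # undo "AB" & "CD" splitting
    blobs = [bytes.fromhex(m.group(0)) for m in HEX_RUN.finditer(joined)]
    return {
        "hex_blobs": len(blobs),
        "embedded_pe": any(looks_like_pe(b) for b in blobs),
        "mentions_svchost": "svchost.exe" in joined.lower(),
    }

# Constructed sample: DOS header stub (e_lfanew = 64) followed by the PE signature.
_STUB = bytearray(64)
_STUB[0:2] = b"MZ"
_STUB[0x3C:0x40] = (64).to_bytes(4, "little")
_HEX = (bytes(_STUB) + b"PE\0\0").hex().upper()
SAMPLE_VBS = (
    'payload = "' + _HEX[:60] + '" & _\n'
    '          "' + _HEX[60:] + '"\n'
    'path = fso.GetSpecialFolder(2) & "\\svchost.exe"\n'
)
# Constructed benign script: a 32-byte hex checksum, which is not an executable.
BENIGN_VBS = 'checksum = "' + "ab12" * 16 + '"\n'

if __name__ == "__main__":
    print(scan_script(SAMPLE_VBS))
    print(scan_script(BENIGN_VBS))
```

On the endpoint side, the same slide gives a second signal: a process named svchost.exe whose image path is in a temp directory rather than the Windows system directory.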

Page 18: Webinar: Insights from CYREN's 2015-Q3 Cyber Threat Report

JS/IFrame.VJ.gen

• Spyware launched in August 2015
• Found on compromised WordPress, Drupal, and Joomla
• JavaScript code contains an iframe that redirects to a malicious server
• Gathers information such as the operating system, timestamp, timezone, and existence of certain legitimate applications like Adobe Flash Player
• Series of redirects to fake sites follow, that look identical to or closely resemble Flash upgrade sites, Google Chrome plugins, or other fake application sites
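
Site owners running WordPress, Drupal or Joomla can audit served pages for this pattern: an iframe that is invisible to the visitor and points at another host, whether present in the markup or written out by a script. The Python below is an added example, not CYREN's signature; the host names and the sample page are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}", re.I)

class IframeFinder(HTMLParser):
    def __init__(self, site_host, via_script=False):
        super().__init__()
        self.site_host, self.via_script = site_host, via_script
        self.in_script = False
        self.findings = []          # (src, written_by_script)

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
        elif tag == "iframe":
            a = {k: (v or "") for k, v in attrs}
            host = urlparse(a.get("src", "")).hostname
            tiny = any(a.get(d, "").strip() in ("0", "1") for d in ("width", "height"))
            hidden = tiny or bool(HIDDEN_STYLE.search(a.get("style", "")))
            if host and host != self.site_host and hidden:
                self.findings.append((a["src"], self.via_script))

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # Script bodies arrive as text; re-parse any markup they would write out.
        if self.in_script and "<iframe" in data.lower():
            inner = IframeFinder(self.site_host, via_script=True)
            inner.feed(data)
            self.findings += inner.findings

def find_hidden_iframes(html, site_host):
    """Return (src, written_by_script) for hidden iframes pointing off-site."""
    finder = IframeFinder(site_host)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed page: a visible embed, a same-site hidden frame, and two injected frames.
SAMPLE_PAGE = """
<iframe src="https://video.example/embed/1" width="560" height="315"></iframe>
<iframe src="/widgets/login" style="display:none"></iframe>
<iframe src="http://redirect.invalid/in.php" width="1" height="1"></iframe>
<script>document.write('<iframe src="http://gate.invalid/t" style="position:absolute;left:-9999px"></iframe>');</script>
"""

if __name__ == "__main__":
    print(find_hidden_iframes(SAMPLE_PAGE, "blog.example"))
```

This covers static markup and literal `document.write` strings only; iframes assembled from obfuscated or encoded script need a rendered-DOM check instead.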

Page 19: Webinar: Insights from CYREN's 2015-Q3 Cyber Threat Report

Poll Question #2

Which is more secure? (Choose one)

• Android
• iOS
• Both equally secure – as long as you stick to the official app store
• Both equally vulnerable – even if you stick to the official app store

Page 20: Webinar: Insights from CYREN's 2015-Q3 Cyber Threat Report


Phishing targeting business

Page 21: Webinar: Insights from CYREN's 2015-Q3 Cyber Threat Report

Ashley Madison breach

• “Impact Team” announcement/threat in July
• Customer data (~37 million users)
• Source code
• Internal data
• Followed by release in Aug
• Released details used by other criminals (or not)

Page 22: Webinar: Insights from CYREN's 2015-Q3 Cyber Threat Report


Ashley Madison extortion emails

USD 3,850

Page 23: Webinar: Insights from CYREN's 2015-Q3 Cyber Threat Report

Detecting Phishing with antimalware tools

• Common phishing attack based on “shared Google doc”
• Phishing aims for multiple email credentials
• HTML code is duplicated in thousands of compromised sites
• CYREN detection of code:
  • HTML/Phish.AM
  • 20,000+ sites in last few weeks

Page 24: Webinar: Insights from CYREN's 2015-Q3 Cyber Threat Report

More social engineering

• .doc attached malware
• Macro or RTF vulnerability
• Email includes “request” from recipient

Page 25: Webinar: Insights from CYREN's 2015-Q3 Cyber Threat Report

Poll Question #3

How do you spot scam phishing emails/websites? (Pick more than one)

• Look at the URL
• Any email I wasn’t expecting is probably phishing/scam
• Browser warnings
• Email properties (to, from, headers…)
• Poor English

Page 26: Webinar: Insights from CYREN's 2015-Q3 Cyber Threat Report


Page 27: Webinar: Insights from CYREN's 2015-Q3 Cyber Threat Report


Applied Cyber Intelligence

Page 28: Webinar: Insights from CYREN's 2015-Q3 Cyber Threat Report


Q3 Android Threats

Page 29: Webinar: Insights from CYREN's 2015-Q3 Cyber Threat Report


Q3 Phishing

Page 30: Webinar: Insights from CYREN's 2015-Q3 Cyber Threat Report


Q3 Spam

5.4%

Page 31: Webinar: Insights from CYREN's 2015-Q3 Cyber Threat Report


Q3 Worst day of the week for spam and malware

Page 32: Webinar: Insights from CYREN's 2015-Q3 Cyber Threat Report


You can also find us here:

www.CYREN.com

twitter.com/cyreninc

linkedin.com/company/cyren


Thank You. Any Questions or Thoughts?

