In its annual review of the worst security problems spotted for the year, the SANS Institute recently cited zero-day attacks and human gullibility in falling victim to phishing scams or other social engineering tricks as among the most dismal trends of 2006.
The annual SANS “Top 20 Internet Security Vulnerabilities,” this year called the “Top 20 Attack Targets,” were highlighted by SANS Institute representatives in an appearance Nov. 13 at Britain’s security agency, the National Infrastructure Security Coordination Centre, in London. The SANS Institute listed one of the worst problems this year as zero-day vulnerabilities and attacks that have gone beyond Microsoft Internet Explorer.
According to SANS, a zero-day vulnerability is a known flaw in software that does not have a patch available. SANS said 45 “serious and critical vulnerabilities were discovered in Microsoft Office products alone” and among them, nine were zero-day vulnerabilities in which an exploit or worm was actively making use of the flaw and no patch was available, the SANS report notes.
But it’s not just Microsoft products at stake, says Rohit Dhamankar, editor of the SANS Top 20 report and senior manager of security research at TippingPoint, a division of 3Com. “The rise of zero-day attacks, at least 20 of them this year, also included Apple’s Safari browser and wireless driver.” But according to SANS, the focus of most zero-day attacks remains on Microsoft products, particularly Internet Explorer.
The SANS report claims that many zero-day attacks that target Microsoft products are initiated in China.
“There are various theories about why China is such a hotbed for zero-day attacks, but most likely it is the fact that much of Microsoft’s source code is available there with little intellectual property rights restriction on distribution, the culture supports reverse-engineering of proprietary code and research into exploiting code vulnerabilities, and there are few enforcement investigations into the crews launching the attacks against targets in other countries,” the SANS report states.
Other attack trends spotted by SANS this past year include growth in targeted attacks, such as “spear phishing” where an e-mail-based scam is perpetrated against an organization or individual.
“For the first time this year we’re citing the human factor,” said Dhamankar. “It might be a secretary out front who gets ‘spear-phished’ with mail that looks like it comes from the CIO or the security office but it doesn’t. It’s an attack to get sensitive information.”
When it comes to spear-phishing, however, SANS also has some controversial advice for computer security professionals looking to lock down their networks: spear-phish your employees.
That’s what the U.S. Military Academy at West Point did in 2004 to a group of 512 cadets, selected at random for a test called the Carronade. The cadets were sent a bogus e-mail that looked like it came from a fictional colonel named Robert Melvillle, who claimed to be with the academy’s Office of the Commandant (The real Robert Melville helped invent a short range naval cannon called the Carronade nearly 250 years ago).
“There was a problem with your last grade report,” Melville wrote, before telling the cadets to click on a Web page and “follow the instructions to make sure your information is correct.”
More than 80 per cent of the cadets clicked on the link, according to a report on the experiment. Worse still, even after hours of computer security instruction, 90 per cent of freshmen cadets still clicked on the link.
Spear-phishing attacks contain this kind of targeted information in order to seem more credible, but their goal is the same as a regular phish: Trick the user into doing something he shouldn’t, like giving up sensitive information.
Because these attacks rely on cooperation from their victims, it’s hard to prevent them, said Alan Paller, director of research with SANS. “The only defense against spear-phishing is to run experiments on your employees and embarrass them,” he said.
Other threats SANS is highlighting for 2006 include VoIP attacks, including the type to “make money by reselling minutes and potentially injecting misleading messages and even creating massive outages in the old phone network.”
“The VoIP servers are interfacing with the traditional networks,” Dhamankar points out. Attackers can get to circuit-switched networks via VoIP servers that could have vulnerabilities.
“By compromising a VoIP server, an attacker now has the ability to inject bad messages in the phone network,” Dhamankar says, adding that the most disastrous consequence can be bringing down the old phone network.
Sidebar 1
2010: A security odyssey
Today’s enterprises are not spending their security dollars wisely, often shelling out vast sums to protect their least-sensitive digital information while ignoring common risks like insider threats and paper theft — a situation that security experts insist is likely to get worse over the next four years.
Recent research conducted by analyst firm Forrester indicates that organizations are spending millions on security, but not in the areas where the risk is greatest.
“There has been a lot of spending on network security, but the perception is there is not a lot of risk in that area,” says Forrester senior analyst Tim Sheedy. “But there is very little spending around insider abuse, social engineering or even paper theft, which are major risks to the organization.”
Sheedy claims that in a few years, IT security will be measured much like other business metrics. Businesses will be able to factor in the actual information security risk, based on factors such as employee behaviour, system readiness and the financial ramifications of employees who expose an organization’s most sensitive information, either willingly or by accident.
“Putting actual metrics — and particularly financial metrics — around security is going to be a major trend,” Sheedy said. For example, Sheedy suggests firms will be able to gauge the financial implications of employees who are not trained in certain security protocols.
“You could state that because 20 per cent of employees operate in an [insecure] way, they represent a US$300,000 risk to the organization,” he said.
Mark Pullen, country manager of RSA Security, said enterprises are not ready for the security threats of the future. By 2010, says Pullen, industries like retail, construction and finished goods will have to deal with the same online nasties that plague online banking today, and most won’t be ready.
“It will take bankruptcy for many organizations to take security seriously,” Pullen says.
“In 37 months time I think there will be a public company either forced into chapter 11 (US bankruptcy code) because of a security breach that either resulted in goods being stolen from them or an incident with such an impact that a company is forced to shut down,” he said. “People are not ready for these threats.”
According to Pullen, when it comes to threats like phishing and malware, the enterprise’s greatest enemy is time, usually that between when an e-mail is sent out and when online fraud is committed. “If you can cut down that time and shut down an attack, it massively reduces the ability for phishers to steal money,” Pullen said.
“The security skills shortage will eventually drive the adoption of modern technology to do the basics of security that people will need to do.”
Ben Guthrie, Trend Micro’s product and marketing manager, thinks the biggest challenge to information security in 2010 will be how to address threats over Web traffic. He said protecting the flow of information over both HTTP and FTP is crucial, since these protocols are used for the majority of spyware and similar types of attacks.
Sidebar 2
Rootkits, ID theft leave their ugly mark
Research analysts at Gartner Inc. are predicting a sticky web of security hazards for IT professionals over the next two years, ranging from targeted financial attacks to spyware to rootkits.
Gartner released the list of threats during its recent IT Security Summit in London, part of the company’s “hype cycle” reports that track technology trends. The threats, Gartner said, have a “potential to inflict significant damage” on businesses. The threats are:
? Cyber attacks with a financial motive: Criminals may try to steal customer data or information to hurt a company’s reputation. Gartner suggests that corporations run more penetration tests to detect network holes and employ more aggressive intrusion detection systems, along with the usual signature-based anti-malware software.
? Identity theft: While the number of victims has remained steady, Gartner said defense is still poor against these attacks, which seek to assemble enough personal information to, for example, open a bank account in someone else’s name. Companies can defend themselves with stronger authentication methods, encryption, better access control and database monitoring.
? Spyware: This insidious form of software often transparently infects computers, recording actions such as keystrokes. Over the next two years, 20 per cent to 50 per cent of companies will get infected with spyware, Gartner said. Include antivirus and anti-spam functions in anti-spyware software.
? Social engineering: Clever tricks by cybercriminals can dupe users into revealing sensitive network information. A user, for example, could be tricked into downloading a malicious software program if they think it came from a co-worker. Gartner recommends writing clear and consistent security policies to prevent users from making mistakes such as sending confidential information to a competitor.
? Viruses: This perennial problem remains. Companies should deploy security software that uses updated signatures, which detect new variations of malware, to stop infections. IT administrators should also improve patching and vulnerability detection techniques, Gartner said.
? Rootkits: Gartner predicts more trouble with rootkits over the next five to 10 years. These modified system files can bury themselves deeply within an OS and can be difficult to find. From there, rootkits could offer an attacker the same control as the computer’s administrator.