COLUMN

Annual security reports offer some hope

By Ron Condon 04 Jan 2010 | SearchSecurity.co.UK Security UK News Digg This!     StumbleUpon     Del.icio.us

Most of the security companies have a stab at predicting events around this time of year, and reading their end-of-year reports can have the same effect as reading a medical dictionary -- you may end up imagining all sorts of symptoms that don't exist. And, of course, the companies have no interest in playing down the dangers -- they want you to buy their products.

Nevertheless, it is possible to extract some good news from the reports this year. As Kaspersky Lab's research experts admit: "If no serious [software] vulnerabilities are detected, 2010 may well prove to be one of the quietest years for some time."

That is a big 'if', of course, and software patching is still going to take up far too much time and effort. But the fact is: for the well-managed company practising good basic security, things could get a bit easier in 2010.

The criminals, always more interested in hitting soft targets, are finding it easier to hit consumers rather than try to penetrate well-protected organisations. For that reason, they will continue to target social networking sites and peer-to-peer file-sharing sites to spread their malware, knowing that many users have little regard to their own security. Smartphones, too, will also become a target, but that may be limited to iPhones and Android devices which are not (as of yet) in widespread business use.

On the other hand, the rapid uptake of cloud-based services will inevitably make them a target for the cybercriminals, according to security company M86 Security Inc. With so much information from multiple clients held in a single place, cloud service suppliers will need to have immaculate security practices to avoid becoming a victim of some kind of attack -- whether a data theft or a denial of service.

It is worth bearing in mind that cybercriminals on the whole are thieves interested only in stealing money or information that they can sell, with the least effort involved. In other words, their methods are dictated by some kind of return-on-investment calculation.

For more information Read Cisco's annual security report.

In its end-of-year report, Cisco Systems Inc. makes use of this fact to plot the different types of attacks, which it calls the Cybercrime Return on Investment Matrix. The matrix ranks many different attack techniques against their success rate and their money-making potential.

In the diagram, Cisco singles out "Rising Stars," methods with the greatest success rate and money-making potential. These include the Zeus banking Trojan and Web exploits. Below them, with money-making potential but a dwindling success rate, are what Cisco calls the "Cash Cows" -- such as 419 scams, pharma spam and click fraud -- which continue to generate money without too much effort.

While most security firms expect current attacks to continue, certain new trends are worth special mention:

Web threats and other vulnerabilities
Several factors make the Web so attractive for malware authors and distributors. First, according to Cisco Systems Inc., online criminals favour the Java programming language when creating malware because Java-based malware will run regardless of the device or platform being used, and because it is difficult for antivirus programs to detect Java code.

The complexity of modern websites also allows the malware writers to avoid detection. A typical webpage may pull in content from as many as 150 sources, and it is hard for the site owner to check on every one of them. This has become a big problem for sites where advertising is generated on the fly. So although the site itself may be legitimate, ads may contain links to malware.

How to protect different channels of communications In this series of tips, Michael Cobb reviews how to secure four common communication outlets, including smartphones.

Cisco cites one example in its end-of-year security report: "In September 2009, a major news publication announced that a homepage online advertisement, served up by one of the newspaper's ad networks, was delivering malware to people who clicked on it. The advertiser initially claimed to represent Vonage, the telecommunications company; however, once posted, the ad was switched to a computer virus warning that offered "antivirus" software. Unsuspecting users who installed the fake software appear to have also installed malware."

This is likely to be an ongoing problem for online businesses.

Banking Trojans
According to the same Cisco report, "Online criminals show every sign of continuing their campaign to steal lucrative financial login information -- and they're growing ever smarter and more sophisticated with their tactics."

One of the most effective attacks of 2009 was the Zeus Trojan, which Cisco estimates had infected more than 3.6 million computers by October. Infection occurs via email phishing attacks or by drive-by downloads when the user visits an infected webpage. Once installed, Zeus sits waiting for the user to enter usernames and passwords, which are then transmitted to the central controller of the Zeus botnet. Cisco expects the rate of infection to grow over 2010, especially since the Zeus Trojan is now available for sale on the Internet as a toolkit. Priced around $700, the toolkit creates new variants of the Trojan, providing each new version with a unique signature that enables it to evade detection by antivirus programs.

A newer contender, the Clampi Trojan, works like Zeus and has already infected hundreds of thousands of machines.

Spam
Spam is regularly written off as a menace, and last year, we certainly saw the rise of Web-based threats while email seemed less of a problem. But according to antivirus maker BitDefender, spam is making yet another comeback, using big news events (such as the death of Michael Jackson) to get people to click on a message, which might either carry ads for sexual enhancement drugs or ads for rogue security software or malware. In one case cited by a BitDefender report, a message asked the user to click on a link to see the "secret photographs" of Michael Jackson's killer. In this case, the attached file was a Trojan variant, which, once installed, added the compromised computer to the Zeus Botnet, and then transformed it into a spam relay.

How to protect different channels of communications In this series of tips, Michael Cobb reviews how to secure four common communication outlets, including smartphones.

Smartphones
Until recently, there were few genuine attacks against mobile phones, but that is set to change. Websense Inc. promises "more dedicated targeting of smartphones in 2010" and reports that at the end of 2009 it detected four iPhone exploits in a span of a few weeks -- "representing the first major attacks on the iPhone platform and the first iPhone data-stealing malware with bot functionality."

Websense notes that smartphones, such as the iPhone and Android, are essentially small computers and therefore face the same threats as other computing devices. However, they are usually not as well controlled as traditional computers, and tend to attract a lot of third-party applications that may be vulnerable to attack.

Windows 7
While several companies note that the Macintosh platform is no longer a safe harbour from attack -- Apple released six major security updates during 2009 -- Microsoft Windows and Internet Explorer will still provide criminals with their most fertile hunting ground.

Websense notes that Windows 7 is particularly vulnerable because Microsoft has removed many of the heavy-handed security features that had annoyed users of Windows Vista. But reaching the right balance between security and usability is proving tricky, as evidenced by the Patch Tuesday cycle in October 2009, where there were five updates for Windows 7 -- even before it was released to the general public.

Staying safe
Despite the predictions of doom for 2010, companies can still protect themselves against most threats by adopting good basic security practices, keeping patches up to date, and ensuring that users are kept aware of the need for security.

Most criminals will go for the low-hanging fruit -- the easiest targets -- and for the moment careless users of social networks and smartphones present a lucrative market for the criminals.

At the same time, the security industry has done well to keep pace with the criminals and to provide the tools with which to beat them. With a bit of luck, Kaspersky Labs might be right, and we may well have a quiet year in the corporate world.

But as Websense warns, businesses can never drop their guard. "The dynamic nature of Web 2.0 attacks, the use of email to drive users to malicious websites and tactics like SEO poisoning and rogue AV, all demonstrate the need for organizations to have a unified content security platform that protects against blended Web, email and data security threats."

Tags: Data Protection Solutions and Strategy,  Web Application Security,  Threat and Vulnerability Management,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Data Protection Solutions and Strategy Enterprise data management: Prevent data loss and insider threats NSA, cryptoexperts jab at RSA Conference 2010 Cryptographers' Panel Make PCI DSS compliance easier by reducing scope, outsourcing data Data Protection Act fines likely limited, audit powers may expand Websense integrated security system aims to simplify security management Full disk encryption: Safer and easier than file and folder encryption No major PCI DSS revision expected in 2010 Data breach costs continue to rise in 2009, Ponemon study finds Chinese hacker attacks target Google Gmail accounts, top tech firms Creating and enforcing a clear-desk policy Web Application Security Social networking risks, benefits for enterprises weighed by RSA panel How to prevent Adobe hacks from affecting your organisation Securing Web applications with Web application firewalls CISOs take measured steps to reduce social media risks Google to pay for Chrome browser vulnerabilities Facebook, McAfee partner to fix social network security issues PDF attack code complicates security analysis, skirts detection Firefox, Opera, Safari browsers top list of high risk software Active PDF attacks target Reader, Acrobat zero-day vulnerability Using unique device identification for bank website security Threat and Vulnerability Management Zeus botnet temporarily disrupted, but back in full force Considering two-factor authentication? Do cost, risk analysis Clientless SSL VPN vulnerability and Web browser protection Microsoft's Charney details new botnet protection, IdM technology at RSA Look into SIEM services to cut costs, comply with PCI DSS, HIPAA Cloud security issues, targeted attacks to be hot-button topics at RSA Zeus Trojan continues reign infecting 74,000 PCs in global botnet How to use Google Webmaster tools to help protect your site New Community Security Policy aims to reduce computer misuse The value of booting from a VHD in Windows 7

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary UK Identity Cards Act  (SearchSecurityUK.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary