Beware 2006: Exploits Increase, Impact Gets More Serious

By David F. Carr  |  Posted 2005-12-13
The most recent Computer Security Institute/Federal Bureau of Investigation survey reports that the financial damage from computer crime is down 8% from what it was last year. Respondents to the survey reported losses of $130 million, down from $141 million in 2004. Internet-wide mass attacks by computer viruses and worms replicating themselves and clogging corporate networks are succeeding less often as network managers defend themselves more effectively.

But thieves who can't get in one door will try another.

Security experts such as Gartner analysts John Pescatore and Neil MacDonald increasingly worry about targeted attacks, perpetrated by organized groups of cybercriminals, replacing publicity-seeking intrusions by vandals and small-time crooks. Last month, a half-dozen defendants who had been charged with being part of an organized credit-card and identity-theft ring—known as the Shadowcrew—pleaded guilty in federal court in Newark, N.J., to conspiracy to commit credit-card, bank-card and ID-document fraud.

Also coming to light in recent months are new forms of attacks. Instead of writing spyware to capture credit-card numbers from random consumers, some authors of malicious software have turned to writing Trojan horse programs to steal secrets from specific companies, as in a case that cropped up this past year in Israel. Like the legendary Greek gift to Troy of a wooden horse with soldiers hidden inside, Trojan software contains a hidden payload that attacks the recipient.

There are a variety of ways for malicious software to slip past firewalls and other perimeter defenses. It can be carried on a laptop or stored on a keychain backup drive and delivered when those devices are attached to a network. Business users also increasingly expect to be able to access corporate applications from anywhere via a Web application or a virtual private network connection, effectively extending the network to include home computers and public kiosks that may be insecure.

Still, some of the greatest embarrassments companies suffered in the past year over inadequate data security were more the result of carelessness than targeted hacks. The Nigerian identity thieves who breached ChoicePoint didn't have to break into the company's systems because they were able to represent themselves as legitimate corporate customers and sign up for an account with the data services vendor, which maintains records on millions of citizens. As a result of a California law that requires companies to disclose incidents that compromise consumer privacy, ChoicePoint was forced to admit letting 145,000 records slip through its hands this way. The same law forced Bank of America and Citigroup to disclose that magnetic backup tapes containing consumer data had been lost during shipping.

"Years ago, if you lost a skid of tapes, you weren't required to tell anyone," notes Carl Branco, a first vice president in charge of internal auditing at TD Waterhouse who has also overseen information security at several banking and financial services institutions.

Not anymore.

And to some extent, all public companies are feeling greater regulatory pressure to improve information security because of the Sarbanes-Oxley Act, which includes control over data security as one of the audit criteria for proper corporate governance.

"It puts a new twist on the whole I.T. security thing," says Howard Israel, an information security consultant. Rather than being treated as a technical issue, it's becoming a basic issue of corporate management, often approached from the perspective of risk management, according to Israel. That means looking for ways to mitigate or compensate for risks that cannot be eliminated, he says.

While information security professionals may to some extent welcome the attention brought by laws like Sarbanes-Oxley, Gartner's Pescatore says they also worry about "regulatory distraction." Overzealous auditors seeking to justify their fees have sometimes offered misguided security recommendations such as making users change their passwords on a quarterly schedule, he says, "which we know actually decreases security." Users faced with overly strict rules often subvert them—for example, by writing down passwords because they can't remember them.

Some of those excesses are starting to subside, Pescatore says, but it's important to focus information security efforts on real improvements, not symbolic gestures.

So, as we head into the new year, what should be the starting point for chief information officers, chief security officers and other executives charged with safeguarding vital information resources? Based on interviews with information security experts and corporate security officers, Baseline has compiled a list of the top five security concerns for 2006, followed by some basic steps every company should take to safeguard their systems.

Story Guide:
Beware 2006

  • Targeted Attacks
  • Shielding the Net
  • Fallback Plan Failures

1 - Targeted Attacks

By definition, malicious software that's targeted at your organization, rather than the entire Internet, is not widely distributed. As a result, your antivirus and anti-spyware vendors may not be able to protect you against it because they haven't seen this specific attack elsewhere.

While computer security experts say incidents of this sort are often handled quietly, one that made the news in Israel occurred when telecommunications and media firms allegedly paid hackers to create customized Trojan horse software to spy on their competitors. Although arrests were made after the scheme was uncovered in May, this custom bit of spyware apparently went undetected at some of the targeted organizations for 12 to 18 months, according to Gartner's MacDonald.

Gartner says other, less publicized incidents include attacks on financial institutions and viruses written specifically to attack design software used in the aerospace industry.

The problem with combating such targeted attacks is that they can't be stopped by the traditional antivirus approach of identifying a "signature"—some recognizable feature of the malicious software, such as the file names or computer memory structures it employs—that is distributed to each user of the antivirus software. When the protective software recognizes that signature, it removes the offending program or, better yet, stops it from being installed in the first place. When malicious software is distributed widely, the antivirus vendors can find sample copies, which they use to identify signatures and develop antidotes. On the other hand, if a custom bit of malicious software is placed within one company only, it won't be spotted by signature-based antivirus or anti-spyware systems.

So, protecting your organization against such targeted attacks will require a more generic and adaptable approach to spotting suspicious activity on your network and each PC or server in your enterprise. "The signature-based approaches are still necessary, but not sufficient," MacDonald says.

The security software market has responded with various types of intrusion prevention products, which are less dependent on attack signatures because they work by blocking suspicious behavior, particularly if it seems to be directed against known network or system vulnerabilities—for example, detecting and shutting down external network connections that are probing for weaknesses in a Web server. Intrusion prevention vendors include Internet Security Systems and 3Com's TippingPoint division, as well as other security software vendors such as McAfee.

The most mature products of this type are installed around the network perimeter like firewalls, scanning and blocking suspicious incoming traffic, or at the connections between local and wide area networks.

But as the ways for attacks to sneak around the network perimeter multiply, another form of intrusion prevention, known as host-based intrusion prevention, is becoming more important. In contrast with network-based intrusion prevention at the firewall or network switch, host-based intrusion prevention software is placed on individual computers.

So far, the best protection is available for servers. Because of the variety of software installed on desktop and laptop computers, separating legitimate from suspect activity in that environment is a tougher challenge for the intrusion prevention software vendors. MacDonald has identified nine competing strategies for host-based intrusion prevention, ranging from inspecting incoming packets of network traffic to bleeding-edge technologies for examining the behavior of software as it executes.

Some approaches to intrusion prevention depend on probabilistic analysis that can lead to false positives, meaning that the intrusion prevention software could stop legitimate software from running because it "looks suspicious." Other approaches, such as "hardening" the operating system by blocking access to all interfaces hackers might exploit, are practical for some single-function computers, such as airport kiosks, but not for the typical business laptop, MacDonald says.

Even with these challenges, Gartner is recommending that enterprises begin deploying host-based intrusion prevention where appropriate in 2006. Vendors offering products in this category include Symantec, McAfee, Panda Software, Internet Security Systems and Check Point.


2 - Unauthorized Network Access

Another protective strategy that's becoming increasingly important is known as network access control—protecting the network from the computers that connect to it, even (or maybe especially) if they are connecting from inside the firewall.

Here the idea is to check the integrity of each computer, particularly in terms of whether it has been cleansed of viruses and patched for known vulnerabilities. For example, a salesman who returns from months of travel bearing a laptop that is missing critical security updates and infected with a nasty virus might be "quarantined" from the rest of the network—allowed to access only a minimal subset of network services, such as the security update servers required to repair the laptop, and prevented from contaminating other computers.

Corporate network managers increasingly worry about remote access from home computers or library and airport Internet access terminals. Applications such as Web-based access to corporate e-mail may be "secure" in the sense of using HTTPS, the secure version of the Web's HyperText Transfer Protocol (HTTP). But just because the network transmission of data is encrypted doesn't mean that the computer being used for Web access is secured against spyware or keyboard-logging software designed to steal passwords and other confidential information. So, you may need to employ additional security mechanisms, such as requiring the user to download a Java applet or other software that can be activated on the fly to protect against hackers capturing passwords or stealing other information.

The presence on the corporate network of non-company-owned computers and other devices, such as cell phones with data networking capabilities, is only expected to increase, according to Gartner, so network managers are going to have to learn to cope with it.

3 - Poor Identity Management

Organizations of all sorts need to put more effort into improving the quality of the identity data they maintain on users of their systems, according to information security consultant John Dubiel. ChoicePoint's data breach dramatized this problem because the company essentially allowed identity thieves to come in through the front door, establishing themselves as customers of its database services. "They should never have gotten access for who they were," Dubiel says.

Many organizations suffer from more subtle breakdowns in user identity management, such as assigning new system access rights to users who change jobs but forgetting to drop their access to systems related to their old jobs. For example, Dubiel recalls having an airline employee who worked in the operations department show off how he could still access the systems for reservations, where he used to work, and offer to get Dubiel a better seat on his flight home. Narrowing access rights to only the systems that users need to do their jobs is not necessarily a steep technological challenge but requires better coordination between human resources and information security, he says.

4 - Exploitable Code

Web applications that connect to a database can easily contain flaws that, for example, allow hackers to inject their own database programming code into a transaction. The result: A Web form meant to allow customers to look up their own purchase records can be hijacked to access other customers' records—or even to delete or alter records.
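The purchase-lookup hijack described above, as an added example that is not from the article: the same "show me my purchases" query written once by string concatenation and once with a bound parameter, run against a constructed in-memory SQLite table. The customer names, items and the form input are all made up for the demonstration.

```python
import sqlite3

# Constructed sample rows standing in for a customer purchase table.
PURCHASES = [
    (1, "alice", "laptop"),
    (2, "alice", "docking station"),
    (3, "bob", "printer"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE purchases (id INTEGER, customer TEXT, item TEXT)")
    conn.executemany("INSERT INTO purchases VALUES (?, ?, ?)", PURCHASES)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, customer: str) -> list:
    """The flaw the article describes: the value typed into the Web form is
    pasted into the SQL text, so it can change the meaning of the query."""
    sql = ("SELECT item FROM purchases WHERE customer = '" + customer +
           "' ORDER BY id")
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, customer: str) -> list:
    """The fix: the driver binds the value separately from the SQL text, so
    whatever the user typed is compared as a plain string, never parsed as SQL."""
    sql = "SELECT item FROM purchases WHERE customer = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (customer,))]


def demo() -> dict:
    """Run both lookups with a normal name and with a constructed hostile one."""
    conn = make_db()
    honest = "alice"
    # Constructed hostile input: the quote closes the literal and the
    # appended condition is true for every row in the table.
    hostile = "alice' OR '1'='1"
    return {
        "vulnerable_honest": lookup_vulnerable(conn, honest),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "parameterized_honest": lookup_parameterized(conn, honest),
        "parameterized_hostile": lookup_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The concatenated query returns every customer's purchases for the hostile input; the parameterized query returns nothing, because no customer is literally named `alice' OR '1'='1`.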

One way for companies to reduce their overall risk is to make sure any programmers they employ, particularly if they develop software that will be exposed to customers or partners over the Internet, get training in how to write secure software, Israel says.

Security flaws in vendor-produced software tend to attract more publicity, particularly when the vendor is Microsoft and the software is widely distributed. "But the exact same flaws exist internally, in homegrown applications—probably worse ones, because there's less scrutiny," Israel explains.

Security officers should be pushing both internal and external developers to reduce the number of flaws in software to be deployed on the corporate network by at least 50%, Gartner recommends.

"If we could get them to remove just the stupid bad programming tricks, we could reduce configuration management cost by 75%," Pescatore says. The classic example of a programming flaw with consequences for security is a "buffer overflow" error, which allows one program to overwrite memory beyond the area it rightfully occupies. Attackers can exploit this flaw to take control of the computer on which the vulnerable program is running. Programmers create a vulnerability of this sort when they allow users to enter data without making the software check for illegal input, such as input longer than the space set aside for it.

Just as manufacturers can improve the quality of their products and control costs by requiring higher quality from their suppliers, information managers can put pressure on their software vendors to deliver more secure code, and on their Internet vendors to deliver "clean bits" with spam and known attack code removed, the analysts say.


5 - Backup Tape Losses

At the most basic level, recent publicity about the loss of tapes containing consumer data focuses attention on the need to physically transport tapes to a backup location or credit bureau in a safe and secure manner.

By using encryption, companies can also make the data encoded on tapes safe from prying eyes, even if the tapes are lost or stolen.

However, encrypting large volumes of data can take hours, bogging down system operations. A successful encryption strategy requires careful management of the mathematical keys used to scramble the data, or else it won't be possible to unscramble it when it's really needed—perhaps when the backup tapes must be decrypted to restore the operations of a business in the wake of a disaster. In some cases, specialized computer appliances for encryption and decryption from vendors like nCipher are helping businesses accelerate encryption processing and make it more practical.

Particularly in retail industries that handle a lot of consumer data, information managers are giving more consideration to encrypting that data wherever it is stored, or "at rest" in industry jargon, as opposed to encrypting only transmissions over a network.

Granted, computer security is expensive. Information security spending has been growing at 16% a year for the past couple of years, while overall information-technology spending has only been growing 4% a year, according to Gartner. As a percentage of revenue, corporations are already spending about as much on information security as they are on more traditional ways of managing risk, such as property and casualty insurance, MacDonald says.

But after several years of increasing spending on information security, chief information officers and security officers are going to have to turn their attention to getting more security for less money, according to Pescatore and MacDonald. "We don't believe you have to spend more to be more secure. That's the track that we've been on, but it's not sustainable," MacDonald says.

Controlling costs will require aggressively "operationalizing" the routine aspects of information security by shifting responsibility for those tasks "to people who are good at doing repetitive tasks well," MacDonald says. In other words, you might begin outsourcing management of established security technologies, such as firewalls, and use experienced professionals to figure out, say, which intrusion prevention technologies to deploy.

Security software vendors can also be pressured to reduce costs by combining separate products, such as antivirus, anti-spyware and intrusion prevention, into "converged security platforms," according to the Gartner analysts. Instead of paying $20 to $25 each for antivirus, personal firewall, anti-spyware and other protections, a converged platform will deliver all of this functionality in 2006 for approximately $40 to $50 per machine, Gartner predicts.

So very simple, right? Just protect your company from financial losses, espionage and public ridicule, and do it in the face of new, perhaps more sinister threats—and do it for less.

6 to do's for '06
  • Protect against targeted attacks with more advanced intrusion prevention.
  • Tighten network access control, both inside and outside the firewall.
  • Make sure you know who your users are.
  • Deploy more secure software.
  • Reexamine how you handle backup tapes and data storage in general.
  • Do more with less.