Latest Security Trends
By Patricia Bennett
What will 2007 be like in the network security arena? In the computer security realm, the desire to conquer old issues is spurring new security measures; however, cyber criminals also want to begin the year afresh, seeking new angles of cyber attack while continuing to capitalize on known vulnerabilities. As we all know, deviousness is not a limited commodity in today’s world; and hacking into network systems has become, not just a way to gain notoriety or augment income, but a means of livelihood for many. In fact, recent attacks have been linked to organized crime and drug financing and have proven to be much more insidious and strategic than ever before. This article will discuss some cyber attacks that have recently occurred as well as some new security strategies to combat looming threats.
Cyber Attack Trends
- The Silent Attack Initiative
One recent attack trend is the targeting of medical data, particularly the data of cancer or AIDS patients. Medical records are being targeted because there are so many medical charges inherent in the treatment of these illnesses, making it easy to add additional charges to the extensive list of legitimate ones. This under-the-radar approach to diverting funds is becoming common and has wide-ranging negative effects for victims, even affecting their future medical care because their treatment history has been falsified. For these reasons, it is imperative that patients conscientiously review their medical files.
As we see, computer crimes are no longer ego-driven, rife with bells and whistles that draw attention to the genius of the hacker. Rather, the trend has shifted toward non-disruptive criminal attacks, driven by the desire for monetary gain rather than personal glory. The zero-day exploit is a modern threat trend that follows the silent attack initiative. It capitalizes on vulnerabilities within a software product before a vendor patch is implemented, sometimes before the vendor is even aware of the vulnerability.
The SANS Institute recently listed the top 20 security vulnerabilities, one of the major ones being zero-day vulnerabilities found in both Mac OS X and Windows products, and increasingly in Internet Explorer. The MOAB (Month of Apple Bugs) group decided to ring in 2007 with a bug-finding expedition, publicly reporting the bugs uncovered within Apple’s Mac OS X.
In the past, the standard protocol was to first notify the vendors of these vulnerabilities before publicly announcing the exploit. MOAB’s atypical approach is rife with dangers because it enables the public to know of an exploit before the vendor can patch it. Unfortunately, there are no laws against pointing out vulnerabilities on the Internet or writing programs that exploit these known vulnerabilities.
A recent InformationWeek article, entitled “The Hacker Economy,” explains that there is a thriving black market business for zero-day exploits. In this “exploits-as-a-service” industry, spam distributors can buy exploit code from managed exploit providers; some paying as much as $20,000 to $30,000 for each exploit. By 2008, it is predicted that 90 percent of all attacks will be malware ones that exploit application vulnerabilities.
- Client-Side Attacks: Low-hanging Fruit for Cyber Criminals
We see that the motives of today’s cyber criminals are shifting to a methodical, low-key approach, seeking the best possible return on investment. Because of this trend, client-side attacks have proven fruitful for cyber criminals. Clients are an easier target than servers. Servers are more highly secured than desktop applications, so these client-side attacks offer the low-hanging fruit that hackers are seeking. By targeting end-users, hackers gain easier access to a larger number of computers, thereby producing the greatest yield with the least amount of effort.
The trail of low-hanging fruit has led many thieves to target mobile data, such as laptops. In this fast-paced world, a person’s attention is pulled in multiple directions at once, and cyber criminals are capitalizing on this. Just as pocketbooks and wallets are easily stolen because of human distraction, laptops are suffering the same fate.
According to a Ponemon Institute survey, 81 percent of companies that participated in the survey reported that they had lost one or more laptops over the course of a year, and these laptops did not just harbor personal data, such as social security numbers, but also confidential data. This type of client-side attack yields much gain for cyber criminals, and it shows no signs of declining. The U.S. Department of Veterans Affairs is well aware of this growing issue since one of its laptops was recently stolen, compromising the sensitive data of more than 26.5 million veterans.
Phishing is another client-side attack that is becoming prevalent. Some common phishing expeditions lure unsuspecting users to Web sites, where they acquire or are fed malicious code. This malicious code can turn PCs into software bots or zombies that are used by the cyber criminal to spread spam. Thus, the attack shifts from an external one to an internal one via the zombie computer, which has internal system access and can freely attack the internal network. In fact, 88 to 90 percent of spam comes from bot-infected computers.
The Web has literally proven to be an entangling, web-like snare, woven by crafty cyber criminals. Recently, scammers used the legitimate Web site, Wikipedia, to initiate their attack. They added a page to the Wikipedia Web site, directing users to download a virus remover for a new variant of the Blaster virus. The supposed “virus remover” was actually the virus.
Preying on end-users is often like shooting fish in a barrel for these so-called social engineers. According to a recent Gartner Group report, scammers are following three main trends: identifying higher-income targets, relocating their phishing sites more frequently, and varying the businesses they impersonate. As mentioned before, cyber criminals are becoming more strategic and surreptitious in their attack approaches, making them even more difficult to detect.
Are Your Unsecured Network Devices Aiding Cyber Criminals?
Another trend is that many businesses are moving away from closed circuit TV video surveillance and toward IP-based cameras. Unfortunately, when these systems are not installed properly and do not follow effective security protocols, they actually become a tool for thieves and sexual predators, allowing them to view live images via the Internet.
These cyber criminals can manipulate camera angles through the camera’s pan, tilt, zoom (PTZ) features, enabling them to target a specific area or person. Thieves will zero in on a particular physical location and devise a break-in strategy. Also, they can use PTZ features to zoom in on customer credit card or PIN numbers. Voyeurs can use PTZ features to zoom in on individuals, such as people in changing rooms.
Along with thieves and voyeurs, hackers are also using these unsecured IP cameras as useful tools. Through an unsecured IP-based camera, they can uncover IP address information, which gives them an entry point into the network system. With this information, they can develop exploits against the network, potentially gaining access to user names, passwords, confidential files, and personal information.
How Can You Defend Yourself?
- Unified Threat Management
What are some ways to counter hacker trends? The resounding outcry today from a number of security analysts is for a unified threat management approach. Paul Brettle, a business security manager for Stonesoft who coordinates sites in the UK and Ireland, speaks of combating client-side attacks by implementing a unified platform of security, networking, and end-to-end availability. By doing this, the raw data of what happens in the network becomes understandable to the technical specialists who have configured and designed this network. Being able to collect well-organized data and decipher its meaning allows technical specialists to make the right decisions at the right time.
Wireless networks have been considered an open invitation for outside attack; however, as Brettle brings out, wireless networking has undergone years of standards development. The weak link is not wireless networks, but rather the skill set of those implementing them. In Brettle’s words, “It’s more a matter of whether administrators are really doing it thoroughly enough, and setting up their networks meticulously, so that they are safe.”
SANS Institute is also seeing the need for a unified threat management approach. For an upcoming summit, SANS touts the importance of interdisciplinary training for IT professionals in the areas of auditing, legal, management, operations, and security. Rather than focusing on expensive security products to solve security issues, today’s enterprises are realizing that, though quality products are important, it is equally important to have highly skilled technical personnel who can design a well-configured network, based on sound security practices.
- An Intelligently Designed Network is Key
These sound security practices must govern all decisions regarding the hardware and software introduced to the network. For example, the downloading of patches has to be effectively managed. Patch management involves having the security intelligence to recognize a vulnerability, finding a suitable patch, and knowing precisely what the patch will affect. The technical staff must ensure that the patch is deployed on the proper machines, that it does not conflict with in-house or off-the-shelf applications, and that it successfully installs. Though there is a trend toward automated patch management, an automated system is only as effective as it is programmed to be, so intelligent design is key.
Another key aspect to this intelligent design is to ensure that the network is not cluttered with unneeded data or equipment. A recent trend in security policies is data minimization. Data minimization involves three steps: determining what information is enterprise-critical and only maintaining that information, minimizing the number of data storage locations, and purging information once it is no longer needed.
As one security analyst noted, information can be a liability if it is not properly handled. The minimalist tactic streamlines data management, which ultimately makes it safer. Thus, this leaner, meaner approach is essential, but it must also be coupled with a greater focus on educating employees, from the corporate level down, on how to protect themselves from cyber threats.
- The Importance of Security Policies and Education
Just as the technical staff needs to be well educated in the security arena, non-technical personnel also need to be trained on security practices to minimize client-side attacks. Therefore, end-user security education has proven to be another important management priority. It is essential for every enterprise to develop enforceable security standards that are clearly documented in corporate policies and procedures. These security standards need to be updated regularly, in light of ever-emerging cyber threats.
For example, end-users must be educated on current cyber snares, such as opening attachments from unrecognized e-mail sources, downloading unknown files, or following suspicious links received in e-mails. Because cyber attacks are becoming more sophisticated, end-users need to know that they can be exposed to spyware by simply visiting a Web site. Contests are a common way to lure end-users to an infected site.
By educating end-users on corporate security policies, they will be better able to avoid cyber lures. Also, end-users need to know the penalties for violating policies so that they have an even greater incentive to adopt these security practices. However, network security remains the responsibility of those who manage the enterprise—technical and organizational leaders must stay abreast of employee Internet activities and enforce all corporate policies. One area of security that is becoming a topic of interest is mobile data security, which needs to be implemented by laptop users.
As we mentioned earlier, laptops are being targeted by cyber criminals. So, it’s important for laptop users to be aware of the threat and always vigilant; however, laptop theft does not show any signs of declining. The question becomes: What can be done to protect laptop information from being compromised?
Several options are available. The safest option is to store data remotely on a network storage device, rather than on the laptop. However, if data is stored on the laptop, it is essential to recover the laptop as soon as possible. One method of doing this is by installing tracking hardware within the laptop, enabling its location to be sent to a central tracking computer via the cell phone network or GPS. Another method is through user identification, which has a wide array of protective layers, ranging from passwords to the advanced biometric strategies of voice and fingerprint recognition.
- A Multilayered Security Approach
Thus, we move to another important trend, multilayered security protection. Some feel that having multiple password protection is sufficient; but this has proven to be a weak solution. It needs to be layered with other protective measures, which include authentication, encryption, and automation. Authentication prevents unauthorized users from gaining access to stored data. If a person were to gain access to the data, encryption makes the accessed data unreadable. However, as one security breach at Boeing illustrated, encryption should be automated because individuals may forget to encrypt downloaded data.
The U.S. Department of Veterans Affairs knows how important it is to use layered security, especially since it suffered the loss of a laptop containing sensitive data. Spurred by that event, the Bush administration is making laptop security its primary focus, installing encryption software on agency-owned laptops, desktop computers, and portable storage media (e.g., flash drives and CDs). VA supervisor Robert Howard said that his highest priority is to develop a “living document that will guide our work” and to implement it; so far, they have a 322-item action plan in place. Also, they have installed tools to manage and restrict the use of USB storage devices, making it mandatory that information transfer be done through the secure network.
Network security is an ever-developing and evolving process. A well-designed network with layers of protection is essential for today’s enterprises, which are exposed to a multitude of cyber threats. By applying several protective systems at strategic network locations, a hacker’s progress is slowed, giving the network security team time to detect a breach before the final layer of defense is penetrated.
Because various network devices, such as IP-based cameras, expose a network to cyber exploits, enterprises need to have highly skilled technical staff who can implement multilayered security. Implementing a combination of firewalls/routers and an intrusion prevention system (IPS), coupled with a virtual private network (VPN), provides a unified threat management approach that strengthens the network.
- Segmentation is Crucial to Network Security
Another important aspect of network security is network segmentation. This involves placing firewalls/routers between distinct system areas to control the flow of data. For example, an effectively segmented system will place the public Internet Web server in a separate segment from the internal Web server. This helps to shield the network from outside attack; however, since client-side attacks are increasing, the focus is not only on perimeter defense but on a very granular level of internal network segmentation.
The importance of internal network security becomes clear when a laptop user contracts a virus at a customer site and connects the infected laptop to the internal network. By doing this, the laptop user circumvents perimeter defenses and exposes the internal network to the virus. However, with a segmented internal network in place, a computer that has been exposed to a virus will not be able to uncontrollably spread the virus throughout all network systems. An internally segmented network prevents the unauthorized communication between hosts, thereby limiting the scope and impact of the virus to just a limited network segment. Also, data can be segmented onto different network-attached storage devices, which further limits the uncontrollable spread of viruses and malicious code.
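The infected-laptop scenario above can be made concrete with a small model. The following Python script is an added example written for this page; it is not code from the article or from any vendor it mentions. It models a network as named segments with default-deny firewall rules between them (every segment name, host name, rule and port below is constructed for illustration), and then computes the "blast radius" of a compromised host: the set of segments a worm spreading over one service could reach. Running it against a flat rule set and a segmented rule set shows how segmentation confines the spread, and also checks the article's other requirement, that the public Web server in the DMZ cannot reach the internal Web server.

```python
"""Model of internal network segmentation (added example, not from the article).

Segments are joined only through firewall rules; anything not explicitly
allowed is denied. blast_radius() simulates worm-style lateral spread over a
single service and reports which segments an infected host can still reach.
All names, rules and ports are constructed for this illustration.
"""
from collections import deque

# Constructed inventory: each host belongs to exactly one segment.
HOSTS = {
    "public-web": "dmz",
    "internal-web": "corp-servers",
    "file-server": "corp-servers",
    "nas-finance": "storage-finance",   # data split across separate NAS devices
    "nas-eng": "storage-eng",
    "laptop-1": "clients",
    "laptop-2": "clients",
}

# Constructed allow rules as (src_segment, dst_segment, proto, port).
# Firewalls between segments are default-deny, so only these flows pass.
SEGMENTED_RULES = {
    ("internet", "dmz", "tcp", 443),            # public Web server only
    ("clients", "corp-servers", "tcp", 443),    # laptops to internal Web app
    ("clients", "storage-eng", "tcp", 445),     # engineering file share
    ("corp-servers", "storage-finance", "tcp", 445),
}

# A flat network for comparison: every segment reaches every other on any port.
FLAT_RULES = {("*", "*", "*", "*")}


def is_allowed(rules, src_seg, dst_seg, proto, port):
    """Return True if a flow between two segments is permitted.

    Traffic inside one segment is always allowed: no firewall sits between
    hosts that share a segment, which is exactly why segment size matters.
    """
    if src_seg == dst_seg:
        return True
    for r_src, r_dst, r_proto, r_port in rules:
        if (r_src in ("*", src_seg) and r_dst in ("*", dst_seg)
                and r_proto in ("*", proto) and r_port in ("*", port)):
            return True
    return False


def blast_radius(rules, start_host, proto="tcp", port=445):
    """Segments reachable from a compromised host via lateral spread.

    Breadth-first search over hosts: each newly reached host becomes a new
    source, so an allowed hop into a segment exposes everything in it.
    """
    reached = {start_host}
    queue = deque([start_host])
    while queue:
        src = queue.popleft()
        for dst, dst_seg in HOSTS.items():
            if dst in reached:
                continue
            if is_allowed(rules, HOSTS[src], dst_seg, proto, port):
                reached.add(dst)
                queue.append(dst)
    return {HOSTS[h] for h in reached}


def dmz_isolated(rules):
    """Check that the public Web server cannot initiate traffic to the
    internal Web server on common Web ports."""
    return not any(is_allowed(rules, "dmz", "corp-servers", "tcp", p)
                   for p in (80, 443))


if __name__ == "__main__":
    for label, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        spread = blast_radius(rules, "laptop-1")
        print(f"{label:9s} laptop-1 infected -> {len(spread)} segment(s): "
              f"{sorted(spread)}")
    print("DMZ isolated from internal Web server:", dmz_isolated(SEGMENTED_RULES))
```

In the flat network an infected laptop reaches every segment; with the segmented rules it is confined to its own client segment plus the one file share its segment is allowed to mount, while the finance NAS and the server segment are untouched. The same evaluator can be pointed at a real rule export to find which segments a single allow rule silently merges.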
The Bottom Line
A unified threat management approach, which involves multilayered network security, is critical to the success of today’s enterprises. It involves:
- Having well-trained, highly skilled technical specialists who know how to design a secure, multilayered network.
- Developing up-to-date security practices that are documented in corporate policies and procedures, educating all employees on these security practices, and enforcing these policies.
- Staying abreast of cyber threat trends, and adding protective layers to the network (e.g., firewalls, IPS, VPNs), enabling the network to change and grow as new threats emerge.
- Segmenting the network, both externally and internally, to make hacker access more difficult and to prevent the uncontrolled spread of viruses and malicious code.
About the Author
Patricia L. Bennett, FBCI, is the president of the Patricia Bennett Group, Inc., located in Bellmawr, New Jersey. For the past ten years, the Patricia Bennett Group has provided both government and commercial clients with a variety of contingency and network security solutions. You can contact Patricia at pbennett@bennettgrp.com, by visiting www.bennettgrp.com or by calling 856-931-1604, x112.