WASHINGTON—The SINET security technology conference that convened Nov. 3 and 4 at the National Press Club here is one of those quiet little meetings that you rarely hear about, but which includes some of the top security thinkers and analysts in the world.
This is mainly due to the fact that the conference is sponsored by the cyber-security folks at the Department of Homeland Security, which has a significant presence at the event.
While it’s easy to sit back and let the companies taking part in this event pitch the latest information about their products, the fact is that there’s a lot more going on below the surface than that.
Perhaps the most useful information comes from security researchers who keep their hands on the pulse of the current threats. These are the folks who know what’s about to happen, and have the best idea about where to look for it.
For a couple of years, the primary thrust for cyber-attacks moved to the server and away from endpoints. The reasoning was simple. After all, the richest data sources sought by criminals and state-supported hackers resided there and presented the greatest potential return for their effort. This is why they went after the business-critical data stored in servers.
But that’s changing. The primary reason for the change is that servers are comparatively easy to protect. After fiascos such as the Target breach, network segmentation became more common, companies began encrypting their data and data was divided into areas with more access control.
While this hasn’t eliminated all server-oriented attacks, it has made them less attractive. Now, with few exceptions, cyber-attacks are moving back to the endpoint, not because it’s more efficient, but because the chances of success are much greater, security experts here said.
“Now outsiders are using insiders to get what they want,” said Dtex Systems CEO Mohan Koo. “The gaping hole is on the inside.” Koo, whose company specializes in blocking insider threats, said that the attacks include the use of hijacked credentials, malicious actions by insiders and of course what he aptly describes as “silly mistakes.”
He said that a significant factor in the end user attacks boils down to the attackers getting better at social engineering. Other experts I talked to at the conference said that the social engineering is getting good enough that it’s very difficult for the recipient of an email to know for sure whether it was sent by the person who seems to have sent it, or whether their address was spoofed.
In fact, the attackers are getting so good that they’re able to put together information designed specifically to fool the recipient. Yoel Knoll, marketing director of Secure Islands, a company that works with email security, said that many times the spoofing was so good that the recipients would believe that the sender had to be who they said they were because of details they were able to provide.
Malware Threat Comes Full Circle to Focus Again on End Users
But what’s actually happening is that the cyber-criminals have done careful research and they’ve accumulated the information they need to convincingly pretend that they’re someone else.
“We’re seeing more end user attacks,” said Engin Kirda, chief architect at Lastline and professor of computer science at Northeastern University in Boston, who said that people need to be more suspicious about the things they click on in emails.
He also said that he was disappointed that education didn’t work as well as it should, and that the only thing that seemed to work was the experience of having been the victim of an attack. This means that companies need to perform more realistic training, he said.
Kirda also noted that it was important for companies to have more innovative defenses. He noted that much of the more recently developed malware is able to detect when it is being run in a sandbox, an isolated environment that appears to the software to be a real computer when it is not.
Cyber-criminals are also good at writing malware that is able to mask its malicious purpose, he observed, although the most advanced security systems are able to detect when malware is trying to cloak its behavior.
But even with all of the talk about the rising tide of attacks on endpoints, there is one place where protection is so limited and the target so vulnerable that attacks on servers continue to have a high rate of success. That target is the widely used SAP software that is mission critical to many Fortune 500 companies.
“SAP is the most overlooked problem in the enterprise,” said Mariano Nunez, CEO of Onapsis. The company has developed security software for SAP systems, but he said that the problem goes far beyond anything his company, or any company, can solve.
The problem, he said, is that many SAP installations have been unpatched for years, and the networks that host them are so complex that the companies that run SAP applications have little effective means of fixing the problem.
He said that exploits on SAP systems go on for years because they’re unpatched. Worse, he said that the IT departments are given so little time to perform management tasks that they can make little headway against the malware. Most of the attackers are nation-states, he said, with other cyber-criminals being major players as well. “The vulnerabilities are well known,” he said.
What all of this really proves is that the cyber-attacks go after the easiest target. Today those targets are gravitating toward end users because they resist training. But attacks continue to hit vulnerable enterprise software installations because the host companies that use it resist the need to follow proper security management practices. Both problems are preventable, but technology isn’t the only answer. There also has to be the desire to solve the problem.