2011 was a momentous year in many aspects for the security industry, with high profile cyber-attacks and data breaches, but also a year in which many of the incidents evoked a sense of d??Â«j??Ã vu amongst industry observers.
“2011 was the Year of the Hack,” Harry Sverdlove, CTO of Bit9, told eWEEK.
There was an “unprecedented rise” in targeted attacks, and while some were very sophisticated, others employed crude, yet effective, methods, according to Sverdlove.
The breach against RSA Security was an example of how sophisticated attackers have become when it comes to stealing intellectual property. The attackers managed to breach one of the foremost security companies in the world by combining social engineering with a zero-day vulnerability embedded in an Excel spreadsheet.
Simply by sending an email with a malicious attachment to recruiters and staff members in the RSA Human Resources department, attackers walked off with information relating to the SecurID two-factor authentication technology used by major government agencies and large corporations to secure their networks.
Sony was an example of how organizations that hadn’t paid attention to security were suddenly faced with a high price tag and brand damage after a data breach. Under the cover of a distributed denial-of-service attack, adversaries managed to breach Sony’s online systems and stole more than 100 million user records. Subsequent reports highlighted numerous security issues that Sony neglected to address.
Organizations realized that there is no such thing as being too big or too small to be safe from cyber-attacks and data breaches. Operation Night Dragon was a coordinated and wide-scale attack on several petroleum and energy companies, and the Nitro campaign targeted at least 48 companies within the chemical and defense industries. Operation Shady RAT targeted over 70 organizations using the same command and control server.
Experts have been predicting attacks against critical infrastructure for almost a decade, and in 2011, people started paying attention. The White House outlined its proposal on how best to secure critical infrastructure such as power grids and public utilities, as well as chemical, gas, oil and energy plants.
The proposal named the Department of Homeland Security as the agency in charge of coordinating the efforts. In the second half of 2011, the Duqu Trojan revived worries of the new generation of Stuxnet-style malware capable of manipulating industrial process control software used in many industries to damage critical industrial and utility infrastructures.
Daily Targeted Attacks Increase Fourfold
Symantec researchers found that the number of daily targeted attacks has increased almost fourfold compared with the beginning of the year. In the same report, Symantec identified the public sector as the most frequently targeted industry, with approximately 20.5 targeted attacks blocked each day.
Hacktivists highlighted how effectively they could embarrass corporations by using SQL injection and cross-site scripting to steal and publicize potentially sensitive data. Hacktivist collective Anonymous famously breached HBGary Federal’s email servers and leaked personal emails belonging to CEO Aaron Barr and other executives.
They also used distributed denial-of-service attacks as a form of protest. This included attacks on repressive governments in the Middle East and companies that cut ties with the WikiLeaks sites that circulated stolen government and corporate documents. Along with the effectiveness of their attack methods, these hackers also showed how effectively they could organize using social media tools such as Twitter and Pastebin.
“Thousands of different companies around the world were attacked in 2011, with no stone left unturned,” said Sverdlove.
However, very few enterprises disclose breaches publicly and, when forced to do so because of legal and government regulations, refuse to discuss the methods used in the attacks, according to Anup Ghosh, founder and CEO of Invincea. This makes it hard to share information or to get a proper view of existing threats.
“The truth is we’re all victims of cyber-exploits. It’s time to remove the stigma and disclose what’s going on if we are to ever going to force change in the industry,” Ghosh said.
Organized crime dominated cyber-exploits in 2011 as criminals figured out how much easier it is to steal money online. Law enforcement authorities were busy in 2011, breaking up cyber-criminal rings, including Operation Ghost Click in which six individuals netted over $14 million and shutting down botnet operations.
McAfee reported more than 80,000 new variants of malware were generated each day in 2011, a 400 percent increase in the rate of malware production since 2007. Malware developers increasingly took advantage of vulnerabilities in Web browsers, as the number of Java-based browser exploits grew significantly. Invincea researchers also noticed an increase in threat-injection attacks against operating system services, Ghosh said. These browser exploits evaded most antivirus and application whitelisting techniques as they never hit the disk drive, according to Ghosh.
Mobile Malware Emerging as Significant Threat
While mobile malware accounted for a tiny portion of the overall malware volumes, there was a significant surge of malicious applications. Criminals discovered how easy it was to take existing Android apps and insert several lines of malicious code before repackaging them for online distribution. Apple’s iOS platform wasn’t immune as security researcher Charlie Miller discovered a way to bypass the process that allowed only signed apps from the iTunes App Store to be installed and run on the iPhone and iPad.
As cloud computing and related services exploded in popularity, enterprises also began considering the risks of using those services. Companies like Dropbox and Box.net make it easier for enterprises to share data, but IT departments still have to remember that “bad stuff happens” even in the cloud, Geoff Webb, director of product marketing at Credant Technologies, told eWEEK.
A problem with the authentication system used by Dropbox essentially allowed all users to access any files, without the need for an authenticated username and password, which caused organizations to think about encryption and how secure cloud storage really was, Webb said.
The “sobering lesson” of 2011 was that the cloud, despite its advantages, is “neither immune from problems nor does it offer a sanctuary from security and privacy concerns,” Webb said, before adding, “Cloud users should tread very, very carefully.”
Ghosh said the security industry continued to fail to do its job in 2011. End users were still held accountable for the security of the organization, and IT departments continued to buy “reactive” security technology despite the fact that they are not effective in addressing the growing threat landscape, according to Ghosh. The industry won’t change or innovate to develop proactive and more effective products as long as customers renew their subscriptions, Ghosh said.
“As long as we continue to design systems that depend on users to make correct security decisions, we will continue to blame users and wonder why our networks get compromised,” Ghosh said.
Users were duped by social engineering attacks over social networking sites and email into clicking on malicious links and opening questionable attachments. These social engineering attempts were accompanied by the tendency to blame the user for infections and compromises. Users were targeted because “they are improperly put in the position of making security decisions, decisions they are not equipped to make,” Ghosh said.