Security challenges for organizations are tougher than ever. Old scourges such as malware are taking on new potency as penetration tools and exploit kits are becoming more of a commercial affair, as attack sophistication is increasing through years of the ever-escalating battle of security researcher versus cyber-criminal and as more employees and customers are interacting with the omnipresent Internet in more ways.
What’s worse, the strained economy is putting more pressure on organizations to cut back on the scope of and spending on their security infrastructures. PricewaterhouseCoopers’ 2010 report, “Trial by Fire,” based on its Global State of Information Security Survey (with CIO Magazine and CSO Magazine) of more than 7,200 CEOs, CIOs, chief information security officers, chief financial officers “and other executives responsible for their organization’s IT and security investments in 130 countries,” points to reductions in scope and delayed implementation as the predominant current methods of cost control for security projects.
Unsurprisingly, 2009 was the first year of the past four in which the percentage of respondents indicating that security “spending will increase” decreased notably (by 6 percent), yet over 50 percent of respondents said they were “concerned about cost reduction efforts that make adequate security more difficult to achieve.” They also said they believe that “threats to the security of their business assets have increased.”
Given the increased threats and the spending pressures, IT admins have their work cut out for them, not only to fend off the attacks (the tools and strategies for which should be pretty familiar by now) but to effectively make a case to the financial folks in their organizations for the investments that need to be made. In corporate America, unlike governmental America, leaders are no longer willing to shell out big bucks simply to feel safe. CISOs now need to not only demonstrate that corporate assets are secure, but also provide numbers indicating the value of this safety.
Increased collaboration between business and IT security leaders is of major strategic importance. Fewer resources are being devoted to dedicated security functions during the economic downturn, and business leaders frequently require cohesive and convincing plans in advance of security expenditure. It’s rapidly becoming unacceptable to implement new or upgrade existing security measures without a clear statement of objectives and a reliable method of measuring success.
This is true down the line from management to security practitioners in the trenches. Communication, in the form of alerts and reports, is essential not only for the security apparatus to act efficiently but also to document that the apparatus is effective. In many ways, increased attention as a result of governance, risk and compliance initiatives is driving IT security departments toward greater transparency. It starts with well-designed and integrated security approaches that can be centrally provisioned and administered, such as anti-malware, DLP (data loss prevention), vulnerability assessment and software patching. The ability to manage threats and combine reports across solutions’ logs is becoming more and more important.
Protecting Data from Organized Crimeware
Attacks, whether from internal or external sources, are nothing new. However, there have been many reports (from Panda Security, PricewaterhouseCoopers and M86 Security, for example) over the past year or so indicating that the state of the economy is to blame for the recent increase in computer crime, as it gives malicious parties more motivation to steal. It’s as hard to argue with this common-sense conclusion as it is to figure out why these companies think it is innovative research. (Come on, people. Is it really noteworthy that when times are tough more people steal? Ask Jean Valjean if this is something new.)
New or not, data theft is getting more and more attention from C-level executives. The PricewaterhouseCoopers report mentioned earlier also stated that “protecting data elements is now a top priority at, arguably, the most critical time.” The proportion of surveyed organizations reporting that they have a DLP strategy in place has increased from 29 percent in 2008 to 44 percent in 2009. Many survey respondents indicated that “their organization continuously prioritizes data and information security assets according to their risk level.”
Today’s information security battle is about money. International crime syndicates rent time on botnets and later help low-level criminals launder money stolen by banking Trojans such as the Zeus and Silentbanker families. It used to take a skilled programmer to indulge in cyber-crime, but now even script kiddies can cash in as exploit kits built on Mpack and Gpack are widely available for download. Most kits come with a warranty, technical support and software version updates. The malware battle has spun so far out of control that, as M86 Security mentioned in its April report, “Web Exploits: There’s an App for That,” we’re starting to see the evolution of an international service economy in which some are beginning to offer “crimeware as a service.”
This obviously puts malware at the top of the list of security concerns for everyone, from consumers to CISOs. In the past year, we’ve seen a dramatic increase in the number of variants of a single exploit (relegating signature-based anti-malware to the graveyard) and in the percentage of legitimate Websites that were exploited and used to plant malware on unsuspecting visitors (relegating Web content filtering solutions that rely on domain as the unit of analysis to a shallow grave next to signature-based anti-malware). Targeted attacks are also on the rise. McAfee, in its “2010 Threat Predictions” report from December 2009, described the widespread problem and delved into the example of GhostNet, “a network of at least 1,295 compromised computers in 103 countries.”
Patching systems to update software has become a critical function in many enterprises. In 2009, just about everyone (Symantec, McAfee, IBM Internet Security Systems …) reported a rise in the number of attacks against applications. McAfee noted, “The favorite vector among attackers is Adobe [Systems] products, primarily Flash and Acrobat Reader.” Security researchers find that many of the most common exploits are of vulnerabilities that were announced and patched five or more years ago. This threat could be mitigated simply by patching on a regular basis. However, patching is tedious and time-consuming.
Caught in the Social Web
The rise of Web 2.0 is assisting computer crime in a multitude of ways. User-contributed content is a major source of malware. IBM ISS reported late in 2009 that more malware was found on legitimate sites (like PlayStation.com) than on suspicious sites. Free blogging services are being used to host porn links that direct users to drive-by downloads of malware. Social networking sites such as Facebook and Twitter create a false sense of trust between users and provide excellent vectors of attack. The explosion of useless toys called apps on Facebook, Google and the iPhone greatly contributes to users violating their own security.
Sadly, the effects of Web 2.0 as a threat vector will undoubtedly get worse before they get better. We’ve already helped criminals out by taking all of our personal information and interests and consolidating them on single servers online and out of our control. It is well known that an identity thief’s job is half done after five minutes of reading social networking sites. URL-shortening services such as Bit.ly and TinyURL.com are not only convenient but also do a great job of obfuscating the real URL, making it difficult for human and machine alike to judge the safety of a link.
HTML5 is right around the corner and will bring with it a whole new series of attacks. Once the distinction between Web applications and desktop applications fades, attackers will move right in and take advantage of the situation. Corporate security leaders should deeply evaluate HTML5 and the next Google Chrome OS to determine whether the rewards outweigh the risks. Early on, this transparent merging of local and Internet resources will not hold many rewards, and companies will be cautious, but then there will be some silly consumer app that your CEO orders you to support, so your security, desktop and Web development teams must prepare.
The other side of the coin is the need to protect your own Web 2.0 servers. Not only could you suffer from an attack, but so could your employees, customers and business partners. Every company has a responsibility to Internet society to protect its servers from being used to attack others. Build security checks into your site design and quality assurance process. Run a Web application firewall and an IPS (intrusion prevention system). Vulnerabilities to look for include cross-site scripting, improper use of iframes and poor validation of form input that allows SQL injection attacks.
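One way to turn that advice into a concrete quality-assurance check, as an added example that is not from the article (the in-memory user table, handler names and probe string are constructed for illustration): a form handler that pastes input into SQL sits beside a parameterized one, and a small QA gate tells the two apart, with HTML escaping shown as the companion check for cross-site scripting.

```python
import html
import sqlite3


def make_db():
    # Constructed in-memory stand-in for a real user store (assumption, not the article's data).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return db


def lookup_vulnerable(db, username):
    # Form input pasted straight into the SQL string: the poor validation the article warns about.
    sql = "SELECT username, email FROM users WHERE username = '%s'" % username
    return db.execute(sql).fetchall()


def lookup_hardened(db, username):
    # Parameterized query: the driver binds the value, so quotes in the input stay data.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return db.execute(sql, (username,)).fetchall()


def render_greeting(username):
    # Output encoding on the response side, the counterpart check for cross-site scripting.
    return "<p>Hello, %s</p>" % html.escape(username, quote=True)


def qa_injection_check(handler):
    """QA gate for a lookup handler: a quote-bearing username for a user that does not
    exist must return no rows. Returns True when the handler passes, False otherwise."""
    db = make_db()
    probe = "nobody' OR '1'='1"  # textbook tautology string used as a regression input
    try:
        rows = handler(db, probe)
    except sqlite3.Error:
        return False  # an SQL error on ordinary punctuation is itself a failing result
    return rows == []
```

Wiring `qa_injection_check` into the test suite for every database-backed form handler makes the regression visible before the site ships rather than after the WAF logs show it.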
Today’s threats aren’t terribly different from those of yesterday; they’re just becoming easier for criminals to exploit. And at the same time, companies are doing everything they can to control security costs. The upshot is that the only way to keep corporate networks and data safe is through well-planned security initiatives and strong lines of communication between business and security leaders.