As we begin a new decade, battle lines are firmly drawn with UK Organisations squaring up to Cyber Criminals. Imperva, the Data Security leader, predicts five key security trends to watch for over the next ten years:
The industrialisation of hacking - Clear definitions of roles are developing within the hacking community forming a supply chain that starkly resembles that of drug cartels. The weapons of choice will be automated tools applied through botnets. Imperva recently tracked and analysed a compromise that affected hundreds of servers. The scale of this attack, and others like it, is enormous and would not be achievable without total automation.
A move from application to data security as cyber-criminals look for new ways to bypass existing security measures and focus on obtaining valuable information.
Increasing attacks through social network sites where vulnerable and less technically savvy populations are susceptible to phishing attacks and malware infection.
An increase in credential theft/grabbing attacks. As the face value of individual credit card records and personal identity records decreases (due to massive data breaches) attackers look at more profitable targets. Obtaining application credentials presents an up sell opportunity as they provide a greater immediate value to stolen data consumers up the food chain.
A move from reactive to proactive security as organisations move from sitting back and waiting to be breached, to actively seeking holes and plugging them as well as trying to anticipate attacks before they come to realization.
Amichai Shulman, Impervas Chief Technology Officer, advises application owners to get their act together and tackle these trends head on. His key recommendations for focus come January 1, 2010 are: Organisations serious about protecting data will need to address not only the application level but also at the source of data. This will mean introducing of new technologies including a Database Firewalls, File Activity Monitoring, and the next generation of DLP products. These tools should also be combined together with other technologies such as Web Application Firewalls and classic DLP solutions to allow organization to keep track of dataflow across the enterprise from source to sink. I see the automation of hacking as a major issue and technical measures will be needed to combat this trend. Organisations must look to integrate their protection tools with proactive security measures, admittedly not readily available today, however the security community is currently developing solutions and these will become widely available over the next few years. The next decade must see the IT security industry rise up and stand shoulder to shoulder if it is to win the fight against cyber-criminals.
So, what is facing UK organisations?
1. The Industrialisation of Hacking
There is a clear definition of roles within the hacking community developing, forming a supply chain that starkly resembles that of drug cartels:
Botnet growers / cultivators whose sole concern is maintaining and increasing botnet communities
Attackers who purchase botnets for attacks aimed at extracting sensitive information (or other more specialized tasks)
Cyber criminals who acquire sensitive information for the sole purpose of committing fraudulent transactions
As with any industrialisation process, automation is the key factor for success. Indeed we see more and more automated tools being used at all stages of the hacking process. Proactive search for potential victims relies today on search engine bots rather than random scanning of the network. Massive attack campaigns rely on zombies sending a predefined set of attack vectors to a list of designated victims. Attack coordination is done through servers that host a list of commands and targets. SQL Injection attacks, Remote File Include and other application level attacks, once considered the cutting edge techniques manually applied by savvy hackers are now bundled into software tools available for download and use by the new breed of industrial hackers. Search engines (like Google) are becoming an increasingly vital piece in every attack campaign starting from the search for potential victims, the promotion of infected pages and even as a vehicle for launching the attack vectors themselves.
In the last few days, Imperva tracked and analysed a compromise that affected hundreds of servers injecting malicious code into web pages, these were cross referenced with keywords that scored highly in Google search engine generating traffic and thus creating drive by attacks. The scale of this attack, and others like it, is enormous and would not be achievable without total automation at all stages of the process.
Organisations must realize that this growing trend leaves no web application out of reach for hackers. Attack campaigns are constantly launched not only against high profile applications but rather against any available target. An application may be attacked for the value of the information it stores or for the purpose of turning it into yet another attack platform. Protecting web applications using application level security solutions will become a must for larger and smaller organisations alike. End users who want to protect their own personal data and avoid becoming part of a botnet must learn to rely on automatic OS updates and anti-malware software.
2: A Move from Application to Data Security
The effectiveness of network layer attacks has decreased dramatically in this past decade largely due better network layer defences. This gave raise to application level attacks such as SQL Injection, Cross Site Scripting and Cross Site Request Forgery. As these are being gradually addressed by the use of web application firewalls, attackers will turn their attention to more sophisticated attacks either from the outside (business logic attacks) or from the inside (direct attacks against the database). Together with the fast growth in the number of applications that access enterprise data pools these will drive the evolution of data-centric security.
While organisations invest in protecting their major applications using application level tools, many of the smaller applications are still unprotected. Additionally, we see no apparent decrease on the part of internal threats. Disgruntled employees, dubious individuals with internal network access and attackers who control (through Trojans) internal workstations all present a direct threat on enterprise data pools.
It becomes apparent to organisations that controls must be put not only around applications accessing the data but also around the data itself. This holds true to data in its structured format within relational databases as well as unstructured data stored in files on organisational file servers.
To protect these vital assets, Organisations must have a complete change of mindset focusing on protecting data at its source, regardless of the application accessing it, if necessary utilising a combination of technologies such as a data based firewall, data and file activity monitoring and the next generation of DLP products.
3: Mainstream Social Networks and Associated Applications
Previously attracting student communities, the growing popularity of social networking sites, such as Facebook, Twitter and LinkedIn is fast infiltrating mainstream populations with practically every man, and his dog, now on Facebook. As a consequence, large populations not previously exposed to online attackers can now be targeted by massive campaigns. Elderly people as well as younger children, people who did not grow up with an inherent distrust in web content may find it very difficult to distinguish between messages of true social nature and widespread attack campaigns. Attackers will also take advantage of the social networking information made accessible by social platforms to create more credible campaigns (e.g. make sure you get your Phishing email from your grandchildren). The capabilities offered by the social platform and their growing outreach into other applications (webmail, online games) allow attacker to launch huge campaigns with a viral nature and at the same time pinpoint specific individuals.
Impervas team was able to demonstrate that specific ads carrying attack vectors could be presented to named individuals at an attackers will. This in turn allows attackers to easily get their foothold inside specific organisations by targeting individuals within those organisations. Much like searching through the Google search engine for potentials target applications, attackers will scan social networks (using automated tools) for susceptible individuals, further increasing the effectiveness of their attack campaigns.
As social platforms grow at an exponential rate I find this problem to be one of the most challenging for us in the next decade. An entire set of tools that would allow us to evaluate and express personal trust in this virtual society are yet to be developed and put to use by platform owners and consumers. In the meantime, end users should rely on frequently updated anti-malware solutions as well as automatic security updates for their workstations. Organisations, who by now gave up on restricting the usage of social platforms from their enterprise networks, should emphasize the use of centrally managed anti-malware protection and secure surfing gateways. comments Shulman.
4. Password grabbing/password stealing attacks
Recent statistics show a surge in personal information leakage incidents as well as the compromise of huge amounts of credit card numbers. Leakage incidents were attributed to either media loss (or theft) or deliberate attacks such as SQL injection or sniffing on internal transaction processing networks.
As stolen personal information is increasingly available, the price it commands on the black market is falling, thereby forcing attackers to seek more profitable data. To this extent, the last few months has seen hackers target application credentials. Application credentials hold more value for certain types of attackers as they can be further used in automated schemes. While fraud schemes involving stolen personally identifiable information (PII) usually require manual procedures, an attack that makes use of valid credentials for an online banking system can be fully automated. Even when considering manually executed fraud, it is evident that having multiple sets of valid credentials for an online trading application makes it much more easier than having the personal data of account owners. Of particular interest to attackers are credentials for webmail applications as these may further allow compromise of other credential sets through the password recovery feature of applications. This feature usually sends the credentials of an online application to an email account designated by the owner upon registration. Taking control of the email account (e.g. a Gmail mailbox) allows an attacker to collect owner credentials from a plethora of other applications. Worthy of mentioning is also the assumption that credentials used by a person for one application will serve that person on other applications as well. This assumption considers the human nature and the limited ability to remember multiple credentials. Thus, it is not uncommon for people to have the same username and password used for their Facebook account as well as their Twitter account and their Airline Frequent Flyer account.
Attackers use many different techniques for obtaining application credentials these include Phishing campaigns, Trojans and KeyLoggers on the consumer side and SQL injection, directory traversal and sniffers on the application end. Earlier this year the media became aware of a partial list of Hotmail user credentials traded on the net. The list contained a few thousand records and was probably obtained through KeyLoggers. Last week our research team became aware of 32 million webmail credentials (Gmail, Yahoo! and Hotmail) grabbed from one application through SQL injection.
Shulman comments Consumers should protect themselves mainly from Trojan and KeyLogger threats by using the latest anti-malware software. Application owners can and should take many steps in order to protect credentials of their customers. Probably the most effective one is not storing clear-text passwords but rather their digested images. On top of that there are measures to protect the applications using web application firewalls and creating safer password recovery procedures.
5: Transition from Reactive To Proactive Security
To date the security concept has been largely reactive - waiting for a vulnerability to be disclosed; creating a signature (or some other security rule) then cross referencing requests against these attack methods, regardless of their context in time or source. As a consequence a lot of resources are invested in distinguishing bad requests from good requests based on request content alone a chore that is becoming more and more difficult due to advanced evasion techniques and sophisticated attack schemes. This in turn yields solutions that are forced to make difficult trade-offs between the rates of false detection and no detection.
Rather than waiting to be attacked, security teams must start to proactively look for attacker activity as it is being initialised over the network, identifying dangerous sources or malicious activity before it gets to attack a protected server and even establishing a defence against attacks before they become publicly disclosed by someone.
We are seeing different projects world-wide approaching this problem from different angles. Projects like DShield (www.dshield.org), ShadowServer (www.shadowserver.org), commercial companies like Cyveillance and others, all try to create their networks of cyber-intelligence sensors. They gather information that can be used to create a real-time threat map from which actionable security policies can be created automatically in real time. Our own research activities into this domain show a lot of interesting data. We can daily detect a list of applications that are soon to be targeted by attackers. New attack vectors show-up in early stages, before they are massively used through botnets and recently active source of attacks are being revealed. adds Shulman.
The online security community is in the early stages of digesting this information into actionable items. The future will reveal more offerings around IP reputation, early warning systems and other proactive tools. It will be at the hands of application owners and web application solution vendors to integrate with those tools to provide a proactive security suite for applications.
In conclusion, Amichai Shulman gives hope to those organisations daunted by the fight facing them Do I believe this is a war we can win? With due diligence and good technology the odds are in our favour.