In Security, Life’s Too Short To Play Catch-Up

Attacks on companies have grown by 44 percent this year, according to HP, and anti-malware products are failing to keep up, says Eric Doyle

It will come as no surprise that cyber-attacks are on the increase, if recent surveys are true. Around 90 percent of firms reported having been hit in the past year.

The report, conducted on behalf of Juniper Networks by Ponemon among 583 US respondents last June, has been followed by a report for Hewlett-Packard from the same research firm. In the latest report, the researchers found that cyber-attacks are becoming even more commonplace, if not chronic.

“The companies in our study experienced 72 successful attacks per week [in total] and more than one successful attack per company per week,” the Ponemon report stated.

A Worsening Situation

The Second Annual Cost of Cyber Crime Study covers 50 multinationals based in the US. It is the second report for ArcSight, a company HP acquired just after the first report was published last year.

How far these figures transfer to large UK firms is open to debate but the story here is unlikely to be much different.

The most costly cyber-crimes are those caused by malicious code, denial of service, stolen devices and web-based attacks, rather than standard hacking. The cost racks up because mitigation requires implementation of technologies such as security information and event management (SIEM) and enterprise governance, risk management and compliance (GRC) measures.

Breaking down the figures, more than 50 percent in the latest survey believed that security breaches in their organisations have increased. Nearly 30 percent said they experienced a security breach by unauthorised internal access, while the remaining 20 percent responded that they had experienced an external breach.

Ripples In A Raging Sea

HP’s big splash at its Protect Your Universe conference, also inherited from ArcSight, is an expo-load of products appearing in the HP Enterprise Security Solutions framework. Like many of the “new” products we have seen being rushed out to combat the “new” threats, it seems that it is a change of emphasis rather than anything radical.

Where DDoS attacks are concerned, bots can be downloaded for free and Chinese or Russian bot masters can be hired to stage an attack at very reasonable rates. These attacks are something we have to live with and prepare for but the authorities seem to be relatively powerless to stop them at source. A few token arrests have been made but with little effect.

The availability of sophisticated malware kits is what is really changing the scene. Once-valuable assets in the professional hacking market are now available for a few hundred dollars. Weapons like Zeus and SpyEye have been reverse engineered, packaged and are now on sale in the black-hat supermarkets of cyberspace.

The latest buzz word is APT (Advanced Persistent Threats) but in most cases this boils down to a targeted phishing attack (spear phishing) aimed at a vulnerable employee or group of employees. These employees, often in junior roles, are tempted by poisoned spreadsheets that promise in some way to boost their income or standing in the employment stakes. Once opened, the spreadsheet infects the network and opens the door to malware of a more dangerous kind, but rarely anything that hasn’t been seen before.

The fact that 30 percent of breaches are from unauthorised internal access is another worrying factor because it implies there are many workers who will happily “hack” their own companies’ systems. The truth is probably that they either find they have privileges beyond their role or that APTs are being mistaken for insider attacks. Whatever the reality may be, there are employees who will take advantage of any loophole they find. How many more, then, will do the initial planting of a backdoor or Trojan on behalf of the hacker for a handsome payment?

How To Tackle Stealth?

What is new is the stealth malware, called AET (Advanced Evasion Techniques) by Stonesoft. When I say new, I mean it is a work in progress. Stealth attacks have been known for years, and it is a year since Stonesoft started its AET campaign.

Combining APT and AET techniques brings in the concept of patience. In the past, hackers used to blast potential vulnerabilities with fuzzing attacks – basically hitting the seemingly weak spot with all kinds of junk until something caused an effect. As subtle as a Ballmer at a Microsoft marketing convention.

Now the attacks are being steered towards a particular goal, inch by inch, and covering their tracks as they go. This requires a much more subtle approach from intrusion detection systems. In most cases, the tools and the evidence are there to be found but it is a very manual, time-consuming task. What is needed is some form of intelligent automation and that seems to be in its early days.
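To make the point about automation concrete, here is an added example (not from the article, and not an HP or ArcSight product) of the kind of correlation a detection engineer would write: a per-actor rule evaluated over a long time window, run against a handful of constructed audit lines. The host names, user names, share names and thresholds are all hypothetical. A burst rule that only looks at one hour sees nothing, while the same logic over a seven-day window surfaces the workstation that quietly touched a different sensitive share every day.

```python
"""Low-and-slow correlation over constructed audit events.

Added example for illustration only; it is not the article's or any
vendor's code. Shows why a long-window, per-actor aggregate catches
activity that per-event or short-window rules never fire on.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. One workstation (ws-017/jsmith, hypothetical)
# reads a different sensitive share each day, never more than two in an
# hour. A second actor (ws-042/amiller) re-reads the same share twice.
SAMPLE_EVENTS = """\
2011-08-01T09:12:03 host=ws-017 user=jsmith action=share_read share=finance-q3
2011-08-01T09:40:11 host=ws-017 user=jsmith action=share_read share=hr-payroll
2011-08-02T10:05:44 host=ws-017 user=jsmith action=share_read share=legal-contracts
2011-08-02T16:22:09 host=ws-042 user=amiller action=share_read share=finance-q3
2011-08-03T11:30:00 host=ws-017 user=jsmith action=share_read share=rd-roadmap
2011-08-04T14:02:51 host=ws-017 user=jsmith action=share_read share=board-minutes
2011-08-05T08:55:27 host=ws-017 user=jsmith action=share_read share=exec-travel
2011-08-05T09:01:13 host=ws-042 user=amiller action=share_read share=finance-q3
"""


def parse_events(text):
    """Parse 'timestamp key=value ...' lines into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts_str, *fields = line.split()
        ev = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%S")}
        for field in fields:
            key, _, value = field.partition("=")
            ev[key] = value
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def distinct_shares_in_window(events, window, threshold):
    """Return {(host, user): n} for actors that touched at least
    `threshold` distinct shares inside some sliding `window`.

    Events are grouped per actor; for each event as a window start, the
    distinct shares read until the window closes are counted, and the
    maximum over all starts is compared with the threshold.
    """
    by_actor = defaultdict(list)
    for ev in events:
        if ev.get("action") == "share_read":
            by_actor[(ev["host"], ev["user"])].append(ev)

    hits = {}
    for actor, evs in by_actor.items():
        best = 0
        for i, start in enumerate(evs):
            seen = set()
            for ev in evs[i:]:
                if ev["ts"] - start["ts"] > window:
                    break
                seen.add(ev["share"])
            best = max(best, len(seen))
        if best >= threshold:
            hits[actor] = best
    return hits


def burst_rule(events):
    """Classic short-window rule: 3+ distinct shares within one hour."""
    return distinct_shares_in_window(events, timedelta(hours=1), 3)


def low_and_slow_rule(events):
    """Long-window rule: 5+ distinct shares within seven days."""
    return distinct_shares_in_window(events, timedelta(days=7), 5)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print("burst rule hits:       ", burst_rule(evs))        # {}
    print("low-and-slow rule hits:", low_and_slow_rule(evs))  # ws-017/jsmith, 6 shares
```

The design choice worth noting is that the long-window rule keys on the actor rather than on any single event, so each individual share read still looks routine in isolation; only the aggregate over days is anomalous. In practice the window and threshold would be tuned per share class, and the same per-actor aggregation extends naturally to other evidence the article mentions, such as logons from unfamiliar hosts.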

In the battle between the hackers and the security pros, the malware makers are winning. Whether HP has anything in its new toolbox to redress the balance is yet to be seen but, looking generally at recent product releases, we will probably be closing the doors on an empty barn after the Trojan has bolted.