The adoption of new technologies and platforms, such as cloud computing and social networking, opens new avenues for increasingly sophisticated attacks. Meanwhile, old methods of attacks are getting smarter.
The threats from increasingly professional cyber criminals, spies and hackers are evolving to address the adoption of new technologies and platforms by government and private-sector enterprises.
“Obviously, the same old stuff is still a problem,” said Patricia Titus, chief information security officer at Unisys Federal Systems and former CISO at the Transportation Security Administration. Botnets continue to proliferate, and known worms such as Zeus continue to bounce back. “Zeus 2.0 is getting ready to hit the streets,” she said.
Attackers are also becoming more sophisticated, doing a better job of covering their tracks, splitting exploits among multiple vulnerabilities to make detection more difficult, and using new platforms such as social networking not only as vectors for delivering malware but also as resources for targeting attacks at high-value victims.
“The bad guys are going to target where the people are, and millions of people are on the social networking sites,” Titus said.
Those sites also are rich sources of open intelligence for social engineering.
“They have to do some upfront reconnaissance to determine who to target and how to target them,” said Paul Wood, MessageLabs senior analyst at Symantec Hosted Services. Social networking sites “are a useful resource for any potential bad guy.”
The growing dependence on online resources for delivering government services also opens new avenues for attacks through the proliferation of public-facing Web sites. And the rush to cloud computing can create new security concerns, although the critical distinction is not so much between traditional computing and cloud as it is between a private cloud and a public cloud, said Peder Ulander, chief marketing officer at Cloud.com.
“The same threats you face in traditional computing, you’re going to face in cloud computing,” Ulander said. For secure computing, the user must ensure that security policies are pushed into the cloud along with the data and services.
In short, the bad guys are watching what people are doing online and are adapting their techniques accordingly.
1. Oldies But Goodies
Despite the steady growth in the number and variety of attacks, the vulnerabilities being exploited have long lives. A report on trends for the first half of 2010 from M86 Security Labs found that of the 15 most-exploited vulnerabilities, four were in Adobe Reader and five were in Microsoft Internet Explorer, and most had been reported and patched more than a year ago. Only two of the exploits, both for Internet Explorer, were reported in 2010. Some of the top vulnerabilities had been reported and patched as long as four years ago.
What is new is how the exploits for vulnerabilities are being used. Criminals are working to get the most mileage out of each exploit by controlling its use, said Chris Larsen, senior malware researcher at Blue Coat. Increasingly, exploits are used initially in targeted, low-profile attacks in which they could go undiscovered and unpatched for an extended period of time. A number of the advanced persistent threats (APTs) that remain resident on an exploited system for long periods of time, such as those reported by Google in January, fall into the category of exploits that are being carefully husbanded.
When an exploit becomes widely known, it is likely to migrate into tool kits so that it can be used by less professional criminals, whom Larsen called bottom feeders. Those exploits typically are used in larger attacks, when attackers hope to find unpatched computers.
“There really is a huge need to stay current on your patches,” Larsen said.
APTs are getting a lot of attention lately because of high-profile incidents, such as the Google hacks, but they are not new, Titus said.
“I think that APTs have gotten a lot of hype, more hype than they probably need to get,” she said. “They’ve been around for a long time.”
APTs simply reflect the determination of an adversary who is motivated and well funded, she said. They existed during the Cold War in the form of sleeper agents, such as the cell of Russian spies recently discovered in the United States, and they now have moved into a Cold War in cyberspace.
2. Social Networks
More serious than APTs is the proliferation of social networking, an emerging platform for collaboration that Titus called both an awesome tool and a potential risk.
There are legitimate uses for social networking in government, Titus said. The Federal Emergency Management Agency uses it for situational awareness, and the Homeland Security Department “has a great opportunity to use social media to communicate with the public,” she said. Many agencies are establishing Facebook sites for public outreach and awareness. The use of social networking services is likely to continue growing.
“I think we’re going to see a huge surge of social media and services,” she said. “We’re looking at a service offering at Unisys,” a program that is in the research stage. But rushing to implement social networking without considering the liabilities is risky. “Along with the use comes responsibility,” she said.
Risks include breaches and compromises of the third-party sites. Such breaches on public-facing sites probably would not expose sensitive information, but they can provide platforms for phishers and other fraudsters. Messages that appear to be from familiar sources engender a greater degree of trust in readers. Such sites also can be useful tools in crafting attacks aimed at a few high-value targets.
3. Personal Targets
Professional criminals and spies are more frequently using low-profile, selective attacks that rely heavily on social engineering, Wood said, and government is a primary target for such attacks.
Spam remains a high-profile problem, accounting for more than 80 percent of total e-mail traffic by most measures, and the number of targeted e-mails containing malicious attachments or links intended for a specific victim is growing. Five years ago, only one or two examples of specifically targeted e-mails were found in a week, Wood said. That grew to one or two a day, and now there are 50 to 60 malicious e-mails found each day that target high-value individuals.
“This type of attack is very rare in the grand scheme of things,” Wood said. In June, an average of one in 276 e-mails, less than half a percent, was found to contain malicious code. But for government, the figure was one in 124 e-mails. That still is less than 1 percent, but the danger is increased by the fact that government officials are being targeted, and these targeted attacks do not usually look like spam. “We all know that e-mail can be easily spoofed, but if it is dummied up enough that it doesn’t look like spam, you are more likely to open it.”
If an attacker has done enough research, the attacker can even piggyback on a target's legitimate correspondence, increasing the odds that the user will open the malicious package.
“It is becoming harder and harder to recognize this type of attack because the attackers go to great lengths to disguise them,” Wood said. “The amount of work they put into them is a lot greater, but the return is potentially enormous,” because individuals with access to proprietary, sensitive and other valuable information are the targets.
4. Caution on the Cloud
Another major shift that has both bright and dark sides is cloud computing.
“Everyone is rushing to the cloud,” Titus said. “But now you can hear the brakes going on.”
Cloud.com has developed a software platform for offering cloud services to service providers, so Ulander is not exactly a disinterested observer on this issue. But he said the cloud is appropriate for at least some government services.
For public-facing services and short-term projects that require computing capacity without capital expense, cloud computing makes sense, he said.
But for all the attention it is getting, the move to the cloud is going slowly. “Security is one of the biggest inhibitors,” Ulander said.
Cloud computing is not necessarily the disruptive transformation that its proponents tout, he said. “The reality is that cloud computing is an evolution of the way we do computing; it is not a replacement for everything.” There will continue to be a need for fully secured, privately controlled facilities for hosting critical applications and services. But for average, nonsensitive operations, “the cloud today is far more secure than it ever needs to be,” he said.
The choice for some agencies is between a private cloud and public cloud. Security considerations in a private cloud are no different from those in multiuser data centers used for server consolidation efforts, Ulander said. Using the public cloud puts operations more in the open.
However, every cloud has its silver lining, and the bright side is that cloud computing also can offer an added layer of security. Putting security operations in the cloud can allow security features to scale as utilities and provide visibility into network activity that is not available at lower levels.
“We see a lot of things that go on in the Internet,” said Tom Ruff, public-sector vice president at Akamai, a content delivery service provider.
Ruff called the company’s global network of servers, which put online content within one hop of 90 percent of Internet users, “the first cloud out there.” When distributed denial-of-service attacks began flooding seven government agencies with eight years' worth of traffic in just two days in July 2009, Akamai was able to keep its government customers operating with a kind of brute force defense, absorbing the malicious traffic on multiple servers. The Akamai network also was able to gather information in the attack, identifying more than 300,000 IP addresses as sources, and was able to cut off all Korean traffic at one agency’s request.
The use of a cloud service such as Akamai can help reduce an agency’s attack surface by reducing the amount of infrastructure needed.
“DHS has a small Web infrastructure,” Ruff said. “They publish to our network, and we do all the heavy lifting for them.”
Clouds will not eliminate the need for other security, he said. “We will never replace the firewall.” But they can extend an agency’s security policy into the Internet, providing an additional layer of security.
That security will only be as good as the service provided, Ruff said. “Government is going to have to start holding cloud vendors accountable.”
The cloud might not eliminate the need for firewalls, but it can provide security on a scale that enables providers to offer it as a utility. Cloud security company Zscaler recently announced the integration of e-mail security into its Web security offering, allowing filtering and policy enforcement well away from the enterprise perimeter.
Zscaler Chief Executive Officer Jay Chaudhry said some administrators are reluctant to give up local control of some security, but he added that “that’s more of a cultural thing,” outweighed by the advantages. A cloud-based service can scale beyond the capacity of an enterprise at a fraction of the cost of acquiring and maintaining point appliances, he said. “Why keep buying boxes?”
5. The Risk of Gov 2.0
The Open Government Initiative, often referred to as Gov 2.0, has the disadvantage of possibly increasing the attack surface of government enterprises because more information and applications are being made available on public-facing servers.
If not adequately isolated from the enterprise, that can become another entry point for attacks, Ruff said. “You are courting cross-scripting and ways to infiltrate the Web infrastructure.”
“Adversaries can use the Web content as an entry point to back-office systems of any kind,” said Amichai Shulman, chief technology officer of Imperva. “You can work your way into the organization and the control systems.”
Increased reliance on online services also can make organizations more vulnerable to disruption, Shulman said. “The more we get used to these online services, the fewer non-online systems there will be.” People choose to file tax returns with the Internal Revenue Service either online or on paper. Eventually, the paper option will disappear, and a disruption of online services would cripple essential services.
But Shulman added that despite the proliferation of threats, defenses against Web attacks are improving.
“Web services only go back about 10 years,” he said. As recently as five years ago, “there weren’t that many tools to help us with attacks. But today we do have the knowledge and the tools to help us. To some extent, we have a better chance of winning this battle in the cyber world than in the real world.”
The cyber world provides better chances for a standardized environment with universal adoption of best security practices and policies, he said. “It is not 100 percent” security, he said. “Nothing is. Of course, it is still a cat-and-mouse game.”
6. Insider Botnets?
One of the mouse moves security experts are anticipating is the possible use of compromised computers that make up botnets in new ways to further increase their value to bot herders. They typically are used en masse to deliver spam, launch attacks, gather information and infect more bots, either by the botnet’s owner or someone who rents time on them. But Blue Coat’s Larsen said there is growing concern about the possibility of individually infected computers in organizations being rented as platforms for insider attacks.
“It’s logical,” he said. “I would expect it is happening, but I don’t know.”
Infected computers inside enterprises are more of a nuisance than a threat because they usually are used to mount attacks outside the enterprise. They can be cleaned up and forgotten. But a bot being used to gather information inside the enterprise is a real threat. “That’s the scariest thought I’ve come across in a long time,” Larsen said.