The security threat landscape is constantly evolving, and there is no end in sight to the threats that keep appearing.
Enterprises have survived through extraordinary cycles of security threats, including the 2003 “summer of worms”; the 2004 proliferation of DDoS-based (distributed denial of service) cyber extortion of online betting sites; and the rise of botnets used for spam, targeted attacks and worse in 2005 and 2006.
With the new calendars freshly hung on the wall, an important question surfaces: What security threats are on the rise for 2007?
More Targeted Threats
Looking across the threat landscape, it appears that 2007 will bring more narrowly defined threats or “targeted threats,” which are different from what we’ve seen before. They are more focused on individual information as opposed to mass-mailing worms that are sent over the Internet to randomly infect victims. These attacks can extract personalized information to use later in attacking a single person or company.
Targeted threats can be so narrowly focused as to constitute industrial or even political espionage, trying to gain sensitive information from a single company or individual rather than the indiscriminate approach of letting a worm loose to randomly find victims wherever it may go.
In addition, targeted attacks combine malware technology with social engineering, where an individual is lured, fooled or tricked through subtle — and sometimes not-so-subtle — manipulation to take some action that will ultimately result in damage or loss to that individual, his company or organization, or to a third party.
Directly Luring Victims
Some attacks actually send the malware directly to the victim, perhaps as an e-mail message attachment, and lure the user into executing the malware which will subsequently steal information from the victim.
Other attacks lure or trick the victim into downloading a file, such as a video, which might contain additional code or script instructions that can be used to steal identity information. The recent MySpace.com “QuickTime worm” used this technique.
More sophisticated attacks get the user to do nothing more than click a hyperlink to a specially crafted Web site that knows how to install the malware on the victim’s PC without requiring any additional help from the victim to do so. In this case, the Web site contains an exploit of a security vulnerability that exists in some of the software being used by the victim.
Factors That Aid the Attacks
There are three factors pointing to the increased prevalence of targeted attacks in 2007:
1. Continued streams of security vulnerabilities from ISVs (independent software vendors) in 2007 will provide the attackers with plenty of vectors through which these more sophisticated attacks can install malware on the victim’s computer.
2. Malware itself is becoming more sophisticated, gaining the ability to remain undetected on an infected computer, extract more information about individuals and their personal information through keystroke logging, screen scraping and session watching, and deliver it back to a collection site without being detected.
3. Increased compromising of personal information from other security breaches can be subsequently used to create personalized or localized target lists for possible attack. For example, if a database of e-mail addresses and zip codes is compromised and finds its way into the hands of an attacker, he can create a social engineering lure or trick that is geographically oriented to the target victims.
The concept of targeted threats is easily illustrated in the spam and phishing threats.
I first heard the term “phishing” about 10 years ago, when teenage hackers browsed AOL profiles to determine screen names and then sent fake e-mail messages to the screen names to confirm password information. Once they had access to these AOL accounts, they’d perform “other” actions from the inappropriately accessed accounts, keeping their own identity masked.
Phishing today has evolved to a more targeted technique sometimes referred to as “spear phishing,” which is an analogy to the sport of fishing.
The term “phishing” makes reference to fishing in the open water, uncertain as to whether any victims are actually there; spearfishing is more focused on spearing fish in shallow waters. This is exactly how threats in 2007 will become increasingly dangerous. Instead of targeting an entire list of e-mail addresses, hackers will be able to target individuals and try to gain access through focused efforts.
Too Real to Be True
Contextually crafted e-mails that sound convincing will trick unsuspecting individuals into downloading malware that infects their computers and networks.
For example, an e-mail will be sent to all e-mail addresses with the same last name in a particular area code and read: “Dear family, I’ve decided to do some cooking this weekend, and would like all of you to come to dinner at my house. I’ve created an online menu of what I’ll be serving. Check it out to see what kind of wine to bring.” Once the individual clicks on the attachment they are infected by targeted malware.
These targeted enticements cause users to click on a link that ends up downloading a bot, keystroke logger or screen scraper. We have seen some of this in 2006, but it will become much more common in 2007.
It was recently announced that U.S. government and military agencies are using specialized tools to test their own employees’ resistance to these types of targeted attacks. The agencies send harmless phishing e-mails to their own employees and then, using a special software program, check to see how many employees clicked on the malicious links.
Vulnerabilities Will Continue
Vulnerabilities in commercial software will continue to be discovered in the coming year. This doesn’t indicate that software is becoming less reliable but rather that there are new “tools” available to find these vulnerabilities.
New vulnerabilities in software and systems are found every day, and malicious attackers work quickly to infect computers on an organization’s network with malware.
The speed at which new threats emerge is well-documented, and companies must continuously assess the best methods to protect themselves.
Right Protections in the Right Place
Targeted threats can be stopped by a combination of user education and technology. Safe user habits when reading e-mail and clicking hyperlinks can significantly reduce the spread of malware.
Desktop security products can stop or at least detect the presence of many types of malware, and network security products such as intrusion prevention systems and content filters can be used to further reduce the likelihood of targeted malware gaining access to an organization’s infrastructure.
A good sign of the times is that many financial institutions are focusing on educating their customers in the safe use of online banking as an effective way to combat targeted malware. For example, banks are introducing symmetric authentication or customized pictures to reduce the likelihood that customers will become victims of phishing attacks.
The best strategy for protecting against exploits is to follow good security policies and employ a multi-layered approach to security. By installing and keeping antivirus software up to date, blocking file attachments to e-mails — which may be harmful — and keeping your systems patched against the vulnerabilities you are already aware of, you can secure your system or network against the majority of known threats.
To smartly battle the 2007 targeted threats, organizations should consider further education of their users, and additional technology solutions such as e-mail firewalls and intrusion prevention systems.
These examples are just a few of the numerous threat types that will impact organizations and individuals and garner more attention in 2007, as there are many more that will pop up as the year goes on. However, as we start the year, now is a good time for enterprises to take stock of their security infrastructure to properly plan for the year ahead — as threats will assuredly only get more sophisticated, creative and impactful.
Mike Paquette, chief strategy officer at Top Layer Networks, has more than 22 years of computer networking and security experience with an extensive background in the design and development of networking products.