Site iconSite icon IFSEC Insider | Security and Fire News and Resources

After the 2010 security Tsunami: tips on how to survive 2011

Next year, there’ll be an epiphany that critical infrastructure is under constant attack and that there’s a serious need to implement more comprehensive security software, security perimeters, data loss prevention and human assets to counter the existing and expanding security threats.

This will translate into a significant need for the modernisation of infrastructure and enhanced education in Human Resources to implement these systems.

As the WikiLeaks ‘security Tsunami’ shows us – the malignant insider is impossible to identify – you have to ensure that no-one has authority to access data they don’t need.

In the coming year, companies will start to understand that the insider threat is real and that their existing security culture of using weak passwords, sharing privileged passwords and never changing root passwords will lead to greater financial losses and damage to their reputations.

Segregation: an absolute requirement

IT will finally ‘get’ the fact that the concept of segregation of duties, controls and regulatory compliance is not a burden but an absolute requirement for a well-run organisation.

In 2011 we will also see a change in mindset for security from a series of checkboxes and point in time compliance to a new way of thinking: continuous compliance. This translates into organisations finally integrating all of their security systems to provide an holistic view.

We will also see a massive shift from Windows XP to Windows 7 as companies realise the impossibility of trying to secure XP against security threats. In this upcoming year, we shall witness many software companies discontinuing support of XP for their applications.

The realities of the ‘cloud’ will become clearer in 2011. We will see a migration of SME customers to more cloud-based solutions. This will be caused by small companies realising their inability to create secure, reliable and regulatory compliant solutions.

Revenue for support and upgrades

I expect that many large software companies will try to grab ever higher levels of revenue for support and upgrades in 2011. This will lead to the migration of companies from their existing (creaky and unreliable) platforms onto the cloud and competitor’s offerings.

The grab for more money will force the migration from legacy systems to those that support web services (SOA) where companies have a chance of some flexibility in mixing/matching solutions.

2011 will be a game changer for the channel with a massive wave of hardware upgrades to support modern and secure operating systems, new sales of cloud offerings as SMEs realise the advantages of the cloud and an enhanced understanding of insider threats (and the implementation of solutions to manage privileged accounts).

New major breaches of data are bound to occur. Maybe they won’t be in the order of magnitude of the WikiLeaks saga, but those organisations who don’t batten down the security hatches will likely find themselves on a very turbulent sea during the next 12 months.

Phil Lieberman is CEO at Lieberman Software

The Top Five Internet security holes

Meanwhile, German network security specialist Astaro Internet Security has identified what it believes to be the Top Five Internet security holes that can affect businesses in the UK.

Data theft and other online threats presently represent a significant danger. Compounding this problem is the economic downturn, which is leading many executives to cancel, defer or downsize security budgets.

Meantime, security threats are costing UK businesses a huge amount of money. On average, the total cost of security breaches (including lost business) in the UK last year was US$2,565,702.

Astaro has compiled the following list detailing the five most serious Internet security holes:

Browser vulnerabilities

No provider is immune to the security holes that keep appearing in web browsers. A recent example is the CSS bug that affected Internet Explorer versions 6, 7, and 8 (CVE-2010-3962).

This bug targets computers in a two-stage attack. First, the user follows an e-mail link to a web page containing malicious code. This code is then run without the user realising it, and automatically installs a Trojan on the computer.

The user doesn’t need to click the mouse: simply visiting the website is enough.

The only way companies can protect themselves fully from this is to refrain from using any browsers with current known security holes for as long as they remain unpatched.

Vulnerabilities in Adobe PDF Reader, Flash, Java

The ubiquity of tools and programs such as Adobe PDF Reader, Flash and Java makes them highly vulnerable to attack.

Although they do frequently show security holes, most providers are quick to provide patches. However, companies then have to make sure these patches are installed on all computers… which is where they often fall down.

Either the IT Departments are not aware of the patches, are unable to install them or bemoan the fact that the update failed. In this case, if an employee visits a page with embedded Flash videos that launch automatically, malicious code can then be run automatically in the background.

With the user being completely unaware of it, a Trojan will infiltrate the computer unnoticed, making it part of a Botnet. While there are only a few Windows exploits, for instance, there is a vast number in Adobe, Java, and Flash.

Flash and Java, in particular, have become veritable malware disseminators over the past few months, providing the perfect access point for Trojans lurking in the background of colorful websites, which then bypass all virus scanners to become permanently ensconced on the computer.

Private users should therefore never use these programs and companies should employ standard procedures or policies prohibiting their use. To prevent attacks via Flash, companies can use Flash blockers (a browser plug-in) to prevent videos from being played automatically.

Vulnerabilities in Web 2.0 applications

The latest web-based security holes of note tend to be new methods of attack, such as Cross-Site Scripting (XSS) or SQL Injection.

The cause of the vulnerability in this case is generally the inaccurate or incorrect implementation of AJAX, a method for exchanging data asynchronously between server and browser.

This type of vulnerability was exploited, for example, by the MySpace worm created by the hacker known as Samy. It was published around a year ago, and allowed the hacker to swiftly obtain and access the profiles of millions of MySpace contacts.

Another, more recent attack was the ‘on mouse over’ attack on Twitter. This attack was particularly sophisticated because its authors were able to embed malicious code that disseminated itself and directed users to websites containing malware in just 140 characters and without any clicking required.

All the user had to do was move the cursor over the Tweet.

There’s very little users of such applications can do to protect themselves against this other than to stop using the service as soon as a security problem is made public.

It’s therefore the manufacturers’ responsibility to ensure that their applications are well and securely programmed (or to take the precautionary measure of protecting the data of its users with a Web Application Firewall).

Mobile phone and smartphone data security holes

In the UK alone, there are currently more mobile phones than people. This very fact means that new data security risks are being discovered in this arena on a daily basis.

For instance, there’s a new generation of worms specifically targeted at smartphones (let’s call them ‘iWorms’).

In September, it was discovered that the ZeuS Botnet was specifically attacking cell phones. Using infected HTML forms on the victim’s browser, it would obtain their cell number and then send a text message containing the new malware SymbOS/Zitmo.A!tr (for ‘Zeus In The Mobile’) to this number. The malware, which was designed to intercept and divert banking transactions, would then install itself in the background.

Many Apple users wishing to circumvent SIM card restrictions to a specific network provider or to use applications that are unavailable through the Apple store perform a process known as jail-breaking to remove the usage and access limitations imposed by Apple. This process allows users to gain root access to the command line of their device’s operating system.

The risk inherent with jail-breaking is that it makes many of the devices more vulnerable to attack. For instance, the majority of users do not change the SSH password after performing a jail-break – this is a serious failing because Apple’s default root password ‘alpine’ is now widely known.

If the password isn’t changed, the device is then susceptible to unauthorised third party access.

Zero-day exploits in operating systems

‘Zero-day attack’ is the term given to a threat that uses vulnerabilities unknown to others and for which there is no patch.

In other words, the manufacturer of a system first becomes aware of the vulnerability on the actual day of the attack (or even later). This gives hackers the perfect opportunity to exploit holes.

This type of operating system attack is particularly dangerous because the cyber criminals have direct remote access to the affected systems. They require no additional tools such as browsers or Java: the only requirement is that the target computer is online.

There’s no way to protect against zero-day exploits because patches and First Aid measures can only be published retroactively. It’s not only Microsoft computers that are affected by this problem: the growing prevalence of Macs means that they’re also becoming a target for zero-day attacks.

Keep up with the access control market

The physical access control market is moving fast. Find out where you stand with the latest edition of IFSEC Insider's comprehensive 2022 State of Physical Access Control trend report, covering all the latest developments within the market. We assess the current technology in use, upgrade plans and challenges, and major trends on the horizon after receiving the views of over 1000 security, facilities and IT professionals.

Get your copy for free today.

Exit mobile version