Custom cyber attacks could be after your data
By Vawn Himmelsbach
Data theft and cyber attacks are on the rise and are becoming much more customized and targeted to specific consumers and enterprises. And the biggest target is government, according to the latest Symantec Internet Security Threat Report.
“We’re seeing a lot of coordinated activity between threats and different types of malicious code, Trojans, spam zombies, phishing sites and bot networks,” says Dean Turner, executive editor of the report. “It’s really targeting data that could lead to the theft of confidential information.”
Threats to consumers and enterprises have risen nearly 300 per cent since 2005, increasing 64 per cent in 2006 alone. There’s also been a dramatic rise in Zero Day exploits (which take advantage of a security vulnerability on the same day the vulnerability becomes generally known) — 12 in the past six months alone. “[Attackers] are taking advantage of Zero Day vulnerabilities and creating targeted, customized malicious code, most of it Trojans,” says Turner.
With data theft and leakage, government is the number-one targeted sector at 25 per cent, followed by the education sector at 20 per cent and the health-care sector at 14 per cent. The FBI, for example, has lost or had stolen on average just over three and a half laptops every month since 2002.
This information was gleaned from Privacy Rights Clearinghouse and attrition.org, both of which report breaches. The data tends to be biased toward the public sector, says Turner, because for the most part these institutions are required by law to disclose breaches, whereas the private sector is much more hesitant to publish information.
One reason for such high percentages of data theft and leakage is insecure policy: something as simple as employees posting customer information on an internal Web site when they shouldn’t be.
Governments, educational institutions and health-care providers all store a lot of valuable information, particularly governments that have aging operating systems with third-party applications. “What we’re seeing now is the vast number of vulnerabilities in software are in third-party applications, and the vast majority of those vulnerabilities are what we call medium severity,” says Turner. “So medium-severity vulnerabilities are becoming gateway attacks.”
These vulnerabilities stay unpatched for a longer period of time than those considered a high priority. But 68 per cent of all vulnerabilities are still unpatched, he says, because the majority of them are medium to low severity and don’t carry the same sense of urgency.
While Microsoft should be commended for building more security features into Vista, its new operating system, Turner said this is a solution to yesterday’s problems. “What the attackers have been going after for the past year are these third-party applications,” he says. “It takes a lot of work to find a vulnerability in the operating system these days.”
Attackers aren’t really interested in the operating system. Instead, they’re interested in the data that sits on it, and if they can get access to it by taking advantage of a hole in a third-party application, it’s game over. So organizations should make sure the third-party applications they choose to run on their networks are as secure as possible and approved by policy, says Turner. For example, look at their patch history and release time.
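As an added illustration of the two points above (the long tail of unpatched medium-severity bugs, and judging third-party applications by their patch history), here is a small script that is not from the article or from Symantec's report: it tracks, per severity, how long vulnerabilities in an application inventory stay open and flags those past an SLA. The application names, dates and SLA thresholds are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

@dataclass
class Vuln:
    app: str                 # hypothetical third-party application name
    severity: str            # "high", "medium" or "low"
    disclosed: date          # date the vulnerability became generally known
    patched: Optional[date]  # date the fix was applied; None if still open

# Constructed sample inventory (hypothetical names and dates, not real data).
INVENTORY: List[Vuln] = [
    Vuln("pdf-viewer",   "high",   date(2007, 1, 5),   date(2007, 1, 9)),
    Vuln("pdf-viewer",   "medium", date(2007, 1, 5),   None),
    Vuln("media-player", "medium", date(2006, 12, 1),  date(2007, 2, 10)),
    Vuln("media-player", "low",    date(2006, 11, 20), None),
    Vuln("archiver",     "high",   date(2007, 2, 1),   None),
    Vuln("archiver",     "medium", date(2006, 10, 15), None),
]
AS_OF = date(2007, 3, 1)                               # reporting date (constructed)
SLA_DAYS = {"high": 7, "medium": 30, "low": 90}       # assumed patch-time targets

def days_open(v: Vuln, as_of: date) -> int:
    """Days from disclosure to patch, or to `as_of` if still unpatched."""
    end = v.patched if v.patched is not None else as_of
    return (end - v.disclosed).days

def lag_by_severity(vulns: List[Vuln], as_of: date) -> Dict[str, Dict[str, float]]:
    """Per severity: items tracked, items still unpatched, mean days open."""
    acc: Dict[str, Dict[str, float]] = {}
    for v in vulns:
        s = acc.setdefault(v.severity, {"count": 0, "unpatched": 0, "total_days": 0})
        s["count"] += 1
        s["unpatched"] += int(v.patched is None)
        s["total_days"] += days_open(v, as_of)
    return {sev: {"count": s["count"], "unpatched": s["unpatched"],
                  "mean_days_open": s["total_days"] / s["count"]}
            for sev, s in acc.items()}

def overdue(vulns: List[Vuln], as_of: date,
            sla: Dict[str, int]) -> List[Tuple[str, str, int]]:
    """Unpatched vulnerabilities whose age exceeds the SLA for their severity."""
    return sorted((v.app, v.severity, days_open(v, as_of))
                  for v in vulns
                  if v.patched is None and days_open(v, as_of) > sla[v.severity])

if __name__ == "__main__":
    for sev, stats in lag_by_severity(INVENTORY, AS_OF).items():
        print(sev, stats)
    for app, sev, age in overdue(INVENTORY, AS_OF, SLA_DAYS):
        print(f"OVERDUE {app} ({sev}): open {age} days")
```

In the constructed data the medium-severity bugs are the ones that sit open longest, which is the pattern the report describes.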
But patches aren’t the be-all and end-all, because a smart hacker can reverse-engineer a patch. “It allows the hackers to short-circuit the process by finding exactly where the vulnerability lies,” says Gary McIntyre, product manager of security consulting services and senior information security architect with IBM Global Services Canada. “It’s the Catch-22 of patching.”
While it’s important to use anti-malware tools, there have also been successful attacks against those tools. “The recent vulnerability with Symantec’s product was very dangerous in part because it was exploited so quickly,” he says. “It basically reminds everyone that these anti-malware tools are also sophisticated software suites and can easily be targeted for vulnerabilities.”
IBM is also seeing more targeted attacks, usually for the purpose of financial gain. It’s much more like pick-pocketing than shop-lifting, says McIntyre, where there’s an attempt not to call attention to the malware itself.
IBM takes a different approach to security than most security vendors by focusing on attack techniques rather than on the signatures associated with an attack (all botnets, for example, have similar signatures). “There are a limited number of ways to attack a system,” he says. “We’re focusing much more heavily on the attack heuristics than on specific vulnerabilities.”
So what’s an organization to do? Actionable best practices are the same for governments as for enterprises, says Turner. Use a multi-layered defence and apply patches in a timely fashion. Most importantly, have a security policy in place — and a way to enforce that policy.