We are in the midst of what is essentially a security arms race, with cybercriminals constantly seeking new and better ways to attack systems while organizations shore up their defenses. Successfully defending your assets requires a combination of technology, security policy with strong enforcement and user training.
“The number of fronts of risk and war, as some people call it, are definitely multiplying,” says Clinton McFadden, senior operations manager for IBM X-Force research and development, which just released the results of its X-Force 2012 Mid-Year Trend and Risk Report.
McFadden points to a sharp increase in browser-related exploits, increasingly sophisticated advanced persistent threats (APTs)—including APTs that are successfully targeting Macs—and rising concern around mobile devices and bring-your-own-device (BYOD) programs.
“We’ve seen an increase in the number of sophisticated and targeted attacks, specifically on Macs and exposed social network passwords,” he adds. “As long as these targets remain lucrative, the attacks will keep coming and, in response, organizations must take proactive approaches to better protect their enterprises and data.”
As an example of the arms race, the X-Force report points to an incident last year: “In one case, attackers bypassed two-factor authentication—commonly thought to be almost failsafe—simply by convincing a mobile phone provider to relocate a user’s voicemail, giving attackers the data they needed to reset a password.”
Connected Systems, Policy Enforcement and Humans Big Factors
In fact, as security technology raises the bar to penetrating systems, attackers are increasingly finding their way through cracks that exist at the interstices of systems, policy enforcement and humans, according to the report:
“As a security research organization, IBM X-Force has traditionally viewed security breaches with a technical focus. However, we have modified our view of attacks and breaches over time to encompass a greater business context. The overall breach trend continues into 2012, as several major high-profile businesses have had to deal with the fallout of leaked passwords and other personal data. The health care industry in particular seems to be hit hard. While security products and technology could have mitigated many of these unfortunate events, we are seeing more than ever how system interconnectedness, poor policy enforcement and human error are far more influential than any single security vulnerability.”
“We’ve seen several headlines regarding cases where digital identities were decimated, not through malware, key loggers, password cracking or even through access of the victim’s computer or device. Instead, the bad guys accomplish their nefarious deeds by culling a small amount of personal data from public sources, using clever social engineering tricks and depending upon the loose policies of a handful of companies who we trust with our private data.”
SQL injection, a technique used to attack databases through a website, remains the most commonly exploited vulnerability. In fact, along with cross-site scripting, it is rapidly growing as a favored method of attack. Attackers are now combining different techniques, such as SQL injection, cross-site scripting and shell command injection, to create layered attacks that give them a greater chance of success while making the attacks more difficult to defend against. Criminals are also increasingly using encryption to hide their exploits, making it harder for network security systems to detect them.
“We expect that the use of obfuscation techniques will continue as technologies that identify exploits, malware and data leakage improve,” the report says. “Additionally, as new applications are deployed, and as new technologies (cloud services, mobile applications and so on) emerge and influence how we communicate using the Internet, there will be more reason to hide potential attacks, raising the stakes each day.”
White Hats See Success
The picture isn’t all bleak, McFadden says. The high-profile takedowns of multiple botnets in 2011 (and of the Grum botnet in July 2012) drastically reduced spam and phishing levels, and they remain low. For now, organizations that have adopted IPv6 technology are seeing less malicious activity, though McFadden notes that may change as attackers adopt IPv6. While overall vulnerabilities are trending upward (possibly to an all-time high by year end), the X-Force data shows a decline in true exploits (“true exploits” being fully functional programs that can attack a computer, as opposed to proof-of-concept code). X-Force says only 9.7 percent of all publicly disclosed vulnerabilities are subject to true exploits.
“The good news is that the number of disclosures of SQL injection vulnerabilities is actually stabilizing,” McFadden says.
While the number of attacks leveraging SQL injection vulnerabilities is still increasing, McFadden says the decline in vulnerability disclosures is a sign that organizations are putting better controls in place to screen code for such vulnerabilities before they deploy it.
Mobile Malware Still Nascent Threat
On the mobile front, attackers are continuing to research how best to exploit mobile devices, but despite a growing number of vulnerabilities in applications and mobile operating systems they have yet to settle upon a way to leverage them.
“Though mobile is still a huge concern, we have not seen the uptick in mobile malware that we suspected,” McFadden says.
For now, the biggest threat from mobile seems to be premium SMS attacks, in which the attacker sets up a premium SMS service and then uses a phone’s internal applications to send messages to that service, generating direct-to-pocket revenue for the attacker. Attacks that attempt to ferret out important intellectual property from mobile devices, by contrast, have yet to manifest.
“We do expect that to shift as the sophistication of attackers increases,” McFadden warns. “The controls don’t appear to be properly being put in place by the enterprises that are allowing bring-your-own-device. At some point, this collision of the sophistication of malware, research by the bad guys and the lack of controls on mobile will come to a head.”
Sandboxing Technology Makes Documents Safer
In the meantime, though, there is one other bright spot: sandboxing. Sandboxes work by isolating an application from the rest of the system so that if the application is compromised, attacker code running inside it is limited in what it can do or access. High-profile examples include Adobe, Google and Microsoft. Adobe has implemented sandboxes in Adobe Reader X and later versions as well as Adobe Flash Player 11.3 and later versions. Google has implemented sandboxes in the Chrome browser as well as in Chrome’s built-in PDF viewer and Pepper Flash (Chrome’s built-in Flash viewer). Microsoft has implemented sandboxes in Internet Explorer 7 and later versions on Windows Vista and later versions. For documents, it has added a sandbox to Microsoft Office 2010 (in Protected View mode).
“We’re seeing that the number of vulnerabilities, most notably in PDF, has really tailed off because of sandboxing to a point where people really are no longer targeting those platforms,” McFadden says. “It’s no longer fruitful. Now it takes two or three vulnerabilities to break out of the sandbox; it turns into an ordeal. This is something that software vendors can do to actually help their customers and make their products safer to use.”
Thor Olavsrud covers IT Security, Big Data, Open Source, Microsoft Tools and Servers for CIO.com. Follow Thor on Twitter @ThorOlavsrud. Follow everything from CIO.com on Twitter @CIOonline and on Facebook.