Fortinet, a leading provider of network security and unified threat management (UTM) solutions, has published its "Top 5 Security Trends for 2011". Among the trends it hints at: more cyber criminals entering the game by attempting to make money with recycled existing source code; a price increase for tomorrow's crime services; an increase in 64-bit attacks; increased criminal headcount; and copy-and-paste malware.
1) Increased Global Collaborative Takedowns
This year, we've seen examples of countries working together to bring syndicates such as the Conficker Working Group down. While there were other notable takedowns, these operations only focused on the most visible violators and sometimes only caused a temporary impact. For example, while authorities took down the massive Koobface botnet in November, the servers were reconfigured and back up and running at full capacity a week later.
In 2011, we predict authorities will consolidate global collaborative efforts and partner with security task forces to shut down cyber criminal operations that are growing in number. The Zeus takedown that occurred in 2010, leading to charges by authorities in both the US and United Kingdom, is a great example, and we believe foreshadows things to come.
2) Infected Machine Inflation
Today, we're seeing a territorial concern for criminals building their malware empire(s), since control over managed infections can lead to longer up times and greater cash flow. Features advertised as "bot killers" are being implemented into new bots to generically kill other threats that may lurk on the same system. For example, we've seen one bot enumerating process memory to look for commands used by resident IRC bots. Once it finds processes that use these commands, it will kill them since they are perceived as a territorial threat.
As attackers infect machines in 2011, the value of already infected machines will increase. As a result, we're likely to see a price increase for crime services, such as bot rentals that load malicious software on machines, and malware that includes machine maintenance to maximize an infected machine's uptime. To keep infections discreet, malware operators may turn to quality assurance services that would, say, refuse to load software that may crash a machine or otherwise impact their business. As part of the package, malware operators may also include leasing infection process time. When the lease is up, the malware would clean up after itself, reducing the amount of load/threats on a single machine.
3) 32- to 64-Bit Infections
Security technologies such as address space layout randomization (ASLR), data execution prevention (DEP), virtualization, PatchGuard/kernel driver signing and sandboxing (a technique for creating confined execution environments) are becoming more commonplace, along with the 64-bit machines running them. This evolution has certainly restricted malware stomping grounds, which will drive demand in 2011 to break through these chains. In 2010, we saw JIT-spraying and return oriented programming (ROP) used to defeat ASLR/DEP with PDF/Flash exploits. In addition, we saw 64-bit rootkits such as Alureon, which bypassed PatchGuard and signing checks by infecting the master boot record to stage the attack.
Expect more 64-bit rootkits to follow in the quest to gain a foothold on newer machines, and further innovative attacks that circumvent defences like ASLR/DEP and sandboxing.
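ASLR and DEP only protect a Windows process if the image was linked with the corresponding opt-in flags in its PE header, so a practical defender's check is to read those flags off the binaries you deploy. The following script is an added example and is not Fortinet's code; it parses the COFF and optional headers with the standard library only, and the sample images it builds are constructed header-only stubs (not real executables) used purely to exercise the parser.

```python
import struct

# COFF machine types and optional-header magic values (from the PE/COFF specification)
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B

# DllCharacteristics flags that record the image's opt-in to ASLR / DEP
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020  # 64-bit ASLR may use the full address space
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040     # image can be relocated (ASLR)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100        # image is DEP-compatible


def pe_mitigations(data: bytes) -> dict:
    """Parse the PE headers in `data` and report architecture and ASLR/DEP opt-in."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if opt_size < 72:
        raise ValueError("optional header too short to carry DllCharacteristics")
    (magic,) = struct.unpack_from("<H", data, opt)
    # DllCharacteristics sits at offset 70 of the optional header for both PE32 and PE32+
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    arch_names = {IMAGE_FILE_MACHINE_I386: "x86", IMAGE_FILE_MACHINE_AMD64: "x64"}
    return {
        "arch": arch_names.get(machine, hex(machine)),
        "pe32plus": magic == PE32PLUS_MAGIC,
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "high_entropy_va": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def findings(report: dict) -> list:
    """Turn a pe_mitigations() report into the gaps a reviewer would flag."""
    out = []
    if not report["aslr"]:
        out.append("no DYNAMIC_BASE: image loads at a fixed address, ASLR gives it no protection")
    if not report["dep"]:
        out.append("no NX_COMPAT: under the default OptIn policy a 32-bit image runs without DEP")
    if report["pe32plus"] and report["aslr"] and not report["high_entropy_va"]:
        out.append("64-bit image without HIGH_ENTROPY_VA: ASLR limited to the low 32-bit range")
    return out


def build_sample_pe(machine: int, magic: int, dll_chars: int) -> bytes:
    """Construct a minimal header-only PE stub for testing (constructed sample, not a real binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE signature directly after the DOS header
    opt_size = 0xF0 if magic == PE32PLUS_MAGIC else 0xE0
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0002)  # 0x0002 = EXECUTABLE_IMAGE
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # inspect a real file given on the command line
        with open(sys.argv[1], "rb") as fh:
            rep = pe_mitigations(fh.read())
        print(rep, findings(rep))
    else:  # otherwise demonstrate on the constructed stubs
        hardened = build_sample_pe(IMAGE_FILE_MACHINE_AMD64, PE32PLUS_MAGIC,
                                   IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
                                   | IMAGE_DLLCHARACTERISTICS_NX_COMPAT
                                   | IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA)
        legacy = build_sample_pe(IMAGE_FILE_MACHINE_I386, PE32_MAGIC, 0)
        for name, img in (("hardened x64", hardened), ("legacy x86", legacy)):
            rep = pe_mitigations(img)
            print(name, rep, findings(rep))
```

Run it with a path to any .exe or .dll to see whether that image opted in; an image reported without DYNAMIC_BASE is exactly the kind of fixed-address target that ROP and JIT-spraying techniques mentioned above rely on, so such images belong on a rebuild list.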
4) Cybercriminals Hang Out the "Help Wanted" Sign
As money mules are taken off line in the coming year, there will be a need for immediate replacements. Additional jobs we see growing in demand include developers for custom packers and platforms, hosting services for data and drop-zones, CAPTCHA (challenge-response test used in computing to ensure that the response is not generated by a computer) breakers, quality assurance (anti-detection) and distributors (affiliates) to spread malicious code.
As demand grows for these resources in 2011, criminal operations will effectively expand head count. New affiliate programs will likely create the most head count by hiring people who sign up to distribute malicious code. Botnet operators have typically grown their botnets themselves, but we believe more operators will begin delegating this task to affiliates (commissioned middle-men) in 2011. The Alureon and Hiloti botnets are two examples that have already grasped this concept by establishing affiliate programs for their own botnets, paying anyone who can help infect systems on the operator's behalf. By using an army of distributors, botnets will continue to thrive.
5) Spreading Source
Malware today can appear under multiple names and aliases. Cross-detection between various security vendors is adding to the confusion as well. This is the result of a growing development community that is fuelled by available source code and libraries that are "borrowed" to create and sell new malware. Often, two pieces of malware we are evaluating are nearly identical in nature except for a small component inside of it that has changed. This type of "copy and paste" malware is an indication that multiple developers have adopted the same source code.
In 2011, we predict more cyber criminals will enter the game by attempting to make money using recycled existing source code. This trend will create more threat names/variants as they begin to circulate in the wild, which, in turn, will only create further confusion and dilute the meaning of these names. While public source code will continue to create problems on the security landscape, private source code will increase in value as will jobs for adept developers. We also expect to see new cases of leaked private source that are employed by new up-and-comers, thus continuing the vicious cycle.
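Because vendor names tell you little when two samples share most of their code, analysts cluster samples by measured similarity instead. The script below is an added example (not Fortinet's code) of the simplest such measure: byte-window shingling with a Jaccard score, plus a routine that isolates the "small component" that differs between two near-identical samples. The three samples are constructed stand-ins for the configuration strings an analyst would extract; they are not real malware artefacts, and the hostnames use the reserved .invalid domain.

```python
SHINGLE = 8  # length of each byte window; longer windows are stricter

# Constructed sample "strings" (not real artefacts): A is the base, B is A with a new
# C2 hostname and a rotated key, C is unrelated text of similar size and style.
SAMPLE_A = (
    b"cfg: mutex=Global\\constructed-mutex-01 ; c2=update.example-c2.invalid:8080/gate ; "
    b"persist: run-key ; inject: explorer.exe ; "
    b"hook: HttpSendRequestA,InternetReadFile,send,recv ; grab: forms,cookies,certs ; "
    b"keylog: on ; screenshot: on ; crypto: rc4 key=CONSTRUCTED-KEY-0001 ; update: 60m ; "
)
SAMPLE_B = (SAMPLE_A
            .replace(b"update.example-c2.invalid", b"cdn.example-c2.invalid")
            .replace(b"KEY-0001", b"KEY-0002"))
SAMPLE_C = (
    b"report: uptime=3d4h ; cpu=12% ; mem=40% ; disk=/dev/sda1 71% ; httpd=running ; "
    b"sshd=running ; load=0.31 0.28 0.25 ; ntp=synced ; kernel=2.6.32 ; "
)


def shingles(data: bytes, k: int = SHINGLE) -> set:
    """Every k-byte window of `data`, as a set (order and repetition are ignored)."""
    return {data[i:i + k] for i in range(len(data) - k + 1)}


def jaccard(a: bytes, b: bytes, k: int = SHINGLE) -> float:
    """Similarity in [0, 1]: shared windows over all windows of both samples."""
    sa, sb = shingles(a, k), shingles(b, k)
    if not sa and not sb:
        return 1.0
    return len(sa & sb) / len(sa | sb)


def novel_spans(base: bytes, variant: bytes, k: int = SHINGLE) -> list:
    """Contiguous byte ranges of `variant` that no window of `base` covers: the changed components."""
    known = shingles(base, k)
    positions = [i for i in range(len(variant) - k + 1) if variant[i:i + k] not in known]
    spans, start, prev = [], None, None
    for i in positions:
        if start is None:
            start = i
        elif i != prev + 1:            # gap: close the current span
            spans.append(variant[start:prev + k])
            start = i
        prev = i
    if start is not None:
        spans.append(variant[start:prev + k])
    return spans


def triage(samples: dict, threshold: float = 0.75) -> list:
    """Pairs of sample names whose similarity exceeds `threshold` (candidate shared-source families)."""
    names = sorted(samples)
    return [(x, y, round(jaccard(samples[x], samples[y]), 3))
            for i, x in enumerate(names) for y in names[i + 1:]
            if jaccard(samples[x], samples[y]) >= threshold]


if __name__ == "__main__":
    print("A~B", round(jaccard(SAMPLE_A, SAMPLE_B), 3), "A~C", round(jaccard(SAMPLE_A, SAMPLE_C), 3))
    print("changed in B:", novel_spans(SAMPLE_A, SAMPLE_B))
    print("families:", triage({"A": SAMPLE_A, "B": SAMPLE_B, "C": SAMPLE_C}))
```

The point of `novel_spans` is that once two samples are known to share source, the interesting intelligence is the part that was pasted over (a new C2 host, a rotated key), which is what a detection team wants to block or hunt for, regardless of which of the many vendor aliases the sample happens to carry.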
5 Common Vulnerabilities that can Compromise your Network
We also provide below some hints to protect common data appliances like USB devices, notebooks and phones from vulnerabilities sourced from Derek Manky’s Fortinet Blog. http://blog.fortinet.com/
Today’s security appliances do a great job patrolling the network perimeter, but what do you do when the threat is coming from inside the building? Below are the most common ways a network can be compromised from inside the gateway and what to do to protect your company.
1) USB Devices
USB drives are the most common way to infect a network from inside a firewall. They're cheap, hold a lot of data and can be used between multiple computer types. The ubiquity of thumb drives has driven hackers to develop targeted malware, such as the notorious Conficker worm, that can automatically execute upon connecting with a live USB port. Beyond simple thumb drives, any USB device that's capable of storing data is a potential threat. This includes external hard drives, digital cameras, MP3 players, printers, scanners and even digital picture frames. In 2008, Best Buy reported they found a virus in the Insignia picture frames they were selling at Christmas that came directly from the manufacturer.
What to do: Change the computer's default autorun policies. You can find information on how to do that within Windows environments here: http://support.microsoft.com/kb/967715. Implement and enforce asset control and policies around what devices can enter the environment and when. And then follow that up with frequent policy reminders. In 2008, the Department of Defense developed policies and banned USB and other removable media from entering/exiting their environments.
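The Microsoft article linked above controls AutoRun through the NoDriveTypeAutoRun registry value, a bitmask in which each bit disables AutoRun for one drive type. The helper below is an added example, not from Fortinet or Microsoft: it decodes such a value, reports which drive types would still auto-run, and (only when run on Windows, via the standard `winreg` module) reads the live value from the Explorer policy key; the test values are constructed, and 0x91 is used because it is the value generally seen as the Windows default.

```python
# Each bit of the NoDriveTypeAutoRun REG_DWORD disables AutoRun for the drive type
# whose GetDriveType() number matches the bit position. 0xFF disables it everywhere.
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE",   # thumb drives, card readers, most USB storage
    0x08: "DRIVE_FIXED",       # internal and external hard disks
    0x10: "DRIVE_REMOTE",      # network shares
    0x20: "DRIVE_CDROM",       # optical media and USB devices that emulate a CD-ROM
    0x40: "DRIVE_RAMDISK",
    0x80: "UNKNOWN_TYPE_RESERVED",
}

# Drive types where an attached USB device usually appears; all three must be covered.
REQUIRED_MASK = 0x04 | 0x08 | 0x20

POLICY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
POLICY_VALUE = "NoDriveTypeAutoRun"


def autorun_still_enabled(value: int) -> list:
    """Drive types for which AutoRun remains enabled under `value`."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not value & bit]


def removable_media_locked_down(value: int) -> bool:
    """True when AutoRun is off for removable, fixed and CD-ROM drives."""
    return value & REQUIRED_MASK == REQUIRED_MASK


def read_policy_from_registry():
    """Return the effective NoDriveTypeAutoRun DWORD on Windows, or None elsewhere / if unset."""
    try:
        import winreg  # only available on Windows
    except ImportError:
        return None
    # Machine policy wins over user policy, so check HKLM first.
    for hive in (winreg.HKEY_LOCAL_MACHINE, winreg.HKEY_CURRENT_USER):
        try:
            with winreg.OpenKey(hive, POLICY_KEY) as key:
                return winreg.QueryValueEx(key, POLICY_VALUE)[0]
        except OSError:
            continue
    return None


def assess(value) -> str:
    """One-line verdict suitable for an inventory or compliance report."""
    if value is None:
        return "NoDriveTypeAutoRun not set: Windows defaults apply, removable media may auto-run"
    if removable_media_locked_down(value):
        return "0x%02X: AutoRun disabled for removable, fixed and optical drives" % value
    return "0x%02X: AutoRun still enabled for %s" % (value, ", ".join(autorun_still_enabled(value)))


if __name__ == "__main__":
    for v in (0x91, 0x95, 0xFF):          # constructed sample values
        print(assess(v))
    print("this host:", assess(read_policy_from_registry()))
```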
2) Laptops and Netbooks
Laptops are discreet, portable, include full operating systems and come with a handy Ethernet port for tapping directly into a network. What's more, such a notebook may already have malicious code running in the background that is tasked to scour the network and find additional systems to infect. This notebook could belong to an internal employee or guest who's visiting and working from an open cube or office. It's also important to think about the laptops themselves. All companies have some forms of sensitive information that absolutely cannot leave the walls of the building. It becomes very dangerous when that information is stored on an unsecured portable computer, as they are very easy to walk off with.
What to do: Implement an encrypted file system for sensitive data. There are a number of off-the-shelf and open source solutions out there that do this. Control over end points that enter and exit the internal system is also important. Sensitive information, such as VPN, DV and Wi-Fi access should not be stored persistently on devices such as laptops or netbooks.
3) Wireless Access Points (APs)
Wireless APs provide immediate connectivity to any user within proximity of the network. Wireless attacks by wardrivers (people in vehicles searching for unsecured Wi-Fi networks) are common. TJ Stores, owners of Marshalls and TJMaxx, was attacked using this method, and intruders escaped with store customer transactions including credit card, debit card, check and merchandise return transactions. This intrusion has ended up costing TJ Stores more than $500 million. Wireless APs are naturally insecure, regardless of whether encryption is used or not. Protocols such as Wired Equivalent Privacy (WEP) contain known vulnerabilities that are easily compromised with attack frameworks such as Aircrack. More robust protocols such as Wi-Fi Protected Access (WPA) and WPA2 are still prone to dictionary attacks if strong keys are not used.
What to do: WPA2 Enterprise using RADIUS is recommended, along with an AP that is capable of performing authentication and enforcing security measures. Strong, mixed passwords should be used and changed on a fairly frequent basis. Generally, wireless APs are connected for convenience, so it is usually not necessary to have them connected to the production environment.
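The difference between the weak and the recommended setup is visible in an AP's own configuration. The two hostapd fragments below are an added example (not Fortinet's, and not from any specific product): the first shows the WEP configuration the section warns against, the second the WPA2 Enterprise setup it recommends, where the AP hands authentication to a RADIUS server instead of holding a shared key. The interface name, SSID, RADIUS address and shared secret are placeholders.

```ini
# --- weak: WEP with a static key shared by every client (what the section warns against) ---
interface=wlan0
driver=nl80211
ssid=CorpNet-Legacy
hw_mode=g
channel=6
auth_algs=1
wep_default_key=0
wep_key0="abcde"          # 40-bit key; recoverable with the frameworks named above

# --- recommended: WPA2 Enterprise, per-user credentials checked by RADIUS ---
interface=wlan0
driver=nl80211
ssid=CorpNet
hw_mode=g
channel=6
auth_algs=1
wpa=2                     # RSN / WPA2 only, no WPA1 fallback
wpa_key_mgmt=WPA-EAP      # 802.1X/EAP instead of a pre-shared key
rsn_pairwise=CCMP         # AES-CCMP only, no TKIP
ieee8021x=1
ieee80211w=2              # require protected management frames
auth_server_addr=192.0.2.10        # placeholder RADIUS server (documentation address range)
auth_server_port=1812
auth_server_shared_secret=CHANGE-ME-placeholder-secret
nas_identifier=ap01.example.invalid
```

With the enterprise configuration there is no network-wide passphrase for a dictionary attack to recover: each user authenticates with their own credentials (or certificate) against the RADIUS server, and revoking one account does not require re-keying every AP and client.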
4) Smart Phones and other digital devices
Today, phones are full-functioning computers, complete with Wi-Fi connectivity, multithreaded operating systems and high storage capacity. And they are starting to be given the green light in business environments. These new devices have the potential to pose the same threats we’ve seen with notebooks and thumb drives. What’s more, these devices have the potential to elude traditional DLP solutions.
What to do: The same rules for USB devices apply here. Implement and enforce asset control and policies around what devices can enter the environment and when.
5) Email
Email is frequently used within businesses to send and receive data; however, it's often misused. Messages with confidential information can be forwarded to any external target. In addition, the emails themselves can carry nasty viruses. One targeted email could phish for access credentials from an employee. These stolen credentials would then be leveraged in a second-stage attack.
What to do: With email security, source identification is key. Identify the sender using technology such as PGP, or a simple array of questions before sending sensitive information. Access control to broad alias-based email addresses should be enforced. And policy and reminders should be sent out to employees.
Dec 14 2010