Rob Buckley – Freelance Journalist and Editor

Security trends of 2009

Unlike most of IT, where a new development rarely comes out of the blue, security almost never fails to come up with something new and unexpected each year. Old trends may continue, but with criminal gangs motivated by the attraction of thousands, if not millions of pounds if they can infiltrate the right systems, somebody, somewhere is always trying to come up with new ways of breaking security.

2009 has been no different, with a number of new threats presenting themselves right from the outset.

Although phishing and spam aren’t exactly new, the use of Facebook, Twitter and other social networking technologies to propagate attacks and malware has been one of the biggest trends of the year. Twitter and Facebook in particular have seen incredible popularity among both spammers and malware writers as ways of getting to unsuspecting Internet users. And with more and more enterprises either allowing employees access to social networking sites or actively using them for their own activities, the sites have become potential sources of entry for malware into the enterprise.

Sometimes, the attacks have come from the personal information Facebook and Twitter can provide, something that is partially responsible for the rise this year of ‘spear phishing’ – highly targeted attacks based on a particular user’s interests. Very rarely, however, have any of these exploits been hosted by social networking sites themselves. Instead, malware writers have exploited the sites’ ‘circle of trust’ between users. Users are more inclined to click on links and go to sites provided by their friends than by strangers. Malware writers have used this trust to create viruses that send messages from infected machines’ Facebook accounts to their friends, suggesting they visit particular sites – which turn out to be infected.

Twitter’s message limit of 140 characters means that URL-shortening services have become very popular. However, where once someone might have avoided clicking on a link to a site they don’t know, shortened URLs rarely offer any clue about their destination.

The related threat of “drive-by downloads” has also become one of the big problems of 2009. In 2008, for example, Symantec observed a total of 18 million drive-by download infection attempts; however, from just August to October of 2009 alone, Symantec spotted 17.4 million. Gangs have been targeting reputable sites, including the likes of paulmccartney.com, and adding exploits aimed at known vulnerabilities in browsers; if the user has stayed up to date with patches, they might be asked to install a plug-in to view a particular content type, but which will actually infect them with a Trojan.

Trojans themselves have seen considerable development, and one of the biggest developments of 2009 is the emergence of “Crime as a Service”. Gangs now specialise in particular aspects of the criminal exploitation of Trojans. Some will guarantee to infect a certain number of machines with a particular Trojan; others develop Trojans, selling them together with customisation kits; yet others specialise in laundering the money acquired through Trojans. These gangs now meet in online forums and sell their services to each other.

“With the introduction of ‘Cloud Computing’ and ‘Software as a Service’, we have seen the inevitable introduction of ‘Hacking as a Service’ where not only the weaponised toolkit is for sale, but you can pay a criminal organisation to host and operate it for a low monthly fee,” says Dave Hartley, security consultant, Activity IM. “The processing power of distributed systems is used by criminals to perform distributed password cracking attacks and remote brute force and dictionary attacks against authenticated protocols and Internet applications such as ‘Wordpress’ blogging software. The compromised systems are then recruited into distributed attack platforms and used to launch further attacks against other systems.”

Trojan development, particularly with the likes of Zeus 2.0, has reached a level of sophistication at which traditional anti-virus software has become almost irrelevant. Criminals now have testing labs that download the latest anti-virus definitions, and run them against their Trojan. If the Trojan is detected, a new version can quickly be built that evades detection, and then sent to replace an installed Trojan using its built-in auto-update mechanisms.

While Trojans haven’t yet been used against enterprises directly, many laptops and other devices have become infected outside company firewalls and then been brought into the enterprise. The Trojans’ keyloggers have then passed enterprise data on to the gangs, and there are signs that these gangs are starting to look at ways of exploiting the information they are gathering.

One of the key trends of 2009 has been a response to these new threats, and it isn’t just a trend in the security space, either. Security services based in the cloud are now being offered to prevent many of these issues. Cloud-based AV software can respond more quickly to threats; it can also process web sites on the fly, so that lists of infected sites are constantly up to date and sites themselves can be scanned before being passed on to end users to see if they contain malware.

“To effectively combat dynamic, web-based malware and attack methods, businesses will increasingly need a defence that can respond in real-time without updates,” says Nigel Hawthorn, EMEA marketing VP for Blue Coat. “That is impossible to do with only an on-premise or client defence. Instead, cloud-based technologies will increasingly augment traditional defences so real-time inputs result in real-time outputs and protection for a large group of people versus a single person or business. With attacks that exist for as little as two hours, security needs to move rapidly. And, in 2010, the first place it is going is to the cloud.”

Data loss prevention (DLP) isn’t a new concern for the enterprise, but it has become a serious one over the last year. The Information Commissioner’s Office has seen 424 organisations report data security breaches in the past 12 months, compared to 277 the year before. Employees and ex-employees have been responsible for some of this: fraud prevention service CIFAS says that the rate of dishonest employee actions increased by more than two thirds (69.5 percent) between the latter half of 2008 and the first half of 2009. To combat this, companies have started to look seriously at DLP solutions, such as ubiquitous encryption of all data.

Many of these trends are set to continue into 2010, but new ones are bound to emerge soon. Many predict that virtualised systems will be the next target for concerted attack. Whatever happens though, there are bound to be some big surprises.
