Holistic Security

Security teams report grave concern over data breaches

In the wake of undiscovered data breaches and subsequent public exposure, a layered approach to security is becoming even more important for protecting a company’s critical assets.

Even as the number of data breaches committed by illicit means rises, internal controls are falling short of expectations and of any assurance that critical assets remain uncompromised. According to the Identity Theft Resource Center, 336 breaches have been reported in 2008 alone, 69 percent more than at this time last year. This is a grave concern for security teams, especially because few dedicated resources exist to combat and reverse the trend.

Hidden Threats from Within
Hidden and unidentified infections almost certainly leave an organization unaware of, and insufficiently concerned about, the exposure of sensitive information and the regulatory obligations that such exposure violates.

More of today's malware is designed to target specific platforms and the users who interact with them. For example, banker Trojans are an increasing concern for the financial and e-commerce communities because of the pervasive ways in which they obtain personal information. This type of malware targets specific payment or banking platforms, stealing credentials and fueling a rise in financial and economic fraud.

According to a recent online fraud report by Cybersource, annual revenue loss due to online fraud in 2007 amounted to $3.6 billion, and the trend is expected to continue beyond 2008. Online fraud and targeted phishing campaigns have evolved in parallel and are expected to increase steadily as well. These tactics have become popular among the hacker elite, who have taken an evolutionary step forward in sophistication and complexity.

Of greater concern is tailored malware used in a targeted attack against a corporation's intellectual property. These threats most often stay under the radar for extended periods, undetected by resident security software until it is too late. The primary reason such hidden threats persist is the limited distribution and complexity of the attack: because it targets only a few key people, researchers never see or analyze the malcode, and so no signature defense is ever created.

Targeted Phishing Campaigns
Targeted phishing scams against corporate executives, also known as whaling, have recently been seen as a means of introducing malicious code into the environment. Because the target is often intellectual property, financial records and personal employee data, these attacks are carefully planned to ensure the highest possible success rate.

According to MessageLabs' most recent quarterly phishing and spam report, smaller state-level banks and credit unions continue to receive increasing attention from hackers. In addition, targeted attacks have risen from what used to be two per day to more than 900 in a single 24-hour period.

These attacks use a wide variety of social engineering tactics, including fake subpoenas, tax complaints and many other kinds of bait, to lure victims into executing an attached Trojan. Spear phishing has begun to replace generic phishing as users learn to recognize generic lures as illegitimate. When targeting a company, hackers develop a phishing campaign designed specifically for it, researching their targets so that the message appears credible. Even a well-educated user may not realize that such a message is phony and should be deleted, which makes the chances of success much higher.

Once executed, the payload delivered by these messages searches for confidential information and leaks it to an external third party over an encrypted back channel to a crimeware server hosted by a cyber-gang.

Anti Virus Cloaking Techniques
To further disguise their attacks, hackers design malware to avoid exhibiting the traditional bad behavior flagged by behavioral heuristics. In other words, they use the following cloaking techniques to hide the presence of an attack:

  • Custom runtime packers.
  • Server-side polymorphism or Crimeware-as-a-Service.
  • Kernel-mode rootkits.
  • Sophisticated memory subversion.

A major risk to security is the emergence of server-side polymorphism or Crimeware-as-a-Service, in which the polymorphic engine does not reside within the virus code itself, but remotely on a server. Two forms of server-side polymorphism are known today: the first pushes freshly mutated variants of the malware into the wild in volume, so that each download is a different binary; the second targets PCs already enrolled in a botnet, where a specific bot variant can be mutated on demand in response to a command delivered over HTTP. This is called Crimeware-as-a-Service because the actual viral code resides in the cloud, much as a Software-as-a-Service platform does. In other words, CaaS provides malware-on-demand to the infected host.

This methodology has proven effective and difficult to counteract with traditional anti-malware models. Server-side polymorphism is hard to detect because the transformation functions -- the routines used to change the signature of the code -- are never visible to the virus analyst; only the output of each mutation is. The algorithms involved therefore cannot be studied to the degree necessary to create an effective vaccination. Botnet communication is often encrypted as a defense mechanism to prevent easy discovery of the command-and-control server that dishes out the mutated malware. Attacks using server-side polymorphism often succeed in infecting their targets while flying under the radar.

The net effect is malcode that sits unseen, a data exposure waiting to happen. The data points bear this out: 73 percent of documented breaches were conducted by outsiders, and malcode was involved in 31 percent of them, according to a study published by the Verizon Business Risk team. When the security solutions designed to detect and prevent these threats do not respond and malware goes undetected for months, a serious breach is likely, and immediate action should be taken to remedy the situation.

With the avalanche of new threats seen on a daily basis, and the high rate of infections that resident software fails to detect, end users are encountering "The Silent Epidemic." This is partly due to the deliberate strategies hackers use to remain invisible for as long as possible, leaving resident security software in the dust. On average, more than 4,000 new malware strains are released every day, crippling the capacity of antivirus labs to respond efficiently.

Furthermore, the number of malware variants has increased and is expected to keep growing over the next five to 10 years, leading to many more data breaches and a host of other high-profile security incidents.

Protecting the Networks
The most important thing to remember when building a secure virtual system is to take a holistic approach. Technologies such as system hardening, regular behavioral analysis, proactive end-point security, IPS firewalls and heuristics are essential for maintaining a fortified virtual environment. Below are some tips on how to ensure you are meeting all of these requirements.

When deciding which controls to implement and where, harden the operating system on both the host and the virtual machines against common, run-of-the-mill exploitation, and keep patches up to date. System hardening -- locking down the operating system -- should be mandatory because it blunts much of the malware that exploits zero-day vulnerabilities in common application platforms: even when the exploit lands, a hardened configuration denies the compromised process the actions it needs next. For example, there is no legitimate reason for Adobe Acrobat to spawn a command shell or execute any other arbitrary system command.
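One way to make the Acrobat rule above enforceable is a process-parentage check, as in the following added example (not code from the article or from Panda): it treats a document handler that spawns a shell, a script host, or a binary out of a user-writable temp directory as a violation. The process lists, the allowlist and the sample events are assumptions constructed for illustration and would be tuned per environment.

```python
"""Behavioral rule for the hardening point above: document handlers such as
Acrobat or Word should never spawn a shell, a script host or a binary
dropped in a temp directory. Runs over process-creation events (the
parent image / child image / command line fields an EDR agent records)
and returns the events that violate the rule.

Added example; the event records below are constructed and the process
lists are assumptions to be tuned per environment.
"""
import ntpath
from dataclasses import dataclass

# Processes that routinely open attacker-supplied documents (assumed list).
DOCUMENT_HANDLERS = {
    "acrord32.exe", "acrobat.exe", "winword.exe", "excel.exe",
    "powerpnt.exe", "outlook.exe",
}

# Children that a document handler has no legitimate reason to launch.
SHELLS_AND_SCRIPT_HOSTS = {
    "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
    "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}

# Children a reader does legitimately launch (assumed: the Adobe updater and
# the 64-bit print spooler helper).
ALLOWED_CHILDREN = {"adobearm.exe", "splwow64.exe"}

# Directories an exploit payload is typically written to before execution.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\downloads\\")


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the newly created process
    command_line: str


def basename_lower(path: str) -> str:
    return ntpath.basename(path).lower()


def is_suspicious(event: ProcessEvent) -> bool:
    """True if a document handler spawned something it should not."""
    if basename_lower(event.parent_image) not in DOCUMENT_HANDLERS:
        return False
    child = basename_lower(event.image)
    if child in ALLOWED_CHILDREN:
        return False
    if child in SHELLS_AND_SCRIPT_HOSTS:
        return True
    # Anything else launched from a user-writable directory is a dropped payload.
    image = event.image.lower()
    return any(marker in image for marker in USER_WRITABLE_MARKERS)


def suspicious_child_processes(events):
    """Filter a stream of process-creation events down to rule violations."""
    return [e for e in events if is_suspicious(e)]


# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe",
                 r"C:\Windows\System32\cmd.exe",
                 r'cmd.exe /c "%TEMP%\a.vbs"'),
    ProcessEvent(r"C:\Program Files\Microsoft Office\Office12\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -enc <base64 payload>"),
    ProcessEvent(r"C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe",
                 r"C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe",
                 "AdobeARM.exe"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\cmd.exe",
                 "cmd.exe"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\Office12\EXCEL.EXE",
                 r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
                 "update.exe"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\Office12\WINWORD.EXE",
                 r"C:\Windows\splwow64.exe",
                 "splwow64.exe"),
]

if __name__ == "__main__":
    for e in suspicious_child_processes(SAMPLE_EVENTS):
        print(f"BLOCK {basename_lower(e.parent_image)} -> {e.image} [{e.command_line}]")
```

Of the six constructed events, three are flagged: the shell and the PowerShell host spawned by the reader and Word, and the executable Excel launched from a temp directory. Explorer launching a shell is ignored because the parent is not a document handler, and the updater and spooler helper pass through the allowlist. In a blocking configuration the same predicate decides whether the child is allowed to start at all.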

It is also essential to conduct regular security assessments that detect both vulnerabilities and active threats. If your servers run Web-based applications, test them to ensure that SQL injection and other input-validation attacks cannot succeed.
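As an added example of the SQL injection check such an assessment should cover (not code from the article), here is a vulnerable string-built login query beside its parameterized fix, both run against a constructed in-memory SQLite table so the authentication bypass is observable:

```python
"""SQL injection: the vulnerable query beside its parameterized fix,
exercised against an in-memory SQLite table so the difference is visible.

Added example; the users table, its rows, the login functions and the
payloads are constructed for illustration.
"""
import re
import sqlite3


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2"), ("admin", "N0tGuessable")],
    )
    return conn


def login_vulnerable(conn, username: str, password: str) -> list:
    # BAD: untrusted input is spliced into the SQL text, so quote characters
    # in the input change the structure of the statement itself.
    sql = ("SELECT username FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username: str, password: str) -> list:
    # GOOD: placeholders; the driver passes the values separately from the
    # statement, so they can only be compared, never parsed as SQL.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_valid_username(s: str) -> bool:
    """Defense in depth: reject input that could never be a real username
    before it reaches the database at all."""
    return USERNAME_RE.fullmatch(s) is not None


# Two classic payloads (constructed for the demo).
TAUTOLOGY = "' OR '1'='1"    # makes the WHERE clause always true
COMMENT_OUT = "admin' --"    # closes the string and comments out the password check

if __name__ == "__main__":
    conn = build_db()
    print("vulnerable, tautology:", login_vulnerable(conn, "admin", TAUTOLOGY))
    print("safe, tautology      :", login_safe(conn, "admin", TAUTOLOGY))
    print("vulnerable, comment  :", login_vulnerable(conn, COMMENT_OUT, "anything"))
    print("safe, comment        :", login_safe(conn, COMMENT_OUT, "anything"))
```

With the tautology payload as the password, the vulnerable query returns every user; with the comment payload as the username, it returns "admin" regardless of password. The parameterized version returns nothing for both, because the payload is compared as a literal string rather than parsed. The username validator is a second, independent layer: neither payload matches the allowed character set, so a well-built application rejects them before any query is built.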

Ensure proactive end-point security with herd intelligence. The best way to capture as much malicious data as possible, proactively, is to employ a security system that uses herd intelligence, also known as collective intelligence. This SaaS platform automates and enhances malware collection, classification and vaccination by gathering detections from the Internet community at large rather than from a single site. By reducing the manual effort required to process the thousands of samples received daily, herd intelligence increases the capacity and visibility of the A/V lab by moving that processing into the cloud.
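The server-side polymorphism and herd intelligence points connect: if every victim receives a uniquely mutated binary, no single organization ever sees the same hash twice, but a fleet-wide view can still notice files that are rare, or that keep changing under a constant name. The following added example (not Panda's Collective Intelligence code; the sighting records, the field names and both thresholds are constructed assumptions) applies both heuristics to endpoint sighting reports and serves as the illustration for both passages:

```python
"""Herd-style triage over file sightings reported by many endpoints.

Two heuristics that follow from the article's point that targeted and
server-side-polymorphic malcode is never seen by signature labs:
  1. Low prevalence: a hash present on only a handful of hosts fleet-wide
     is exactly the sample no lab has a signature for; queue it for analysis.
  2. Hash churn: one filename arriving under many different hashes is what
     server-side polymorphism looks like from the herd's vantage point.

Added example, not Panda's implementation; the sightings are constructed
and both thresholds are assumptions.
"""
import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sighting:
    host: str       # endpoint identifier
    sha256: str     # hash of the executable as seen on that host
    filename: str   # name the file was written under


def prevalence(sightings) -> dict:
    """Number of distinct hosts on which each hash was seen."""
    hosts_by_hash = defaultdict(set)
    for s in sightings:
        hosts_by_hash[s.sha256].add(s.host)
    return {h: len(hosts) for h, hosts in hosts_by_hash.items()}


def rare_hashes(sightings, max_hosts: int = 2) -> list:
    """Hashes seen on at most max_hosts hosts: candidates for automated analysis."""
    return sorted(h for h, n in prevalence(sightings).items() if n <= max_hosts)


def churning_filenames(sightings, min_variants: int = 3) -> list:
    """Filenames that arrive under min_variants or more distinct hashes."""
    hashes_by_name = defaultdict(set)
    for s in sightings:
        hashes_by_name[s.filename.lower()].add(s.sha256)
    return sorted(name for name, hs in hashes_by_name.items() if len(hs) >= min_variants)


def triage(sightings) -> dict:
    return {"analyze_hashes": rare_hashes(sightings),
            "polymorphic_names": churning_filenames(sightings)}


def fake_hash(label: str) -> str:
    """Stand-in for a real file hash, derived from a label so the sample stays readable."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed fleet of six hosts (not real telemetry):
#  - notepad.exe is one identical build everywhere (high prevalence, benign)
#  - svchost.exe is shared by three hosts (still prevalent)
#  - flash_update.exe reached three hosts as three different binaries
#  - invoice.pdf.exe exists on a single host
SAMPLE_SIGHTINGS = [
    *[Sighting(f"host{i}", fake_hash("notepad-build-1"), "notepad.exe") for i in range(1, 7)],
    *[Sighting(f"host{i}", fake_hash("svchost-build-1"), "svchost.exe") for i in range(4, 7)],
    Sighting("host1", fake_hash("flash-variant-a"), "flash_update.exe"),
    Sighting("host2", fake_hash("flash-variant-b"), "flash_update.exe"),
    Sighting("host3", fake_hash("flash-variant-c"), "flash_update.exe"),
    Sighting("host4", fake_hash("invoice-dropper"), "invoice.pdf.exe"),
]

if __name__ == "__main__":
    result = triage(SAMPLE_SIGHTINGS)
    names = {s.sha256: s.filename for s in SAMPLE_SIGHTINGS}
    counts = prevalence(SAMPLE_SIGHTINGS)
    for h in result["analyze_hashes"]:
        print(f"analyze {names[h]:18} {h[:16]} hosts={counts[h]}")
    print("polymorphic names:", result["polymorphic_names"])
```

On the constructed fleet, the four single-host hashes (three flash_update.exe variants and the lone invoice.pdf.exe) are queued for analysis while the widely deployed system binaries are not, and flash_update.exe is the one filename flagged for churn. Neither signal requires a signature for the sample in hand, which is the point: the herd notices what no individual lab has ever seen.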

The Yankee Group has estimated that herd intelligence and other cloud-based technologies will quickly become mainstream. Andrew Jaquith, former security and risk management program manager for the Yankee Group, recommends that businesses “make herd intelligence central to their long-term survival strategies.” This technology allows companies to expand the number of malware samples they collect to 15,000 a day, Jaquith said.

“Antivirus companies that are not taking steps today to plan for malware volumes 100 times their current load are not thinking hard enough about the problem,” Jaquith wrote in an article titled “Herd Intelligence will Reshape the Antimalware Landscape.”

It is imperative that system operators take a proactive approach when developing a security plan for a virtual network, because new malware emerges faster than antimalware labs can process it. The best end-point security solution includes more than signature-based detection of malicious code.

A Layered Approach
None of these technologies -- system hardening, behavioral analysis, behavioral blocking, herd intelligence, IPS firewall and heuristics -- will protect against advanced threats on its own, but in combination they provide a robust, layered defense against sophisticated attacks.

If corporations do not take a holistic approach to end-point security, server-side polymorphism and other stealth tactics will continue to open the door to all sorts of problems, from more targeted attacks to undisclosed data breaches. By using the most effective means of stopping hackers and stemming the onslaught of malware, organizations can rest assured that their valued information and assets remain protected.

About the Author

Ryan Sherstobitoff is the chief corporate evangelist at Panda Security.
