Today's Threat Landscape
Thieves, hackers always looking for new ways to grab information
- By Bill Morrow
- Aug 01, 2012
Today’s threat landscape is constantly evolving. Cyberthieves and hackers are always looking for new ways to obtain sensitive information. As Web browsers have become the common interface for accessing information that drives business activity, browsers have become the primary target of theft and data leakage. Despite major investments in online security, companies and individuals still face significant risk of their data being breached.
In the battle for information security, cybercriminals are moving faster and more aggressively than ever before. Lost corporate data—intellectual property, financial records and employees’ identities—can result in the public relations nightmares that occupy the headlines every day. Sophisticated malware and keyloggers can compromise HTTPS Web sessions after the data has been decrypted, stealing sensitive information or account credentials, transparently redirecting users to hostile sites and mining the session content. The browser on the endpoint continues to be the weakest part of most networks because one wrong click of the mouse can open a company’s most sensitive data to significant threats. These threats translate into substantial business risks, ranging from lost or stolen intellectual property to privacy breaches and regulatory violations to brand impairment, customer loss and legal action.
According to the 2012 State of the Endpoint report from the Ponemon Institute, on average malware incidents have nearly doubled from 27 percent in 2010 to 43 percent in 2011, with 31 percent of enterprises reporting that occurrences have significantly increased in frequency, specifically when it comes to Web-borne malware attacks. On average, respondents said they are seeing more than 50 malware attempts per month within their organizations. While all organizations in the study use antivirus/anti-malware technology, less than half (40 percent) of respondents said it is one of the top five most effective technologies.
Cybercriminals and online hacktivists know that people love social networking sites, and the trust they have in these sites presents the perfect opportunity to create socially engineered malware attacks. As organizations embrace the use of social media, the importance of data security increases substantially because users can easily introduce malware and keyloggers onto the company network from their Web-based interactions with company applications. Sensitive corporate data can remain in the Web browser cache in clear text format, where it can be easily extracted by either malware or end users, even after the Web session has ended.
Additionally, stored user names and passwords from browser sessions remain available in the authentication cache and are vulnerable to malware. Browser vulnerabilities alone present security issues for an organization of any size, but when those vulnerabilities are combined with careless or malicious user error, they can lead to significant data loss issues for organizations.
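A defender-side check for the cache-retention problem described above. This is an added example, not code from the article: it decides from the response headers alone whether a browser is permitted to write the decrypted body to its disk cache, and shows the header set that forbids it. The sample header sets are constructed.

```python
"""Decide from HTTP response headers whether a browser may keep a copy of
the (already decrypted) body in its cache. Added example, not from the
article; the sample header sets below are constructed."""


def parse_cache_control(value: str) -> dict:
    """Split a Cache-Control header into {directive: argument or None}."""
    directives = {}
    for part in value.split(","):
        part = part.strip().lower()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip()] = arg.strip().strip('"') or None
    return directives


def browser_may_store(headers: dict) -> bool:
    """True if nothing forbids the browser cache from storing the body.

    Under the HTTP caching rules only no-store forbids storage; no-cache,
    private and max-age=0 merely restrict reuse, so the clear-text body
    can still end up on disk. HTTPS itself does not change this.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lowered.get("cache-control", ""))
    return "no-store" not in cc


def harden_sensitive_response(headers: dict) -> dict:
    """Return a copy of the headers with caching of the body disabled."""
    hardened = {k: v for k, v in headers.items()
                if k.lower() not in ("cache-control", "pragma", "expires")}
    hardened["Cache-Control"] = "no-store, no-cache, must-revalidate, private"
    hardened["Pragma"] = "no-cache"  # for legacy HTTP/1.0 intermediaries
    hardened["Expires"] = "0"
    return hardened


# Constructed sample: a CRM account page served over HTTPS with a typical
# default header set that looks restrictive but still permits disk storage.
WEAK_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Cache-Control": "private, no-cache, max-age=0",
}

if __name__ == "__main__":
    print("weak headers storable:", browser_may_store(WEAK_HEADERS))
    print("hardened storable:",
          browser_may_store(harden_sensitive_response(WEAK_HEADERS)))
```

The stored-credential problem the paragraph also mentions is separate: it is the browser's password manager, not the HTTP cache, and is not addressed by these headers.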
As we’ve seen with various breaches, cyber spying exponentially increases the risk of data loss. And we aren’t just talking about credit card numbers and personally identifiable information. We’re talking about the theft of extremely sensitive intellectual property relating to the status of the company, including research, business plans and technical papers. The amount of damage that can be done in a single instance of a data breach is almost unlimited and undoubtedly raises questions for many organizations about the security of some of their more sensitive information.
Corporate Data Loss: An Inside Job?
Threats to sensitive data don’t come just from outside the company. With hosted enterprise applications like CRM systems, Webmail and Microsoft SharePoint, users have the flexibility to work anytime and anywhere from any browser-enabled PC. With many of today’s CRM databases, it’s astonishingly easy to copy vast amounts of critical data, such as customer information, account numbers and other financial information, onto an external drive. In fact, many companies have lost data to unscrupulous employees who stole competitive business information and either sold it or took it with them to a new company. Data loss can also occur unintentionally at the hands of employees. Whether due to malicious intent or careless end-user behavior, the consequences of data loss can be devastating—ranging from reputation damage to lawsuits and financial loss.
Microsoft SharePoint facilitates the communication of employees across an enterprise, allowing them to share sensitive corporate information with one another. According to Microsoft, 67 percent of its enterprise customers have deployed SharePoint within their organization. SharePoint makes it easy to set up websites to share information, and organizations are embracing its collaborative nature. A 2010 report from the Radicati Group indicated that by 2014, SharePoint will have an installed base of 477 million, representing a 31 percent average annual growth rate. A 2009 survey from Surety revealed that the majority of organizations are using SharePoint to store and share their most vital electronic records, such as critical intellectual property (IP) records, strategic corporate planning documents, company financials, employee records, electronic medical records (EMR) and personal health records (PHR). Forty-six percent of respondents estimated that the data housed in their SharePoint systems was valued greater than $10 million. Nearly 30 percent of survey respondents valued the electronic records housed in their SharePoint systems at more than $50 million, with nine percent indicating that their data was valued greater than $500 million.
Yet concerns remain about data breaches, compliance requirements and malware threats for sensitive corporate Web-based data—and for good reason: the average cost of a single data breach is $5.5 million. Web applications are the third-most common breach vector and account for more than one-third of data loss. The Surety survey also revealed that nearly one-quarter of respondents lack confidence that their organizations’ electronic records or other digital content are protected when they are being shared within the SharePoint environment. Of the respondents whose organizations have suffered a data breach within their SharePoint system, 67 percent indicated that the tampering was at the hands of a person with access to SharePoint from inside the organization.
A 2012 survey from Cryptzone revealed that these security breaches have only increased in the past three years. Nearly 45 percent of respondents indicated they had copied information from SharePoint to a local hard drive or flash drive to work at home or to send out via email to users without access to the system, even though 92 percent of them recognized that this was a security breach. More alarmingly, 30 percent aren’t bothered by this fact if it helps them to do their job. In addition, a third of IT administrators, or somebody they know with administrator rights, has read documents hosted in Microsoft’s collaboration server that they are not meant to read.
Many organizations are also deploying SharePoint as extranets, to share information with partners, contractors and clients. Granting access and making information available to external users can increase efficiency and productivity. At the same time, it also increases business risk to confidential information and intellectual property, not to mention compliance regulations. Data integrity relies upon leveraging and protecting information assets. How do you protect sensitive corporate information that’s being shared by internal and external users across a platform such as SharePoint? SharePoint administrators have little, if any, visibility or control over data delivered to the browser on the endpoint, creating significant risks to sensitive information.
BYOD Threats
The consumerization of IT is increasing at an incredible rate, which is evident from the number of iPhones, Androids and iPads readily available at people’s fingertips. The increasing availability of mobile communications not only presents opportunities, it also opens the door for a variety of security challenges.
There are many advantages to allowing employees to use their personal devices for work, including increased efficiency. By granting access to the corporate network, and therefore corporate information, via mobile devices, companies enable employees to work from anywhere, at any time. It also provides cost savings to organizations, because personal-device usage means they don’t need to provide or manage mobile devices for their employees.
However, some organizations may decide the security challenges associated with the “Bring Your Own Device” (BYOD) phenomenon far outweigh the benefits. Potential unintended consequences—such as data leakage and malware—reinforce the need to enhance the security of company data. Organizations must control the data after it is delivered to the device in order to prevent accidental or intentional loss by end users.
Users are installing a variety of applications, including games and social networking apps, on their mobile devices that can potentially be malicious and put data at risk. We’re also starting to see malware written for mobile devices, mainly for Android but also for jailbroken iPhones. With access to the corporate network through unmanaged devices, a careless or malicious employee can easily steal company trade secrets and intellectual property or leak sensitive customer information.
The smartest and safest strategy is for organizations to stop making a distinction between devices in the corporate network and devices outside of it, and instead focus on protecting their sensitive data. With BYOD, organizations need to assume that employees will connect to the corporate network to access company data from any device, at any given time, wherever they may be. As a result, organizations need to establish a strong security strategy to embrace this model in a suitable manner. This means better compartmentalizing access to sensitive information, better audit logging and log analysis, and deploying security solutions that are designed to support the BYOD strategy, such as those that can control the replication of your data.
HTTPS No Match for Today’s Complex Threats
Nearly every enterprise today has a range of security technologies, such as authentication, SSL encryption, firewalls and intrusion prevention systems, designed to protect information traveling to and from the data center. Applications are delivering sensitive data through an encrypted tunnel, but what happens upon delivery and decryption of that data at the endpoint? Web server security solutions and HTTPS offer little defense to data once it has been delivered to the endpoint, and today’s most significant exposure is at the point of transaction—the end user’s browser.
Not knowing the security state of the endpoint is a critical security gap for an organization’s website or Web application owner, because they have very little visibility into the endpoint itself. Particularly with the BYOD trend, IT professionals don’t know if antivirus software is installed or if it’s current. They can’t control the user’s choice of browser, version or the security patches and plug-ins that are installed. Worse, they can’t see if the user’s machine already contains malware such as keyloggers, frame grabbers or Trojans. Finally, they can’t see or manage stored information such as the end user’s cache, cookies, password store and browser history—all of which can be easily accessed by malware or malicious users.
Protect Your Most Sensitive Data
To protect valuable information such as intellectual property, organizations need to make data security a top priority. When it comes to sensitive information, the focus must go beyond authorized and unauthorized users to extending data protection from storage through transport to delivery on the endpoint.
Educating end users should be a top priority. Many data leaks caused by insiders are due to careless, not malicious, users. Ensure that employees understand security policies and take the proper security precautions, and secure data in the browser at the endpoint.
Users often access confidential company information via the browser. Organizations need to extend and enforce security controls to end-user Web sessions, securing the data in Web applications from any endpoint to prevent unauthorized use and replication of data.
This article originally appeared in the August 2012 issue of Security Today.