Top endpoint security stories for May 2010 — May Day turns into a distress signal for cybersecurity industry

CoreTrace WhiteSpace

The Application Whitelisting and Security Weblog


Laser-focused attacks, new exploits, and ongoing security woes continue to leave many organizations in disarray about how to defend their networks against highly targeted cyber-attacks. Even the government, which has taken a hard stance on protecting our digital infrastructure, has been slow to move. Here were some of the top security stories from May 2010.

New exploit resists Windows security

After months of dealing with malfunctioning security updates, Windows users once again found themselves vulnerable to a new tactic that bypasses the protection of most antivirus software, leaving common Windows security software open to more attacks. The recently published technique could exploit the kernel driver hooks that most security software uses to reroute Windows system calls through its own code, so it can check for potentially malicious activity before that code is able to execute.

And the bugs keep coming for other technology leaders. After McAfee’s faulty security update led to thousands of Windows PC failures in April, Mozilla had to immediately deal with a major flaw in its Firefox 3.6.2 Web browser release. The security problem, which could potentially allow remote attackers to run commands of their choice, was addressed a week later with the release of Firefox 3.6.3.

Modern hack attacks developing a laser focus

At Symantec’s annual user conference, the company’s leading technologists said there has been a shift in the intent of cyber-attacks on both business and government entities. Hacking attempts have progressed from mass attacks looking to wreak havoc and steal as much data as they could, to highly targeted attacks looking for specific data from a specific organization. The challenge is to increase visibility into all of the network and supporting activities while at the same time reducing the time from breach detection to mitigation, with the emphasis on risk management and mitigation.

A prime example of these targeted attacks occurred when the U.S. Department of the Treasury revealed that three Web domains associated with the U.S. Bureau of Engraving and Printing had been hacked to attack visitors with malicious software. The hackers targeted a handful of known bugs to redirect site visitors to a Web site in Ukraine that had previously been associated with similar attacks. Despite knowledge of the attacks, the sites continued to actively serve malicious software until the domains were cleaned up.

National strategy is light on cybersecurity details

Despite President Obama’s declaration last year to make cybersecurity a top priority, the U.S. government has made little progress toward securing our nation’s digital infrastructure from cyber-attacks, criminal cyber-espionage and theft. While the National Security Strategy the White House released last week emphasized the importance of government, industry and international partners working together to establish standards for combating cyber threats, James Lewis, director of the technology and public policy program at the Center for Strategic and International Studies, said the plan for defending cyberspace lacks substance:

“It says partnership, people, research, but it could have just as well said faith, hope and charity. [I see] nothing new in this, and no path forward.”

While many are encouraged that the administration has acknowledged the need to pursue new strategies to protect networks from cyber-attacks, it’s not enough. If we are going to make progress toward building a safer digital infrastructure, the government needs to take a leadership role in laying out a roadmap to address cybersecurity, and then act on it.

DoD mulls protecting key private IT systems

The Pentagon raised the possibility of the Defense Department becoming engaged in safeguarding nationally critical IT systems run by business. Deputy Defense Secretary William Lynn III said the DoD is considering using the Einstein 2 intrusion detection and Einstein 3 intrusion prevention systems developed by the Department of Homeland Security to help secure critical systems, such as finance and utility operations, run by the private sector. A secure architecture that lets private parties opt in to the protections afforded by active defenses could offer an important gateway to ensuring our nation’s critical infrastructure is protected from cyber-attacks.

But for now, Homeland Security is hesitant to endorse such a program. In an email message, a DHS official said:

“DHS and DoD are working together to secure our respective portions of government networks, and we are relying on private sector and government technical expertise to address those requirements. We expect that experience will provide valuable lessons on ways in which critical infrastructure can be protected.”

In the meantime, to reduce the time needed to deploy IT security systems and to increase the use of sophisticated technology tools in defending its own systems, Lynn said the DoD must rely on incremental development and testing, and make use of established standards and open, modular platforms.

As always, thanks for reading this blog. Please feel free to provide any comments or feedback on these industry-related topics.
