<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>CoreTrace WhiteSpace&#187; CoreTrace WhiteSpace</title>
	<atom:link href="http://www.coretraceblogs.com/tag/cyber-crime/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.coretraceblogs.com</link>
	<description>The Application Whitelisting and Security Weblog</description>
	<lastBuildDate>Fri, 27 Jan 2012 17:47:15 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.1</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Top Endpoint Security Stories for February 2011: RSA, poisoned websites &amp; (of course) cloud security&#8230;</title>
		<link>http://www.coretraceblogs.com/2011-03/top-endpoint-security-stories-for-february-2011-rsa-poisoned-websites-of-course-cloud-security/</link>
		<comments>http://www.coretraceblogs.com/2011-03/top-endpoint-security-stories-for-february-2011-rsa-poisoned-websites-of-course-cloud-security/#comments</comments>
		<pubDate>Tue, 08 Mar 2011 16:35:31 +0000</pubDate>
		<dc:creator>JT Keating</dc:creator>
				<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[BOUNCER]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[cyber crime]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[Mac malware]]></category>
		<category><![CDATA[RSA]]></category>
		<category><![CDATA[RSA Security Conference]]></category>
		<category><![CDATA[unauthorized applications]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=2889</guid>
		<description><![CDATA[Each year, several key topics emerge from RSA that get everybody thinking. This year was no different. From next-generation cyber security to the impact the cloud could have on the industry, every security professional today is thinking about how they’re going to protect their network from evolving cyber threats, regardless of the type of attack [...]]]></description>
			<content:encoded><![CDATA[<p class="margin_bottom_2em">Each year, several key topics emerge from RSA that get everybody thinking. This year was no different. From next-generation cyber security to the impact the cloud could have on the industry, every security professional today is thinking about how they’re going to protect their network from evolving cyber threats, regardless of the type of attack or operating platform. Here are some of the top endpoint security stories for February 2011.<span id="more-2889"></span></p>
<h3>RSA a mixed blend of cyber security approaches&#8230; and the cloud</h3>
<p>This year’s RSA Security Conference covered everything from the most vicious attacks to the best ways to prevent them. Because today’s cyber criminals are highly motivated to take whatever they want, Bret Hartman, CTO of EMC’s RSA security division, said that in order to protect their networks from an array of attacks, <a href="http://www.eweek.com/c/a/Security/RSA-Conference-Advanced-Persistent-Threats-Require-New-Security-Focus-306419/" target="_blank">organizations need to develop a next-generation cyber security solution</a> that encompasses key elements around governance, risk management and compliance policies, with virtualization underlying tomorrow’s security approaches.</p>
<p>When it comes to cloud adoption, Art Coviello, executive chairman of EMC’s RSA security division, said <a href="http://www.eweek.com/c/a/Security/RSA-Chief-Coviello-Cloud-Virtualization-Will-Dramatically-Change-Security-494884/" target="_blank">meeting the demands of the cloud requires deploying more flexible, dynamic security.</a></p>
<blockquote>
<p>“Achieving this means building security into virtualized components and, by extension, distributing security throughout the cloud. Also, automation will be absolutely essential in enabling security and compliance to work at the speed and scale of the cloud. Policies, regulations, and best practices will be codified into security management systems and enforced automatically, reducing the need for intervention by IT staff–a problem that’s getting away from us today.”</p>
</blockquote>
<p class="margin_bottom_2em">Because virtualization and the cloud have the power to dramatically change security in the future, our <a href="http://www.coretrace.com/products/BOUNCER_by_CoreTrace/default.aspx" target="_blank">Bouncer application whitelisting solution</a>, which uses CoreTrace’s Software Intelligence (CSI) cloud-based service of known good and bad applications, helps organizations working in the cloud to identify and block malware and other unauthorized applications with a high level of flexible application management and control.</p>
<h3>Night Dragon attacks a threat to power grid security</h3>
<p>They get up, go to work, and come home like the rest of us. The only difference is while at work they’re hacking and social engineering oil, gas and petrochemical companies and their executives to steal highly sensitive information and intellectual property. That’s who McAfee suggests, in a report released in February, is likely behind the infamous Night Dragon operation.</p>
<p>In the article <a href="http://www.networkworld.com/news/2011/021011-night-dragon-attacks-from-china.html" target="_blank">“‘Night Dragon’ attacks from China strike energy companies,”</a> the security software vendor said there is strong evidence &#8212; from the hacking tools to the computer IP addresses &#8212; that the coordinated cyber attacks targeting energy companies could be the work of Chinese hackers, referred to in the report as “company men” who work regular 9 to 5 jobs.</p>
<p class="margin_bottom_2em">With more coordinated campaigns like Night Dragon targeting the energy industry, unsettling reports like the recent <a href="http://www.eweek.com/c/a/Security/DOE-Power-Grid-CyberSecurity-Audit-Highlights-Challenges-of-RiskBased-Security172320/" target="_blank">U.S. Department of Energy audit of power grid security</a> show there is still plenty of work to be done. The DOE found that cyber security standards that do not always mandate specific security controls, combined with a reluctance of power plants to identify their critical assets, are creating challenges for risk-based security approaches.</p>
<h3>Hackers co-opting trusted websites to launch attacks</h3>
<p>In the past, cyber criminals spent a lot of time using free domains to create fake websites that looked legitimate. As those sites became known for hosting questionable content, criminals have now begun hacking and compromising legitimate sites with outstanding security reputations and launching attacks from them.</p>
<p class="margin_bottom_2em">In its 2010 Web Security Report, released in February, Blue Coat Systems found that cyber criminals are taking the time to co-opt trusted sites to host malware and other malicious content.<br />
According to the article <a href="http://www.eweek.com/c/a/Security/CyberCriminals-CoOpting-Trusted-Sites-into-Attack-Infrastructure-Report-697865/" target="_blank">“Cyber-Criminals Co-Opting Trusted Sites into Attack Infrastructure: Report,”</a> one example of this strategy occurred last October, when a Kaspersky Lab software download page redirected visitors to a fake antivirus download. Even when a site has an excellent security reputation rating, the report warned, relying on reputation alone as a defense could leave users susceptible to attacks; the filtering decision has to consider what a page actually serves, not only who is serving it.</p>
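<p>To make the “reputation is not enough” point concrete, here is an added example that is not part of the Blue Coat report or the article above, and not CoreTrace code. It shows the kind of content check that catches a co-opted trusted page regardless of its reputation score: it parses the HTML and flags script or iframe sources that point off the site’s own domain, iframes hidden from view, and meta-refresh redirects to another host. The page content, the domain <code>example.com</code> and the host <code>update-scanner.example.net</code> are constructed for the example.</p>

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class InjectedContentScanner(HTMLParser):
    """Flag markup typical of a co-opted page: off-site script/iframe sources,
    hidden iframes and meta-refresh redirects to another host.

    site_domain is the domain the page is expected to serve itself from;
    subdomains of it are treated as on-site.
    """

    def __init__(self, site_domain: str):
        super().__init__()
        self.site_domain = site_domain.lower()
        self.findings = []  # (tag, reason, url)

    def _off_site(self, url: str) -> bool:
        host = urlparse(url.strip()).hostname
        if host is None:  # relative URL: stays on this site
            return False
        host = host.lower()
        return host != self.site_domain and not host.endswith("." + self.site_domain)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # valueless attributes arrive as None
        if tag in ("script", "iframe") and a.get("src") and self._off_site(a["src"]):
            self.findings.append((tag, "off-site src", a["src"]))
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            hidden = (a.get("width") == "0" or a.get("height") == "0"
                      or "display:none" in style or "visibility:hidden" in style)
            if hidden:
                self.findings.append((tag, "hidden iframe", a.get("src", "")))
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content has the form "0;url=http://host/path"
            _, _, target = a.get("content", "").partition(";")
            target = target.strip()
            if target.lower().startswith("url="):
                target = target[4:].strip().strip("'\"")
            if target and self._off_site(target):
                self.findings.append((tag, "meta refresh to off-site host", target))


def scan_page(site_domain: str, html: str) -> list:
    """Return every suspicious element found in html served by site_domain."""
    scanner = InjectedContentScanner(site_domain)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed download page (not a real site): legitimate on-site assets
# plus two injected elements pointing at a fake-antivirus host.
COMPROMISED_PAGE = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
<meta http-equiv="refresh" content="0;url=http://update-scanner.example.net/install">
</head><body>
<a href="/downloads/setup.exe">Download</a>
<iframe src="http://update-scanner.example.net/frame" width="0" height="0"></iframe>
</body></html>
"""

# Constructed clean page: a visible, on-site iframe is not flagged.
CLEAN_PAGE = """
<html><head><script src="/static/app.js"></script></head>
<body><iframe src="/player" width="640" height="360"></iframe></body></html>
"""


if __name__ == "__main__":
    for finding in scan_page("example.com", COMPROMISED_PAGE):
        print(finding)
```

<p>The scanner deliberately ignores the site’s reputation entirely: the same check run against a brand-new domain and a well-known vendor’s download page gives the same answer, because it keys on what the page tells the browser to load.</p>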
<h3>As Mac OS X gains market share, so does Mac malware</h3>
<p>As more and more security experts warn that cybercrime is turning away from targeting traditional Windows-based PCs and focusing on emerging platforms like tablet computers and mobile platforms, Sophos researchers have discovered a new Trojan horse online that is written exclusively for the Mac.</p>
<p>In the article, <a href="http://www.networkworld.com/news/2011/022611-hacker-writes-easy-to-use-mac.html" target="_blank">“Hacker writes easy-to-use Mac Trojan,”</a> Sophos said the BlackHole RAT (Remote Access Trojan) program, which can be found on online hacking forums, may still be in beta mode. However, if someone were to figure out how to get it installed in a Mac computer, it would give the criminals remote control of the compromised machine.</p>
<p>As Mac OS X continues to gain market share on Windows, Chet Wisniewski, a researcher with Sophos, says cyber criminals are taking note. He’s also come across another Mac Trojan, HellRTS, which is circulating on file-sharing websites for pirated Mac software. Either way you look at it, with more Mac malware popping up and enterprises scaling beyond Windows, the ability to protect all network endpoints across all major platforms is becoming essential to any endpoint security strategy.</p>
<p>I appreciate you checking in and reading our top endpoint security stories for February.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2011-03/top-endpoint-security-stories-for-february-2011-rsa-poisoned-websites-of-course-cloud-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Saying &#8220;good night&#8221; to &#8220;Night Dragon&#8221;&#8230;</title>
		<link>http://www.coretraceblogs.com/2011-02/saying-good-night-to-night-dragon/</link>
		<comments>http://www.coretraceblogs.com/2011-02/saying-good-night-to-night-dragon/#comments</comments>
		<pubDate>Thu, 10 Feb 2011 17:25:50 +0000</pubDate>
		<dc:creator>JT Keating</dc:creator>
				<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[application whitelisting]]></category>
		<category><![CDATA[BOUNCER]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[cyber crime]]></category>
		<category><![CDATA[cyber threats]]></category>
		<category><![CDATA[malware attacks]]></category>
		<category><![CDATA[Zeus Trojan]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=2813</guid>
		<description><![CDATA[While it has been in existence for years (which is another issue altogether), there is a &#8220;new&#8221; critical infrastructure attack in the news today:  &#8220;Night Dragon&#8221;. In addition to naming this new attack with a really cool name, our friends at McAfee have done an excellent job analyzing every part of the multi-pronged attack [...]]]></description>
<content:encoded><![CDATA[<p>While it has been in existence for years (which is another issue altogether), there is a &#8220;new&#8221; critical infrastructure attack in the news today:  &#8220;Night Dragon&#8221;. In addition to naming this new attack with a really cool name, our friends at McAfee have done an excellent job analyzing every part of the multi-pronged attack in a whitepaper titled <a href="http://www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf" target="_blank">“Global Energy Cyberattacks: Night Dragon”</a>.</p>
<p>Night Dragon is a fascinating attack, with all sorts of international intrigue including links to entities in China (for a great primer on purported Chinese involvement in cyberattacks, check out  <a href="http://www.threatchaos.com/home-mainmenu-1/16-blog/571-strategic-industries-should-go-on-high-alert" target="_blank">Richard Stiennon&#8217;s blog</a>). However, the multi-pronged attack is readily prevented by any good application whitelisting solution, just like Stuxnet, because the attack&#8217;s foothold and remote control depend on running programs on the victim&#8217;s servers and PCs that nobody there ever approved.<span id="more-2813"></span></p>
<p>Night Dragon relies on multiple remote-control applications running on compromised servers and PCs. Application whitelisting solutions like <a href="http://www.coretrace.com/products/BOUNCER_by_CoreTrace/default.aspx" target="_blank"> CoreTrace Bouncer </a>stop Night Dragon and Stuxnet type attacks by preventing the execution of every application that is not on the whitelist for that particular computer, including both the malicious and the legitimate remote-control applications used in these attacks. Two practical caveats follow from that. The whitelist must identify programs by a cryptographic hash of their contents rather than by file name or path, or a trojan dropped under a trusted name inherits trust it should not have. And a legitimate remote administration tool that an organization has itself approved will of course still run, so approvals should be granted per machine and only to the hosts that genuinely need them.</p>
<p>I think it is worth noting that the same week Night Dragon was unveiled, both the UK and US governments raised alerts about cyber attacks.</p>
<p>First, UK foreign secretary, William Hague, disclosed at a security conference how cyber criminals are trying to infiltrate the UK government and defense contractors. He also pointed out that the threats aren’t unique to his government.</p>
<p>In the article, <a href="http://nakedsecurity.sophos.com/2011/02/06/uk-foreign-secretary-were-under-attack/" target="_blank">“UK foreign secretary: ‘We’re under attack’,”</a> Mr. Hague said malware, social engineering and targeted phishing are gaining momentum against government organizations and businesses all over the world. He added that the attackers had infected government computers with the Zeus trojan, similar to the Zeus malware attacks seen by the U.S. Department of Homeland Security last year.</p>
<p>Second, a recent Pentagon Cyber Crime Center report that said <a href="http://www.bloomberg.com/news/2011-02-03/pentagon-s-cyber-crime-center-says-data-probes-rose-37-in-2010.html" target="_blank">computer-related crime, intrusions and data theft rose 37% in the volume of material it studied last year</a>. The U.S. Defense Department agency, which conducts forensic analysis of cyber crimes involving military personnel, said it processed 372 terabytes of customer data last year, a 100 terabyte increase (37% jump) over 2009.</p>
<p>Once again, most of the attacks would have been thwarted by simply stopping the execution of unauthorized applications, no matter how they entered the system.</p>
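<p>As an added illustration of the whitelisting mechanism described above, here is a minimal hash-based execution check in Python. It is example code, not CoreTrace&#8217;s and not how Bouncer is implemented, and the &#8220;binaries&#8221;, file names and approval descriptions are constructed stand-ins. It shows why the list must key on the content of a file rather than its name or location: an approved program runs from wherever it is copied, a remote-control tool dropped under a trusted file name is still unknown content and is denied, and a single flipped bit in an approved binary changes its hash and is denied as well. Every denial is logged, which is the record an analyst wants when asking how something &#8220;entered the system&#8221;.</p>

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class Whitelist:
    """Per-machine allow list keyed by SHA-256 of file contents.

    Trust is attached to the bytes, never to the file name or path, so a
    renamed, replaced or patched binary does not inherit the approval of
    the original.
    """
    allowed: dict = field(default_factory=dict)   # sha256 hex -> description
    denied: list = field(default_factory=list)    # (path, sha256 hex) of blocked launches

    @staticmethod
    def fingerprint(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()

    def approve(self, data: bytes, description: str) -> str:
        digest = self.fingerprint(data)
        self.allowed[digest] = description
        return digest

    def may_execute(self, path: str, data: bytes) -> bool:
        """Default deny: anything not explicitly approved is blocked and logged."""
        digest = self.fingerprint(data)
        if digest in self.allowed:
            return True
        self.denied.append((path, digest))
        return False


# Constructed stand-ins for executables (not real binaries).
APPROVED_TOOL = b"MZ\x90\x00" + b"approved-admin-tool-v1"
REMOTE_ACCESS_TROJAN = b"MZ\x90\x00" + b"unapproved-remote-control"


def scenario() -> dict:
    """Return the allow/deny decision for each launch attempt in the scenario."""
    wl = Whitelist()
    wl.approve(APPROVED_TOOL, "admin tool approved for this host")

    tampered = bytearray(APPROVED_TOOL)
    tampered[-1] ^= 0x01  # one flipped bit in an otherwise approved binary

    return {
        # approved content is allowed regardless of where it sits
        "approved_in_place": wl.may_execute(r"C:\Tools\admin.exe", APPROVED_TOOL),
        "approved_moved": wl.may_execute(r"C:\Temp\copy.exe", APPROVED_TOOL),
        # a RAT dropped under a trusted-looking name is still unknown content
        "rat_as_svchost": wl.may_execute(r"C:\Windows\svchost.exe", REMOTE_ACCESS_TROJAN),
        # a modified copy of an approved tool hashes differently
        "tampered_tool": wl.may_execute(r"C:\Tools\admin.exe", bytes(tampered)),
        "denied_count": len(wl.denied),
    }


if __name__ == "__main__":
    for name, decision in scenario().items():
        print(f"{name}: {decision}")
```

<p>The approval step is the policy decision the caveat above is about: whatever is passed to <code>approve</code> on a given host will run there, so a legitimate remote administration tool should only be approved on the machines that actually need it.</p>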
<p>Anyone else notice more than a few themes repeating themselves???</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2011-02/saying-good-night-to-night-dragon/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Top endpoint security stories for July 2010 &#8212; Targeted attacks heat up in July, broaden scope of intended corporate victims</title>
		<link>http://www.coretraceblogs.com/2010-08/top-endpoint-security-stories-for-july-2010-targeted-attacks-heat-up-in-july-broaden-scope-of-intended-corporate-victims/</link>
		<comments>http://www.coretraceblogs.com/2010-08/top-endpoint-security-stories-for-july-2010-targeted-attacks-heat-up-in-july-broaden-scope-of-intended-corporate-victims/#comments</comments>
		<pubDate>Wed, 04 Aug 2010 17:55:03 +0000</pubDate>
		<dc:creator>Toney Jennings</dc:creator>
				<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[critical national infrastructure]]></category>
		<category><![CDATA[cyber crime]]></category>
		<category><![CDATA[defense in depth]]></category>
		<category><![CDATA[SCADA systems]]></category>
		<category><![CDATA[stuxnet]]></category>
		<category><![CDATA[targeted attacks]]></category>
		<category><![CDATA[targeted malware]]></category>
		<category><![CDATA[zero-day vulnerability]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=1971</guid>
		<description><![CDATA[If targeted cyber attacks weren&#8217;t already one of the year&#8217;s top security concerns, a new study revealed that they&#8217;re no longer limiting their focus on the corporate giants of the world. They’re becoming the norm for midsized businesses, as well. This was just one of several recent reports and newly surfaced malware like the Stuxnet [...]]]></description>
			<content:encoded><![CDATA[<p class="margin_bottom_2em">If targeted cyber attacks weren&#8217;t already one of the year&#8217;s top security concerns, a new study revealed that they&#8217;re no longer limiting their focus on the corporate giants of the world. They’re becoming the norm for midsized businesses, as well. This was just one of several recent reports and newly surfaced malware like the Stuxnet worm that have security professionals on high alert. With more stealthier attacks aimed at beating forensic efforts, cyber crime continues to have a growing impact on organizations and their bottom line. Here are some of the top security stories from July 2010.<span id="more-1971"></span></p>
<h3>Targeted malware attacks are the new norm, not the exception</h3>
<p>Stealthier, targeted cyber attacks aren’t exclusively going after high-tech giants anymore. Research presented at last month’s Black Hat Conference said <a href="http://www.infoworld.com/t/hacking/targeted-malware-attacks-the-new-normal-159" target="_blank">advanced persistent attacks that have hit defense agencies and high-profile corporations like Google are also becoming the norm with medium-sized businesses.</a></p>
<p>In two separately analyzed attacks, researchers Nicolas Percoco and Jibran Ilyas of Trustwave&#8217;s SpiderLabs research group said the malware did not discriminate by the size of the organization. The primary goal of the attack was to avoid detection and maintain a presence on the intended networks.</p>
<blockquote>
<p>&#8220;Targeted malware is the norm, not the exception,&#8221; said Percoco.</p>
</blockquote>
<p class="margin_bottom_2em">Research has found that advancements in malware and anti-forensic features allow remote attackers to stay on their victims&#8217; networks an average 156 days before they are detected. By avoiding detection, more persistent threats enable hackers to dive deeper into a mission-critical applications to steal valuable intellectual property or sensitive financial data they can resell on the black market.</p>
<h3>Cyber crime costs businesses each $3.8 million per year</h3>
<p><a href="http://www.infoworld.com/d/security-central/cybercrime-costs-businesses-each-38-million-year-732" target="_blank">A new report by the Ponemon Institute on the cost of cyber crime</a> revealed that midsized and large U.S. organizations from different industries and government agencies are each paying $3.8 million per year to fight weekly cyber attacks, malicious code and rogue insiders. The annual cost, which represents the direct cost of dealing with the attacks (not the antivirus software used to protect their networks), was derived from varying business reports that ranged between $1 million to a whopping $52 million per year.</p>
<p>The study also found it took, on average, 14 days for an organization to respond to a successful cyber attack, which cost businesses $17,696 per day. According to the report, defense, energy and financial services companies experienced higher costs than organizations in retail, services and education.</p>
<p>No matter if you’re working in the public or private sector, Larry Ponemon, director of the Ponemon Institute, said the study shows the impact cyber crime continues to have on businesses and their bottom line.</p>
<blockquote class="margin_bottom_2em">
<p>&#8220;The eye-popping thing we found is a lot of organizations are very disorganized in even understanding the environments they&#8217;re dealing with.&#8221;</p>
</blockquote>
<h3>Study finds SCADA systems security &#8220;like a ticking time bomb&#8221;</h3>
<p>While organizations that run SCADA systems claim their networks are secure because they&#8217;re not connected to the Internet, findings from an extensive nine-year analysis of more than 120 security assessments of systems that manage power plants, oil refineries, and other critical national infrastructure found the opposite to be true.</p>
<p>The study, conducted by Jonathan Pollet, founder and principal consultant of Red Tiger Security, <a href="http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1517544,00.html" target="_blank">found that critical infrastructure facilities across the U.S. have been operating with tens of thousands of security vulnerabilities, outdated operating systems, and unauthorized applications.</a> According to the report, facilities unknowingly had computers crucial to their operations running everything from Windows 95 to unauthorized software such as peer-to-peer applications, games and pornography, all of which contained major vulnerabilities.</p>
<blockquote>
<p>&#8220;It&#8217;s kind of like a ticking time bomb. I&#8217;m hoping the message that we&#8217;re giving here can open a few eyes.&#8221;</p>
</blockquote>
<p>While most systems contained common errors and were vulnerable to SQL injection, cross-site scripting and denial-of-service attacks, Pollet found that deploying a patch could take up to a year on systems that couldn’t be taken offline or were too important to risk patching because it would disrupt a critical process.</p>
<p class="margin_bottom_2em">Unfortunately, system vulnerabilities like these are exactly what attackers write malicious code around. Take, for example, <a href="http://siblog.mcafee.com/critical_infrastructure/stuxnet-a-view-from-an-energy-perspective/" target="_blank">the newly surfaced Stuxnet malware, which targets utility companies and exploits a zero-day vulnerability in Windows to reach the Siemens WinCC SCADA system database.</a> Advance knowledge of system flaws is the key to creating worms that target control systems. You can bet the energy sector is keeping a close eye on this one, and doing everything it can to work with NERC, the U.S. Department of Energy, and others to develop strategies to protect its critical infrastructure.</p>
<h3>Are cyber spies already in your system?</h3>
<p>It may sound a little far-fetched, but some <a href="http://www.infoworld.com/d/security-central/the-quiet-threat-cyber-spies-are-already-in-your-systems-404" target="_blank">security experts believe that an increasing number of organizations are under surveillance by foreign spybots</a> that are spying on U.S. businesses to gain competitive advantages or exploit weaknesses in their systems. While it&#8217;s difficult for researchers to pin down the magnitude of these insidious threats, they&#8217;re enough to put security professionals on high alert. Mark Lobel, advisory principal at PricewaterhouseCoopers, said the quiet nature of electronic cyber espionage can be deceiving, particularly when it goes undetected by the usual security tools.</p>
<blockquote>
<p>&#8220;Because the whole point is for the espionage to be stealthy, there is truly no way to know the size and scope of the issue. In conversations with people in the industry, they are confident that it is a larger problem than most people recognize or understand.&#8221;</p>
</blockquote>
<p>Gartner VP of research for computer security, Neil MacDonald, takes it one step further by maintaining that as many as 75% of enterprises have been or are being infected with undetected, financially driven, targeted attacks that evaded their traditional perimeter and host defenses.</p>
<p>While there&#8217;s no way to completely protect an organization against increasingly sophisticated attacks, one security strategy that many experts agree can reduce the impact of such attacks is to practice defense in depth. While most companies remain blissfully unaware of electronic surveillance, MacDonald added that denial never works. Taking false comfort in antivirus software and network scans that show zero infections doesn’t mean that a system hasn’t already been compromised.</p>
<p>Thanks for reading this monthly recap of some of the top stories within our space. Please feel free to provide feedback on any of these important topics.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2010-08/top-endpoint-security-stories-for-july-2010-targeted-attacks-heat-up-in-july-broaden-scope-of-intended-corporate-victims/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>U.S. proactive cybersecurity measures lack proactive solutions</title>
		<link>http://www.coretraceblogs.com/2010-06/u-s-proactive-cybersecurity-measures-lack-proactive-solutions/</link>
		<comments>http://www.coretraceblogs.com/2010-06/u-s-proactive-cybersecurity-measures-lack-proactive-solutions/#comments</comments>
		<pubDate>Wed, 30 Jun 2010 13:14:06 +0000</pubDate>
		<dc:creator>Toney Jennings</dc:creator>
				<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[APT]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[cyber attacks]]></category>
		<category><![CDATA[cyber crime]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[malware threats]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=1855</guid>
		<description><![CDATA[One of the hottest topics in cyberspace is the &#8220;Protect Cyberspace as a National Asset Act&#8221; (PCNAA), a bill the U.S. Senate is considering that would help strengthen the mechanisms by which government and private industry protect the safety and security of the Internet. According to the article, &#8220;Plan cyberwar defenses now, before any attacks [...]]]></description>
			<content:encoded><![CDATA[<p>One of the hottest topics in cyberspace is the &#8220;Protect Cyberspace as a National Asset Act&#8221; (PCNAA), a bill the U.S. Senate is considering that would help strengthen the mechanisms by which government and private industry protect the safety and security of the Internet. According to the article, <a href="http://www.boston.com/bostonglobe/editorial_opinion/editorials/articles/2010/06/28/plan_cyberwar_defenses_now_before_any_attacks_succeed/" target="_blank">&#8220;Plan cyberwar defenses now, before any attacks succeed,&#8221;</a> the flaws in America&#8217;s counterterrorism strategy continue to leave our cyber-communications network vulnerable to attacks aimed at breaching our personal privacy, stealing our secrets, and even physically harming us.</p>
<p>While it is good news that Congress is taking proactive steps before things explode, their solution to consolidate power within the government to legally monitor and respond to cyber threats as they occur is no way to get on top of the actual problem. Instead of proactively addressing the situation with a reactive set of solutions, they need to carry these measures through with proactive solutions that prevent the situations in the first place.<span id="more-1855"></span></p>
<p>As I mentioned in a previous blog about <a href="http://www.coretraceblogs.com/2010-06/researcher-suggests-hackers-have-already-infiltrated-critical-infrastructures/">malware that is already resident in a system but is waiting for the opportune time to launch</a>, no matter where these attacks come from, and no matter which APTs are involved, the vast majority of attacks have to do with malware in some way, shape, or form running on local machines. Even if organizations have taken adequate steps to protect their private networks, they need to make sure the solutions they put in place prevent any malware from executing, no matter how it enters the system. Plans that deal with attacks after the fact will continue to keep the bad guys one step ahead and in charge.</p>
<p>It&#8217;s almost become a cliché to say we need to be more proactive, not reactive, in the fight against cyber crime. Unfortunately, this simple message needs to be reinforced because too many companies and organizations continue to operate with a reactive mindset. If we expect to successfully protect our networks from the thousands of new cyber threats, public and private sector organizations need to follow up their proactive security talk with real proactive solutions.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2010-06/u-s-proactive-cybersecurity-measures-lack-proactive-solutions/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Custom malware is the foundation of today&#8217;s targeted cyber attacks&#8230; Just ask the Treasury!</title>
		<link>http://www.coretraceblogs.com/2010-05/custom-malware-is-the-foundation-of-todays-targeted-cyber-attacks/</link>
		<comments>http://www.coretraceblogs.com/2010-05/custom-malware-is-the-foundation-of-todays-targeted-cyber-attacks/#comments</comments>
		<pubDate>Wed, 12 May 2010 16:47:08 +0000</pubDate>
		<dc:creator>Toney Jennings</dc:creator>
				<category><![CDATA[blacklisting]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[cyber crime]]></category>
		<category><![CDATA[cyber criminals]]></category>
		<category><![CDATA[malicious code]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[targeted attacks]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=1660</guid>
<description><![CDATA[Cyber crime has evolved from mass attacks intended to wreak havoc and steal as much data as possible to highly targeted attacks looking for specific information from an organization. Custom malware, designed to bypass legacy endpoint security, forms the foundation of these attacks. As a result, these calculated attacks are becoming more dangerous for the [...]]]></description>
			<content:encoded><![CDATA[<p>Cyber crime has evolved from mass attacks intended to wreak havoc and steal as much data as possible to highly targeted attacks looking for specific information from an organization. Custom malware, designed to bypass legacy endpoint security, forms the foundation of these attacks. As a result, these calculated attacks are becoming more dangerous for the businesses and government entities hackers are targeting.<span id="more-1660"></span></p>
<p>Further evidence of these targeted attacks surfaced last week when <a href="http://www.infoworld.com/d/security-central/us-treasury-web-sites-hacked-serving-malware-624">three websites belonging to the U.S. Department of the Treasury were hacked and serving malicious software</a>. The malicious code redirected site visitors to a website in Ukraine that launched a variety of Web-based attacks.</p>
<p>In the article, <a href="http://www.networkworld.com/newsletters/techexec/2010/051010bestpractices.html?hpg1=bn">&#8220;Modern hack attacks are developing a laser focus,&#8221;</a> it highlights that cyber criminals have shifted to more information-centric attacks to obtain data with the highest possible value. The article broke down the four stages of a modern day targeted attack:</p>
<blockquote>
<p><strong>Stage 1: Incursion</strong> &#8212; Today, hackers leverage social engineering techniques to get the malware onto the endpoint. This approach is very targeted, often with a cyber thief using social media such as Facebook to gather information about a prospective target. The attack is designed to lure the victim to trust the email message or attachment with a unique malware-infected payload. <strong>Often these attacks and the malware are unique to the specific person and their organization</strong>, allowing the thief to find and steal important information that can be monetized, such as intellectual property or payment card data.</p>
<p><strong>Stage 2: Discovery</strong> &#8212; This phase often uses unique malware that is spawned by the initial entry malware to scan and discover the desired information within the network. The incursion and discovery phases are very discreet. The malware hides inside the network inspecting and searching looking for specific targeted information. Once the hackers find what they want, the data extraction happens very quickly.</p>
<p><strong>Stage 3: Capture and Stage 4: Exfiltration</strong> &#8212; Once the hacker finds what they are looking for, the data capture and exfiltration stages are fast and noisy. This is typically the first time most organizations realize they&#8217;ve been breached. By the time the organization detects the breach, analyzes the situation, develops a solution and takes action, the data is long gone and the damage is already done.</p>
</blockquote>
<p>As the article points out, the way most enterprises protect their private data today leaves many openings for hackers to exploit and hide their malware.</p>
<blockquote>
<p><strong>1. Compliance</strong> &#8212; Most organizations have difficulty consistently enforcing IT policies. Over time, configurations and changes to the same servers and endpoints &#8212; combined with patches not being applied in a timely fashion &#8212; allow malware to burrow and gather information without being detected by antivirus and traditional security tools.</p>
<p><strong>2. Protecting information</strong> &#8212; While most organizations know where their critical information is primarily stored, sensitive data is often copied by employees and stored in places that may not be secure. Cyber criminals know this, which is why their malware spends so much time in the discovery stage. In many cases, breach investigation teams learn that data that was compromised was simply a copy of production data stored in unsecure locations.</p>
<p><strong>3. Systems management</strong> &#8212; Organizations simply don&#8217;t know everything that lives on the network. Many times there are unknown systems attached to the network, and if an IT team doesn&#8217;t know about them, they can&#8217;t manage them. Gaps in patch management are a big contributor in breaches when malware exploits known vulnerabilities that have not been patched in a timely manner.</p>
<p><strong>4. Infrastructure security</strong> &#8212; While most organizations have security in place, their growing and diverse infrastructure creates a lack of visibility across their entire environment. It becomes impossible to understand what is going on at any point in time.</p>
</blockquote>
<p>What this all comes down to is that modern targeted attacks don&#8217;t lend themselves to today&#8217;s security solutions. Attacks and the malware they utilize are often unique to the targeted organization and will not be prevented by any traditional blacklisting endpoint security solution such as antivirus. As cyber crime evolves, so should the tactics used to stop it. On Thursday, I&#8217;ll explore strategies for combating these modern threats and how organizations can regain control over their sensitive data.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2010-05/custom-malware-is-the-foundation-of-todays-targeted-cyber-attacks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

