<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>CoreTrace WhiteSpace</title>
	<atom:link href="http://www.coretraceblogs.com/tag/targeted-cyberattacks/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.coretraceblogs.com</link>
	<description>The Application Whitelisting and Security Weblog</description>
	<lastBuildDate>Fri, 27 Jan 2012 17:47:15 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.1</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Top Endpoint Security Stories for June 2011: Malware developers show just how efficient they’ve become</title>
		<link>http://www.coretraceblogs.com/2011-07/top-endpoint-security-stories-for-june-2011-malware-developers-show-just-how-efficient-they%e2%80%99ve-become/</link>
		<comments>http://www.coretraceblogs.com/2011-07/top-endpoint-security-stories-for-june-2011-malware-developers-show-just-how-efficient-they%e2%80%99ve-become/#comments</comments>
		<pubDate>Tue, 05 Jul 2011 16:07:02 +0000</pubDate>
		<dc:creator>JT Keating</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[application whitelisting]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[cyber criminals]]></category>
		<category><![CDATA[malware attacks]]></category>
		<category><![CDATA[modern malware]]></category>
		<category><![CDATA[targeted cyberattacks]]></category>
		<category><![CDATA[whitelists]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=3305</guid>
		<description><![CDATA[We’ve always known how tenacious hackers are, working around the clock to infiltrate corporate networks. In June, we found out just how efficient they are. Mutating malware that bypasses security updates within hours and unconventional cyber attacks on seemingly secure networks have prompted the need for stronger endpoint defenses. For many, whitelisting is the answer. [...]]]></description>
			<content:encoded><![CDATA[<p>We’ve always known how tenacious hackers are, working around the clock to infiltrate corporate networks. In June, we found out just how efficient they are. Mutating malware that bypasses security updates within hours and unconventional cyber attacks on seemingly secure networks have prompted the need for stronger endpoint defenses. For many, whitelisting is the answer. Here are some of the top endpoint security stories for June 2011.<span id="more-3305"></span></p>
<h3>Hackers move quickly to evade the latest security updates</h3>
<p>In June, we saw two examples of how quickly cyber criminals adapt to change. Security updates for both Macs and Windows held attackers back only briefly: within hours in one case and days in the other, they had produced new variants or working exploits and were back in business against the very issues the updates were meant to close.</p>
<p>According to the article, <a href="http://reviews.cnet.com/8301-13727_7-20067942-263.html">“Apple’s malware detection update circumvented in 8 hours,”</a> malware developers were able to rewrite code overnight to evade the latest Mac updates. In another incident, <a href="http://www.infoworld.com/d/security/hackers-move-fast-exploit-just-patched-ie-bug-586">“Hackers move fast to exploit just-patched IE bug,”</a> just three days after Microsoft patched 11 bugs in Internet Explorer, cyber criminals were exploiting one of the patched vulnerabilities.</p>
<p>With hackers working non-stop to develop new malware and malware variants that can bypass even the most recent updates and signatures, organizations need a control that does not depend on a band-aid over a known vulnerability that criminals can peel off hours later. Application whitelisting works differently: it allows only approved executables to run and blocks everything else, so a new variant is stopped whether or not a signature or patch for it exists yet.</p>
<h3>Poor user updating practices creating unclosed security holes</h3>
<p>While security patches have their own challenges keeping cyber criminals from returning to exploit known vulnerabilities (see above), a recent study by G Data SecurityLabs found that users certainly aren’t helping (which is not a surprise to any InfoSec pro).</p>
<p>According to the article, <a href="http://www.prlog.org/11533824-malware-authors-relying-on-poor-user-updating-practices.html">“Malware Authors Relying on Poor User Updating Practices,”</a> cyber criminals are taking advantage of users’ negligence in installing the latest security updates. As a result, attackers are targeting both current and older unclosed security holes, said Ralf Benzmüller, head of G Data SecurityLabs.</p>
<blockquote><p>
<em>“Even though an enormous number of program updates are being provided, users should not be fooled into deactivating automatic update functions. Not only does this apply to Java, but it should also apply in general to all browser plug-ins used and all applications installed on the PC.”</em></p></blockquote>
<h3>Whitelisting a top strategy for combating modern malware attacks</h3>
<p>As cyber criminals exploit any vulnerability they can to infect corporate networks, implementing security strategies that stop targeted attacks that quietly steal sensitive data is critical for combating modern day cyber threats.</p>
<p>The article, <a href="http://computersecurity.info-nex.com/top-five-strategies-for-combating-modern-computer-security-threats/">“Top five strategies for combating modern computer security threats,”</a> outlines some techniques for keeping unauthorized and malicious software from exploiting a user’s laptop or desktop computer. One of the recommended solutions is application whitelisting.</p>
<p>There are valid concerns around whitelisting: memory exploits, which run inside an already-approved process and never drop a new executable for the whitelist to block, and dynamic environments where software changes often and every update means a manifest change. Both are where user and IT productivity can suffer. Advancements in leading whitelisting solutions have addressed these issues to provide Total Application Control (TAC) that allows organizations to proactively defend their network endpoints from modern malware attacks.</p>
<h3>A key goal of today&#8217;s cyber attacks: Establishing a &#8220;persistent point of presence&#8221;</h3>
<p>Today’s cyber criminal is not your stereotypical crook who breaks in, steals the loot, and gets out as fast as he can. According to Gartner analyst John Pescatore, the goal behind many of today’s attacks is to surreptitiously establish a persistent point of presence inside a network and use that to snoop on and steal information.</p>
<blockquote><p>
<em>&#8220;A common thread through many damaging incidents is targeted executables getting installed on critical servers or high value employee PCs.&#8221;</em></p></blockquote>
<p>As the article <a href="http://www.infoworld.com/d/security/attacks-imf-lockheed-others-highlight-need-defenses-against-targeted-attacks-087">“Attacks on IMF, Lockheed and others highlight need for defenses against targeted attacks”</a> reports, a recent rash of successful cyber attacks against supposedly secure organizations has prompted the need for enterprises to deploy stronger defenses against highly targeted and persistent threats. Using whitelisting products alongside AV tools to automatically block any unapproved application from running on a system is one way to defend endpoints against the custom Trojans seen in many recent attacks: a Trojan built for one victim will never appear on a signature list, but it is still an unapproved executable.</p>
<p>Thanks for reading this month’s recap on some of the security industry’s biggest stories. I encourage you to regularly stop by to read our blog. Your thoughts on these important stories are always welcome.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2011-07/top-endpoint-security-stories-for-june-2011-malware-developers-show-just-how-efficient-they%e2%80%99ve-become/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>In 2009, Symantec stopped 100 attacks per second&#8230; wonder how many were missed?</title>
		<link>http://www.coretraceblogs.com/2010-04/in-2009-symantec-stopped-100-attacks-per-second-wonder-how-many-were-missed/</link>
		<comments>http://www.coretraceblogs.com/2010-04/in-2009-symantec-stopped-100-attacks-per-second-wonder-how-many-were-missed/#comments</comments>
		<pubDate>Wed, 21 Apr 2010 19:29:26 +0000</pubDate>
		<dc:creator>Toney Jennings</dc:creator>
				<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[Conficker]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[Symantec]]></category>
		<category><![CDATA[targeted cyberattacks]]></category>
		<category><![CDATA[Zeus botnet]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=1593</guid>
		<description><![CDATA[If you haven&#8217;t already come across Symantec&#8217;s new Internet Security Threat Report (ISTR), ponder this &#8212; in 2009, the world&#8217;s largest security software maker blocked an average of 100 potential attacks per second. In the article, &#8220;Cybercrime&#8217;s Financial and Geographic Growth Shows No Slowdown during the Global Economic Crisis,&#8221; last year hackers were more active [...]]]></description>
			<content:encoded><![CDATA[<p>If you haven&#8217;t already come across Symantec&#8217;s new Internet Security Threat Report (ISTR), ponder this &#8212; in 2009, the world&#8217;s largest security software maker blocked an average of 100 potential attacks per second. The article <a href="http://www.symantec.com/about/news/release/article.jsp?prid=20100419_02">&#8220;Cybercrime&#8217;s Financial and Geographic Growth Shows No Slowdown during the Global Economic Crisis&#8221;</a> reports that last year hackers were more active than ever. According to Stephen Trilling, senior VP of Symantec&#8217;s Security Technology and Response Division, the continuing growth of more sophisticated cyber threats has become an international problem that we can no longer afford to ignore.<span id="more-1593"></span></p>
<blockquote>
<p>&#8220;Attacks have evolved from simple scams to highly sophisticated espionage campaigns targeting some of the world’s largest corporations and government entities. The scale of these attacks and the fact that they originate from across the world, makes this a truly international problem requiring the cooperation of both the private sector and world governments.&#8221;</p>
</blockquote>
<p>The report highlighted the year&#8217;s two biggest cyber attacks &#8212; Conficker and Hydraq &#8212; which continue to wreak havoc on enterprises across the globe well into 2010. The report also pointed out other trends that both the private and public sectors should be aware of, including:</p>
<ul>
<li class="margin_bottom_1em"><strong>More targeted threats on corporate enterprises:</strong> <br />Given the potential for monetary gain from compromised corporate intellectual property, the report found that cybercriminals are using personal information from social networking sites to build socially engineered attacks on key individuals within targeted organizations. The tricky thing about defending an enterprise from targeted attacks is that these threats may never be on a blacklist because they are not widespread; a signature is only written for something the vendor has already seen. This is where application whitelisting fits right in: it blocks any unauthorized application from executing on the system, whether or not anyone has seen it before.</li>
<li class="margin_bottom_1em"><strong>Malware toolkits:</strong> <br />Cybercrime toolkits such as the Zeus botnet are making it easier for hackers with varying skill sets to create customized malware to compromise computers and steal information. This is also playing a large part in the growing number of hackers who are creating millions of new malicious code variants in an effort to evade detection by antivirus security software. In order to better protect our networks from evolving malware writers, anti-malware defenses need to evolve, too.</li>
<li class="margin_bottom_1em"><strong>Unabated web-based attacks:</strong> <br />Cybercriminals are using social engineering techniques to trick unsuspecting users into visiting malicious websites. Once there, these websites attack the victim’s Web browser and the vulnerable plug-ins that are normally used to view video or document files. Since organizations realistically can’t control what websites people visit or what they download, the key is to stop the payload, not the user.</li>
<li><strong>Applying patches continues to be a challenge:</strong> <br />The report also found that maintaining a secure, patched system is becoming more challenging than ever. Moreover, many users are failing to patch old vulnerabilities despite having the fixes to do so. The sheer volume of new patches and the time and resources it takes to make security updates is making it nearly impossible to protect a network from every new malware variant out there. As I mentioned in previous posts, the key is to stop the payload in the first place, even if you can’t stop the vulnerability in time.</li>
</ul>
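<p>As an added illustration (example code written for this page, not code from the original post or from CoreTrace), the following Python sketch contrasts the two models behind the “targeted threats” and “stop the payload” points above, and behind the June 2011 recap’s point that a new variant is blocked whether or not a signature exists yet: a signature blacklist that only stops what it has already seen, versus a hash-based allow-list that permits only IT-approved executables and denies everything else. The sample “binaries”, the known-bad signature, the mutated variant and the approved manifest are all constructed inline for the demonstration.</p>

```python
"""Hash-based application allow-list versus a signature blacklist.

Added example for illustration; not CoreTrace/BOUNCER code. All sample
"executables" below are constructed byte strings standing in for real files.
"""
import hashlib

# Constructed stand-ins for the executables IT has approved on an endpoint.
APPROVED_BINARIES = {
    "notepad.exe": b"MZ\x90\x00 notepad build 6.1.7600",
    "excel.exe": b"MZ\x90\x00 excel build 14.0",
}

# Constructed stand-in for a dropper the AV vendor has already seen and
# written a signature for (the blacklist entry below is its hash).
KNOWN_MALWARE = b"MZ\x90\x00 dropper v1 connect-back 203.0.113.7"

# The "overnight rewrite": same behaviour, a trivial change to the bytes,
# so the known-bad hash no longer matches.
MUTATED_MALWARE = KNOWN_MALWARE.replace(b"v1", b"v2")

# What an approved program looks like after a vendor patch: the bytes change,
# so its old hash no longer matches the manifest either.
PATCHED_NOTEPAD = APPROVED_BINARIES["notepad.exe"].replace(b"7600", b"7601")


def sha256(data: bytes) -> str:
    """Content hash used as the identity of an executable."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(binaries: dict) -> set:
    """Allow-list manifest: the hash of every approved executable."""
    return {sha256(content) for content in binaries.values()}


ALLOW_LIST = build_manifest(APPROVED_BINARIES)
BLACKLIST = {sha256(KNOWN_MALWARE)}  # AV-style list of known-bad hashes


def blacklist_allows(data: bytes, blacklist: set = BLACKLIST) -> bool:
    """Blacklist model: run unless the file matches a known-bad signature.
    Anything not yet seen (a new variant, a one-off Trojan) is allowed."""
    return sha256(data) not in blacklist


def allowlist_allows(data: bytes, allow_list: set = ALLOW_LIST) -> bool:
    """Allow-list model: run only if the file matches an approved hash.
    Anything not explicitly approved, seen before or not, is blocked."""
    return sha256(data) in allow_list


def decide(data: bytes) -> dict:
    """Return the verdict each model gives for one executable."""
    return {
        "blacklist": blacklist_allows(data),
        "allowlist": allowlist_allows(data),
    }


def approve(allow_list: set, data: bytes) -> set:
    """Operational cost of the allow-list: after a patch, IT must add the new
    hash or the patched application is blocked. Returns the updated manifest."""
    return allow_list | {sha256(data)}


if __name__ == "__main__":
    for label, sample in [
        ("approved notepad", APPROVED_BINARIES["notepad.exe"]),
        ("known dropper", KNOWN_MALWARE),
        ("mutated dropper", MUTATED_MALWARE),
        ("patched notepad (manifest not updated)", PATCHED_NOTEPAD),
    ]:
        print(f"{label:42s} {decide(sample)}")
    updated = approve(ALLOW_LIST, PATCHED_NOTEPAD)
    print("patched notepad after manifest update:",
          allowlist_allows(PATCHED_NOTEPAD, updated))
```

<p>The mutated dropper is the case the report is describing: the blacklist lets it run because its hash is not the one in the signature list, while the allow-list blocks it because it was never approved. The patched notepad shows the other side of the trade: the same strictness that stops the variant also stops a legitimate update until the manifest is refreshed, which is the “dynamic environment” concern raised elsewhere on this blog. A file-hash allow-list also only governs what is loaded from disk; an exploit that stays inside the memory of an already-approved process needs a separate control.</p>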
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2010-04/in-2009-symantec-stopped-100-attacks-per-second-wonder-how-many-were-missed/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Stopping the payload key to thwarting targeted cyberattacks</title>
		<link>http://www.coretraceblogs.com/2010-04/stopping-the-payload-key-to-thwarting-targeted-cyberattacks/</link>
		<comments>http://www.coretraceblogs.com/2010-04/stopping-the-payload-key-to-thwarting-targeted-cyberattacks/#comments</comments>
		<pubDate>Tue, 13 Apr 2010 17:50:18 +0000</pubDate>
		<dc:creator>Toney Jennings</dc:creator>
				<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[advanced persistent threats]]></category>
		<category><![CDATA[application whitelisting]]></category>
		<category><![CDATA[APT]]></category>
		<category><![CDATA[BOUNCER]]></category>
		<category><![CDATA[cyberwar]]></category>
		<category><![CDATA[enterprise security]]></category>
		<category><![CDATA[targeted cyberattacks]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=1566</guid>
		<description><![CDATA[Targeted cyberattacks that use sophisticated social engineering techniques to exploit network vulnerabilities are creating advanced persistent threats (APT) to enterprise security models like never before. According to the article, &#8220;Targeted cyberattacks test enterprise security controls,&#8221; these threats pose a more immediate danger to sensitive data of U.S. commercial entities than a full-fledged cyberwar. George Kurtz, [...]]]></description>
			<content:encoded><![CDATA[<p>Targeted cyberattacks that use sophisticated social engineering techniques to exploit network vulnerabilities are creating advanced persistent threats (APT) to enterprise security models like never before. According to the article, <a href="http://www.computerworld.com/s/article/9174559/Targeted_cyberattacks_test_enterprise_security_controls?taxonomyId=85">&#8220;Targeted cyberattacks test enterprise security controls,&#8221;</a> these threats pose a more immediate danger to sensitive data of U.S. commercial entities than a full-fledged cyberwar. George Kurtz, a long time colleague of mine and CTO of McAfee, expects these types of attacks to continue.</p>
<blockquote>
<p>&#8220;These attacks have demonstrated that companies of all sectors are very lucrative targets. [APTs are] the equivalent of the modern drone on the battlefield. With pinpoint accuracy, they deliver their deadly payload, and once discovered &#8212; it is too late.&#8221;</p>
</blockquote>
<p>One of the methods the article suggests for protecting systems from targeted attacks is using a whitelist to allow specific traffic over the network while excluding everything else.<span id="more-1566"></span> In other words, they want to limit exposure to social engineering by limiting user access to potentially dangerous sites. Plans like these make some sense, but don’t address the core problem. There are too many ways that users can be tricked into accessing something that isn’t protected against for this to work. And for institutions such as universities, whose researchers need to reach arbitrary sites as part of their work, restricting site access gets in the way of users doing their job and simply is not going to fly.</p>
<p>As we pointed out in the blog, <a href="http://www.coretraceblogs.com/2009-12/ciscos-2009-security-threat-report-we-need-a-patch-for-the-common-user/">&#8220;Cisco’s 2009 Security Threat Report: We need a patch for the common user!&#8221;</a> people are the primary vulnerability going forward. Whether we like it or not, our employees, contractors and partners are continually accessing sites and other media that can cause problems. Rather than dealing with user behaviors that are simply out of our control or are required for them to be effective, enterprises should focus on the real problem &#8212; which is to stop the payload of these attacks.</p>
<p>As long as there are people in the mix, they will continue to unknowingly bring things into the network that cause all sorts of havoc. The reality is people make mistakes. They go on sites their company knows nothing about. They open bad emails and download the wrong stuff on their machines. Since we can’t realistically stop what users are doing, we have to address the results of normal, but risky behavior.</p>
<p>The bottom line is we need to stop the payload from getting on the network and becoming a threat. That needs to be the primary thrust, and is the focus of BOUNCER, which protects against unwanted applications while permitting users to go about their business.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2010-04/stopping-the-payload-key-to-thwarting-targeted-cyberattacks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

