ISP News

WSTA: Security Threats

Symantec reminded attendees that there's a new kind of malicious activity on the internet, and presented a plan to deal with it.

by Alex Goldman
ISP-Planet Managing Editor
[February 6, 2009]

You've heard this talk before, from a security vendor. You've been told how threats are new and different and how you may not be prepared for them. Because it's a security vendor telling you this, you suspect that they have an interest in spreading fear.

But you also know that what they're telling you is true.

It's worth listening to this talk at least once every few years. When Robert Clyde, vice president of technology from the office of the CTO of Symantec, rose to speak, the audience was attentive even though it was early on a winter morning. Snow advisories were in effect, but technology professionals from the financial industry had arrived to hear him talk at the Risk Management seminar of the Wall Street Technology Association because security is important.

It's likely that you know this, but let's review it anyway: malicious activity is targeting websites and social networks and no longer requires clicking on an attachment to infect a computer. Malware authors can take advantage of vulnerabilities in websites. Malicious activity is more insidious than ever before. Users can become infected and only become aware of the infection when their computer slows down and their internet connection gets overloaded (at which point they blame anyone but themselves).

What you may not know is this: there is a mature underground economy that matches buyers with purveyors of such information as e-mail lists and personal information. "This has changed the world," said Clyde. "Three years ago, if someone stole your list of credit card numbers or your payroll or pension roll with a list of social security numbers, they couldn't do much with it. Now they can sell it online, in web locations that have a tight link to organized crime."

Of course security specialists are responding to the new threats, but malware purveyors are innovating, both by using new tactics and by relocating to safe havens (such as the Ukraine) that have less developed infrastructures to prevent new crime.

Here's an example of a tactical innovation: Clyde said that a recent study of a phishing attack delivered a click through rate of 4 percent, which compares very favorably to the one-in-a-million click through rate of traditional spam. Delivered on a social network, the click through rate rose to 20 percent. If sent exclusively from female names to male recipients, the click through rate exceeded 70 percent.

If social networking is used in the ISP NOC, you may experience a generational divide: those under 30 (under 25?) consider it vital, while the older people consider it a toy. So, yes, it's a security risk, but so is every other application (instant messaging is now accepted as a business tool, and it, too, carries a risk; even e-mail was once seen as too risky for business, but that was a long time ago).

A business can lose important data without succumbing to the mythical master hacker. Clyde said that hacking accounts for 13 percent of all data theft or loss, but insiders account for 21 percent. "Many insider breaches are inadvertent, not malicious," said Clyde.

What attackers want

But let's take a look at this underground market. Symantec, Clyde said, has been working with law enforcement to track the market for identity theft. He presented a list of identities and their value on this market. The most valuable item is bank market credentials, traditionally the target of the Nigerian scam.

Also on the list: credit cards with CVV2 numbers, and e-mail addresses and passwords. Odds are low that an ISP has credit card numbers (but webhosts do), and odds are high that an ISP has a list of e-mail addresses with passwords. Protect that list.

As to CVV2 numbers on credit cards, Clyde said, "I now believe that CVV2 numbers are useless. It's three more digits to enter in a form, but entering it into a form destroys the purpose of the CVV2 number. It should only be asked for in person on a phone call in a situation where there is valid suspicion of credit card fraud."

There is also a market in malicious tools, so if you did have a problem with an insider, that person could, if they knew where to look, purchase malicious software. Of course, I don't recommend doing business with organized crime, but some malicious insiders are not thinking through what they are doing. No rational person would want to set up a long term business relationship with criminals, but some people are not rational.

The future is spears

When phishers first began targeting small groups in their attacks, the security experts called it "spear phishing." Nowadays, many kinds of attacks are more targeted than they were in the past.

"Malware authors learned that worms don't make cash," said Clyde. So malware authors are writing targeted applications and are hoping that if the target group is small enough, no one will act to prevent the attack. Real world diseases that are very rare are known as "orphan diseases" because the pharmaceutical companies can find no profit in treating them. Similarly, Clyde said, if malware was targeted at just a few users, or just a few hundred, would a security vendor ever know about it? Could it be prevented?

In order to prevent these spear attacks, Clyde advocates whitelisting good applications instead of blacklisting bad ones. In addition, many applications will be unknown, neither on the list of good apps nor on the list of bad apps. So, in high security environments such as the financial industry that was the audience for this speech, unknown applications should be executed on virtual machines and if those machines become infected, they can be discarded.

A final challenge, one that business managers will need to pay attention to, is the steady co-mingling of personal and business data. Just as social networks are entering into work, so, too, private data is traveling to the home. Security managers need to be aware of threats that include ID theft, data theft, tampering with business data and business apps, and threats to the OS and the cache. The solution is a relentless focus on identity protection and identity management, but we're not there yet. We need to be.

I find it useful to learn about the security fears of the financial industry, because the financial industry is ahead of the rest of the world. The high tech wizardry that's currently employed to defend the data that is money will someday be employed in every household.

Yes, security companies are purveyors of fear, and fear helps their business. But there are threats against which we need to be prepared. Every ISP owner should know about the latest trends in malware, and one way to learn about those trends is to hear this kind of speech from a security vendor.

— End

Related articles:
  [Apr. 29, 2002] WSTA Seminar: Insider Threat Detection and Response
  [Jan. 30, 2008] IronPort Says Your Job Has Changed
  [June 19, 2002] Intrusion Detection Systems: Symantec

 
