6 reasons to worry about cybersecurity

 

Connecting state and local government leaders

The adoption of new technologies and platforms, such as cloud computing and social networking, opens new avenues for increasingly sophisticated attacks. Meanwhile, old methods of attacks are getting smarter.

The threats from increasingly professional cyber criminals, spies and hackers are evolving to address the adoption of new technologies and platforms by government and private-sector enterprises.

“Obviously, the same old stuff is still a problem,” said Patricia Titus, chief information security officer at Unisys Federal Systems and former CISO at the Transportation Security Administration. Botnets continue to proliferate, and known worms such as Zeus continue to bounce back. “Zeus 2.0 is getting ready to hit the streets,” she said.

Attackers are also becoming more sophisticated, doing a better job of covering their tracks, splitting exploits among multiple vulnerabilities to make detection more difficult, and using new platforms such as social networking not only as vectors for delivering malware but also as resources for targeting attacks at high-value victims.

“The bad guys are going to target where the people are, and millions of people are on the social networking sites,” Titus said.


Related stories:

Risk management: The answer to security, or the problem?

The top threats to government systems and where they’re coming from

Google attacks began with an employee’s click, reports say


Those sites also are rich sources of open intelligence for social engineering.

“They have to do some upfront reconnaissance to determine who to target and how to target them,” said Paul Woods, Message Labs senior analyst at Symantec Hosted Services. Social networking sites “are a useful resource for any potential bad guy.”

The growing dependence on online resources for delivering government services also opens new avenues for attacks through the proliferation of public-facing Web sites. And the rush to cloud computing can create new security concerns, although the critical distinction is not so much between traditional computing and cloud as it between a private cloud and public cloud, said Peder Ulander, chief marketing officer at Cloud.com.

“The same threats you face in traditional computing, you’re gong to face in cloud computing,” Ulander said. For secure computing, the user must ensure that security policies are pushed into the cloud along with the data and services.

In short, the bad guys are watching what people are doing online and are adapting their techniques accordingly.

NEXT: Not all threats are new

1. Oldies But Goodies

Despite the steady growth in the number and variety of attacks, the vulnerabilities being exploited have long lives. A report on trends for the first half of 2010 from M86 Security Labs found that of the 15 most-exploited vulnerabilities, four were in Adobe Reader and five were in Microsoft Internet Explorer, and most had been reported and patched more than a year ago. Only two of the exploits, both for Internet Explorer, were reported in 2010. Some of the top vulnerabilities had been reported and patched as long as four years ago.

What is new is how the exploits for vulnerabilities are being used. Criminals are working to get the most mileage out of each exploit by controlling its use, said Chris Larsen, senior malware researcher at Blue Coat. Increasingly, exploits are used initially in targeted, low-profile attacks in which they could go undiscovered and unpatched for an extended period of time. A number of the advanced persistent threats (APTs) that remain resident on an exploited system for long periods of time, such as those reported by Google in January, fall into the category of exploits that are being carefully husbanded.

When an exploit becomes widely known, it is likely to migrate into tool kits so that it can be used by less professional criminals, whom Larsen called bottom feeders. Those exploits typically are used in larger attacks, when attackers hope to find unpatched computers.

“There really is a huge need to stay current on your patches,” Larsen said.

APTs are getting a lot of attention lately because of high-profile incidents, such as the Google hacks, but they are not new, Titus said.

“I think that APTs have gotten a lot of hype, more hype than they probably need to get,” she said. “They’ve been around for a long time.”

APTs simply reflect the determination of an adversary who is motivated and well funded, she said. They existed during the Cold War in the form of sleeper agents, such as the cell of Russian spies recently discovered in the United States, and they now have moved into a Cold War in cyberspace.

2. Social Networks

More serious than APTs is the proliferation of social networking, an emerging platform for collaboration that Titus called both an awesome tool and potential risk.

There are legitimate uses for social networking in government, Titus said. The Federal Emergency Management Agency uses it for situational awareness, and the Homeland Security Department "has a great opportunity to use social media to communicate with the public,” she said. Many agencies are establishing Facebook sites for public outreach and awareness. The use of social networking services is likely to continue growing.

“I think we’re going to see a huge surge of social media and services,” she said. “We’re looking at a service offering at Unisys,” a program that is in the research stage. But rushing to implement social networking without considering the liabilities is risky. “Along with the use comes responsibility,” she said.

Risks include breaches and compromises of the third-party sites. Such breaches on public-facing sites probably would not expose sensitive information, but they can provide platforms for phishers and other fraudsters. Messages that appear to be from familiar sources engender a greater degree of trust in readers. Such sites also can be useful tools in crafting attacks aimed at a few high-value targets.

NEXT: Who's the target?

3. Personal Targets

Professional criminals and spies are more frequently using low-profile, selective attacks that rely heavily on social engineering, Wood said, and government is a primary target for such attacks.

Spam remains a high-profile problem, accounting for more than 80 percent of total e-mail traffic by most measures, and the number of targeted e-mails containing malicious attachments or links intended for a specific victim is growing. Five years ago, only one or two examples of specifically targeted e-mails were found in a week, Wood said. That grew to one or two a day, and now there are 50 to 60 malicious e-mails found each day that target high-value individuals.

“This type of attack is very rare in the grand scheme of things,” Wood said. In June, an average of one in 276 e-mails, less than half a percent, was found to contain malicious code. But for government, the figure was one in 124 e-mails. That still is less than 1 percent, but the danger is increased by the fact that government officials are being targeted, and these targeted attacks do not usually look like spam. “We all know that e-mail can be easily spoofed, but if it is dummied up enough that it doesn’t look like spam, you are more likely to open it.”

If an attacker has done enough research, the attacker can even piggyback on a target's legitimate correspondence, increasing the odds that the user will open the malicious package.

“It is becoming harder and harder to recognize this type of attack because the attackers go to great lengths to disguise them,” Wood said. “The amount of work they put into them is a lot greater, but the return is potentially enormous,” because individuals with access to proprietary, sensitive and other valuable information are the targets.

4. Caution on the Cloud

Another major shift that has both bright and dark sides is cloud computing.

“Everyone is rushing to the cloud,” Titus said. “But now you can hear the brakes going on.”

Cloud.com has developed a software platform for offering cloud services to service providers, so Ulander is not exactly a disinterested observer on this issue. But he said the cloud is appropriate for at least some government services.

For public-facing services and short-term projects that require computing capacity without capital expense, cloud computing makes sense, he said.

But for all the attention it is getting, the move to the cloud is going slowly. “Security is one of the biggest inhibitors,” Ulander said.

Cloud computing is not necessarily the disruptive transformation that its proponents tout, he said. “The reality is that cloud computing is an evolution of the way we do computing; it is not a replacement for everything.” There will continue to be a need for fully secured, privately controlled facilities for hosting critical applications and services. But for average, nonsensitive operations, “the cloud today is far more secure than it ever needs to be,” he said.

The choice for some agencies is between a private cloud and public cloud. Security considerations in a private cloud are no different from those in multiuser data centers used for server consolidation efforts, Ulander said. Using the public cloud puts operations more in the open.

However, every cloud has its silver lining, and the bright side is that cloud computing also can offer an added layer of security. Putting security operations in the cloud can allow security features to scale as utilities and provide visibility into network activity that is not available at lower levels.

“We see a lot of things that go on in the Internet,” said Tom Ruff, public-sector vice president at Akamai, a content delivery service provider.

Ruff called the company’s global network of servers, which put online content within one hop of 90 percent of Internet users, “the first cloud out there.” When distributed denial-of-service attacks began flooding seven government agencies with eight years' worth of traffic in just two days in July 2009, Akamai was able to keep its government customers operating with a kind of brute force defense, absorbing the malicious traffic on multiple servers. The Akamai network also was able to gather information in the attack, identifying more than 300,000 IP addresses as sources, and was able to cut off all Korean traffic at one agency’s request.

The use of a cloud service such as Akamai can help reduce an agency’s attack surface by reducing the amount of infrastructure needed.

“DHS has a small Web infrastructure,” Ruff said. “They publish to our network, and we do all the heavy lifting for them.”

Clouds will not eliminate the need for other security, he said. “We will never replace the firewall.” But they can extend an agency’s security policy into the Internet, providing an additional layer of security.

That security will only be as good as the service provided, Ruff said. “Government is going to have to start holding cloud vendors accountable.”

The cloud might not eliminate the need for firewalls, but it can provide security on a scale that enables providers to offer it as a utility. Cloud security company Zscaler recently announced the integration of e-mail security into its Web security offering, allowing filtering and policy enforcement well away from the enterprise perimeter.

Zscaler Chief Executive Officer Jay Chaudhry said some administrators are reluctant to give up local control of some security, but he added that “that’s more of a cultural thing,” outweighed by the advantages. A cloud-based service can scale beyond the capacity of an enterprise at a fraction of the cost of acquiring and maintaining point appliances, he said. “Why keep buying boxes?”

NEXT: What do attackers target?

5. The Risk of Gov 2.0

The Open Government Initiative, often referred to as Gov 2.0, has the disadvantage of possibly increasing the attack surface of government enterprises because more information and applications are being made available on public-facing servers.

If not adequately isolated from the enterprise, that can become another entry point for attacks, Ruff said. “You are courting cross-scripting and ways to infiltrate the Web infrastructure.”

“Adversaries can use the Web content as an entry point to back-office systems of any kind,” said Amichai Shulman, chief technology officer of Imperva. “You can work your way into the organization and the control systems.”

Increased reliance on online services also can make organizations more vulnerable to disruption, Shulman said. “The more we get used to these online services, the fewer nononline systems there will be.” People choose to file tax returns with the Internal Revenue Services either online or on paper. Eventually, the paper option will disappear, and a disruption of online services would cripple essential services.

But Shulman added that despite the proliferation of threats, defenses against Web attacks are improving.

“Web services only go back about 10 years,” he said. As recently as five years ago, “there weren’t that many tools to help us with attacks. But today we do have the knowledge and the tools to help us. To some extent, we have a better chance of winning this battle in the cyber world than in the real world.”

The cyber world provides better chances for a standardized environment with universal adoption of best security practices and policies, he said. “It is not 100 percent” security, he said. “Nothing is. Of course, it is still a cat-and-mouse game.”

6. Insider Botnets?

One of the mouse moves security experts are anticipating is the possible use of compromised computers that make up botnets in new ways to further increase their value to bot herders. They typically are used en masse to deliver spam, launch attacks, gather information and infect more bots, either by the botnet’s owner or someone who rents time on them. But Blue Coat’s Larsen said there is growing concern about the possibility of individually infected computers in organizations being rented as platforms for insider attacks.

“It’s logical,” he said. “I would expect it is happening, but I don’t know.”

Infected computers inside enterprises are more of a nuisance than a threat because they usually are used to mount attacks outside the enterprise. They can be cleaned up and forgotten. But a bot being used to gather information inside the enterprise is a real threat. “That’s the scariest thought I’ve come across in a long time,” Larsen said.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.