Cyber security: do you know where you stand?
It is impossible to assess the true extent of cyber attacks, but businesses can make a sensible assessment of their risk profile and security posture
Short of time?
In August 2003, a computer worm called Blaster wreaked havoc with IT systems across the planet.
Based on a vulnerability in Windows XP and 2000, the worm spread through spam email and used infected computers to attack Microsoft’s software update service.
Soon after the worm was first detected, 18-year-old Minnesotan Jeffrey Lee Parson was arrested and charged with its creation. In 2005, he was convicted and sentenced to three years in jail.
Parson made the motivation for the worm apparent in a comment in the source code: “Billy Gates why do you make this possible?” he wrote. “Stop making money and fix your software!!”
Blaster was one of the last high-profile worms to torment the IT industry. And it was one of the last examples of a successful malware attack motivated by little more than the glory and bragging rights.
Ten years later, this potentially damaging but relatively innocuous form of IT security attack has been entirely replaced by three other, much more serious, threats.
The first is criminal. As the Internet has become a platform for commerce, it has also become a breeding ground for financially motivated computer crime.
The second is political. The Internet is now both a battleground and a channel for espionage for nation states and terrorist groups. Government bodies, media companies and any business with potentially valuable intellectual property is now in the firing line.
The third, hacktivism, is the most reminiscent of the early days of computer crime. Hacktivists are typically young, and their motivations are not a million miles from Jeffrey Lee Parson’s apparent aim of embarrassing Bill Gates. But what was once a niche is a now a global movement, and participating in hacktivism no longer requires deep technical knowledge.
Many IT insiders cringe at the use of the word ‘cyber’, especially as a prefix for ‘security’, ‘crime’ or ‘war’. It is a dated piece of science-fiction jargon, which implies naivety about the way the Internet really works.
But the buzz around ‘cyber security’ in the mainstream media may have its uses. Executives who first heard about hacking in the era of the film War Games and the Cookie Monster virus may not understand that the stakes for businesses are now much, much higher.
The recent resurgence of the word ‘cyber’ implies a break from the past, a new threat to be addressed. And while the principles of information security remain unchanged, the implication of a need for renewed focus on the problem can only help the cause.
Now is as good a time as any for organisations to take stock of the threats they face, the state of their defences and the awareness of IT security at every level of the business.
To listen to some security suppliers, you would be forgiven for thinking that every business in the UK has been infiltrated by hackers – most likely from China – who are quietly scanning their IT infrastructure for valuable data.
In truth, it is very difficult to assess the true scale of ‘cyber’ activity. If these attacks were easy to detect, they would not be particularly threatening.
“There are vendors who would like to scare you into buying their solutions by saying everybody has been hacked,” says Mikko Hyponnen, chief research officer at security firm F-Secure. “It’s not that simple. Not everyone has been hacked.
“But we do see a surprising number of organisations that have been breached, and for extended periods of time without realising it,” he adds.
The worst example, Hyponnen says, was the head of R&D at the UK-based defence contractor who had a backdoor installed on his laptop for 18 months. “It doesn’t get much worse than that,” he explains.
What businesses can do, Hyponnen argues, is take a view on how likely they are to fall foul of the various kind of cyber attack. Not only should this inform their risk assessment, but also the information security defences they put in place.
“If you are a defence contractor, it’s almost guaranteed that you will be targeted”
For most businesses, criminal hackers are the biggest concern. “If you are an ordinary business, criminals will definitely be interested in your point of sales systems, your cash-flow systems, your payment systems or your salary systems, because there is money in those systems,” he explains.
“As long as you have credit card data, they don’t care if you’re in London, Edinburgh, Dublin, Helsinki or Milan – as long as they get the credit cards, they can make money.”
Criminal attacks are mostly web-based these days, Hyponnen says. “Email used to be the biggest problem for money-making attacks, but slowly it has been replaced by web exploits,” he says.
“The most likely way of getting hit is if one of your employees visits a website that has been hacked, and it downloads a credit card-stealing Trojan,” he explains.
“The site will look normal, and the person who operates the site won’t know it’s happened, but the hacker has inserted a script that exploits a plug-in in your browser, or the browser itself, to install the Trojan.”
Precautions against this kind of attack include having up-to-date antivirus software that can identify the latest Trojans and making sure browsers and plug-ins are kept up to data. There are also specialist anti-web fraud tools: in August, IBM acquired an Israeli company called Trusteer, whose software detects browser-based malware for consumers and employees.
It is an area where user education, while always important, can only do so much, Hyponnen says. Employees should always be advised against visiting suspicious-looking websites, but there have been cases of trusted, legitimate websites being compromised too.
Much of the recent interest in so-called ‘cyber’ security of late has focused on targeted attacks. This is when a group of hackers has a specific organisation in its sights and can therefore take the time to tailor its method of attack to match the target’s particular vulnerabilities.
There is a well-established modus operandi for these targeted attacks, which has been in use since at least 2005, Hyponnen says.
The attack vector is invariably an email-borne attachment, which usually contains a malware infection that, once installed, gives hackers remote access to the infected computer.
To make employees open these attachments, hackers will do their best to make it look like they were sent by a personal or professional contact. They may therefore harvest data from their mark’s social networking profiles, or use publicly available information about a company, such as a forthcoming merger, to spoof a plausible work email.
The attachments typically exploit vulnerabilities in common desktop software, such as Microsoft Office, Adobe Reader or Java.
This kind of attack is sometimes referred to as an ‘advanced persistent threat’. This is a US Navy term which, depending on who you ask, either describes the above methodology or is a euphemism for Chinese intelligence forces.
Certainly, APT attacks are often linked to China. In the first example that F-Secure saw, Hyponnen says, the hackers used the same technique to target a number of businesses, defence contractors and – most tellingly – a pro-Tibetan independence charity.
There are plenty of other groups using the technique, however. According to cyber security consultancy Context, it is now the predominant means of hacking a bank.
Web-based attacks are increasingly being used in targeted campaigns. Infecting a website to target a particular community of people is called a ‘watering hole’ attack.
Recent examples include a high-profile incident in which computers at Apple, Microsoft and Facebook were all infected after a software development site was compromised.
“This ‘watering hole’ or ‘drive-by download’ technique is fairly common in the crime world, but two years ago we didn’t see many – if any – state-backed hackers using it,” says Context researcher Nick Naztielli. “But we’re now seeing more targeted, APT-style attacks using that particular vector.”
How can an organisation tell if it may be the subject of a targeted attack? Any company linked to national security and defence should consider themselves a potential target, says Hyponnen. “If you are a defence contractor, the risk of being targeted is very, very high. It’s almost guaranteed that you will be targeted.”
Aside from that, companies with valuable intellectual property, especially in the high-tech field, may also be at risk, as are those with information about critical national infrastructure and international supply chains.
Another motivator for targeted attack may also be customer data itself, which can be used to launch thousands more attacks.
In July, video gamer maker Ubisoft was the latest high-profile company to have customer data, including email addresses and encrypted passwords, stolen by hackers. It follows similar attacks on companies including electronics giant Sony and marketing firm Epsilon.
“These companies represent a large concentration of a lot of different data items,” says Rik Ferguson, global vice president of security research at Trend Micro. “By breaching someone like Ubisoft, you’re going to walk away with names, dates of birth, email address, maybe marketing preferences – all kinds of things that allow you to construct much more credible email or social networking attacks.
“Personal information is a saleable commodity, and companies with a large user base represent a very attractive target,” Ferguson adds.
Know the signs
There are many different components of defending against targeted attacks. Perhaps the most important, in this case, is user education. Staff should certainly be aware that emails that look highly plausible could nevertheless pose a security threat, if they are not so already.
They should also be able to spot the signs that an email attachment is malicious. One telltale sign, Hyponnen says, is when a file – a .PDF or an Excel file, for example – opens, immediately disappears, and then reappears.
One way hackers cover their tracks is to prepare malicious files so that they crash the application in such a way that allows them to access the host computer, but that also open another, apparently legitimate, file at the same time. “This is a very typical sign of a malicious attack.”
Both targeted and money-making attacks exploit vulnerabilities in outdated software, so keeping end-point software up to date is essential.
One particular headache in this regard is Java. According to security software vendor Kaspersky Lab, Java overtook Adobe Reader as the most common attack vector for malware last year.
One reason may be the fact that Java does not automatically uninstall old versions when updated. This means that enterprise desktop estates are littered with old, vulnerable versions of Java that may not even be in use.
A study by security firm Bit9 found that the average business has 50 different versions of Java installed across its estate. Java 1.6.0, which Bit9 said is the most vulnerable, was found on 82% of enterprise endpoints.
Bit9 said that Oracle, which owns Java, has made significant progress in making Java more secure, but added that the legacy installed base still needs to be addressed.
It pointed to an open source tool called JavaRa, which helps organisations identify and remove old Java instances.
Minimising the potential damage that hackers could do if they did access the organisation’s IT infrastructure may be the hardest component of all, says 451 Research analyst Wendy Nather, as it entails discipline in the face of technical complexity.
For example, being able to spot unusual behaviour on the network demands a detailed map of the infrastructure components.
“In reality, knowing what you have on your network while also being able to make changes to it whenever you need is very difficult for many organisation to do,” says Nather. “Most organisations do not have the discipline, and that’s where the holes come in.”
Indeed, Nather says, one of the oldest security weaknesses in the book is still one of the most prevalent. “I’ve personally seen defence contractor-level consultants set passwords on systems as ‘password’.”