Security
Next Generation Security Threats
Security threats have evolved from viruses to blended threats.
The attack pattern has completely changed since and so should defence mechanisms.
By Varun Aggarwal
"I do it for the pleasure of creating something, seeing that it works, and making something that could really survive, spread, and hold its own in the wild. A virus is something that lives. In real life you can't make a kind of animal. You can in the computer. It's like playing God."
- BlueOwl, member of the Ready Rangers Liberation Front.
There are two types of hackers. The first is the inquisitive programmer, who wants to explore new technologies and new systems, discover loopholes in various systems, and reach where no man has before. For many such programmers, writing malicious code is a way to test and prove their knowledge, to make their mark in the hacking community.
Then there's the other kind of hacker that is prominent today. These guys have no political axe to grind, they seek no glory from the hacker community, and they have neither a religious agenda nor do they follow an extremist philosophy. They are in it for the money. This is the mafia that we need to contend with.
Shubhomoy Biswas, Country Manager, SonicWALL, India explains, "As the cyber crime industry grows and becomes more organised, it becomes easier for attackers to execute attacks. It is now possible to buy and sell malware in an underground marketplace. Some of the successful cyber criminals today are not even the ones who penetrate attacks directly, but those who provide the infrastructure, through illicit botnets, phishing kits, and other attack components, and sell them to others."
Data Theft
The total size of the Indian security market in 2006 exceeded $106 mn, of which the largest share, $85 mn, was Firewall and IPSec VPNs. According to analysts, the Indian security market will grow at over 30 percent in 2007.
From a broad information centric security perspective, there
are a few key areas that have worried companies and consumers. These have increased
in frequency over the past year. Other issues are coming into focus. The
first is data theft. Organisations across verticals have been suffering
from the challenge of information leakage or loss. Thus organisations
are increasingly looking at reinforcing controls around privacy and data protection.
Srikaran Raghavan, Regional Sales Head, RSA, the security division of EMC, adds, "As laptops or PDAs are increasingly provided to employees whose roles demand mobility, business critical data is increasingly being stored on laptop hard drives or PDA memory chips. With the corresponding increase in laptop and PDA theft, this has created a surge in the loss of sensitive information."
More than 70 percent of unauthorised access to information systems is committed
by employees, as are more than 95 percent of intrusions that result in significant
financial losses.
Spam is also a major cause for concern for organisations. This not only creates
productivity issues, but also increases the opportunity for malicious content
or inappropriate material to enter an enterprise.
For mid-market and SMB organisations, there is a growing trend of investing in all-in-one solutions to manage security controls. The smaller the organisation, the fewer the resources assigned to IT and, in turn, to information security. The UTM (Unified Threat Management) market is growing on the back of demand for such consolidated security management systems in these markets. However, it is important that customers evaluate the nature of their risks and the most appropriate strategy to adopt with respect to security management: the consolidated one or the individual specialist approach.
From a consumer perspective, virus threats and spam are the traditional security concerns. The increase in laptop and PDA theft has also affected consumers' personal fortunes, as in many cases passwords and other personal data are stored on these devices.
The more pressing concerns for consumers, leading to identity theft and potential
monetary loss, are phishing incidents. Phishing refers to a criminal activity
whereby fraudsters attempt to solicit confidential or personal information from
unwitting consumers through e-mail.
Raghavan informs, "From information that is in the public domain, the total reported losses in India till date amount to just over Rs 1.1 crores in 2006 alone. Worldwide, the total losses till date due to phishing are over a billion dollars. The specific verticals being targeted by phishing include banking, finance and associated industries and telecom. This is leading various organisations in these verticals to evaluate measures that protect consumer identity and mitigate the risk of online fraud."
It is also important to note that while these organisations have spent extensively
on information security management around their infrastructure, the fraudsters
are targeting the consumer population, who may not have the means or sufficient
awareness to improve security on the PCs that they employ.
Mobile security
Traditionally, mobile phones were only used as a medium for communication, as they were restricted to voice-based services. However, as mobile phones have evolved, multiple services (voice, data, video) have been consolidated onto a single platform. As users continue to leverage these services for m-commerce or business automation, the necessity for authentication and data protection has become a reality.
Bill payments, grocery shopping, etc have already been activated
in several countries through debit or credit cards. The M-commerce community
is now seeking to build the necessary solutions to deliver similar functionality
on phones, so that the consumer needs nothing more than his phone to transact
day-to-day business. This therefore makes the wallet on the
phone a critical component and thereby leads to the genesis of protection on
the phone through biometric authentication and encryption of key wallet data
and other sensitive credentials that are used to conduct business.
Niraj Kaushik, Country Manager, Trend Micro explains, "Phishing as we know it is the act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft. India also has in the recent past witnessed phishing attacks against the users of major banks such as HDFC Bank and ICICI Bank. Banks, rising to the alarming situation of online fraud, have started deploying anti-phishing. Hence, phishers have now started discovering alternate and untried channels of extracting financial information from their victims."
One of these methods is phone phishing. In this method, fraudsters
typically use a phone call to extract financial information from users.
This method still relies on e-mail as the medium for spreading
the word about which phone number people are supposed to call. The role
of anti-fraud firms remains to address these fraud attempts. For software companies
the task consists of blocking consumer access to such e-mail, and detecting
fraud or countering it on backend systems. As a proactive service in addition
to the current standard phishing site shut down service, RSA FraudAction
includes shut down services for phone phishing attacks as well, though this
is still a rare type of attack. This attack relies on the burgeoning
popularity of VoIP phone services. Once RSA receives a copy of the fraudulent
e-mail, or the phone number used in the attack it traces the VoIP provider and
contacts said provider to shut down the phone line. This is similar to
what it does with fraudulent Web sites by dealing with the ISP or hosting provider.
Smartphones and PDAs are at greater risk and must have added security since
most applications that were earlier limited to the PC are now available on the
PDA. These include confidential BI generated data available on PDAs. While the
threats of viruses, pharming, phishing, botnet creation etc exist, the portability
of these devices necessitates additional care.
The same rules of PC maintenance apply to PDAs as well, but most importantly
locking the phone through an auto-lock mechanism can itself be a simple yet
effective way to protect personal and enterprise data.
Mohammed Hayath, Business Development Manager-Security, Cisco India & SAARC
adds, "In addition to loss or theft, security experts are finding a growing
number of viruses, worms, and Trojan horses and a combination of these that
target mobile devices. These could further unknowingly infect the organisation's
network with a worm or virus. For instance, consider the scenario of an authorised
user with a smartphone or PDA and a secure VPN connection to the network. If
the smartphone or PDA is contaminated by a virus before the user established
a VPN link, the virus could bypass the corporate firewall and enter the network."
Wireless Hacking
Wireless networks are increasingly becoming susceptible to high level attacks.
Enterprises most commonly adopt VPN and VoIP to take advantage of wireless technologies.
However, these technologies can be targeted by malicious users to steal valuable
information or to attack systems. The number one threat to VoIP is Denial of
Service (DoS) and Quality of Service (QoS) degradation.
The current implementations of code signalling, message delivery, and code protocol
fall short of providing adequate call party authentication, end-to-end integrity,
and confidentiality of messages with VoIP. VoIP converts voice signals from
the telephone into digital signals (data packets) that travel over the Internet.
If left unprotected, this traffic is vulnerable to spying, theft, and data manipulation.
In order to help prevent or resolve these security threats, enterprises should
protect data and VoIP environments by implementing a combination of antivirus,
firewall, intrusion detection systems, and virtual private networks (VPNs).
These technologies must also be optimised for voice.
Eavesdropping through interception and/or duplication: Access can be gained through any access point to the voice network (particularly if there are wireless access points in the same network that supports the VoIP service). Once access has been gained, commonly available network sniffer tools can intercept IP-based traffic.
Loss, alteration or deletion of content through programmed attacks: For example, the programmed substitution of Dual-Tone Multi-Frequency (DTMF) or Interactive Voice Response (IVR).
Lack of capacity/system management: Other network traffic can impact VoIP traffic.
Denial of service attack (DoS): Swamping of network traffic, resulting in no capacity to support voice. This can be targeted from within the enterprise or externally.
Viruses and other malware: Swamping of network traffic, resulting in no capacity to support voice; this can be targeted from within the enterprise or externally as well. Viruses can also target specific VoIP protocols.
Power failure: VoIP differs from traditional telephony in that voice services are potentially vulnerable to a number of power failure points within the data network, for example the local router and switches. In contrast, traditional telephony handsets are powered from one centralised point, usually with a backup battery bank.
Source: IT Security Expert Advisory Group (ITSEAG), of which Symantec is a part.
Chinks in the latest technologies
We have witnessed a number of new technologies like Wi-Fi and RFID taking over
the market because of various benefits that these technologies provide in terms
of accessibility and remote management. However, new technologies come with
their own set of problems. In the midst of bringing in innovation, security
is often neglected. The same is the case with these technologies that we are
talking about.
Sam Sathyajith, Country Manager - India & SAARC, Arbor Networks, Inc explains, "The main security issues with RFID come from weak or non-existent authentication of the information recipient, meaning that the privacy of the information stored on the RFID-enabled device (such as a passport) can be compromised. For VoWiFi and WiMAX, these have little or no security precautions built into the transport protocol, and instead the applications that use these layers should apply their own security. Also, the reference implementations of some of these technologies contain many basic security issues, allowing for some of these devices to be crashed or compromised."
One of the greatest challenges faced by a network administrator
is the fact that wireless networks like VoWiFi and WiMAX are traditionally implemented
as an overlay onto the wired network, creating two parallel network infrastructures
that must be deployed, configured and managed separately. This translates to
twice the work for the network administrator because every point of administration
that occurs on the wired network has to be duplicated on the wireless network.
Parallel networks do not have a unified management platform for logging and
reporting events on the network either, so the network administrator will have
to find some way to aggregate this information. Additional training is also
required since the network administrator would have to learn two separate interfaces.
Overall, it adds up to a load of extra work.
Although a lower level of granularity in access control may have provided adequate
protection in the past, it is no longer acceptable because of the frequency
with which user machines can be compromised. A user can pick up a malicious
piece of code on the Internet and not even be aware that it is on his machine.
Once inside, the code can scan the entire network for an open NT file-share
and attempt to replicate itself. Facing these types of threats, the network
administrator needs the ability to not only control who can go where in the
network but also to look closely at the data that has been transmitted after
access has been granted.
An additional dilemma is that many best-of-breed wireless security solutions require the user to install software on their machines. This prerequisite is often unrealistic because it is obtrusive and impractical for the user, and the software is often not compatible with the user's platform. These difficulties degrade the flexibility of wireless and the transparency of the user experience.
- Create a mobile device security policy
specifically for handheld devices.
- Start an awareness programme to make the
new policy known within the organisation.
- All security settings should be maintained
and controlled centrally.
- Deploy Enforceable Mandatory Access Control
on all devices as the first line of defence.
- Purchase PDAs for employees; never allow
users to connect their personal devices to the company network.
- Standardise on a few brands of devices,
and support only a few mobile operating systems.
- Use Password/PIN standards.
- Consider automatic and user-transparent
encryption of all data on mobile devices and removable media.
- Track and label devices; treat mobile
devices like desktops and laptops, labelling them and keeping records.
- Treat wireless like the Internet. Use
a VPN on top of WEP to connect to the internal network.
Client Side security
Notebooks and desktops are used by a diverse group of mobile and high net worth
individuals. Sensitive data ends up on laptops when they are issued to employees
by companies. Organisations define security standards for desktop users,
as the desktop has also become the weakest link in the chain of information
access. For almost identical reasons, companies seek to restrict access to desktops
to authorised individuals as well as protect information downloaded by users
to those desktops.
Loss or theft of a laptop is no longer restricted to the cost of the lost asset.
It also extends to the potential cost of information leakage, because data from
the laptop was accessed by another individual. There have been countless
cases of data recovered from a laptop being offered on the market for a price
to people who could use that information for their commercial benefit.
In fact there have been specific incidents of laptops purchased from eBay that
had data recovered from them containing HR databases of Fortune 500 companies.
This kind of information is explosive and of a very sensitive nature.
Biometrics requires an identification characteristic that the user carries on their person at all times, e.g. fingerprints. However, conventional fingerprint devices require that the verification signature be stored on a smartcard to ensure that it cannot be tampered with if left on the laptop or desktop. This is called match-on-card technology. It must also be noted that while biometrics may be convenient, it is not fool-proof, and there are well documented examples of biometric devices being compromised. The question that organisations must ask themselves is what cost must be paid to achieve a specific goal, namely the access to the asset and the protection of the information on it.
In this specific case, biometrics is attempting to ensure that only valid users
have access to assets assigned to them. However in the event of theft
or loss, the hard drive can be detached and connected to another machine for
access and in that event it is important that a second level of security be
enabled.
Encryption has become a shot in the arm for all those concerned for the safety
of sensitive information on a notebook. As mentioned above, even if the
laptop hard drive is accessed by an unauthorised individual, if the data is
encrypted, it cannot be viewed by that individual because the credentials required
to decrypt (make the data visible) are not stored on the hard drive, but on
a smartcard or USB device. The combination of encryption and biometric authentication with match-on-card technology makes for a tight-knit solution.
Almost 50 million people in India use smart phones, and about two million people are joining this club every month. The mobile phone is now turning into a computer, which makes it susceptible to precisely the same vulnerabilities as a PC, like viruses, spam and spyware.
Though vendors in the mobile content security area are
offering solutions for fighting spam, malware and viruses, a few players
are providing encryption online for online transactions.
Another feature designed especially for mobile phones
is to block SMS spam that allows an approved sender list, restricts a
blocked sender list, and has the ability to block SMS messages lacking
a mobile telephone number. Mobile users may also initiate manual scans.
Mobile viruses such as Cabir and Commwarrior can spread
via Bluetooth. Commwarrior can also spread via multimedia messaging systems.
Most mobile phone viruses target handsets that use the Symbian operating
system. Infection can be avoided by turning off Bluetooth on a smartphone.
Mobile devices are increasingly coming under attack from
viruses. Mobile handsets with Wi-Fi cards are prone to these attacks as
they connect to a public network and, at the same time the organisations
network. Other services on mobile phones that might make them vulnerable
include the ability to open e-mail attachments and removable storage cards.
Due to the rising popularity of data-centric mobile phones and personal
digital assistant (PDAs), these devices could become an attractive target
for virus writers in the future.
Vendors are providing solutions for different kinds of
attacks. Some are offering solutions for end point devices while others
have offerings for the traffic or the way in which data flows from source
to destination. There are other players with solutions to secure the corporate
networks and some have only anti-virus solutions.
Since mobile devices have become a necessity among all
top-rung executives, the demand for security within an organisation is
growing rapidly. Hence, the first step that most CIOs practice and recommend
is encryption of data. Other solutions could be creating awareness, conducting
training, and using passwords.
The key security issues faced by users of mobile devices are misuse of data if stolen, the ease with which data can leak out, and unauthorised access. Encrypting data, multi-factor authentication and blocking data transfer to pen drives are some of the measures that CIOs can consider to ensure security on their mobile devices.
The first step towards security in a mobile environment
starts with the framing of policies, followed by an awareness programme
for users.
Predictions for 2007
In the coming year, Symantec expects to see threat activity emerge around Microsoft
Windows Vista, through Web 2.0 adoption and within youth technologies. Anand
Naik, Director, System Engineering, Symantec India and SAARC says, "Threats using Web 2.0 technologies can be expected in 2007. User-created content, through blogs and social networking sites, can host browser exploits, distribute malware and spyware, host unwanted ads (splogs), or links to malicious Web sites."
Symantec predicts that the new security features in Windows Vista will result
in fewer instances of widespread worms that target core Windows operating system
vulnerabilities. This class of worm was largely responsible for the majority
of high-profile outbreaks in the early part of this decade. It expects that
worms will continue to thrive; however, their method of propagation will change.
This trend has already been observed since the release of Windows XP SP2 and
is expected to continue.
Sathyajith adds, "In 2007, we have begun seeing a continuation of the trend of targeted Trojan attacks against high profile offices and the individuals who occupy them. These are more often than not using previously undisclosed Microsoft Office file format vulnerabilities and go undetected for a while. They typically install new spyware packages operated by the original attackers."