ISSSource White Papers

Posts Tagged ‘APTs’

Thursday, July 9, 2015 @ 05:07 PM gHale

Advanced persistent threats (APTs) are a big issue that can keep security professionals up at night wondering if and when they will suffer from an attack.

Along those lines a critical infrastructure end user got in touch with ICS-CERT to evaluate the organization’s control systems environment for a possible APT.

Security Schism Front and Center
Cyber Incidents Down; Reporting Declines
Insider Attacks Rise, Unaware of Risk
Small Risk Converts to Big Problem

In its analysis of a previous incident response, the end user discovered the bridge between the corporate and processing network suffered a compromise, according to a report in the ICS-CERT Monitor. Concerned about the integrity of the processing environment, the end user requested ICS-CERT support to analyze the systems for activity and then, secondarily, evaluate the overall security posture.

As a result, ICS-CERT deployed an incident response (IR) and assessment team to look for evidence of trespassers and to perform an architectural review of their security.

The following is a mini case history of what occurred during the teams’ site review, according to the report in the ICS-CERT Monitor. While the name of the end user is not available, the problems it faced are very real and similar to the same issues other companies are confronting on a daily basis.

Despite pre-planning measures, the ICS-CERT review efforts ended up hampered by insufficient asset management in the control systems environment that caused a significant delay in identifying systems for examination and evaluation. To compensate for incomplete documentation, the team instead led discussions and conducted reviews of available materials to determine undocumented systems and create an up-to-date representation of the network architecture.

Asset management issues also made it difficult to determine who had primary responsibilities for the various systems within the network. As the IR team interviewed workers, it was evident they lacked clearly defined roles and responsibilities for the systems within the control environment. This prolonged the response time for access requests, authorities, data, and information needed to support the incident response effort.

Host-based analysis efforts also ended up slowed due to a lack of forensic information that was not adequately preserved or maintained for the team. Because of this, ICS-CERT focused on network evaluation techniques identifying unusual use patterns in the ICS network. ICS-CERT also compared network-based findings against indicators collected from various sources in an attempt to identify adversary communications from any remnants.

While onsite the team quickly identified the facility was using the same physical network cables and routing equipment for both networks, and the only segmentation was the hard-coded IP addresses for the processing environment in a separate subnet from the corporate network. This meant the two networks had essentially no segmentation. This segmentation issue was emblematic of the poor network visibility identified by the IR and assessment teams. The user lacked capabilities to monitor network traffic and identify suspicious activity in the ICS and corporate enterprise. In addition, critical assets ended up unmonitored with no physical security, leaving any employee the ability to tamper with critical systems undetected.

ICS-CERT provided recommendations and proposed a network re-design to heighten overall security posture and reduce the risk of future intrusion. These recommendations were for the technical and policy levels and included guidance such as:
• Define and establish accurate asset management responsibilities and assign appropriate authorities
• Verify network architecture
• Deploy system patching
• Create network segmentation
• Deploy physical security of critical assets
• Increase security operations staff and define mission roles and responsibilities
• Apply application whitelisting for approved applications and user authentication for remote access
• Deploy a security monitoring solution to ensure adequate visibility into the re-architected network

Wednesday, March 18, 2015 @ 05:03 PM gHale

By Gregory Hale
While reported security incidents are down from last year, the percentage of advanced persistent threats (APTs) hovering over the industry remains ominous.

Security incident reports are down from the previous year, according to analysis just released by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) in its quarterly ICS-Monitor bulletin.

Security: A Presidential Mandate
Malware Focuses on U.S. Attacks
Users Remain Security’s Weakest Link
Finding a Balance: Managing OT Cyber Risk
Employee Training Boosts Security

In Fiscal Year 2014, ICS-CERT received and responded to 245 incidents reported by asset owners and industry partners, it reported in the bulletin. That number is down from Fiscal Year 2013 which had 257.

While the decline is small, it is interesting to note in this era of sophisticated attacks and a push for more cooperation and transparency between the government and industry, the number of reported incidents is down.

The report also went on to say the “ICS vendor community may be a target for sophisticated threat actors for a variety of reasons, including economic espionage and reconnaissance. Of the total number of incidents reported to ICS-CERT, roughly 55 percent involved advanced persistent threats (APT) or sophisticated actors.”

“In the report what worried me was also the increase of an APT in the figures (about 55 percent) which might indicate that others have been compromised and as yet do not know it,” said Graham Speake, vice president and chief product architect at NexDefense, Inc.

“As always with these figures there are ‘lies, damned lies, and statistics’ and trying to compare year on year is difficult, if not impossible,” Speake said. “If the trend in advanced threats is growing, then the number and severity of incidents (discovered or not) will increase. An APT today, gets added in something like Metasploit tomorrow and then becomes just another point and click tool.

The Energy Sector led all others again in 2014 with the most reported incidents, with 65. Although that number is down from the previous year’s 145.

Incidents reported by the Critical Manufacturing Sector totaled 78, some of which were from control systems equipment manufacturers. This year’s number is up from the 38 the previous year.

The scope of incidents encompassed a vast range of threats and observed methods for attempting to gain access to business and control systems infrastructure, the report said, including but not limited to:
• Unauthorized access and exploitation of Internet facing ICS/Supervisory Control and Data Acquisition (SCADA) devices
• Exploitation of Zero Day vulnerabilities in control system devices and software
• Malware infections within air-gapped control system networks
• SQL injection via exploitation of web application vulnerabilities
• Network scanning and probing
• Lateral movement between network zones
• Targeted spear-phishing campaigns
• Strategic web site compromises (a.k.a., watering hole attacks)

The 245 incidents are only what ended up reported to ICS-CERT, either by the asset owner or through relationships with trusted third-party agencies and researchers. Many more incidents occur in critical infrastructure that end up not reported. ICS-CERT is continuing its effort to encourage asset owners to report malicious activity that has had an impact on their organization even if the company does not need assistance.

Sharing Goes Both Ways
“ICS-CERT has encouraged collaboration but I think most entities are still reticent to share info unless regulation forces them to,” Speake said. “Additionally, companies are starting to invest in security – not in a huge way, but at least in setting up some people trained in security who are more aligned to the OT side of the house. With regulated industries, NERC CIP in particular is ensuring people are trained and security measures in place. This may be preventing some attacks from becoming successful and hence not reported.”

ICS-CERT said in its report it can provide situational awareness information about similar or related incidents and share data regarding the threat actor’s techniques and tactics. ICS-CERT will also provide incident response services at the asset owner’s request. All sensitive or proprietary information reported to ICS-CERT remains protected from disclosure under the Protected Critical Infrastructure Information (PCII) program.

Work needs to happen in the sharing department or there will be a dearth of information coming from either end.

“As an industry we cannot give up on information sharing as it does hold the potential to provide great benefits,” Speake said. “But information sharing does involve sharing information in two directions and ICS-CERT and other agencies often share with some and not others.”

Wednesday, July 30, 2014 @ 05:07 PM gHale

Nearly 33 percent of IT security teams never speak with their company’s executives about cyber security and of those who did, 23 percent spoke to them once per year, a new report said.

This lack of communication and security awareness can greatly increase companies’ risk of experiencing some kind of attack, said Jeff Debrosse, director of security research at Websense, which sponsored the “Roadblocks, Refresh, & Raising the Human Security IQ” report by the Ponemon Institute.

Breach Alert: Critical Infrastructure at 70%
Data Breaches: Not Learning from History
Sounding Off on Internet of Things
BYOD Use Surging; Policy Usage Weak

Debrosse said the “31 percent [of IT teams that do not speak with their corporate executives] will, at some point, find themselves on the front page because they’re not having a conversation about insider threats, APTs, etc.”

But even though they aren’t discussing threats with upper management, security teams are constantly thinking about them, which could contribute to the communications breakdown. An overworked employee might not have time to assemble a report and attend a meeting, though this is what they need to do. The executive suite might take silence on the IT team’s part to mean everything is running perfectly when, in reality, IT may need additional support or funding.

IT teams need to “really insist and show the ‘why’ of having security as part of executive team meetings and discussions,” Debrosse said. Whether that means offering a quick to-do list or even stating nothing has changed, it’s important to show the IT security team’s presence and differentiate themselves from the general IT department.

He suggested security leaders take advantage of cyber threat models, such as the NIST “Risk Management Framework,” to show the cost of risks and their solutions as well as to defend budget requests.

The report, which surveyed more than 160,000 IT security professionals in 15 countries to determine the challenges they face in dealing with cyber security threats, also found 47 percent of respondents felt frequently disappointed with the level of protection their security solution offers, and 52 percent of companies do not provide cyber security education to their employees. The majority of those surveyed work for financial companies, and the United States and India accounted for the largest portion of respondents.

Click here to register for the report.

Wednesday, July 30, 2014 @ 10:07 AM gHale

EDITOR’S NOTE: This is an excerpt of the second in a two-part series from Del Rodillas at Palo Alto Networks discussing the Havex campaign and its effects on industrial control systems. In part one of this series, Del discussed why the Havex Trojan is a significant industry milestone. This week, he looks at how to mitigate exposure through the combination of good practices and next-generation firewall technology.
By Del Rodillas
In my initial engagements with control systems operators two security objectives, both linked to keeping uptime high, frequently come up.

First, the operations manager, or person responsible for security in the operational technology (OT) environment, remains concerned over whether only the approved users are using the right applications and resources in the specific usage model intended for SCADA. This person, at the very basic level, would want to be able to validate that the system ends up used only in a way that aligns with the business objectives, ultimately with the goal of implementing role-based access control. In this person’s mind, an internal user accidentally causing system downtime is as much a cyber threat as an incident malicious in nature.

Second, there is a concern that malware, especially advanced persistent threats (APTs) that have never been seen in the wild, would, by accident or on purpose, get introduced into the network disrupting service availability.

Havex an ICS Game Changing Threat
Havex Varient Brings Attack via OPC
Malware Analysis from ICS-CERT
Energy Sector Alert: Dragonfly Attack

Not surprisingly, I often find that a couple of core capabilities critical for achieving these security objectives, namely protocol/application layer visibility and Zero Day threat detection, are not yet deployed in their OT environment.

Most operators only have legacy stateful inspection firewalls (port-level visibility) plus add-ons like IPS/AV (block known threats). Whether they’ve been lax in upgrading their technology, or for some other reason, these operators are finding their technologies have simply run out of steam and cannot provide the type of visibility, security controls, and threat prevention required to combat advanced threats. It is imperative that asset owners take a fresh look at better techniques and tools that can help improve security posture to the required level and reduce downtime due to cyber incidents. So what are some of these options?

Proper Segmentation
Technology is a critical piece of the cybersecurity equation, but its benefits have limits if you don’t have a clear understanding of risk, if you don’t have a clear set of access control policies, and/or if you haven’t segmented your network in a way that aligns with these risks and policies. As always, the IEC 62443 standard is the gold standard for network segmentation in industrial control systems.

Segmentation and access control, especially when done with a least-privilege approach, are key in that they reduce your attack footprint and establish a baseline from which anomalies could end up easily detected. In the context of the security concerns raised by Havex, some basic but important questions to ask yourself around access control and segmentation include:
• Do you have enough security zones and points of inspection between zones, a.k.a. conduits in IEC 62443 terms, to validate compliance to policy or to be able to implement controls? For example, while you may isolate the OT from IT with a perimeter firewall, are you able to observe intra-OT traffic such as HMI/Workstation to Server, PCN to Plant/PLC, and interplant traffic? It will be very difficult to see the fingerprints of APTs if you have a flat SCADA/ICS network.
• Have you clearly defined which users and machines are allowed to access which applications, and from which zones these policies are relevant? What file/data types are allowed to traverse your network?
• If direct Internet connectivity is allowed, do you have a list of which domains/IP addresses are allowed, and which users are allowed to access those sites? You may be clear on what is and isn’t allowed to enter the ICS environment, but what about what goes out?

These aren’t easy tasks, but they have to occur up front. The fact that SCADA/ICS systems are purpose built with a very specific set of users and applications should help in terms of containing the effort of creating access policies.

It’s all about the ID
Clearly, effective segmentation and access control is dependent on the ability to control protocols/application based on user and the ability to inspect content.

App-ID, User-ID, and Content-ID technologies should be the heart of the platform. App-ID provides visibility to protocols and applications, versus just ports/services. For example, App-ID is able to identify ICS protocols such as OPC, DNP3, Modbus, BACnet, OSIsoft PI, and others. Functional App-IDs are also available for some protocols like Modbus and IEC 60870-5-104 to enable resolution at the read/write level.

User-ID is the technology that allows role-based access control by mapping IP addresses to user (or user group). A variety of user information repositories and authentication events could be used for this purpose.

Content-ID is able to inspect the payloads (e.g. files, data types, URLs, threats). It is important to note that packets are processed for App-ID, User-ID, and Content-ID in parallel, and in a single pass providing not only high-performance, but also shared context. which is equally as important in terms of correlation analysis.

Here is how App-ID and User-ID may end up applied in unison to enable role-based access for OPC. Actually, your OPC policy within the SCADA may be very different from the OPC policy you have at the IT-OT boundary. For example, at the perimeter you may allow only a certain set of users, say finance users in the Active Directory group “SCADA_finance” access to the OPC application so they can get access to a primary or replicated historian in the SCADA zone or SCADA DMZ zone. This can all be defined in single policy that involves no opening up of ports. Furthermore, a network appliance could use a positive enforcement approach meaning no other traffic but that allowed in policy will pass through by default.

Within the OT, you might allow all users in the “SCADA Ops” AD group access to OPC. This might be very different for a third party vendor that needs to access your network to service their products that do not use OPC. To limit the risk of the third party accidentally or intentionally accessing resources via OPC while letting them do their job, one could also define another role-based policy. For example, you could define a rule that allows the vendor access to another ICS protocol only between relevant security zones. You could also define a third party zone that has jump servers and another PLC Zone where that vendors products reside. While we use OPC as an example, these same kinds of policies could just as easily be applied for other ICS protocols and applications as well as common administrative protocols, such as SSH, FTP, and SNMP, that are often used in SCADA networks.

Access control via App-ID and User-ID helps to reduce your attack footprint as well as the risk of accidental cyber incidents such as erroneous programming by less experienced personnel. This takes us to the next core technology, Content-ID. This service blocks malicious payloads, such as exploits, viruses, and spyware/CNC (command and control), and also helps to further reduce your footprint by controlling access to URLs/Domains.

Finding Zero Days
Okay so what about the never-before seen variants of Havex? The next thing to put in place is a means to detect Zero Day malware. There are services that isolate suspicious payloads entering your network, detonates them in a virtual sandbox environment, and determines if payloads are benign or malicious in nature. Service subscribers get protections against malicious payloads in as little as 30 minutes.

End point security remains a vital cog in securing a network. One way a security solution could work is instead of the technology trying to block the large and quickly growing universe of known malware and exploits, it blocks the techniques themselves. The universe of techniques is on the order of a couple dozen and grows very slowly, therefore this approach much more effective.
Del Rodillas is a senior product manager for SCADA & Industrial Control Systems at Santa Clara, CA-based Palo Alto Networks.

Thursday, February 20, 2014 @ 03:02 PM gHale

Security firms Check Point and Bit9 will combine their individual areas of expertise in a move to upgrade their service offerings.

The companies will offer the upgraded service in the first half of 2014.

VMware Deals for Mobile Security Firm
Belden, exida Ink Partnership Pact
French IT Security Firm Acquired
Palo Alto Networks Deals for Morta Security

Check Point and Bit9 said the solution will attempt to fix four key challenges posed by advanced threats: It will let IT managers prioritize alerts, respond to them, prevent incoming attacks and analyze all incoming files passing through their endpoints and servers.

“Integrating the Check Point Threat Emulation Service with the Bit9 Security Platform, now with Carbon Black, extends real-time malware prevention, detection, analysis and response to every endpoint and server,” said Brian Hazzard, vice president of product management for Bit9. “Attacks and compromise are the new normal, but complete lockdown of every machine is unrealistic.”

“The best protection is to secure as many endpoints and servers as possible and put the rest in a ‘detect-detonate-deny’ posture that allows for real-time security policy enforcement as threats appear. This is exactly the operational value and closed-loop integration we will deliver as result of our partnership with Check Point.”

“Check Point’s network-protection and threat-emulation capabilities, combined with Bit9 and Carbon Black’s advanced threat security and incident-response solutions, will deliver complete end-to-end protection,” said Dorit Dor, vice president of products at Check Point.

Check Point and Bit9 are two of many companies to bolster their advanced threat-detection and protection portfolios in recent months. IBM just unveiled a new Security QRadar Incident Forensics attack-detection tool for enterprise-level businesses.

Thursday, July 25, 2013 @ 06:07 PM gHale

There has been an uptick in more sophisticated and targeted malware attacks over the last 24 months, a new survey said.

The most likely avenue for a malware attack, and cause for successful malware attacks, is lack of user knowledge about cyber security risks, according to a survey of 315 North American-based IT security professionals working at enterprise-class organizations (1,000 employees or more) sponsored by Malwarebytes and conducted by Enterprise Strategy Group (ESG).

C-Level Fears Own Security Profile
Survey: Security Metrics Too Complicated
Cyber Report: Attackers on Network
SMBs Need Data Breach Awareness

The study found enterprise organizations are seeing an increase in more sophisticated malware and are making it a strategic priority to add new layers of endpoint security to protect their organizations against advanced Zero Day and polymorphic threats commonly used for targeted attacks.

“As cyber-attacks become more sophisticated, IT security professionals are realizing that relying on only one layer of endpoint security isn’t enough. Each endpoint needs multiple layers of malware detection to ensure complete protection,” Marcin Kleczynski, chief executive of Malwarebytes. “The reality is, most antivirus products will miss nine out of 10 Zero Day malware threats, and having a layered approach blocks advanced threats that traditional antivirus scanners may fail to detect.”

The ESG report found the majority of respondents have seen an uptick in more sophisticated and targeted malware attacks over the last 24 months. However, 62 percent of organizations surveyed said endpoint security software is not effective for detecting Zero Day and/or polymorphic malware, which leaves them vulnerable to these attacks. Likely avenues for malware to compromise an organization’s system included employees opening an infected email attachment and unwittingly clicking on an infected URL while surfing the Web. Survey respondents indicated an employee clicking on an infected URL posted within an email was the most likely vector for malware to infiltrate their organizations.

On average, it took 57 percent of respondents hours to detect that an IT asset suffered a compromise by malware. It took 19 percent of organizations several days to determine there had been an attack, and 29 percent of respondent organizations that have suffered a successful malware attack believe the increasing use of social networks is responsible for those attacks.

In addition, two-thirds of U.S.-based respondents do not believe the U.S. federal government is doing enough to help the private sector cope with the current cyber-security and threat landscape, and 85 percent of IT security professionals expressed concern about some type of massive cyber attack that could impact critical infrastructure, the economy and/or national security.

“When it comes to managing malware risk, enterprises would be best served by implementing a layered approach using proactive and reactive lines of defense through their networks. Antivirus software plays a key role in protecting organizations, but it should not be the only method used to deter malware attacks,” said Jon Oltsik, senior principal analyst at ESG. “Additionally, sometimes the biggest vulnerability in an organization is the computer users. Because employee actions can greatly impact computer security, educating employees on potential threats and how to avoid them should be made a priority.”

Thursday, July 25, 2013 @ 05:07 PM gHale

Senior executives are now becoming very aware of the cyber threat hanging over them with over 66 percent of the top brass concerned their companies will not be able to stop cyber threats, and one in five say their biggest concern is not knowing whether an attack is underway, a new survey found.

However, sometimes fears don’t always translate into fixes. Of those surveyed, 42 percent report not having an Incident Response Team in place, and nearly half (47 percent) said they are not making use of advanced malware analysis tools, according to the ThreatTrack Security report.

Survey: Security Metrics Too Complicated
Cyber Report: Attackers on Network
SMBs Need Data Breach Awareness
Breach Discovery: 10 Hours

The independent blind survey of 200 C-level executives at enterprises ended up conducted by Opinion Matters on behalf of ThreatTrack Security in June 2013. The results highlight the opinions of CSO, CIO, CEO and CTO executives related to the cyber security practices of their companies.

At a time when advanced persistent threats (APTs), targeted attacks, Zero Day threats and other sophisticated malware have become profitable businesses for malware writers and cybercriminals, many large enterprises are still struggling with how to protect themselves.

It is especially telling that, according to the study, 97 percent of enterprises with annual security budgets over $1million still report concerns they are vulnerable to malware attacks and cyber espionage tactics.

“Enterprises are facing an unprecedented surge of highly targeted and sophisticated threats that are designed to evade traditional malware detection technologies,” said Julian Waits, chief executive at ThreatTrack Security. “The only way to battle these threats effectively is with a combination of highly skilled cyber security professionals armed with the strongest malware analysis tools available. Companies that don’t employ the right mix of people, process and technology are making themselves excellent targets for the cyber bad guys.”

Key findings from the survey include:
• 69 percent of executives fear their organizations may be vulnerable to targeted malware attacks, APTs and other sophisticated cybercrime and cyber-espionage tactics.
• More than one in five enterprises (21 percent) said their biggest concern is not knowing whether an attack is taking place.
• 47 percent said their cyber defense does not include an advanced malware analysis tool, such as a malware analysis sandbox; 42 percent do not have a dedicated Incident Response Team employed.
• One third of the enterprises surveyed say they are aware of a targeted malware attack against their company, including 50 percent of financial services firms and 53 percent of manufacturing companies.
• 82 percent of financial services firms fret over APTs and sophisticated attacks, but only half of them employ an advanced malware analysis tool like a sandbox.
• 36 percent of enterprises said they fear losing proprietary intellectual property and trade secrets in a breach than they are about losing their customers’ personally identifiable information (such as credit card data, social security numbers or medical records).

Friday, February 22, 2013 @ 03:02 PM gHale

Even in today’s heightened digitally aware environment, companies remain unprepared to protect themselves against an emerging, relentless cyber security danger that threatens national security and economic stability, a new survey said.

Advanced persistent threats (APTs) are not easy to eliminate, which makes them different from traditional threats, according to global IT association ISACA. But an ISACA survey of more than 1,500 security professionals found 53 percent of respondents do not believe APTs differ from traditional threats.

‘Trust’ Risk Losses Soaring
Attacks Spreading to Other Industries
More Effective DDoS Attacks on Rise
DDoS Attacks Steady; Others on Rise

This disconnect indicates IT professionals and their organizations may not be fully prepared to protect themselves against APTs, ISACA said.

“APTs are sophisticated, stealthy, and unrelenting,” ISACA International Vice President Christos Dimitriadis said. “Traditional cyber threats often move right on if they cannot penetrate their initial target. But an APT will continually attempt to penetrate the desired target until it meets its objective — and once it does, it can disguise itself and morph when needed, making it difficult to identify or stop.”

High-profile examples of APTs include the Google Aurora attack, disclosed in January 2010, and an attack on security, compliance, and risk management provider RSA in 2011. Although APTs are espionage tactics that often look to steal intellectual property, the Google Aurora and RSA attacks show these threats are not just facing government entities, the report said.

Although more than 70 percent of IT professionals surveyed said their organizations are able to detect APT attacks, and more than 70 percent said they are able to respond to APT attacks, their description of controls indicate a misunderstanding and lack of preparation, according to ISACA. Top controls enterprises use to stop APTs were anti-virus and anti-malware programs (95 percent), and network perimeter strategies such as firewalls (93 percent).

The difference is APTs can get around these types of defenses. “APTs call for many defensive approaches,” said ISACA Director Jo Stewart-Rattray.

APT hackers do use social media to learn information about employees of organizations. Then they send “spear phishing” emails that appear legitimate. Ninety percent of respondents in the ISACA survey said the use of social networking sites increases the likelihood of a successful APT attack.

While 22 percent of respondents said they suffered an APT attack, 63 percent said it is only a matter of time before their enterprise ends up targeted by an APT.

“We are only in February, and already we can declare 2013 as the year of the hack,” Tom Kellermann, vice president of cyber security for Trend Micro said in the news release. “… Enterprises are under attack, and they don’t even know it.”

Click here to register to download the report.

Thursday, February 21, 2013 @ 05:02 PM gHale

Sophisticated attacks that once targeted the financial services industry are now going out to other critical sectors, while the bad guys are employing new tactics and technologies to avoid industry-standard security measures.

Does that mean bad guys don’t want to play by the rules?

There is a continued proliferation of password-stealing Trojans and advanced persistent threats (APTs) such as Operation High Roller and Project Bliztkrieg, and the expansion of their attacks to government, manufacturing and commercial transaction infrastructure targets, according to the report from McAfee.

More Effective DDoS Attacks on Rise
DDoS Attacks Steady; Others on Rise
Mobile Number Harvesting Tool
Website Attacks up 600%

“We are seeing attacks shifting into a variety of new areas, from factories, to corporations, to government agencies, to the infrastructure that connects them together,” said Vincent Weafer, senior vice president of McAfee Labs. “This represents a new chapter in cyber security in that threat-development, driven by the lure of financial industry profits, has created a growing underground market for these cybercrime weapons, as well as creative new approaches to thwarting security measures common across industries.”

Leveraging data from McAfee’s Global Threat Intelligence (GTI) network, the McAfee Labs team of 500 multidisciplinary researchers in 30 countries follows the complete range of threats in real time, identifying application vulnerabilities, analyzing and correlating risks, and enabling instant remediation to protect enterprises and the public.

In Q4 2012, McAfee Labs identified the following trends:
More threats, more availability, more industries targeted. As a group, unique password-stealing Trojans grew 72 percent in Q4 as cybercriminals realized user authentication credentials constitute some of the most valuable intellectual property stored on most computers. Now widely available, these Trojans are increasingly appearing within customized threats or combined with other “off-the-shelf” threats available on the Internet. Fourth quarter revelations around the Citadel Trojan suggest this Trojan’s information theft capabilities are going beyond the financial services sector.

Web threats shift from botnets to URLs. McAfee continued to see suspicious URLs replacing botnets as the primary distribution mechanism for malware. An analysis of web threats found the number of new suspicious URLs increased by 70 percent in Q4. New suspect URLs averaged 4.6 million per month, almost doubling the previous 2.7 million per month figure from the last two quarters. Ninety-five percent of these URLs were hosting malware, exploits or code designed specifically to compromise computers. The decline in the number of infected systems controlled by botnet operators comes in part by law enforcement efforts to bring botnets down, but perhaps more so by the declining appeal of the botnet business model.

Increase in infections beneath the OS. The volume of Master Boot Record-related malware climbed 27 percent to reach an all-time quarterly high. These threats embed themselves deep within the PC system storage stack, where standard antivirus solutions cannot detect them. Once embedded, they can steal user information, download other malicious software, or leverage the infected PC’s computing power to launch attacks against other PCs or networks. While these MBR attacks represent a relatively small portion of the overall PC malware landscape, McAfee Labs expects them to become a primary attack vector in 2013.

Malicious signed binaries circumvent system security. The number of electronically-signed malware samples doubled over the course of Q4. This indicates cyber criminals have decided that signing malware binaries is one of the best ways to circumvent standard system security measures.

Mobile malware continues to increase and evolve. The number of mobile malware samples discovered by McAfee Labs in 2012 was 44 times the number found in 2011, meaning 95 percent of all mobile malware samples appeared in the last year alone. Cyber criminals are now dedicating the majority of their efforts to attacking the mobile Android platform, with an 85 percent jump of new Android-based malware samples in Q4 alone. The motivation for deploying mobile threats roots in the inherent value of the information found on mobile devices, including passwords and address books, as well as new “business” opportunities that are not available on the PC platform. These opportunities include Trojans that send SMS messages to premium services, then charge the user for each message sent.

Click here to download the complete report.

Thursday, December 6, 2012 @ 06:12 PM gHale

The rush of mobile devices entering corporate networks, advanced persistent threats and third-party application vulnerabilities are the primary pain points for IT professionals headed into 2013.

These are new and different issues where a few years ago, these were not even a blip on the worry-meter.

New Year Threat Forecast
Lockheed: Attacks Up ‘Dramatically’
Agencies Join in Security Plan
Ensuring Software Security Policies

One of the top concerns cited in the fourth annual report researched by the Ponemon Institute was the proliferation of personally-owned mobile devices in the workplace such as smartphones and tablets. Eighty percent of those surveyed said laptops and other mobile data-bearing devices pose a significant security risk to their organization’s networks.

With 13 percent stating they use stricter security standards for personal over corporate-owned devices and 29 percent reporting no security strategy for employee-owned devices at all, there is a clear disconnect between awareness and action.

These figures are quite different compared to the 2010 survey. At that time, nine percent of respondents said mobile devices were a rising threat. This year, 73 percent rank mobile as one of the greatest risks within the IT environment.

This year’s study also found IT professionals view third-party applications as a major security threat. In fact, 67 percent of those surveyed reported they viewed third-party applications as a significant risk – second to mobile security risk.

In previous year’s surveys, the server environment, data centers and operating system vulnerabilities were primary concerns. With the proliferation of mobile devices, along with the wide range of software and removable media commonly used in today’s enterprise environment, IT practitioners increasingly worry about the attack vectors these third party tools could bring into the corporate network.

In addition to mobile security risk, the security concern that represents the biggest headache for 2013 is advanced persistent threats (APTs). Whereas worms and less harmful viruses were a concern in earlier reports, today’s IT teams consider APTs and hacktivism a real, global threat.

Of those surveyed, 36 percent reported they viewed advanced persistent threats as a “significant” threat to their environments while just 24 percent of respondents held this view last year. In addition, 12 percent of those surveyed this year stated current anti-virus/anti-malware technology is very effective in protecting their IT endpoints from today’s malware risk.

“Once again, we found the changing security terrain is preventing the state of endpoint security from improving,” said Dr. Larry Ponemon, chairman and founder, the Ponemon Institute.

“With the rise of hacktivism and advanced persistent threats, along with the sheer number of malware incidents we are seeing today, IT simply cannot keep up with the bad guys,” he said. “Add to this fact that end-users are furthering the complexity of the IT environment by bringing in mobile devices and downloading third-party applications — causing risk to exponentially proliferate. IT simply must take further action before the risk is beyond their control.”

Over 670 IT and IT security practitioners took part in this year’s study. Of those, 77 percent were in organizations with a headcount of more than 1,000 and 66 percent were in a supervisory role or higher. These professionals spanned key industries including financial services, the public sector and healthcare.

Archived Entries