This is not to say that the days of mass email-borne assaults, such as the Blaster worm, which led to denial-of-service (DoS) attacks that shut enterprise networks down, are gone. They are not, experts say, and many of the intrusions, including spyware such as keyloggers, will be used in this new round of attacks.
Now, however, in addition to the old standby threats, up-and-coming attacks will comprise an entirely new breed of menace with the potential to wreak real damage on enterprise networks.
"The attacks we'll see in the future will come from people not with just programming experience but business and process expertise," says Scott Borg, director of the U.S. Cyber Consequences Unit, an agency supported by the U.S. Department of Homeland Security. "It's quite a shift. One of the big consequences is we're likely to see more attacks that target specific businesses and specific systems internal to those businesses."
That is not all, of course. Vulnerabilities in Voice over Internet Protocol (VoIP) systems will pose new problems for IT personnel, as will keyloggers and rootkits. Also add wireless and cell phone viruses to the mix. And do not forgot the innumerable botnets springing up, which are posing new spam, spyware and adware possibilities. Just how bad can it get? Let us count the ways.
An ugly year
Last year was an ugly one when it came to defending against large-scale security blitzes. This trend more or less began with what Ken Dunham, director of malicious code intelligence for security firm iDefense, calls a "very sophisticated" domain name system (DNS) cache poisoning attack that infected about 2,000 to 3,000 DNS servers and led PC users to sites that placed adware and spyware on hundreds of thousands of PCs.
This was followed by the usual assortment of attacks all year long, including a Windows-related vulnerability hit that led to the spread of the Zotob worm. This one took down systems across the country, including ones at ABC TV, cable news station CNN, and The New York Times. Panda Software recently released a laundry list of 2005's email attacks, and it was not pretty.
Will 2006 and beyond get any better? Not likely, according to many experts. Borg, for one, thinks it will only get worse. Organizations in the financial services industries will be targeted more heavily than others, with financial gain the ultimate goal, he says.
"We've already seen signs of this kind of threat, and the biggest evidence is the change in discussions at hacker conventions and channels," he explains.
While previous "hacker chatter" involved basic methods to break into networks, "now, they're talking about what they can do once they're inside," he says. "Now, they talk about payloads."
An economist and a senior research fellow at Dartmouth's Center for Digital Strategies, Borg pioneered in the mid-1990s the concept of value-based pricing of information resources that allows analyzing the costs of cyber assaults, such as a DoS attack. By his way of thinking, a DoS attack costs an enterprise "a whole lot less than most people think, as long as it lasts less than three days." This is the case in most of these incidents, he says.
Borg's reasoning for this assessment: Most companies, including those that practice "just-in-time" manufacturing, have two-and-a-half to three days of inventory. That means they can "just time-shift their production" to make up for the downtime, and a short shutdown does not impact their bottom line too severely.
When an attack takes an organization down beyond that timeframe, however, there is a big slack in production.
"That's when it starts to get expensive," says Borg.
More knowledgeable hackers
The new breed of attackers, with sophisticated knowledge of internal systems and processes coupled with their capacity to get inside an enterprise, have the ability to wreak that sort of extensive damage to enterprise systems, according to Borg. That means enterprises "must begin thinking about more than just perimeter defense," he says.
"They have to think about what they're doing with their information systems, how the bad guys are thinking, and what they'll be doing to their information systems," he explains. Again, this calls for a "big shift, and will require people to scramble to deal with new issues."
Large organizations with thousands of nodes will find the small, targeted attacks "almost impossible to defend against," says Patrick Hinojose, chief technology officer at Panda Software. "They're probably what scare CIOs at large corporations the most."
What was surprising about 2005, says Brian Burke, a security products research manager at IDC, was the resurgence of spam after a relatively quiet 2004. While traditional worms, trojans and spyware were last year's primary concern, Burke says spam bubbled up to become the number two security problem for enterprises, and he expects more of the same in 2006. He also calls spyware a rapidly growing threat.
Burke agrees with Borg on several points. Most notably, he has been impressed with "the sophistication of spammers and the increase in the number of botnets." While the malicious code of the past was easily detected by anti-virus/spyware tools, the malware appearing now "is designed to stay on a machine in stealth mode and not be detected by anti-virus software or firewalls." It can then be used for generating spam or spyware as part of a botnet or zombie army, he says.
"On the spyware side, we're seeing more malicious code targeted to certain corporations or individuals," Burke says.
He points to targeted spear phishing emails that appear to come from a "trusted" source, such as a small regional bank or from an individual within an IT department. These messages direct users to what appears to be a legitimate website, where they enter account numbers and passwords that give criminals access to financial accounts or, in the case of corporate workers, open access to internal systems.
"It's not just in financial services. In manufacturing environments, we're seeing people trying to steal intellectual property," Burke says.
Still others expect to see an increased prevalence of threat varieties, including keyloggers, attacks on VoIP phone systems and a nasty nest of added malicious characters, such as rootkits and attempts to compromise the growing number of "software-as-a-service" offerings.
Stu Sjouwerman, founder and chief operating officer at Sunbelt Software, believes keyloggers are among the biggest threats to enterprise security. He says there are dozens of vulnerabilities in Microsoft's Internet Explorer web browser that hackers can exploit to deposit keystroke loggers on unsuspecting users' PCs. In some instances, users do not even have to click on a malicious web page to become infected, he adds.
Johannes Ullrich, chief research officer of the SANS Internet Storm Center, voices concern about DoS threats to VoIP systems. "In the VoIP world, you'd need very little resources to shut it down," he says.
His research indicates that repeated calls to a VoIP phone from a standard dial-up modem totally shut down the VoIP phone connected via a T-1 line. At the heart of the problem, he explains, is how the internet protocol handles call-initiation which can be faked with the modem, thus tying up the phone.
Still other attacks on the emerging software-as-a-service offerings "will blossom" as well, says Patrick Ravenel, chief strategy officer for IT security risk management firm Preventsys. He believes it is only a matter of time before criminals begin "tricking software-as-a-service systems into giving them access to back-end databases using automated bot networks.
"These attacks will be difficult to detect because of the large number of users putting information into forms," he says. So where will it all end? That seems to be a prediction no one is ready to make.
Jim Carr is an Aptos, Calif.-based freelance business and technology writer. He can be reached at firstname.lastname@example.org.
CSO ALERT: What to look for
Here is a list of the things chief security officers should be aware of:
• Targeted spear phishing attacks aimed at financial services organizations and others with valuable intellectual property -- These appear to come from a "trusted" source, such as an administrator within an IT department, and point unsuspecting users to websites that download malicious code, such as keyloggers or other spyware, onto users' PCs.
• Quickly morphing worms, viruses and trojans -- Unlike the worms and trojans seen in previous generations of attacks, which were primarily static code, virus writers are now using automated tools that allow for the creation of multiple variations within hours. No anti-virus vendor can keep up with this kind of moving target, says Johannes Ullrich, chief research officer at the SANS Internet Storm Center.
• Keyloggers deposited on end-user computers via adware and spyware -- These can hide for days or weeks, waiting for users to type authentication-related information, such as usernames, passwords or account numbers.
• Rootkits, which are at the foundation of threats such as the Cool Web Search, EliteBar and ContextPlus spyware -- Rootkits install at multiple points in a file system, using Windows kernel-level interactions to hide executable files and other obvious signs of their presence.
• Dynamic web applications written by developers without training to avoid introducing security vulnerabilities -- This is a particular problem with PHP-based systems, says Christian Wenz, a partner in German security consultancy Hauser Wenz.
• Viruses and worms that jump from one device, such as a PC, to another, including smart phones and USB drives -- We saw this type of assault on the Sony PSP, which was attacked by the Trojan.PSPBrick, a trojan horse that deletes critical system files on a PlayStation Portable device, preventing it from restarting correctly.
2006:The next threats
Mike Murray, director of vulnerability and exposure research at nCircle, believes that there are two key areas that stand out clearly for attention in 2006: targeted attacks and the switch from client- to server-side vulnerabilities.
Rise in targeted attacks: In the past year, the trend has moved away from mass-distributed attacks that blindly assault any computer connected to the internet. These new threats, which carefully target single corporate networks, are becoming more profitable for cyber criminals and increasingly devastating for companies, resulting in the loss of millions of dollars and the trust of their customers.
One of the driving forces behind the development of targeted attacks has been the commitment from major software vendors, like Microsoft, to develop more secure applications and release update patches more frequently. This has significantly decreased the success rate and number of significant mass-distributed attacks (like those that caused Blaster and Slammer) as they have been thwarted at the vulnerability level. As traditional cyber techniques evolve, we expect to see targeted attacks on specific industries/businesses grow at an alarming rate in 2006.
The second key reason for the rise in targeted attacks is the improved level of awareness and sophistication among targeted enterprises during 2005, which manifests in more advanced defense strategies. This in turn limits the potential impact of mass-distributed attacks so black hats look for new vehicles and approaches.
Switch to client-side vulnerabilities: As the most recent SANS Top 20 report showed, the real risk to the enterprise environment has moved well beyond just Windows and Unix vulnerabilities, a trend which is likely to continue in 2006, with increased emphasis on applications themselves as well as hardware. One example was the Santy Worm, which attacked an open-source bulletin board.
Security products such as anti-virus, firewall and VPN products will increasingly become a security challenge themselves in 2006 -- it is a "who's watching the watchers" type of problem. As we have seen in countless numbers of heist films, the first thing that every attacker looks to do is disable the security and alarm systems -- once those systems are disabled, attacks become significantly more difficult to defend against or repel. Therefore, the exploitation of a vulnerability in your security infrastructure leaves you significantly vulnerable to further attack and, thus, needs to be handled quickly.