It's about all an enterprise can do to "stay at least one or two steps behind" criminal attackers in the constant effort to keep their websites out of trouble (and the news), says Mark Odiorne, the CISO at Scottish RE, which provides life, annuity and financial reinsurance services to the consumer insurance industry. "We have a number of external points of presence to the internet. We've grown those over the past few years and we're constantly checking those for vulnerabilities," he confides.
Odiorne believes it's especially important to perform a thorough assessment "anytime we make a change, such as upgrade a server." He says that Scottish RE's IT personnel are constantly testing the company's "external posture, especially of the servers in our DMZ area."
The testing, performed with Core Security's Core Impact web application assessment product, has paid off, according to Odiorne. Unlike Ameritrade, eTrade, and the City of Lubbock, Texas, all of which have had hidden web application vulnerabilities exploited recently (and lost either money or key personal information as a result), Scottish RE has suffered no break-ins via the web, Odiorne says.
The Core Impact software, in fact, saved the company's skin recently. Odiorne used it to break into a pair of unpatched servers on loan from a third-party data services firm. The vulnerability had the potential to open valuable corporate data to outsiders who, he says, "would have been to able to get data off the box, could have browsed through its directories, or copied files onto a machine." From there, an outsider could have run a keylogger or use it to run malware and/or just become a spam box, he adds.
The exploits available for attacking web applications may sport obscure, if sinister sounding names — SQL injections, "remote file includes" in PHP, cross-site scripting (XSS) and request forgeries (CCSR), and directory transversals are the most common. But they're still among the fastest growing threats that corporate information technology professionals must deal with, according to security experts.
The SANS Institute recently added web application vulnerabilities, in particular, those noted above, to its list of Top 20 Internet Security Attack Targets for 2006. "Most programmers never learned to program securely," explains Alan Paller, SANS director of research, "so they optimize time and don't know they're leaving holes."
The security professionals at consultancy Ernst & Young (E&Y) concur with SANS' assessment of web apps. "From our standpoint, web-based applications have become the main attack vector against enterprises," says José Granado, a principal in E&Y's security and technology solutions practice.
The trend has grown particularly strong over the last 18 to 24 months, he adds. Granado confides that "87 to 88 percent of the time we find a vulnerability in a client's web application," when E&Y performs a security assessment of a client's web site. Mostly, they're SQL injections or cross-site scripting problems, which would allow intruders to "inject malicious code and get to data," he says.
The swing shift
Enterprises are also now finding that they must cope with "a massive growth in zero-day attacks on Windows," says Paller. "It's like nothing we've seen before, as many as three to four times more than a year ago."
Other new threats SANS has put on its "most wanted" list: "Highly targeted spear phising, which has skyrocketed, and attacks on Microsoft Office applications," Paller says.
It all adds up to a fundamental shift in the way enterprises must deal with so-called cyberattacks, Paller believes. "The confidence organizations once had that their [network] perimeter is stopping attacks has disappeared," he says.
"This means that you have to start treating your internet communications with more care," he says. "You have to stop trusting your computers because, more and more, they're not under the control of your users, but more and more under the control of others."
Trust no one
The implications for enterprise security practitioners are varied. "The security architecture you use has to assume that the bad guys are already in your network," says Dan Blum, a senior vice president and research director
at the Burton Group, a research and advisory services firm which focuses on network infrastructure technologies. "You also have to assume your users could be tracked, so you can't trust all of your users."
Pete Allor, director of intelligence for IBM's Internet Security Systems unit, agrees that securing endpoint PCs is critical. "That's where the real problem is when individual computers become compromised, because that's where business is done, where personal data is stored, and thus where the risk is at."
The implications of a break-in go beyond just stealing data: Criminals who take over an end-user's PC "also gain access to the enterprise, which allows them to compromise the network further," with the ability to co-opt them into a botnet for sale to others, Allor says.
This leads to what Granado calls the "perfect storm scenario" — a confluence of cybercrime, increased government regulatory demands on an enterprises's online behavior, and consumer pressure for more and enhanced online security. This amalgamation, he believes, should drive security executives to take on such challenges well before their companies' boards of directors do because massive fallout from security breaches can dramatically impact business initiatives.
"Security-related issues can prevent companies from moving as fast as they want to to expand their business," he explains. "The speed and volume at which your vendor and partner relationships could slow down is huge from a business-growth perspective." n
-Jim Carr is an Aptos, Calif.-based freelance business and technology writer. He can be reached at [email protected] .
Security your brand
While marketing and legal departments have overseen protection of brand assets in the physical realm, addressing these problems in the digital realm also demands the attention of the CSO and CIO. Company and brand name, reputation and consumer trust must be as secure as any other digital asset in today's digitized global economy.
Even as we protect against the direct threats on data security that cyberattackers pose to the environment "inside the firewall," we must be equally vigilant in addressing the security of an enterprise's digital assets outside the firewall. Participating in a global economy, with our front doors facing toward the web, has created the need for a new level of responsibility to the organization and, ultimately, to its customers. Companies which encourage consumers to trust in their brand owe it to those customers to assure that "what they see is what they get."
Some of the more prominent digital age threats that companies must address today include:
Your brand risks being diluted or corrupted when trademarks are infringed upon on the web — either by sophisticated cybercriminals or mischievous social networking users.
Traffic diversion/domain abuse:
You owe it to your customers to make sure they are not being diverted to illegitimate online destinations. Consider the ramifications on consumer trust.
Identity theft and fraud:
One of the greatest transgressions a company can make is to have its customers' lives overturned in ruins due to their loyalty and responsiveness to what they believe is you reaching out to them.
You may have impeccable standards — but how do you know that your partners and affiliates who also represent your brand are in compliance with messaging, pricing and defined best practices?
Since prevention is always better than litigation, digital brand management is a critical new area where C-level technology executives once again can lead the way.
— Kevin Rohde, president, NameProtect, a digital brand management company
TOP SECURITY THREATS:
What to look out for
Spyware has seen massive growth in the past couple of years, and this coming year we expect to see no slowdown. This proliferation has bred an underground economy network with more participants with more experience and skills to profit from stolen data.
Targeted file attachment attacks:
Attackers used 2006 to up the ante against enterprises by using very targeted attacks against specific enterprise networks they wanted to penetrate. They send only a small number of messages to specific individuals and hope to gain an entry point.
2006 has seen the pace or migration of botnets away from internet relay chat (IRC) increased, and many botnets are moving to a web-based model. Instead of a persistent IRC connection, these bots will make a periodic poll to a web server for new commands and updates.
Windows file format attacks:
We saw an increase in the number of attacks targeting Windows file formats. Indications show that hundreds of such attacks are lurking in Office.
The increased number of effective blacklists for phishing sites, such as the ones in Firefox and IE7, has begun to push the phishing criminal community to using very dynamic URLs in an effort to stay ahead of these anti-phishing blacklists.
We expect the trend in the bad guys mapping the good guys to continue, which will continue to erode the visibility into their activities. This includes mapping sensor networks and honeypots, research communities, as well as poisoning them with false data.
Botnets using the IRC protocol have become easy for security researchers to infiltrate. We expect botnets to migrate from IRC to using multiple communication mechanisms, including Jabber communication protocol and web-based communication.
While consumers are becoming aware of generalized phishing, organizations' employees are much less prepared to deal with targeted phishing. We expect to see more phishing targeting specific companies.
The end of 2006 has brought increased effort into finding bugs in the kernels of operating systems. Vulnerabilities in an operating system kernel are far more severe than application vulnerabilities in that they can affect a multitude of applications and can be exploited in ways that silently subvert defenses.
The number of worms propagating using web-based cross-site scripting attacks in 2006 only scratched the surface of this threat. We expect to see a rise in worms that spread by injecting code into web forms such as blog comments and shared community sites.
— José Nazario, software and security engineer, Arbor Networks ASERT team; and Jeff Nathan, senior security engineer and software engineer, Arbor Networks ASERT team.