The Neel Mehtas of the world can chase headlines all they want looking for the next big splashy vulnerability. But what’s more important than the “novelty factor” of Heartbleed is the relentless repetition and adaptation that are so important to attackers today. That has nothing to do with sensationalism, and everything to do with practicality.
The one iron law in security is that the attackers are economic creatures like everyone else. They are professionals who want the appropriate return for their investments in labor and time, given the goals they have. If you are working for the Chinese People’s Liberation Army and have a goal of compromising a defense contractor to steal industrial secrets worth billions of dollars, you should be willing to invest quite a bit of time and money to penetrate their networks. The targets are few, the defenses strong and the prizes rich. On the other hand, if your goal is to smash-and-grab as many credit card numbers as possible, or to download medical records in bulk to commit medical fraud, the targets are much more numerous – and the defenses more porous.
Because 95 percent of the attackers fall into the second camp, attackers don’t need to be particularly clever. They want maximum gain and minimum effort. For this reason, for the vast amount of incidents we see are characterized by repetition and adaptation, not novelty. Simply put, attackers look around, see what is successful and adapt. That’s why the phishing attack that compromised RSA exploited a component (Adobe Flash) that had a history of vulnerabilities. That’s also why that large parts of the code used in the point-of-sale (POS) compromises are nearly three years old. And that’s why the number of vulnerabilities in the world’s most popular browser has increased geometrically for the past three years. If these things didn’t work, attackers would stop doing them.
So, the question we need to ask is what’s working today? And what is likely to be copied and “riffed on” by attackers seeking to be as economically efficient as possible? Here are some ideas. These aren’t totally novel, but that is exactly the point. Novelty doesn’t matter if you can adapt some old patterns to new “markets.”
Watch out for attacks on suppliers
Target was compromised because a lowly air-conditioning vendor that had a directory account on their servers was compromised first. Supplier risk has long been a key topic of concern for bank examiners. But outside of financial services, this is a totally new area of concern. Look for this to be a big area of focus in the future as attackers copy what was done with Target.
Point-of-sale and embedded systems can be entry points
We know from the Neiman Marcus and Target examples that attacks on POS systems work very well. These and other embedded systems often run aging operating systems and aren’t maintained as rigorously as your typical data center servers. There are nearly 300 large retailers, hotels and hospitality chains in the U.S. with more than 1,000 employees. All of these have POS and embedded systems. It should be a target-rich environment (so to speak).
Medical networks under surveillance, and attack
In the rush to interconnect electronic health records (EHR) systems between hospitals, insurers and consumers, do we know that security has been properly accounted for? The U.S. government estimates that health care fraud costs $80 billion a year. At least $12 billion of this is identity theft related. With more than 1,800 large health care and life sciences companies in the U.S., attackers will have opportunities. Personally, I will be paying particular attention to medical device, biotech and pharmaceutical research companies. These companies aren’t, strictly speaking, covered by the HIPAA and HITECH laws that protect medical information. Many feel that the laws don’t apply to them at all. But blind spots are future trouble spots.
Data collected from professional social networks such as LinkedIn can be used to create extremely authentic and insidious phishing emails. We’ve seen phishing attacks for years; according to industry sources, 95 percent of intrusions begin with phishing attacks. The ones we are starting to see that use social network information are much more clever. We call this trend “Attacks become much more personal” and think it will be a key attack pattern in the future. That’s why software that stops “targeted attacks” is now the hottest area of computer security.
Will any of these become the next Heartbleed? Perhaps, and perhaps not. There will be plenty of other types of attacks we can’t envision today. But rather than predicting the next lightning strike – the next unknown areas of vulnerability – it is far better to pay attention to the areas we already know are vulnerable.