Cybercriminals have over the past year grown more innovative and relied heavily on opportunistic, targeted and blended attacks, a security researcher said Wednesday at SC World Congress in New York.
Some of the most prevalent threats of the year have included attacks such as poisoned search results, rogue anti-virus, social networking malware and malicious advertisements, Chester Wisniewski, senior security researcher at anti-virus firm Sophos, said during a session that examined the changing threat landscape.
Also, blended attacks, which use a combination of threat vectors, have been a favorite among cybercriminals this year.
The latest variants of the data-stealing malware Zeus, for example, contain built-in instant messaging clients, which are used to notify botmasters when a user has logged in to his or her online bank account, he said.
“These guys don't stop innovating,” Wisniewski said. “The more we educate the users, the more they have to innovate and get creative.”
Over the past year, attackers have increasingly launched targeted attacks using unknown malware to silently steal data from compromised machines, Wisniewski added. However, the threat of targeted attacks has, over the past year, received more attention due in large part to Google's disclosure that its systems were compromised in a highly sophisticated and targeted attack, believed to originate in China.
But while the awareness of certain threats has increased, many organizations are still falling short on even the most basic information security tasks, such as implementing patches in a timely manner, Wisniewski said. In general, organizations should give priority to patches for flaws that allow remote code execution or elevation of privileges.
In addition, organizations are more often facing challenges with employees' use of personal computing devices, he said. The so-called “consumerization" of IT is an industry-wide problem that remains to be solved.
“We need to figure out ways to provide safe access without the transfer of data to an insecure device,” Wisnewski said.
Meanwhile, during the session, a member of the audience asked if there is any way to prevent zero-day attacks. Wisnewski responded that even with layered security, it is impossible to completely mitigate attacks that take advantage of unknown and unpatched vulnerabilities.
However, he said, security products today commonly include advanced security features that organizations rarely take advantage of, but which could help.
Another panelist in the session, Eamonn Medlar, head of systems security at global advertising and marketing company WPP, said technology is half of the solution to mitigating threats, especially of the zero-day variety.
Just as important is end-user training and education, he said.