If there is one certainty in the security business, it is that security professionals and hackers are in a constant battle to protect and exploit vulnerabilities.
Hackers trying to gain entrance into enterprise networks, for example, have seen a host of robust solutions developed and deployed to stop them. While this wasn't always the case, the majority of enterprise networks deploy perimeter defenses, such as network firewalls or intrusion prevention systems, which are just a couple of the well-established solutions with a rich history of research and development behind them.
Opportunity 2.0 for enterprise hackers
Unfortunately, with the rise of social media, corporations are now quite vulnerable once again. Exploits in peer-to-peer software, social networking and instant messaging applications have companies suddenly getting slammed with an entirely new set of security problems.
Few employees realize how dangerous social networking applications are to enterprise security. A study carried out by YouGov earlier this year, which sampled over 1,000 British corporate employees, reveals that 60 percent of users accessed personal e-mail applications and social networking sites from their work computers at least once a week, with 28 percent using an Instant Messenger (IM) application. Even more alarming to security professionals, 90 percent of workers surveyed believe that their work computer is either fairly or very secure, with 67 percent trusting that their IT department has taken the necessary measures to secure their computer against threats.
An additional risk factor is that remote workers have direct access to the corporate network, usually through a virtual private network, opening another avenue for attacks. Hackers can very easily compromise an employee at home, where they will almost always be caught off guard, and in many cases, may not even have any security software installed. This allows the attacker to walk right into the corporate network, bypassing all of those robust security solutions I mentioned earlier.
In some ways, these newer attacks can be much more of a problem than older, more traditional attacks on systems. These new attacks focus on human interaction and target unsuspecting employees. For example, malicious software can replicate simply by using accepted methods of a website, such as posting a comment on a blog. In October 2005, a cross-site-scripting worm targeted users of the popular site MySpace. Without their knowledge, nearly 1 million users were added as "friends" of the worm's author on the community. Though the worm was very simple and innocuous, the flaws it exploited highlight a big problem and could have caused significant problems for the MySpace community.
The vulnerability of videos recently came into focus with a worm that embeds malicious software in Windows Media and Real Media videos. The worm, which basically uses an infected hyperlink in the video file, requires that a user click the poisoned link. Other multimedia sites, such as YouTube, are prime candidates for attack. An attacker could create a custom video, inject it with an exploit, and then upload it to the site. If the video was popular, there could be 20,000 people viewing it, who would all likely be infected.
Vulnerabilities like this are being actively exploited in many applications, such as Microsoft Word, Microsoft PowerPoint and Internet Explorer. Even Mozilla's Firefox browser, often touted as a secure alternative or replacement to Internet Explorer, has had many of its own vulnerabilities exploited. What this really comes down to is that any client-side software product in high demand is a likely target and will commonly contain vulnerabilities.
What solutions are available to prevent these attacks?
Clearly, one of the first things that enterprises should do is better educate employees about the dangers associated with client-side vulnerabilities and other areas of attacks, such as remote access.
While there is currently no silver bullet that will stop all of these attacks, there is some very promising research going into host-based solutions. Solutions that can proactively solve problems like this before they become a threat are key to addressing these issues. One example is locking down a user's computer system with application-based access controls that can control what the application can and cannot do, so that even if an application were to be exploited, no harm is done. Additionally, verifying applications and device drivers before the system allows them to execute on the computer is a very sensible approach.
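The two host-based controls described above, sketched as an added example that is not from the article or any product: applications are verified by SHA-256 digest before they may run, and each approved application is limited to a listed set of actions. The `ExecutionGate` class, the action names and the sample files are hypothetical and constructed for illustration.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash the file's current bytes; this digest is the application's identity."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class ExecutionGate:
    """Hypothetical host policy: approved digest -> actions that binary may perform."""

    def __init__(self):
        self.policy = {}

    def approve(self, path, actions):
        self.policy[sha256_file(path)] = frozenset(actions)

    def may_execute(self, path):
        # Default deny: unknown or modified binaries have no policy entry.
        return sha256_file(path) in self.policy

    def may_perform(self, path, action):
        return action in self.policy.get(sha256_file(path), frozenset())


def demo():
    """Run the gate over constructed sample files and return each decision."""
    with tempfile.TemporaryDirectory() as d:
        viewer, unknown = os.path.join(d, "viewer.bin"), os.path.join(d, "new.bin")
        with open(viewer, "wb") as f:
            f.write(b"constructed media viewer build 1")
        with open(unknown, "wb") as f:
            f.write(b"constructed unapproved download")
        gate = ExecutionGate()
        gate.approve(viewer, {"read_media", "draw_window"})
        out = {"approved_runs": gate.may_execute(viewer),
               "viewer_reads_media": gate.may_perform(viewer, "read_media"),
               "viewer_spawns_process": gate.may_perform(viewer, "spawn_process"),
               "unknown_runs": gate.may_execute(unknown)}
        with open(viewer, "ab") as f:  # simulate the file changing on disk
            f.write(b"\x90patched")
        out["modified_runs"] = gate.may_execute(viewer)
        return out


if __name__ == "__main__":
    print(demo())
```

A real enforcement point has to hash the same file handle it goes on to execute, otherwise the file can change between the check and the launch.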
It's likely that 2007 will be the year that many enterprises will have to come to grips with the new security problems resulting from social media and address them with the same energy, foresight and aggressiveness as they have other problems in the past.
-Mark Zielinksi is a security engineer and a member of Arbor Networks' Security Engineering and Response Team.