2011 was the year of hacktivism and advanced persistent threat, underpinned by a near-constant drumbeat of high profile breaches. None of these were actually new in 2011: APT has been talked about for several years now, and hacktivism has been around for far longer. Breaches, of course, have been around for as long as we've had computers. What's new is the level of public awareness and press commentary. All three of these have made front page headlines routinely throughout 2011, with literally more than a major story per day on average throughout the entire year. In this environment of heightened awareness and high noise level, what are the critical themes and issues we need to care about as security professionals, and what's hype? Here's my list:
- Publicly available exploits & mass malware. Although APT has been garnering all the headlines, mass malware and publicly available exploits are a bigger concern for the vast majority of companies. If you're one of the chosen few that's a strategic target of the APT actors, you have the privilege of worrying about both – but for everyone else, you're subject to automated attacks and drive-by downloads on a constant basis and need to protect against them as a top priority. Dan Guido did some ground-breaking research on malware, showing that in 2010 only 13 vulnerabilities were targeted – and between 2006-2010 only 75. Make sure you're up to date for that high priority list. Dan also suggests some broader mitigations that protect against classes of malware, such as enabling DEP for IE, Firefox, Java, Flash, and Reader. Similarly, familiarize yourself with the publicly available exploits in places like exploitDB and make sure that you're up to date for those point and click exploits. (Rapid7 Nexpose customers can see both of these types of vulnerabilities highlighted in their reports).
- Perimeter exploit exposure. Although it's fashionable to say that there's no network perimeter any more, the takeaway shouldn't be that you should ignore the perimeter. It's as important as it's ever been – you just need to worry about hardening the inside in addition to the perimeter. With that in mind, vulnerabilities that affect your external perimeter, like MS11-083 where attackers can send UDP data at closed ports to cause DoS attacks or even remote code execution are particularly concerning despite the relative complexity of exploiting them.
- Social engineering. For most companies, the weakest link is their employees or contractors clicking on malicious links, files, or inserting malicious USBs. The top two attack vectors identified in Microsoft's Security Intelligence Report Volume 11, which together account for over 70% of the total, both require this kind of direct human interaction. The best prevention here is education, as well as protecting against mass malware as outlined in #1 above – if you've patched your systems against the small number of vulnerabilities targeted by mass malware and taken broad brush steps like DEP and whitelisting, then even when your employees click on the wrong things you can minimize the damage they cause.
- Web application security. Most breaches in 2011 have used SQL injections to compromise poorly written web applications. This was the case with the widely publicized Sony breach, to name just one example. Web application scanning and better security SDLC training for web developers are the keys to addressing this. As more active content migrates to the browser through HTML5 and Flash, we expect WAFs will become structurally less effective since they literally can't see these client side interactions.
- Auto-run attacks. Fully 43% of malware infections analyzed by Microsoft misused Windows' Auto-run feature, either for network shares or for USB devices. Given those stats it's worth asking whether this feature has enough ease-of-use benefit to be worth the security risk.
- Lack of patching. According to Microsoft, only 0.12% of attacks target zero-day vulnerabilities, so that implies that the other 99.8% target vulnerabilities that don't exist on patched systems.
- Zero day attacks. As above, Microsoft's data tells us that only 0.12% of attacks target zero-day vulnerabilities. Part of the issue here is simple economics: with the vast majority of attacks having a financial motive, ROI matters. Zero day exploits take either a lot of high skill research to find, or equivalently a lot of cash to buy on the open market. It's far cheaper to use an exploit from an exploit pack that targets a known vulnerability for around $28 to $50 each (the exploits are actually free, the price is for the finished packaging & management) vs. spending $50,000 to $80,000 for a new zero-day in proof of concept form and completing the development yourself. With these economics, today's business-minded hackers will invest in zero days only for their highest value targets. And they don't hold their value after use: after they've been used and discovered, they become known vulnerabilities and their value plummets back to zero.
- APT. If you're a strategic target that attracts the attention of state actors, then the threat of APT is very real and a top concern. There's a huge amount of cyber espionage that goes on every day, primarily driven by China, but Russia, Iran, North Korea and others all play the game. I've heard credible stories from targets outside the ones you'd expect (governments, defense industry, NGOs aligned with interests antagonistic to the actors above, money center banks, IP-laden technology companies, etc), for example an investment bank who was involved in a Chinese deal that got hacked by the company he was negotiating with to aid their bid strategy. All that said, for everyone else it's neither super relevant nor particularly new. APT has actually been around for years even though it suddenly arrived in the public consciousness in 2011. The thing that tipped this into the over-hyped bucket for me is not just the oceans of ink spent on it or the relatively limited percentage of the world that's an actual target, but the fact that it's now fashionable to attribute any successful breach to APT: “they were just hyper advanced, there's nothing we could have done about it.” Sure.
- Antivirus. The dirty “secret” of the security world is that AV is largely ineffective – most companies that test this seriously suggest that the detection rate is sub 20%, and some people believe it may be sub 10%. Why is that? It's simple – there are a number of “testing” services available today that take a malware sample and run it past all the major AV engines. This is a useful service for companies trying to figure out whether a sample they have is malicious, but it's also vital for the hackers who use these kind of services as a QA criteria to test their malware before they use it: they keep tweaking the code and/or re-packing until it flies past all the AV engines. By definition then, all of these tweaked versions of malware are undetectable by all of the major AV engines when they launch. Unfortunately, due to its history and inclusion in many corporate and regulatory compliance mandates, companies place too much reliance on AV and as a result can have a false sense of security.
What Do You Need to Do to Become More Secure?
With all of these issues, what can you do to make yourself more secure? We suggest getting the basics right. Where possible, create routine processes that ensure security on an ongoing basis, rather than a set of ad hoc activities to solve specific one-off issues. For example:
- Have a standard patch management SLA for all critical issues.
- Use vulnerability management and configuration assessment tools to identify where you have process or tools gaps, and address them. Ideally, the tool you select should identify publicly available exploits, mass malware targets, and web application vulnerabilities.
- Implement broad brush hardening techniques such as DEP on common malware targets such as IE, Firefox, Java, Flash, and Adobe Reader (This approach helps against many classes of malware including zero days and APT for those that are targeted). On a related note, turn off auto-run for your Windows clients.
- Build business continuity and incident response plans and test them quarterly to make sure they work.
- Ensure that your business leadership understands the risks, your plans, and the investments required for success.
- Do EFFECTIVE security awareness training for all personnel, and implement a strong security SDLC in your application development teams.
- Do regular penetration testing to vet your end-to-end security architecture, processes, and incident management approach.
- Create clear accountability for each area, with clear expectations and standard reports.