Take a more holistic view of email security



Emails are essential business communications and collaboration tools and the vast majority of business information is, at some point of its lifecycle, communicated via emails and their attachments. Even though the use of other forms of communications is increasing, email usage continues to outpace them all.
The fact that hackers target emails is not news, but their motivations have changed. They are no longer content with just causing disruption through the damage caused by malware-riddled messages, but now look to steal the sensitive information that many emails contain.
It is therefore essential that email systems are adequately secured. But it is not sufficient to think of email security merely in terms of protection against malware threats. Rather, email security needs to be considered in a wider context that includes protection against outbound threats to prevent data leaking out of an organisation.
Other considerations for email security include mailbox management, continuity, archiving and discovery, and compliance reporting. Continuity is extremely important so that downtime neither impacts productivity nor causes records to be lost. Archiving and discovery are increasing in importance and are ideal candidates for a cloud-delivery model, allowing organisations to securely store and quickly find email records when they are needed. A compliance capability, including blueprints for the main industry standards and government regulations, is also of vital importance for meeting the demands of such mandates that all business records, including those produced electronically, are processed, transmitted and stored in a highly secure manner.
A new report discussing what is required of a holistic email security system and comparing the capabilities of some of the major players in the market is available for download via the following link: http://www.mimecast.com/bloorsecurity.

Taking the offensive on endpoint security


Buzz phrases of the day include consumerisation of IT and BYOD--bring your own device. The former phrase refers to the use of increasingly powerful and feature-rich devices, be they PCs, smartphones or tablet computers, by consumers. The meteoric rise of the tablet computer embodies this trend. According to comScore, the use of tablets in the US alone took just two years to reach 40 million--compared to seven years for smartphones to reach the same level of adoption. And those end users increasingly want to use their own devices to access both work and leisure applications--the second trend, BYOD--as they are often seen as superior to those issued to them by the organisation.
As a result of trends such as these, the number of devices connecting to corporate networks is expanding rapidly and those devices must be managed to ensure that the organisation is not exposed to security vulnerabilities through their use.
Traditionally, securing endpoints has been approached by installing software on every device needing to be protected, which works by scanning programs for signatures that have been developed by anti-virus vendors that indicate that the program is malicious. However, this method is no longer sufficient. The number of viruses and other malware has grown dramatically, with an average of 73,000 malware samples being seen daily in 2011, many of which are variants of known viruses that have been developed to avoid detection. The amount of malware that is considered to be aggressively polymorphic is also growing and this is a further problem with traditional anti-malware technologies as this type of malware is designed to modify itself on each infection. A system based on signatures alone provides no defence against threats that vary from those seen before.
A further problem is that anti-malware programs are large and tend to get bigger as more signatures are added to their defences. It is well known that they tend to be a drain on computer resources, significantly slowing down computer performance, especially at startup and during scans. Even on corporate-owned devices, many users try to circumvent such controls and many would find it totally unacceptable for an organisation to demand that they deploy such controls on devices that they have purchased themselves.
Clearly a new approach is needed--one that provides better protection by guarding against new threats as well as those for which countermeasures have already been made available--and one that does not hinder the user. This can be achieved by subscribing to endpoint security services based in the cloud, whereby only a small agent is placed on each device and protection is applied in the cloud, before exploits can ever reach the device.
Such services are new and there are a number of elements that must be considered, including the types of controls that are provided over and above signatures, the availability of cloud-based threat intelligence networks for identifying new threats, privacy and data protection controls, protection for devices when not connected to the network, and remediation capabilities should any threat still be able to break through the barriers. Bloor Research will be participating in a webinar at 10am GMT on Wednesday 29th February 2012 that will outline what organisations should look for when choosing such an endpoint security system and the benefits that they can expect. For more information and to register for this webinar, click on the following link: The changing face of endpoint security.


Getting ahead in the cloud


Cloud-based computing is growing faster than the IT sector as a whole. There are plenty of analysts throwing numbers about regarding cloud spending. Here are some from Forrester Research: in 2011, US$40.7 billion was spent on public, private and virtual private cloud IT services and that will expand to US$241 billion by 2020. Of that spend, US$21.2 billion was spent on software as a service, which will expand to US$92.8 billion by 2016--26% of all sales of packaged software applications.
One area that is showing particular growth is the market for email management and archiving. It is estimated that around 60% of business-critical data is transmitted via email, either in the body of the text or as attachments, and that information forms the basis of vital business records. All organisations are subject to regulations of some form or another and many of those regulations demand that business records be maintained. Those regulations vary widely from those applicable to specific industries, such as financial services or pharmaceuticals, to those affecting any organisation, such as employment and data protection regulations.
Being able to retrieve those business records when needed is not only vital for regulatory compliance, but also aids greatly in the productivity of workers and in responding to internal or external regulations. According to Osterman Research, 66% of IT organisations that it surveyed referred to email or instant message archives or backup tapes to support their organisation's case in litigation in 2010 and 63% were ordered by a court or regulatory body to produce email or instant message records.
However, whilst the need to maintain business records is stark, technology vendor Proofpoint found in a recent survey that just 54% of large organisations in the US had deployed a technology solution for email archiving in 2010 and another survey, by GFI Software, found that that proportion fell to just over one-third of small and medium-sized companies.
Early email archiving technology tended to focus on the needs of specific types of companies, with financial services particularly well served. And, as email volumes continue to grow and grow, many felt that centrally archiving all emails was too complex a challenge. For large organisations in particular, scalability was considered to be an issue, and many others brushed the issue under a carpet. As a result, many organisations continue to rely on users storing emails on their own hard drives or using the email system itself as a storage repository. Neither is a good option as email records can be hard to find or even lost forever--especially if stored on a piece of equipment that is lost or stolen, which is a common problem with laptops and other portable media. A further issue to be considered is that many employees regularly use their smartphones for sending and receiving emails and those emails need to be captured for future use as well.
However, there is an alternative available that is suitable for any organisation, no matter its size or the regulatory burden that it faces--subscribing to cloud-based email management and archiving services. Such services take the cost and complexity out of managing email storage and provide ancillary services as well, such as business continuity and security. They are also highly scalable and suited to the demands of the mobile workforce.
According to Orlando Scott-Cowley, product marketing manager at cloud archiving vendor Mimecast, "Email archiving is going through the phases of its lifecycle. On-premise solutions are no longer scalable, have become too complex and don't really solve the email retention or litigation readiness problems that organisations have. Companies, whether regulated or not, are now turning to the cloud for their email archiving needs. Those that chose to deploy on-premise archives all those years ago are now finding they have the added complexity of migrating those solutions to more flexible and scalable cloud offerings. Setting their data free has become a bit of a nightmare, but their current on-premise vendors do not appear to be keen to wake them up from their bad dream."
Jon Pilkington, VP marketing and product management at cloud archiving vendor Sonian agrees, stating "Cloud-powered archiving provides a cost-effective, highly scalable solution for SMEs and enterprises alike. We view the cloud as a transformation service that is challenging the capital-intensive, on-premise models in use today, making email archiving accessible to companies of all sizes and verticals."
Email management and archiving are considered by many organisations to be among the most suitable applications for using cloud-based services as they are relatively uncomplicated and uniform. In December 2010, the US government unveiled its "Cloud first" policy, under which federal agencies must consider the option of using cloud-based services when planning new IT projects. In April 2011, the White House CIO stated that 15 agencies had announced that they intended to move their email management and archiving applications into the cloud. Two agencies--the General Services Administration and the Department of Agriculture--claim to have saved some US$40 million by abandoning in-house email. Building on this, the US government announced in November 2011 that all federal agencies have until May 2012 to report on how they intend to improve the way that they store and manage electronic records, including emails, blog posts and social media activity, and the White House, in conjunction with the National Archives and Records Administration, is currently drafting a new records management directive. Using cloud-based services is considered by many to be the best option.
Other governments are following this lead. The UK government has stated that cloud computing should account for half of its IT spend by 2015 and it is hoped that this will reduce its annual IT expenditure of £16 billion by £3.2 billion.
Organisations that follow suit and embrace the cloud for email management and archiving will find that there are many benefits from doing so, not least of which is the peace of mind that business records will be securely preserved and can be easily retrieved as and when necessary. Emails are among the most requested documents as evidence in lawsuits and the courts no longer accept the argument of technical difficulty when dealing with legal issues surrounding email management and archiving. With cloud-based services, the burden and cost is taken out of the hands of the organisation and placed in those of specialists. For a competitive overview of some of the main players, click to download this document: Email archiving best practices

Seminar on migrating to Exchange 2010 and email archiving options


According to recent research, Microsoft Exchange accounts for 65% of email servers in use in organisations today. Many of these are deployments of Exchange 2003, for which Microsoft no longer offers support, and Exchange 2007. According to the Radicati Group, Exchange 2007 accounts for 44% of all enterprise on-premise deployments. However, with the release of Exchange 2010 and other related products by Microsoft, earlier versions of Exchange are losing market share. Radicati predicts that Exchange 2010 will account for 57% of total Exchange deployments by 2014.
Exchange 2010 offers many improvements over previous versions in areas such as more flexible and lower cost of deployment, easier access for mobile clients, and the introduction of email archiving, retention and discovery capabilities. These are just some of the reasons why many organisations are looking to upgrade to 2010--but such migrations are not without risks in such areas as data loss and downtime, which affects productivity.
Email archiving specialist Mimecast is holding a seminar on 3rd November in London to explore the issues organisations face in migrating to the latest Exchange version, as well as to Microsoft's new Office 365 software-plus-services productivity suite, which expands the options for having services hosted and takes many of the tasks of administration and management out of the hands of internal IT resources. Nick Caw from Microsoft will be on hand to explore the benefits of these new products and services further.
As a specialist in email management services, Mimecast is offering services to those organisations looking for a pain-free migration to these new services. It will also introduce its capabilities in add-on services for Microsoft products and services to offer a more complete and robust email archiving capability for organisations that need something more advanced, including always-on capability, even in the event of a server outage. Bloor Research will also contribute, looking at the need for email archiving as well as considerations in selecting a vendor, including a look at the capabilities of some of the major players on the market.
The following link will take you to the registration page for the seminar: The great email migration.

Best practices for email archiving


Given the amount of business information that is contained in the multitude of emails received and sent every day and the need to preserve business records and correspondence for regulatory compliance and governance purposes, as well as for dealing with litigation requests, the use of email archiving technologies and services is growing fast.
Email archiving is not a standalone capability, but should rather be considered as part of a wider encompassing email management solution that provides complementary capabilities in mailbox management, policy enforcement, security, continuity and e-discovery. To ensure that any technology or service selected can cover all of these bases, the capabilities should be tightly integrated as part of one unified system that is built on a common architecture and that provides a single management interface. This will allow for centralised policy enforcement, and will provide management reports that provide an audit trail for governance and compliance purposes.
Bloor Research has today published a report that discusses what organisations should look for when evaluating products or services and looks at the delivery options available in terms of hosted services or on-premise deployments, or a hybrid mix of the two. It then provides details of some of the offerings of the major players in this market sector, comparing the strengths and weaknesses of each. The report can be accessed here: Best practices in email archiving.


BSIMM Version 3 - A Joy to Behold!

The latest version of BSIMM - Building Security in Maturity Model has just been released [27th September 2011].

When the BSIMM project started I was excited but apprehensive - the challenge to produce such a maturity model was enormous. With BSIMM3 we not only see the fruits of a huge amount of detailed work but the team behind it have proven that they can bring lots of disparate firms with different ideas together under the BSIMM banner. The scientific foundation of BSIMM is its strength - the rigour behind the work is a joy to behold.

Check out the details here http://bsimm.com

Nigel Stanley
Practice Leader - Security
Bloor Research

The security challenges of modern data centres


To reduce complexity, a high proportion of organisations are looking at modernising their data centre infrastructure through consolidation, virtualisation and by leveraging the cloud. In traditional data centres, security controls can be applied to each physical system and systems with different levels of criticality or those that contain the most sensitive data can be physically separated. This is no longer the case for next-generation data centres where virtual resources cannot be compartmentalised in the same way and security controls can no longer be tied to physical resources.
While the chief goals of data centre modernisation projects are to enable the business by being able to accommodate rapidly changing business needs, while reducing operational complexity and cost, risk and compliance obligations must also be prioritised.
The modern data centre requires an integrated set of security controls that are applied consistently across physical and virtual systems, as well as those residing in the cloud, with federated management and reporting across hybrid environments that may include extensions to private and public clouds. The only way that this can be achieved is by building security into the design phase at the key inflection points as data centres are built out, virtualised or upgraded, and by applying it consistently across all systems in a hybrid environment that spans physical, virtual and cloud-based computing. This will enable the business by improving its ability to offer dynamic services that are always available, resilient and secure, which in turn improves its capability to manage risk, apply and enforce consistent security policies, and achieve compliance objectives.
A recent paper discusses these issues in greater detail and provides details of the key issues and security controls that organisations should be looking at. The paper can be accessed here: Architecting the security of the next-generation data centre.


What did IPv6 Day prove?


IPv6 Day came and went without much fanfare. That is because, according to participants, it worked. True, there were a few problems encountered, but no more than expected and that was one of the main points of the exercise anyway. According to Cisco, the event proved that careful and gradual adoption will be easier than believed. And Arbor Networks reported that the test was enough to tell us that we can handle the transition to IPv6.
So what happens next? One of the benefits seen from the day is that it has persuaded hardware and software vendors to add support for IPv6 into their products, which has been one of the biggest sticking points to date. There are still further challenges to be overcome, including details of running dual stack IPv4 with IPv6 and new security challenges that are unique to IPv6. But now is the time for all organisations to at least be planning for their own transition.
IPv6 will allow continued growth of the internet, which has become essential for commerce, communication and social interaction. According to Verisign, internal drivers for adoption are for organisations to be as technologically current and future-proofed as possible, whilst external drivers include the need to keep up with the increasing number of devices requiring IP addresses, ranging from mobile and streaming technologies to smart meters, cars, TVs, game consoles and medical devices, plus a surge in new users from emerging markets who all need IP addresses.
Another push for IPv6 take up is that governments worldwide are increasingly looking to promote take up of IPv6. In Europe, national governments are undertaking their own initiatives, as well as efforts being made at an EU level. The US government is going even further as it believes that IPv6 technologies will allow it to pursue policy goals in areas such as healthcare, education and energy. In September 2010, the federal government mandated that all agencies must upgrade external-facing systems to IPv6 by end-2012 and internal applications that communicate with the internet by 2014.
The transition to IPv6 will not happen overnight, but there is finally a great deal happening to spur adoption. Workarounds have been put in place to extend the life of IPv4 within organisations, but these are just that--temporary workarounds, not a long-term solution. According to Alan Way of Spirent: "The organisation that sticks doggedly to its old IPv4 inheritance won't be cut off from the outside world, it will simply suffer increasingly degraded performance as more and more communications move to IPv6. For financial services and such high speed transactions this would be disastrous. For other businesses, it could still erode their competitive edge."

Whitelisting and change control for improving integrity


Taking back control in today's complex threat landscape

Today's security threats are complex and sophisticated and are getting ever harder to defend against. Attackers use multiple methods and vectors to try to bury deep into networks and are increasingly looking for longer term gain, rather than just a one-off theft. Traditional security controls that focus on previously seen attacks are no match for these complex, blended exploits.
Organisations deploy multiple security controls to defend their networks and these still have their place. However, there are newer technologies that have emerged recently that can improve their chances of defending against the insidious threats seen today--those of application control and change control.
Application control uses whitelisting to ensure that only authorised applications are allowed to run and to prevent those carrying a malicious payload from executing: an application that is not on the whitelist is automatically blocked. Change control technologies prevent exploitable vulnerabilities from being introduced into networks by controlling the configuration creep that occurs when changes are made, whether intentionally through patching or upgrades, or through misconfigurations introduced by mistake. Such controls can do much to keep the integrity of the network as intact as possible.
Bloor Research has recently published a report that looks at the role played by these technologies in greater detail. The report can be accessed here upon registration: https://www.bloorresearch.com/research/white-paper/2099/taking-back-control-todays-complex-threat-landscape.html There will also be a webinar on this subject tomorrow, 10th August 2011, at 10am BST. The registration page for this event is here: http://www.brighttalk.com/webcast/288/32519
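An added illustration, not taken from the Bloor report or from any vendor's product, of the two mechanisms described above: a digest-based allowlist that blocks anything not explicitly approved, and a change-control baseline that separates approved changes from unauthorised configuration creep. All file paths, file contents and the change ticket below are constructed sample data.

```python
# Added example: application control (allowlisting by digest) plus change
# control (baseline, drift detection, reconciliation against approved changes).
from __future__ import annotations

import hashlib

# Constructed sample data: approved binaries form the allowlist, approved
# configuration files form the change-control baseline.
APPROVED_BINARIES: dict[str, bytes] = {
    "/opt/app/bin/server": b"\x7fELF server build 1.4",
    "/usr/local/bin/backup": b"#!/bin/sh\nexec rsync -a /data /backup\n",
}
# A modified copy of an approved program: same name, different content.
TAMPERED_SERVER = APPROVED_BINARIES["/opt/app/bin/server"] + b" patched"

BASELINE_FILES: dict[str, bytes] = {
    "/etc/app/app.conf": b"listen=443\ntls=on\n",
    "/etc/ssh/sshd_config": b"PasswordAuthentication no\n",
}
CURRENT_FILES: dict[str, bytes] = {
    "/etc/app/app.conf": b"listen=443\ntls=on\nhsts=on\n",   # covered by a change ticket
    "/etc/ssh/sshd_config": b"PasswordAuthentication yes\n",   # nobody approved this
    "/etc/app/debug.conf": b"debug=true\n",                     # nor this new file
}
# Paths the (hypothetical) change ticket CHG-0042 approved for modification.
CHANGE_TICKET_CHG0042: set[str] = {"/etc/app/app.conf"}


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_allowlist(approved: dict[str, bytes]) -> set[str]:
    """Application control: the allowlist is a set of digests, not file names,
    so renaming a payload to look like an approved program gains nothing."""
    return {digest(content) for content in approved.values()}


def execution_decision(candidate: bytes, allowlist: set[str]) -> str:
    """Default deny: a program runs only if its digest is on the allowlist.
    A never-seen payload and a modified copy of an approved program are both
    blocked, with no need for a signature describing either one."""
    return "allow" if digest(candidate) in allowlist else "block"


def take_baseline(files: dict[str, bytes]) -> dict[str, str]:
    """Change control step 1: record the digest of every approved file."""
    return {path: digest(content) for path, content in files.items()}


def detect_drift(baseline: dict[str, str], current: dict[str, bytes]) -> dict[str, list[str]]:
    """Change control step 2: classify every deviation from the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        path for path in baseline
        if path in current and digest(current[path]) != baseline[path]
    )
    return {"added": added, "removed": removed, "modified": modified}


def reconcile(drift: dict[str, list[str]], approved_paths: set[str]) -> dict[str, list[str]]:
    """Change control step 3: deviations covered by an approved change are
    accepted; everything else is unauthorised configuration creep to investigate."""
    every_change = drift["added"] + drift["removed"] + drift["modified"]
    return {
        "authorised": sorted(p for p in every_change if p in approved_paths),
        "unauthorised": sorted(p for p in every_change if p not in approved_paths),
    }


if __name__ == "__main__":
    allowlist = build_allowlist(APPROVED_BINARIES)
    print("approved server:", execution_decision(APPROVED_BINARIES["/opt/app/bin/server"], allowlist))
    print("tampered server:", execution_decision(TAMPERED_SERVER, allowlist))
    drift = detect_drift(take_baseline(BASELINE_FILES), CURRENT_FILES)
    print("drift:", drift)
    print("reconciled:", reconcile(drift, CHANGE_TICKET_CHG0042))
```

The unauthorised list is what a change-control product would raise as an alert; the approved sshd setting being flipped back to password authentication is exactly the kind of creep the text describes.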

IPv6 Day


The internet protocol (IP) is the primary communications protocol for determining how data packets are routed around the internet and is responsible for the addressing system that ensures traffic is routed to the intended destination. The current version is IPv4 and has worked well for years, running in the background without anyone really worrying about it.
But IPv4 was developed when the internet was a smaller place. Ten years ago, there were slightly over 360 million internet users worldwide; by mid-2010, that had grown to around two billion. However, those numbers do not tell the whole story. Many people use more than one device to connect to the internet, often a mobile device in addition to a PC. As well as this, all manner of devices are becoming internet-enabled--from home appliances to medical equipment, networked cameras to intelligent transport systems, online gaming consoles to cars. It is estimated that there are currently five billion devices connected to the internet and that by 2020 that number will grow to some 50 billion. Each device needs an IP address to identify it on the network and there are simply not enough addresses available with IPv4.
Because of this, IPv6 was developed some years ago, offering a vastly expanded pool of available IP addresses. The transition to IPv6 is not optional as the internet and the number of devices connected to it continues to expand. There are many reasons for switching over to IPv6 beyond the fact that the number of available IP addresses is at exhaustion point--it offers security improvements over IPv4, such as mandatory use of IPSec for encryption and authentication, it offers auto-configuration for new devices connected to the network, it offers superior connections for mobile devices and improves peer-to-peer collaboration capabilities. However, there are also new security issues that it introduces that will need to be addressed, including an increased risk of distributed denial of service and buffer overflow attacks.
According to network equipment and services vendors, those security risks can be mitigated. Of more concern are security issues that are not inherent in IPv6 per se, but rather concern the way that it is used and implemented. Misconfigurations are considered to be among the most important security issues since IPv6 is new, is considered to be complex, and there is a lack of implementation and policy guidance, training and available tools.
In an effort to test drive IPv6 implementations, 8th June 2011 has been designated as IPv6 Day by the Internet Society. A wide variety of organisations will participate in IPv6 Day, ranging from web content providers such as Facebook, Yahoo and Google, to service providers and telcos. The purpose of the day is to gather information about how IPv6 functions in a production environment with a view to accelerating the momentum of its deployment worldwide and to work out how to iron out problems that are already known about, such as IPv6 brokenness, which is primarily related to misconfigured network equipment and faulty firewall settings.
IPv6 Day is not a flag day for worldwide implementation of IPv6, which will probably take a number of years. However, it is an important milestone in terms of uncovering the issues that will be involved in its deployment so that any problems can be solved. The results of IPv6 Day will be reported on in further articles on this blog.


Secure Systems Development Conference - A Must See!

On Thursday 19th May 2011 I will be speaking at The 2nd International Secure Systems Development Conference in London on the subject of smartphone security, entitled "I own your smart phone (and of course your private life and your business life)".

But why is code security so important?

The use of complex software is now part of daily business life. Unfortunately cyber criminals are taking advantage of this to spread malware and to attack systems with the aim of stealing information, money and intellectual property.

Information security specialists have been relatively successful in protecting networks and data systems from these cyber criminals but, to date, computer software has been an Achilles heel, open to attacks that take advantage of bugs and errors in computer code. Once a security bug is found it can be abused by cyber criminals whilst a business, in many cases, remains blissfully unaware that they are under attack.

Computer software must therefore be checked for security related bugs--a process that has historically been very manually intensive and expensive, with limited scalability and needing access to the underlying source code.

It's a software developer's job to write application code that satisfies customer requirements and meets business objectives. This code needs to be functional, usable, reliable and with acceptable performance and supportability. As the modern world relies on software to function, teams of developers must do their best to churn out millions of lines of code under huge pressure to satisfy customer demand. 

With looming deadlines and the need to do yet more work, developers in the past had little time to ensure their code was free from bugs or errors that opened security holes in the application. Fortunately, as many applications ran within a client server network, relatively isolated from the outside world, this approach was normally successful.

Then along came the Internet, the World Wide Web and the subsequent massive growth in handheld devices that exposed what would be normally closed applications to millions of anonymous users. Combine this with the recent introduction of organised cyber criminals continuously looking for new ways of committing crime, and the computer security ground rules have been rewritten forever.

Against this background we have seen a huge move towards componentised code, and the reuse of code libraries and functions that had been developed in house, purchased or borrowed from other developers. As customers have looked to slim down their costs, the use of commercial and open sourced software grew. Outsourced software development has seen projects sent across the other side of the world to be written by developers they have never met in a country they may never have visited. So not only do developers need to worry about security defects in the code they write, but also in the code they reuse.

This perfect storm raises huge concerns in the minds of information security professionals who are trying to get a grip on the scale and diversity of software entering their organisations.
On the other hand we need to consider the developers. The sheer volume of potential security flaws and new and emerging threats can be overwhelming to a developer under pressure to roll out yet another new feature.

Software development managers and information security professionals need to act now to address the security of the software they write, purchase or co-opt into their solutions.

I recommend this event for both security professionals and developers alike.

Nigel Stanley
Practice Leader - Security
Bloor Research

BBC Interviews Nigel Stanley on Phone Hacking

Another phone hacking story went live last week here. This was a package we had recorded a couple of weeks ago and it was scheduled for release during InfoSec 2011 week - as if that week wasn't going to be busy enough!

The video demonstrates just how straightforward and achievable GSM cell phone/mobile phone interception can be, given enough time and some smart folks.

Hopefully people will now believe me when I say that voice data protection needs to be seriously considered!

Nigel Stanley
Practice Leader - Security
Bloor Research

BBC Story on Bloor Research into Jihadists use of Smartphones

An interesting story from the BBC based on some research I have been doing with Nico Prucha based at the University of Vienna.

We found jihadists were compiling packages of information designed to be received on smartphones. They contained copies of videos, songs, speeches and images that followers are encouraged to pass on. Some were using Bluetooth short-range radio technology to anonymously spread information to potential supporters, and there are further implications for mobile phone security following the commoditisation of tools and techniques.

Nigel Stanley
Practice Leader - Security
Bloor Research

Mobile Phone Hacking at Counter Terrorism Expo, London, April 2011


This year's Counter Terrorism Conference (London, 19th - 20th April 2011) looks set to be one of the largest CT events ever.

We need to keep up with new threats and challenges, and I have been asked to speak at the conference on cell/mobile phone security. My session is called "Cell Phone Hacking - The Terrorist's Latest Playground" and is scheduled for 1100hrs - 1120hrs on Wednesday 20th April. It will be based on research I have been conducting into the jihadist use of mobile phones to spread propaganda against a background of commoditised hacking against the GSM mobile phone network.

In addition to speaking at the conference I will be spending time at the Morrigan Partners stand (P44) discussing the issues that GSM hacking is presenting to businesses and organisations. I will be at the stand from 1430hrs - 1530hrs on Tuesday 19th April and 1200hrs - 1300hrs and 1430hrs - 1530hrs on Wednesday 20th April.

If you are interested in the problem of cell/mobile phone hacking come along and have a chat at these times. I'd be happy to speak about more research I am doing and ways in which you can protect your data, systems and users from such attacks by terrorists and criminals alike.

Nigel Stanley
Practice Leader - Security
Bloor Research

What is the most secure smartphone?

If I had £1 for every time I was asked, "What is the most secure smartphone?", I don't think I would be sitting here blogging. The recent withdrawal of a raft of Android apps has yet again focused people's minds on this important question - everyone wants to make sure they are using the most secure device. It's a bit like watching BBC TV's Top Gear - we all want our cars to be rated the coolest of the bunch. After all, who wants to be stuck with a lemon of a phone?

As part of my unhealthy obsession with smartphone security for the foreseeable future I have put together a pretty well equipped lab and test environment so that I can decide what I think, in my humble opinion, is the most secure smartphone and operating system.

I have to say the lady in the Vodafone store thought that Christmas had come early when I ended up walking out with half a dozen smartphones in one go. Sad to say, this now makes my mobile phone collection far larger than what is considered normal outside of drug dealing circles. I have everything from early 1990s monsters through to the Apple iPhone 4 and most in between.

Anyway, I will be conducting a great deal of research over the next 12 months, including a couple of academic papers in support of an MSc I am completing at Royal Holloway, University of London in information security. My project is on smartphone security and I am lucky to have the support of a major network provider (more of whom later) who are interested in the outcome of my report as well.  

So, what smartphones will I be reviewing and more importantly using for day to day business as well as trying to break?

I have a Blackberry Bold which I have just commissioned, upgrading from my older "work" Blackberry. (The only problem is I keep trying to caress the screen à la iPhone to make it work. Top tip - Blackberries don't work like that...)

The Apple iPhone I have is a work of art. I love the touch screen but I am infuriated by the app store, and in particular the lack of response I have had when trying to setup an account. That said I have managed to access some apps via Mrs S's account (with permission) and the Trainline app is very useful.

I have not spent much quality time with my HTC Wildfire, Nokia N8 or LG900 but plan to do so over the coming months.

So there you have it. I will report back regularly on how I manage to break, disable or otherwise destroy these phones all in the name of research over the next year. In the meantime I am going to be using my old faithful Nokia for voice calls and Blackberry for emails. 

I will be at the InfoSecurity exhibition in April running a keynote on smartphone security if anyone fancies a chat. There are also a growing number of papers I have written on this subject on the Bloor website.

Nigel Stanley
Practice Leader - Security
Bloor Research
DDoS attacks: coming to a network near you


There has already been much fallout from the recent massive release of information by the WikiLeaks organisation--including attacks on WikiLeaks itself by those angered by its actions that aimed to disrupt and discredit the organisation. This saw WikiLeaks targeted by a variety of sustained distributed denial of service (DDoS) attacks that aim to make its web presence inaccessible.
Although these attacks were seen to be relatively modest in size and not very sophisticated, the publicity that they received has served to raise awareness of the dangers of such attacks, which can be costly and time-consuming to defend against. DDoS attacks occur when a hacker uses large-scale computing resources, often using botnets, to bombard an organisation's network with requests for information that overwhelm it and cause servers to crash. Many such attacks are launched against websites, causing them to be unavailable, which can lead to lost business and other costs of mitigating the attacks and restoring service.
DDoS attacks are actually extremely widespread. A recent survey commissioned by VeriSign found that 75% of respondents had experienced one or more attacks in the past 12 months. This is echoed in recent research published by Arbor Networks of 111 IP network operators worldwide, which showed that 69% of respondents had experienced at least one DDoS attack in the past year, and 25% had been hit by ten such attacks per month. According to Adversor, which offers services to protect against DDoS attacks, DDoS attacks now account for 4% of total internet traffic. Another provider of such services, Prolexic Technologies, estimates that there are 50,000 distinct DDoS attacks every week.
The research from Arbor Networks also shows that DDoS attacks are increasing in size, making them harder to defend against. It found that there has been a 102% increase in attack size over the past year, with attacks breaking the 100Gbps barrier for the first time. More attacks are also being seen against the application layer, which target the database server and cripple or corrupt the applications and underlying data needed to effectively run a business, according to Arbor's chief scientist, Craig Labovitz. Among respondents to its survey, Arbor states that 77% detected application layer attacks in 2010, leading to increased operational expenditures, customer churn and revenue loss owing to the outages that ensue.
Measures that are commonly taken to defend against DDoS attacks include the use of on-premise intrusion detection and prevention systems by organisations, or the overprovisioning of bandwidth to prevent the attack taking down the network. Others use service providers, such as their internet service provider (ISP) or third-party anti-DDoS specialists, which tend to be carrier-agnostic, so not limited to the services offered by a particular ISP. The first two options are time-consuming and costly to manage by organisations and they need the capacity to deal with the massive-scale, stealthy application-layer attacks that are being seen.
With attacks increasing in size and stealthier application-layer attacks becoming more common, some attacks are now so big that they really need to be mitigated in the cloud before the exploit can reach an organisation's network. ISPs and specialist third-party DDoS defence specialists monitor inbound traffic and when a potential DDoS attack is detected, the traffic is redirected to a scrubbing platform, based in the cloud. Here, the attack can be mitigated thus providing a clean pipe service--the service provider takes the bad traffic, cleans it and routes it back to the network in a manner that is transparent to the organisation.
Guarding against DDoS attacks is essential for many organisations and especially vital for those with a large web presence, where an outage could cost them dearly in terms of lost business. DDoS attacks are becoming increasingly targeted and are no longer just affecting larger organisations. Rather, recent stories in the press have shown that organisations of all sizes are being attacked, ranging from small manufacturers of industrial food processing equipment and machinery through to large gambling websites.
By subscribing to cloud-based DDoS mitigation services, organisations will benefit from a service that not only provides better protection against DDoS attacks than they could achieve by themselves, but can actually reduce the cost of doing so as the cost of hardware and maintenance for equipment required is spread across all subscribers to the service and organisations don't need to over-provision bandwidth as the traffic is directed away from their networks. For protecting vital websites, subscribing to such a service is akin to taking out insurance for ensuring that website assets are protected, and the organisation can protect itself from the cost and reputational damage that can follow from a successful DDoS attack that renders services unavailable.


McAfee and Wind River - Blown Together Nicely

Life is moving fast in the world of mobile device security. With announcements this week at Mobile World Conference of ever more powerful smartphones and mobile devices the game of security catch up needs to be happening quicker than ever.

The recent announcement of a strategic hook up between McAfee and Wind River shows that the big players are taking this seriously, and clearly with Intel's hardware expertise thrown into the melting pot it presents an interesting view of mobile device security being, at long last, supported with specially designed solutions rather than crippled PC products crowbarred into a smaller form factor.

As cloud computing becomes more prevalent, the need to secure non-PC based endpoints that access remotely hosted corporate data becomes a number one concern for CISOs - or if it isn't it should be.

Nigel Stanley
Practice Leader, Security
Bloor Research  

Web security in an always-on world


My habits are not dissimilar to those of many others. In the morning, my first act is to collect my phone from beside the bed, check my email accounts and then look to see who has posted what on Facebook and Twitter. All these services are based in the cloud, accessed directly via the internet. But web-based services have become the preferred way for criminals to disseminate malware, with the intention of harvesting information that can be used for financial gain. As well as this, mobile devices are becoming an increasingly attractive target for hackers and issues surrounding smartphone usage are now being seen as a major issue for organisations looking to protect their sensitive data from loss or misuse. 


Where organisations once looked to limit or block the use of mobile devices and web collaboration and social media tools, many have now come to realise the value of such devices and applications as they enable greater flexibility and productivity. According to research by technology vendor Clearswift, 61% of respondents to a survey conducted in the UK in 2010 stated that their organisations are encouraging or allowing the use of collaborative and social media tools, and more than half say that their use is critical to the business. For social networking site Facebook, the greatest growth is being seen among the 35-plus age group. The use of mobile devices is also seen as critical and research shows that smartphone shipments will overtake those of PCs in 2011. And new tablet computers are proving to be a runaway success. 


The technology tide cannot be turned back. Rather, the onus is on organisations not just to allow the use of such tools, but to ensure that in doing so they are not adding to the security risks that they face. Since so much malware is delivered via web applications and users connect to web-based applications directly via an internet browser, an organisation must ensure that it can control what applications users can access, to avoid them visiting sites that are riddled with malware or that contain inappropriate content that could harm the organisation's reputation. They must also be able to control what information can be downloaded from or uploaded to web applications, from whatever device is being used.


Traditionally, web security controls have been delivered via an appliance, installed within the organisation's four walls and administered and managed locally. That works fine for large organisations where employees generally work from the office, but is generally too expensive an option for smaller resource-strapped organisations, or those with large numbers of mobile workers, for which VPN technologies would also have to be purchased to provide a secure connexion to the appliance. 


The advent of cloud-based computing opens up the playing field. It allows users to connect directly to resources, providing always-on, instant access from anywhere at any time, and is particularly suited to smaller organisations--especially those that are looking to benefit from the economies offered by software-as-a-service applications--and to those with large numbers of mobile workers or geographically dispersed operations.


In order to ensure the security of those applications and to control access to the data they contain, specialised cloud computing vendors began to develop web security services based in the cloud, backed up by global threat intelligence networks that look to stop malware in the cloud, before it can even reach end users. Such specialised vendors in the market include Webroot, which added to its capabilities with the acquisitions of BrightCloud and Prevx in 2010, Clearswift, which recently expanded the capabilities of its products and services, and Websense, which has combined its web security protection with outbound DLP for content control. 


There are also specialised vendors that have been acquired by larger security or networking players. These include Cisco, which acquired ScanSafe, McAfee, with its MX Logic acquisition, Symantec, which acquired MessageLabs and MI5 Security, and M86 Security, which recently acquired web security capabilities from Finjan. All of these are building out their cloud-based web security offerings, looking to extend their presence in the SME sector and to cater to mobility trends. The newest entrant to the market is network security and management company Blue Coat Systems, which has just unveiled its new cloud-based web security offerings. All of these vendors have also announced that they are unveiling hybrid options to allow organisations to combine the use of appliances deployed on-premise with cloud-based services for those that need them. 


With threats emanating over the internet a constantly growing problem, more organisations should evaluate the developments being made in web security offerings--especially since research from the Computer Security Institute shows that just three-fifths of organisations are using any web security controls, such as URL filtering. A survey conducted during Infosec in London in April 2010 found that 62% of organisations with 500 or more employees and 43% of smaller organisations had experienced virus and other malware infections in the past year--up from just 14% of organisations of any size in the 2008 survey. 


There is a pressing need for organisations to pay greater attention to web security since web applications are a prime vector of attack and growing more so. And the time is right to do so. All the vendors mentioned in this article continue to build out their capabilities and there is something suited to every organisation--from the smallest microfirm to multinational enterprises.

Critical infrastructure under attack


Critical infrastructure is a term that is used to describe assets and facilities that are essential for the functioning of society and the economy. It encompasses a wide range of vital assets, including utilities and communications networks, food and water supply, oil and gas facilities, public health systems, transport networks and financial services. Should such services be disrupted, the consequences could be dire. 


Yet many organisations operating critical infrastructure facilities--some 90% of which are private organisations--feel that while the threats are real, they are not adequately prepared to defend against an attack on their IT systems. A survey conducted by Secure Computing, now part of McAfee, asked respondents to indicate their state of readiness for defending against IT threats in eight different industries in the critical infrastructure realm. More than 50% of respondents stated that utilities, oil and gas, transport, telecommunications, chemical, emergency services, and postal and shipping industries were not prepared, with the energy and oil sectors emerging as the most vulnerable targets and, therefore, the most likely to be attacked. 


Attacks against critical infrastructure have been on the rise. These range from wide-ranging nation state attacks, such as that seen against Estonia, that caused widespread services outages affecting a range of industries and the government sector, many of which are providing vital services, to the targeted attacks seen recently against high-value nuclear infrastructure facilities in Iran. 


Highly targeted in nature and generally employing a range of techniques in combination in an attempt to evade defences and make their attacks more likely to be successful, malware threats are becoming increasingly sophisticated and complex. Malware writers also increasingly test their exploits against defences that are available and release large numbers of variants of a particular strain of malware to avoid detection by anti-malware technologies that rely on signatures of known viruses and blacklists of applications known to be malicious to guard against infection. 


That is a game of catch up that can no longer be won. The most recently reported attack on critical infrastructure was perpetrated against oil, gas and petrochemical companies, purportedly by Chinese hackers, and has been dubbed 'Night Dragon'. McAfee reports that the attacks, which looked to steal proprietary information, have been going on undetected for some four years owing to the elaborate mix of techniques that were used against the companies' websites and staff to compromise their operations. McAfee states that, despite penetration testing, the breadth and complexity of the computer systems in place made it difficult to link malicious actions together.


However, application whitelisting vendor CoreTrace states that whitelisting technology can actually stop such attacks from occurring, in a proactive manner. Rather than relying on signatures identifying attacks that have already been seen, whitelisting works by only allowing approved applications that are known to be good to run. It states that its technology can stop attacks such as Night Dragon in their tracks.


According to JT Keating, VP of marketing for CoreTrace: "The new attack against critical energy infrastructure computers, code named 'Night Dragon', utilises multiple remotely controlled applications on servers and PCs. Application whitelisting technology stops 'Night Dragon' and 'Stuxnet' type attacks by preventing the execution of all applications that are not on the whitelist for each computer in the infrastructure--including both malicious and legitimate remote control applications used in these attacks." With hackers now looking for fortune rather than fame, only a proactive stance to security will allow organisations to stay one step ahead of their attackers.
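A minimal illustration of that contrast, added here and not CoreTrace's or McAfee's code: a signature blacklist that only recognises hashes it has already catalogued, beside a per-host allowlist that runs only binaries approved for that specific computer. All binaries, host names and policies below are constructed stand-ins.

```python
"""Signature blacklist vs. per-host application allowlist (added example).

The blacklist blocks only samples it has already seen, so a trivially repacked
variant slips through. The allowlist is default-deny per computer, so the
variant, and a legitimate remote-control tool not approved for that host,
are both blocked. Every binary, host and policy here is constructed.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

# Constructed stand-ins for executable contents (not real software).
PAYROLL_APP = b"MZ payroll-client v2.1"
PLC_MONITOR = b"MZ plc-monitor v7"
REMOTE_ADMIN = b"MZ remote-admin-console"            # legitimate remote-control tool
KNOWN_RAT = b"MZ rat loader build 41"                # sample the blacklist has catalogued
REPACKED_RAT = b"MZ rat loader build 41" + b"\x00"   # one-byte variant of the same strain


def fingerprint(data: bytes) -> str:
    """SHA-256 of the file contents; both approaches key on this value."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class SignatureBlacklist:
    """Default-allow: anything not previously catalogued as bad may run."""
    bad_hashes: set[str] = field(default_factory=set)

    def learn(self, sample: bytes) -> None:
        self.bad_hashes.add(fingerprint(sample))

    def verdict(self, sample: bytes) -> str:
        return "block" if fingerprint(sample) in self.bad_hashes else "allow"


@dataclass
class HostAllowlist:
    """Default-deny: only hashes approved for the named host may run there."""
    policy: dict[str, set[str]] = field(default_factory=dict)

    def approve(self, host: str, sample: bytes) -> None:
        self.policy.setdefault(host, set()).add(fingerprint(sample))

    def verdict(self, host: str, sample: bytes) -> str:
        # A host with no policy entry at all runs nothing.
        approved = self.policy.get(host, set())
        return "allow" if fingerprint(sample) in approved else "block"


def compare(host: str, sample: bytes,
            blacklist: SignatureBlacklist, allowlist: HostAllowlist) -> dict[str, str]:
    """Verdict of each approach for one binary on one host."""
    return {"blacklist": blacklist.verdict(sample),
            "allowlist": allowlist.verdict(host, sample)}


def build_demo() -> tuple[SignatureBlacklist, HostAllowlist]:
    blacklist = SignatureBlacklist()
    blacklist.learn(KNOWN_RAT)                      # the only strain with a signature

    allowlist = HostAllowlist()
    allowlist.approve("hmi-01", PLC_MONITOR)        # operator workstation: monitor only
    allowlist.approve("finance-07", PAYROLL_APP)    # back-office PC
    allowlist.approve("finance-07", REMOTE_ADMIN)   # helpdesk may remote into finance, not the HMI
    return blacklist, allowlist


if __name__ == "__main__":
    bl, al = build_demo()
    for host, name, sample in [("hmi-01", "known RAT", KNOWN_RAT),
                               ("hmi-01", "repacked RAT", REPACKED_RAT),
                               ("hmi-01", "remote admin", REMOTE_ADMIN),
                               ("finance-07", "remote admin", REMOTE_ADMIN)]:
        print(f"{host:<11}{name:<14}{compare(host, sample, bl, al)}")
```

The repacked variant and the unapproved remote-control console are exactly the cases the blacklist passes and the per-host allowlist stops.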

Sound Trojan for Smartphones


This is an interesting paper. It introduces some work called Soundminer, "a stealthy and context-aware sound Trojan for smartphones".

It explores the threat of smartphone malware with access to on-board sensors, which opens new avenues for secret collection of private information. The trojan intelligently "pulls out" sensitive data such as credit card and PIN numbers from both tone- and speech-based interaction with phone menu systems.

It shows how potential attackers can now target side channel information.

Nigel Stanley
Practice Leader - Security
Bloor Research
