Social networking will be the attacker platform of choice in 2011, says Ed Skoudis, founder and senior security consultant with InGuardians.
"But organisations will also have to look out for attacks using memory-scraping, lessons learned from Stuxnet, hardware hacking, and exploiting lack of defences around Internet Protocol version 6 (IPv6)," he told attendees of RSA Conference 2011 in San Francisco.
Skoudis, who has also authored and regularly teaches the SANS Institute courses on network penetration testing and incident response, said the "bad guys" always move to where the action is, which is now social networking sites like Facebook and LinkedIn.
Attackers like social media because users so easily give up their personal information and there are so many attack vehicles, he said, such as posting enticing links to malicious sites and applications that ask for information about users and their friends.
Businesses need to educate their users about the dangers of disclosing information on social networking sites, said Skoudis.
Businesses should also establish their own official presence on social networking sites to prevent anyone else from setting up a fake site and they should monitor social networking sites to see what staff and others are saying about the company or its brand.
Johannes Ullrich, head of the SANS Internet Storm Center, said threats are also becoming automated, such as using search engine optimisation to promote links to malicious sites.
"Attackers are also using browser history to make social engineering scams more plausible by linking to previously-visited sites or using malicious pop-ups related to victim's interests.
Ullrich said businesses should use DNS monitoring, which is easy and inexpensive, to detect malware used on social networking and other sites.
Memory scraping is responsible for many of the biggest data breach cases, said Skoudis, and is typically used to penetrate organisations that have so-called end-to-end encryption deployed.
The problem is, that although all information is encrypted at source, during transmission, and in storage, it is typically not encrypted while it is being processed by an application.
"Attackers know that data is usually decrypted for processing and they are therefore targeting and capturing it while available in clear text in memory, using the memory scraping functionality of Metasploit's Meterpreter, " said Skoudis.
Businesses should look for any leakage of personal information, and data leakage prevention (DLP) will help where leakage is accidental, he said, but businesses must realise that it will not help against determined attackers and that end-to-end encryption is not a panacea.
"Encryption helps, but strong host security is still vital," he said.
Pivoting through IPV6 is on the rise as an attack method, said Skoudis. The problem is the IPV6 has been enabled in many organisations and they are not even aware of it and have not put any monitoring or defence mechanisms in place.
"IPV6 is enabled by default on most modern operating systems, including the latest couple of versions of Microsoft Windows, Mac OS and Linux," he said.
Most enterprise firewalls and intrusion detection and prevention systems have relatively few capabilities for detecting or blocking attacks through IPV6, said Skoudis.
"Attackers are coming through IPV4 and pivoting to IPV6, which enables them to access the corporate network largely unimpeded," he said.
Skoudis said business should disable IPV6 everywhere on their networks where it is not currently needed, to give them time to plan deployments of IPV6 when necessary and make sure security defences actually address the threats.
Ullrich said that like all new technology, businesses need to plan for and gradually roll out IPV6.
"Although it is easy to turn on, the switch to IPV6 requires substantial planning and rethinking of existing network designs, especially as there is no proper tool yet to monitor IPV6," he said.
According to Skoudis, Stuxnet is relevant to every business because it provides a glimpse of malware to come.
Businesses should be preparing for malware that uses the same techniques and characteristic as those of Stuxnet, such as stolen security certificates, multiple zero-day vulnerabilities, fine-tuning for a specific target or environment, and the ability to cause physical damage including loss of life through cyber attacks.
"Stuxnet underlines the need for businesses to have thorough security programmes that cover the SANS top 20 vulnerabilities and are vigorously applied," he said.
Finally, businesses need to take note that hacking of hardware is also on the rise, said Skoudis, and will become more mainstream as attackers are forced to seek other avenues as software becomes harder to exploit.
"Businesses should think about what hardware hacking could mean for their organisation and hardware makers should start carrying out penetration testing of their products to protect customers against this kind of attack," he said.
21 Feb 2011