Tuesday, October 07, 2008  
Future Security Threats Outlook

IBM's X Force research does a post mortem of the security threats that hogged the limelight in 2007 and predicts the vulnerabilities to watch out for in 2008

Vishnu Anand

Saturday, April 05, 2008

First, the good news: 2007 saw a 5.4% decrease in publicly disclosed computer security vulnerabilities compared with 2006. Now, the bad news: of these vulnerabilities, the number of 'high severity' ones went up by 28%, and, worse still, only 50% of them can be corrected through vendor software updates and patches. High severity is defined as security issues that allow immediate remote or local access, or immediate execution of code or commands with unauthorized privileges. Common examples are most buffer overflows, backdoors, default or no passwords, and bypassing security on firewalls or other network components.

Changing nature of threats
The message is loud and clear: hackers are not wasting their time on minuscule 'projects'; they are instead investing time and money in causing more sinister damage. IBM's X Force report on security and trend statistics has evaluated the various genres of threats, including an in-depth analysis of 410,000 new malware samples, a third more than last year's number.
According to the report, Tuesday is the busiest day for vulnerability disclosures, followed by Wednesday, Thursday, Monday and Friday. There is an interesting reason for this: a large number of vendor vulnerability disclosures and patches are released on the second Tuesday of each month. Microsoft started the trend by regularly disclosing its vulnerabilities on the second Tuesday of each month, and other vendors seem to be following suit for a variety of competitive and strategic reasons. The study also predicts that, in the months to come, the biggest aim behind exploiting vulnerabilities will be to gain access (50%), followed by denial of service (13.8%), data manipulation (11.2%), obtaining information (9.3%), bypassing security (6.5%), gaining privileges (5.7%) and file manipulation (1.3%).

Direct Hit!

Applies To: Everyone
USP: Learn about the latest Internet security threats
Primary Link: www.iss.net/x-force_report_http://pcquest.ciol.com/2008/images/2008/index.html
Google Keywords: Internet Security

Upon analyzing and tracking the source of browser exploits, the X Force report has revealed that most of them are generated by Web exploit toolkits. In 2006, browser obfuscation for Web-based exploits started gaining traction. With the prevalence of Web exploit toolkits, nearly all in-the-wild browser exploits seen by the end of 2007 were obfuscated or encrypted. Through 2007, the use of Web exploit obfuscation and encryption grew substantially: early in the year nearly 80 percent of Web exploits used obfuscation and/or self-decryption, and by the end of 2007 this rate had reached nearly 100 percent, mostly driven by toolkits such as mPack influencing the underground market.

Another trend that has become prevalent is the use of IFrames and other methods of hosting links to malicious content. IFrames make third-party content appear as if it were a part of the URL displayed by the browser when, in fact, the content within the IFrame is hosted by another server. Underground exploit sales through ICQ-based brokers also continued to flourish, and the newer trend of exploit toolkit leasing became more prevalent. Leasing allows attackers to get a piece of the action with a smaller initial investment. Attack toolkits of this nature can be found at online file storage sites. In addition, attackers occasionally modify an exploit toolkit when a new exploit becomes public. Encrypted exploits are contained in streams of encrypted data present in a script, such as JavaScript, that is decoded on the client's machine and then executed. Obfuscated exploits are simply rearranged in a way that makes it difficult for intrusion detection and prevention systems (IDS and IPS) to match a signature. Prior to 2006, obfuscated web-browser exploits were not prevalent enough to cause concern in security communities and were used only in targeted attacks designed to breach known failings in an organization's perimeter security defenses. This year, the percentage of these attacks is likely to go up drastically.
Among malware, Trojans can be expected to be the biggest source of damage. Trojans represented the largest category of malware in 2007: 109,246 varieties accounting for 26 percent of all malware, with the most frequently occurring malware on the Internet being Trojan.Win32. The other kinds of malware that infected computers worldwide in the latter half of 2007 are worms (16%), adware (14%), viruses (12%), downloaders (10%), dialers (6%) and backdoors (6%), among others.
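The two browser-side techniques described above, hidden third-party IFrames and obfuscated or self-decoding scripts, are both visible in page content before the browser runs it. The following is an added example, not code from the article, IBM or the X Force report: a small defensive scanner that a proxy or crawler could run over fetched HTML. It flags IFrames whose source host differs from the page host (with an extra severity tier when the frame is sized or styled to be invisible) and inline scripts that show the indicators the report describes, a decode-and-execute call, a long run of escaped bytes, very long string literals or unusually high character entropy. The indicator list, the thresholds and the sample page are assumptions constructed for the illustration, not signatures from any product.

```python
"""Defensive HTML scanner: hidden third-party IFrames and obfuscated inline scripts.

Added example. The heuristics, thresholds and SAMPLE_PAGE below are constructed
for illustration; they are not rules from the X Force report or any product.
"""
import math
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Calls that turn encoded data back into code at run time (assumed indicator list).
DECODE_CALLS = ("eval(", "unescape(", "String.fromCharCode(")
# Twenty or more consecutive %XX, \xXX or \uXXXX escapes: a packed payload, not prose.
ESCAPE_RUN = re.compile(r"(?:%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}){20,}")
STRING_LITERAL = re.compile(r'"[^"\n]*"|\'[^\'\n]*\'')
LONG_STRING = 200      # chars; assumed threshold
ENTROPY_LIMIT = 5.0    # bits/char; ordinary JavaScript sits well below this (assumed)


def shannon_entropy(text: str) -> float:
    """Bits per character of `text`; packed or encrypted data scores high."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def script_findings(code: str) -> list:
    """Return the obfuscation indicators present in one script body (empty = clean)."""
    reasons = []
    calls = [c for c in DECODE_CALLS if c in code]
    if calls:
        reasons.append("decode-and-execute calls: " + ", ".join(calls))
    if ESCAPE_RUN.search(code):
        reasons.append("long run of escaped bytes")
    longest = max((len(s) for s in STRING_LITERAL.findall(code)), default=0)
    if longest > LONG_STRING:
        reasons.append(f"string literal of {longest} chars")
    ent = shannon_entropy(code)
    if ent > ENTROPY_LIMIT:
        reasons.append(f"entropy {ent:.2f} bits/char")
    return reasons


def _tiny(value) -> bool:
    """True for width/height attributes of 0 or 1 pixels (a frame meant not to be seen)."""
    try:
        return int(str(value or "").strip().lower().removesuffix("px")) <= 1
    except ValueError:
        return False


class PageScanner(HTMLParser):
    """Collect IFrames and inline scripts from a page and record suspicious ones."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_host = urlparse(page_url).hostname
        self.findings = []          # list of (kind, detail) tuples, in document order
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            src = a.get("src") or ""
            src_host = urlparse(src).hostname
            style = (a.get("style") or "").replace(" ", "").lower()
            hidden = (_tiny(a.get("width")) or _tiny(a.get("height"))
                      or "display:none" in style or "visibility:hidden" in style)
            if src_host and src_host != self.page_host:
                kind = "hidden-third-party-iframe" if hidden else "third-party-iframe"
                self.findings.append((kind, src))
        elif tag == "script":
            self._in_script = True
            self._script_buf = []

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            reasons = script_findings("".join(self._script_buf))
            if reasons:
                self.findings.append(("obfuscated-script", "; ".join(reasons)))


def scan_html(page_url: str, html: str) -> list:
    """Scan one fetched page and return its findings."""
    scanner = PageScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: one invisible third-party frame, one visible third-party
# frame, one same-origin frame, one self-decoding script and one ordinary script.
SAMPLE_PAGE = (
    '<html><body><h1>Welcome</h1>\n'
    '<iframe src="http://third-party.example/ad" width="0" height="0"></iframe>\n'
    '<iframe src="http://cdn.partner.example/video" width="640" height="360"></iframe>\n'
    '<iframe src="http://www.example.com/widget" width="300" height="200"></iframe>\n'
    '<script>var p = "' + "\\x41" * 40 + '"; eval(unescape(p));</script>\n'
    '<script>document.getElementById("x").innerHTML = "hi";</script>\n'
    '</body></html>'
)

if __name__ == "__main__":
    for kind, detail in scan_html("http://www.example.com/index.html", SAMPLE_PAGE):
        print(f"{kind}: {detail}")
```

The scanner is deliberately signature-free: it looks at what an obfuscated exploit must do (decode itself and execute the result) rather than at any particular byte pattern, which is exactly the property the report says defeats signature-matching IDS and IPS. Treat the output as a triage list, not a verdict; advertising and analytics frames are third-party by design, so in practice the page host would be compared against an allowlist of known partners.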

Threats to browsers
When it comes to Internet browsers, critical vulnerabilities in Mozilla Firefox were dramatically fewer in 2007 than in 2006. More than 80% of them involve memory corruption, with a handful targeting buffer overflows and, interestingly, not a single one for security zone bypass. Vulnerabilities in Internet Explorer, however, are likely to be much higher in number, sending a clear signal that a simple way to safeguard against browser-based threats is to move over to Mozilla. Interestingly, the percentage of image-based spam is likely to be drastically lower, going by its plunging numbers in 2007. As an offshoot of this, unsolicited PDF-based spam and other GIF and JPEG spam can even be expected to go completely out of circulation.

While IBM's X Force report gives a wide overview of global threats and their future, Columbia-based Prism Microsystems, which delivers business-critical solutions that integrate Security Information and Event Management (SIEM), did in-house research on the nature of network threats. The result, in brief, is that firewalls are no longer a dependable shield against threats. To quantify this claim, Prism revealed how Rapidly Mutating Attacks (RMA) are likely to gain popularity among spammers and attackers. As the name suggests, an RMA could be a spam particle or a bug which stations itself within your network and spreads its vicious wings to every other region of the network. Typically, these mutants use the Web to 'hack' into your official address book and, within a matter of a few hours, infect all your contacts, then their contacts, and so on. Mutants of this severity can easily sneak through firewalls and run-of-the-mill anti-virus suites. Another form of attack which is gaining popularity is the targeted attack. Though one would like to believe that attackers spend time and effort to understand the nature of one particular network in order to deploy a planned attack only against a big corporation or an international bank, illegal wizard tools that provide a virtual 'blueprint' of a particular network, irrespective of its size, are available in the underground market; in a matter of minutes, a hacker can find out the most vulnerable component of your network after sneaking in just one email or a freeware application.
In this scenario, it is important that firewalls, anti-virus applications and backup software do not operate in isolation. Taking it a step further, it is also vital to deploy all-holes-sealed applications that do comprehensive real-time checks on the network. A starting point, according to Prism, is to deploy a log management system, which acts much like the black box in an aircraft. A mechanism of this nature does not wait for the problem to occur before sorting it out. It records, or 'logs', information about every single byte of data that goes out of and comes into the network. This log can be retrieved every day, every week or whenever the network administrator chooses. Depending on rules and access benchmarks set by the company, the log management system alerts the administrator or moderators of the network to the slightest deviation from these benchmarks. In an extreme situation, log management tools can even send a text message to the administrator, who can then rush to the spot, analyze the real-time log record of network usage and pinpoint the suspicious activity of one particular employee or software application. This also brings to light an alternative philosophy: in some cases, trouble begins at home. Insider attacks, in the case of larger companies, can't be ignored.
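To make the 'black box' idea concrete, here is an added example that is not Prism's code or any SIEM product's logic: a miniature log-management rule engine that reads outbound firewall log lines, compares each internal host against an administrator-set benchmark, and raises an alert on the kind of deviation the RMA description implies (a host suddenly sending far more than its usual volume, or mailing a burst of distinct external SMTP servers, which is what infecting an address book's worth of contacts looks like on the wire). The log format, the field names, the hosts, the benchmarks and the thresholds are all constructed for the illustration.

```python
"""Tiny log-management rule engine in the spirit of the 'black box' above.

Added example. Log format, host addresses, benchmarks and thresholds are
constructed assumptions, not Prism Microsystems' format or rules.
"""
import re
from collections import defaultdict

# One record per outbound connection (constructed format).
LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) "
    r"dport=(?P<dport>\d+) bytes=(?P<bytes>\d+) action=(?P<action>\S+)$"
)

# Access benchmarks set by the company: expected outbound bytes per host per
# review window (constructed values).
BASELINE_BYTES = {"10.0.0.5": 20_000, "10.0.0.9": 50_000}
BYTES_MULTIPLIER = 10     # alert when a host sends more than 10x its benchmark
SMTP_FANOUT_LIMIT = 5     # alert when a host talks SMTP to more than 5 distinct servers

# Constructed sample window: 10.0.0.5 behaves normally (one denied IRC attempt
# is recorded but carried no data); 10.0.0.9 mass-mails seven external servers.
SAMPLE_LOG = """\
2008-04-05T09:00:01 src=10.0.0.5 dst=198.51.100.1 proto=tcp dport=80 bytes=1200 action=allow
2008-04-05T09:00:07 src=10.0.0.5 dst=198.51.100.1 proto=tcp dport=443 bytes=2400 action=allow
2008-04-05T09:00:09 src=10.0.0.5 dst=203.0.113.200 proto=tcp dport=6667 bytes=0 action=deny
2008-04-05T09:01:00 src=10.0.0.9 dst=203.0.113.10 proto=tcp dport=25 bytes=80000 action=allow
2008-04-05T09:01:02 src=10.0.0.9 dst=203.0.113.11 proto=tcp dport=25 bytes=80000 action=allow
2008-04-05T09:01:04 src=10.0.0.9 dst=203.0.113.12 proto=tcp dport=25 bytes=80000 action=allow
2008-04-05T09:01:06 src=10.0.0.9 dst=203.0.113.13 proto=tcp dport=25 bytes=80000 action=allow
2008-04-05T09:01:08 src=10.0.0.9 dst=203.0.113.14 proto=tcp dport=25 bytes=80000 action=allow
2008-04-05T09:01:10 src=10.0.0.9 dst=203.0.113.15 proto=tcp dport=25 bytes=80000 action=allow
2008-04-05T09:01:12 src=10.0.0.9 dst=203.0.113.16 proto=tcp dport=25 bytes=80000 action=allow
"""


def parse(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            rec["bytes"] = int(rec["bytes"])
            yield rec


def evaluate(records):
    """Apply the two benchmark rules to a window of records and return alerts."""
    out_bytes = defaultdict(int)
    smtp_peers = defaultdict(set)
    for r in records:
        if r["action"] != "allow":
            continue                    # blocked traffic never left the network
        out_bytes[r["src"]] += r["bytes"]
        if r["dport"] == 25:
            smtp_peers[r["src"]].add(r["dst"])

    alerts = []
    for host, total in sorted(out_bytes.items()):
        base = BASELINE_BYTES.get(host)
        if base is not None and total > BYTES_MULTIPLIER * base:
            alerts.append({"rule": "outbound-volume", "host": host,
                           "observed": total, "benchmark": base})
    for host, peers in sorted(smtp_peers.items()):
        if len(peers) > SMTP_FANOUT_LIMIT:
            alerts.append({"rule": "smtp-fanout", "host": host,
                           "observed": len(peers), "benchmark": SMTP_FANOUT_LIMIT})
    return alerts


def summarize(alerts) -> str:
    """Render alerts as short one-line messages, the shape a pager or SMS would carry."""
    return "\n".join(f"[{a['rule']}] {a['host']} observed={a['observed']} "
                     f"benchmark={a['benchmark']}" for a in alerts)


def run(log_text: str = SAMPLE_LOG) -> list:
    """Parse a log window and return its alerts (the entry point a scheduler would call)."""
    return evaluate(parse(log_text.splitlines()))


if __name__ == "__main__":
    print(summarize(run()))
```

The point of the example is the benchmark, not the rule: neither rule knows what the malware is, only that 10.0.0.9 has departed from what the administrator said was normal for it, which is why the denied line and the quiet host raise nothing. A real deployment would keep the benchmarks per host and per time window and learn them from past logs rather than hard-coding them.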
