Future Security Threats Outlook

PCQ Bureau
First the good news: 2007 saw a 5.4% decrease in publicly disclosed computer security vulnerabilities in comparison with 2006. Now the bad news: of these vulnerabilities, the number of 'high severity' vulnerabilities has gone up by 28%, and the even worse news is that only 50% of these can be corrected through vendor software and patches. High severity is defined as security issues that allow immediate, remote or local access, or immediate execution of code or commands with unauthorized privileges. Common examples are most buffer overflows, backdoors, default or no passwords, and bypassing security on firewalls or other network components.

Changing nature of threats

The message is loud and clear. Hackers are not wasting their time on minuscule 'projects'. They are rather investing time and money in causing more sinister damage. IBM's X Force report for security and trend statistics has evaluated the various genres of threats, including an in-depth analysis of 410,000 new malware samples, a third more than last year's number.

According to the report, Tuesday is the busiest day for vulnerability disclosures, followed by Wednesday, Thursday, Monday and Friday. There is an interesting reason behind this. A large number of vendor-released vulnerabilities and patches are released on the second Tuesday of each month. Microsoft started the trend by regularly disclosing its vulnerabilities on the second Tuesday of each month, and other vendors seem to be following suit for a variety of competitive and strategic reasons. The study also predicted that, in the months to come, the biggest aim for creating vulnerabilities would be to gain access (50%), followed by denial of service (13.8%), data manipulation (11.2%), obtaining information (9.3%), bypassing security (6.5%), gaining privileges (5.7%) and file manipulation (1.3%).

Direct Hit!

Applies To: Everyone

USP: Learn about the latest Internet security threats

Primary Link: www.iss.net/x-force_report_http://pcquest.ciol.com/2008/images/2008/index.html

Google Keywords: Internet Security

Upon analyzing and tracking the source of browser exploits, the X Force report has revealed that most of them are generated by Web exploit toolkits. In 2006, using browser obfuscation for Web-based exploits started gaining traction. With the prevalence of Web exploit toolkits, nearly all in-the-wild browser exploits seen by the end of 2007 were obfuscated or encrypted. Throughout 2007, the growth of Web exploit obfuscation and encryption increased substantially. Nearly 80 percent of Web exploits used obfuscation and/or self-decryption. By the end of 2007, this rate had reached nearly 100 percent, mostly caused by toolkits such as mPack, influencing the underground market.

Another trend that has become prevalent is the use of IFrames and other methods of hosting links to malicious content. IFrames make third-party content appear as if it were a part of the URL displayed by the browser, when, in fact, the content within the IFrame is hosted by another server. Underground exploit sales through ICQ-based brokers also continued to flourish, and the newer trend of exploit toolkit leasing became more prevalent. Leasing allows attackers to get a piece of the action with a smaller initial investment. Attack toolkits of this nature can be found at online file storage sites. In addition, attackers occasionally tend to modify an exploit toolkit if a new exploit becomes public.

Encrypted exploits are contained in streams of encrypted data present in a script, such as JavaScript, that is decoded on the client's machine and then executed. Obfuscated exploits are simply rearranged in a way that makes it difficult for intrusion detection and prevention systems (IDS and IPS) to match a signature. Prior to 2006, obfuscated web-browser exploits were not prevalent enough to cause concern in security communities and were used only in targeted attacks designed to breach known failings in an organization's perimeter security defenses. This year, the percentage of these attacks is likely to go up drastically.
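As an added example (not from the X Force report or the article), the following Python scanner looks for the two signs described above in a constructed page: an IFrame that is hidden and points at a host other than the page's own, and a script block that feeds a decoder such as unescape or String.fromCharCode into eval or carries a long run of escape sequences, which is the self-decoding pattern a plain signature cannot match. The page host shop.example and the sample markup are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not from the article): a hidden third-party iframe
# next to a normal one, and a self-decoding script next to a harmless one.
SAMPLE_HTML = """<html><body><h1>Shop</h1>
<iframe src="http://third-party.example/ad" width="0" height="0" style="display:none"></iframe>
<iframe src="/help.html" width="300" height="200"></iframe>
<script>eval(unescape('%61%6c%65%72%74%28%31%29'));</script>
<script>document.title = 'Shop';</script>
</body></html>"""

# Markers of a script that decodes itself on the client before running.
DECODER_RE = re.compile(r"\beval\s*\(\s*(unescape|String\.fromCharCode|atob)\b")
ESCAPE_RUN_RE = re.compile(r"(%[0-9a-fA-F]{2}){8,}|(\\x[0-9a-fA-F]{2}){8,}")

class SuspectScanner(HTMLParser):
    """Collects hidden third-party iframes and self-decoding script blocks."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            src = a.get("src") or ""
            src_host = urlparse(src).hostname
            hidden = (a.get("width") == "0" or a.get("height") == "0"
                      or "display:none" in (a.get("style") or "").replace(" ", ""))
            # Hidden frame whose content comes from another server
            if hidden and src_host and src_host != self.page_host:
                self.findings.append(("hidden-iframe", src))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive here as one chunk; flag decoder-to-eval patterns
        if self._in_script and (DECODER_RE.search(data) or ESCAPE_RUN_RE.search(data)):
            self.findings.append(("self-decoding-script", data.strip()[:40]))

def scan_page(html, page_host):
    """Return (kind, detail) findings for the page served by page_host."""
    s = SuspectScanner(page_host)
    s.feed(html)
    return s.findings
```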



Among malware, Trojans can be expected to be the biggest source of damage. Trojans represented the largest category of malware in 2007: 109,246 varieties accounting for 26 percent of all malware, with the most frequently occurring malware on the Internet being Trojan.Win32. The other kinds of malware that have infected computers worldwide in the latter half of 2007 are worms (16%), adware (14%), viruses (12%), downloaders (10%), dialers (6%), and backdoors (6%), among others.

Threats to browsers

When it comes to Internet browsers, critical vulnerabilities for Mozilla Firefox were dramatically lower in 2007 compared to 2006. More than 80% are aimed at memory corruption, with a handful targeted at buffer overflows and, interestingly, not a single one at security zone bypass. Vulnerabilities for Internet Explorer, however, are likely to be much higher in number, sending out a clear signal that a simple way to safeguard against browser-based threats is to move over to Mozilla. Interestingly, the percentage of image-based spam is likely to be drastically low, going by its plunging numbers in 2007. As an offshoot of this, unsolicited PDF-based spam and other GIF and JPEG spam can even be expected to go completely out of circulation.

While IBM's X Force report gives a wide overview of global threats and their future, Columbia-based Prism Microsystems, which delivers business-critical solutions that integrate Security Information and Event Management (SIEM), did in-house research on the nature of network threats. The result, in brief, is that firewalls are no longer a dependable shield against threats. To quantify this claim, Prism revealed how Rapidly Mutating Attacks (RMA) are likely to gain popularity among spammers and attackers. As the name suggests, an RMA could be a spam particle or a bug which stations itself within your network and spreads its vicious wings to every other region of the network. Ideally, these mutants use the Web to 'hack' into your official address book and, within a matter of a few hours, infect all your contacts, and their contacts, and so on. Mutants of this severity can easily sneak through firewalls and run-of-the-mill anti-virus suites. Another form of attack which is gaining popularity is Targeted Attacks. Though one would like to believe that attackers spend time and effort to understand the nature of one particular network in order to deploy a planned attack only against a big corporation or an international bank, illegal wizard tools that provide a virtual 'blueprint' of a particular network, irrespective of size, are available in the underground market, and in a matter of minutes a hacker can find out the most vulnerable component of your network after sneaking in just one email or a freeware application.



In this scenario, it is important that firewalls, anti-virus applications and backup software do not operate in isolation. Taking it a step further, it is also vital to deploy all-holes-sealed applications that do comprehensive real-time checks on the network. A starting point for this, according to Prism, is to deploy a log management system, which acts pretty much like a black box in an aircraft. A mechanism of this nature does not wait for the problem to occur before sorting it out. It records or 'logs' information about every single byte of data that goes out of and comes into the network. This log can be retrieved every day, every week or whenever the network administrator chooses to. Depending on rules and access benchmarks set by the company, the log management system alerts the administrator or moderators of the network about the slightest deformity or change in these benchmarks. In an extreme situation, log management tools can even send a text message to the administrator, who can then choose to rush to the spot and analyze the real-time log record of network usage and pinpoint the suspicious activity of one particular employee or software application. This also brings to light an alternate philosophy: in some cases trouble begins at home. Insider attacks, in the case of larger companies, can't be ignored.
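One way to put the 'rules and access benchmarks' idea into practice, as an added example that is neither Prism's product nor the article's own code: the Python below reads constructed outbound firewall records, totals bytes sent per internal host, and raises an alert when a host exceeds an assumed volume benchmark or sends mail-port traffic outside assumed business hours. The log format, the hosts and the benchmark values are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of outbound firewall records (not from the article):
# timestamp, internal source host, destination host:port, bytes sent.
SAMPLE_LOG = """\
2008-03-10T09:01:12 src=10.0.1.15 dst=203.0.113.7:443 bytes_out=4120
2008-03-10T09:02:40 src=10.0.1.15 dst=198.51.100.2:25 bytes_out=880
2008-03-10T09:03:05 src=10.0.1.22 dst=203.0.113.9:80 bytes_out=1500
2008-03-10T22:14:09 src=10.0.1.22 dst=198.51.100.40:25 bytes_out=950000
2008-03-10T22:15:31 src=10.0.1.22 dst=198.51.100.41:25 bytes_out=910000
"""

# Benchmarks the company would set (assumed values): the normal outbound
# volume per host in one review window, and the hours when mail is expected.
MAX_BYTES_PER_HOST = 500_000
BUSINESS_HOURS = range(8, 19)

def parse_line(line):
    """Split one record into (timestamp, src, dst, bytes_out)."""
    stamp, *pairs = line.split()
    fields = dict(kv.split("=", 1) for kv in pairs)
    return (datetime.fromisoformat(stamp), fields["src"],
            fields["dst"], int(fields["bytes_out"]))

def evaluate(log_text):
    """Return (kind, host, detail) alerts for hosts that break a benchmark."""
    volume = defaultdict(int)
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, src, dst, nbytes = parse_line(raw)
        volume[src] += nbytes
        # Mail-port traffic at night is the address-book-spreading pattern
        if dst.endswith(":25") and ts.hour not in BUSINESS_HOURS:
            alerts.append(("after-hours-smtp", src, ts.isoformat()))
    # A host whose total outbound volume breaks the benchmark
    for host, total in volume.items():
        if total > MAX_BYTES_PER_HOST:
            alerts.append(("volume-exceeded", host, total))
    return alerts
```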
