First the good news-2007 saw a 5.4 % decrease in publicly disclosed computer
security vulnerabilities in comparison with 2006. Now, the bad news-of these
vulnerabilities, the number of 'high severity' vulnerabilities has gone up by
28%, and even worse news-only 50% of these can be corrected through vendor
software and patches. High security is defined as security issues that allow
immediate, remote or local access, or immediate execution of code or commands
with unauthorized privileges. Common examples are most buffer overflows,
backdoors, default or no passwords, and bypassing security on firewalls or other
network components.
Changing nature of threats
The message is loud and clear. Hackers are not wasting their time on miniscule
'projects'. They are rather investing time and money on causing more sinister
damages. IBM's X Force report for security and trend statistics has evaluated
the various genres of threats, including an in depth analysis of 410,000 new
malware samples, which is a third more than last year's number.
According to the report, Tuesday is the busiest day for vulnerability
disclosures followed by Wednesday, Thursday, Monday and Friday. There is an
interesting reason behind this. A large number of vendor-released
vulnerabilities and patches are released on the second Tuesday of each month.
Microsoft started the trend by regularly disclosing its vulnerabilities on the
second Tuesday of each month, and other vendors seem to be following suit for a
variety of competitive and strategic reasons. The study also predicted that, in
the months to come, the biggest aim for creating vulnerabilities would be to
gain access (50%) followed by denial of service (13.8%), data manipulation
(11.2%), obtaining information (9.3%), bypassing security (6.5%), gaining
privileges (5.7%) and file manipulations (1.3%).
Direct Hit! |
Applies To: Everyone USP: Learn about the latest Internet security threats Primary Link: www.iss.net/x-force_report_http://pcquest.ciol.com/2008/images/2008/index.html Google Keywords: Internet Security |
Upon analyzing and tracking the source of browser exploits, the X Force
report has revealed that most of them are generated by Web exploit toolkits. In
2006, using browser obfuscation for Web-based exploits started gaining traction.
With the prevalence of Web exploit toolkits, nearly all in-the-wild browser
exploits seen by the end of 2007 were obfuscated or encrypted. Throughout 2007,
the growth of Web exploit obfuscation and encryption increased substantially.
Nearly 80 percent of Web exploits used obfuscation and/or self-decryption. By
the end of 2007, this rate had reached nearly 100 percent, mostly caused by
toolkits such as mPack, influencing the underground market.
Another trend that has become prevalent is the use of IFrames and other
methods of hosting links to malicious content. IFrames make third-party content
appear as if it were a part of the URL displayed by the browser, when, in fact,
the content within the IFrame is hosted by another server. Underground exploit
sales through ICQ-based brokers also continued to flourish, and the newer trend
of exploit toolkit leasing became more prevalent. Leasing allows attackers to
get a piece of action with a smaller initial investment. Attack toolkits of this
nature can be found at online file storage sites. In addition, attackers
occasionally tend to modify an exploit toolkit if a new exploit becomes public.
Encrypted exploits are contained in streams of encrypted data present in a
script, such as JavaScript, that is decoded on the client's machine and then
executed. Obfuscated exploits are simply rearranged in a way that makes it
difficult for intrusion detection and prevention systems (IDS and IPS) to match
a signature. Prior to 2006, obfuscated web-browser exploits were not prevalent
enough to cause concern in security communities and were used only in targeted
attacks designed to breach known failings in an organization's perimeter
security defenses. This year, the percentage of these attacks is likely to go up
drastically.
Among malware, Trojans can be expected to be the biggest source of damage.
Trojans represented the largest category of malware in 2007-109,246 varieties
accounting for 26 percent of all malware, with the most frequently occurring
malware on the Internet beingTrojan.Win32. The other kinds of malware that have
infected computers worldwide in the latter half of 2007 are worms (16%), adware
(14%), viruses (12%), downloaders (10%), dialers (6%), and backdoors (6%) among
others.
Threats to browsers
When it comes to Internet browsers, critical vulnerabilities for Mozilla
Firefox were dramatically lower in 2007 compared to 2006. More than 80% are
aimed at memory corruption, with a handful targeted at buffer overflows and
interestingly, not a single one for security zone bypass. Vulnerabilities for
Internet Explorer, however, are likely to be much higher in number sending out a
clear signal that a simple way to safeguard your browser based threats is to
move over to Mozilla. Interestingly, the percentage of image-based spam is
likely to be drastically low, going by its plunging numbers in 2007. As an
offshoot of this, unsolicited PDF based spam and other GIF and JPEG spams can
even be expected to go completely out of circulation.
While IBM's X Force report gives a wide overview of global threats and their
future, Columbia based Prism Microsystems, which delivers business critical
solutions that integrate Security Information and Event management (SIEM), did
in-house research on the nature of network threats. The result, in brief, is
that firewalls are no longer a dependable shield against threats. To quantify
this claim, Prism revealed how Rapidly Mutating Attacks (RMA) is likely to gain
popularity among spammers and attackers. As the name suggests, an RMA could be a
spam particle or a bug which stations itself within your network, and spreads
its vicious wings to every other region of the network. Ideally, these mutants
use the Web to 'hack' into your official address book, and within a matter of a
few hours, infect all your contacts; and their contacts, and so on. Mutants of
this severity can easily sneak through firewalls and run-of-the-mill anti-virus
suites. Another form of attacks which is gaining popularity is Targeted Attacks.
Though one would like to believe that attackers spend time and effort to
understand the nature of one particular network in order to deploy a planned
attack only for a big corporation or an international bank, illegal wizard tools
that provide a virtual 'blueprint' of a particular network, irrespective of size
are available in the underground market, and in a matter of minutes, a hacker
can find out the most vulnerable component of your network, after sneaking in
just one email or a freeware application.
In this scenario, it is important that firewalls, anti-virus applications and
back up software do not operate in isolation. Taking it a step further, it is
also vital to deploys all-holes-sealed applications that do comprehensive real
time checks on the network. A starting point to this, according to Prism, is to
deploy a log management system, which acts pretty much like a black box in an
aircraft. A mechanism of this nature does not wait for the problem to occur
before sorting it out. It records or 'logs' information about every single byte
of data that goes out and comes in to the network. This log can be retrieved
everyday, every week or whenever the network administrator chooses to. Depending
on rules and access benchmarks set by the company, the log management system
alerts the administrator or moderators of the network, about the slightest
deformity or change in these benchmarks. In an extreme situation, log management
tools can even send a text message to the administrator who can then choose to
rush to the spot and analyze the real time log record of network usage and pin
point the suspicious activity of one particular employee or software
application. This also brings to light an alternate philosophy that in some
cases trouble begins at home. Insider attacks, in the case of larger companies
can't be ignored.