Home > All, Security News, Vendor News > The Top Cyber Security Risks Report

The Top Cyber Security Risks Report

September 18, 2010 Leave a comment Go to comments

Last Thursday, Qualys (in conjunction with TippingPoint and SANS) published The Top Cyber Security Risks Report. I consider this report to be more valuable than most, because it

…features in-depth analysis and attack data from HP TippingPoint DVLabs, vulnerability data from Qualys and additional analysis provided by the Internet Storm Center and SANS.
The Top Cyber Security Risks Report

In short, it combines genuine data with the highest quality professional analysis. Compare this approach to the two recent ‘perception’ surveys I discuss here and here. Perception is, of course, highly valuable for marketing purposes: the danger is that other users might confuse the perception of what works with the reality of what works – and make bad choices. I put Wolfgang Kandek, CTO of Qualys on the spot by asking him if his experience of reality confirmed the general perception held by both of the perception reports that data loss prevention (DLP) and encryption are two of the best security controls for preventing security breaches.

Wolfgang Kandek

Wolfgang Kandek, CTO of Qualys

“I haven’t seen that impact, I have to say,” he responded. “For me, encryption is very helpful on, let’s say, on the laptop that is lost or stolen. It’s good then if it’s encrypted; it makes it very difficult for someone who finds or steals that laptop to actually get to the data. It’s also very useful between two points, if someone eavesdrops on the line or the internet connection. In these situations it is very, very useful. However, with the attacks we are seeing today, the attackers actually get into the end point where the data is unencrypted, where you actually write your emails, or where you submit your bank transfer before you type in your password. At that point it has to be unencrypted; and that is where the modern attackers are acting right now.

“DLP is again a useful technology for the unintentional leakage points; but I’m not sure how well it works against a determined attacker who is able to use encryption in his communications.” To illustrate his point, I could do no better than point to the section Analysis of a PDF attack in The Top Cyber Security Risks Report. It includes a series of graphics to illustrate the process of the attack – and I include the final graphic here. It shows the endgame. The attacker has compromised the victim’s network, and is communicating sensitive data back to home base. How effective, we have to ask ourselves, would DLP be if the attacker’s malware is able to encrypt the communications?

pdf attack

The last phase of a PDF attack

And we have to assume that today’s professional criminal is well able to do this.

One of the more alarming trends observed in the previous six months is the increased sophistication of attacks. Attackers have not only become more organized, they are also increasingly subversive and inconspicuous in the way they execute their attacks. The attacks are so sophisticated and subtle that few victims realize they are under attack until it is too late. It is increasingly common to hear of attackers remaining inside a compromised organization for months, gathering information with which they design and build even more sophisticated attacks. Once the desired information is obtained, the attackers launch attacks that are both more devastating and more covert.
The Top Cyber Security Risks Report

“What we’re seeing,” explains Kandek, is that the modern attacker is moving away from emailing threats or malicious attachments and is instead attacking the tools that the user is using: the web browser, all the plug-ins, the web itself, and so on. The modern attacker has decided that the easiest thing to do is to attack the website that the user is going to visit rather than setting up special malicious sites and trying to drive users to them. Incidentally, a little plug here for Qualys: it has several products that will go a long way to mitigating this particular threat. It’s well worth exploring their product range if you’re worried – and let’s face it, you should be – about this new refinement to the drive-by downloading threat. If you are a web owner, you should in particular check out the free QualysGuard Malware Detection (BETA) Service. It’s still beta, but Kandek assures me that it’s all there.We’ve learnt how to recognise bad sites and not to go there – so the bad guys are focusing their attention today on normal websites that people go to anyway, and say that if I could infect that site with a little pointer that then makes that client visitor do my bidding, well, that would be really good. The intent today is not to deface the website, and publish a political message or something like that – but to put a little code or malware on the site that then infects the client browser that visits the websites.”

To prove Kandek’s point, it is worth mentioning that last week (6 September) the popular site TechCrunch was compromised and started serving its visitors with malware. And on 17 September, the day after the Qualys report was published, Websense announced that the music site Songlyrics.com had been compromised. Songlyrics gets something like 200,000 visitors each day, making it a far more attractive proposal (for the attackers) than creating a new site and trying to drive people to it.

click for higher res

The Crimepack exploit kit is available on the internet

Once a user accesses the main page of the song lyrics site, injected code redirects to an exploit site loaded with the Crimepack exploit kit. Attempted exploits result in a malicious binary (VT 39.5%) file that’s run on the victim’s computer. Once infected, the machine becomes another zombie-bot in the wild.

It is interesting to note that the malicious code injected on Songlyrics.com uses a similar obfuscation algorithm as Crimepack – a prepackaged commercial software used by attackers to deliver malicious Web-based code. It appears that the majority of pages served by Songlyrics.com are compromised. Crimepack has become one of the best selling exploit packs on the market due to its huge number of pre-compiled exploits offering a great base for the “drive-by-download & execute” business implication.
Websense report: Singing a malicious song

So, in short, if you want to know what’s really happening out there so that you can work out how to stop it, then I cannot more highly recommend that you get and read The Top Cyber Security Risks Report.

The Top Cyber Security Risks Report

Categories: All, Security News, Vendor News
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s