Feature Story

Enterprise Threat Landscape

To understand how dramatically the security threat landscape has changed in recent years, consider these numbers from Pierluigi Stella, CTO for managed security services company Network Box USA (www.networkboxusa.com). In 2003, when Network Box USA was founded, its network security device ran roughly 20,000 antivirus signatures. Today, it runs 8 million-plus, along with real-time/zero-day antivirus protection. "The sheer idea of zero-day is entirely new compared with nine years ago," Stella says. Today, the company's real-time antivirus protection runs an average of 200,000 zero-day signatures daily. "That's the major change to the threat landscape," he says. Overall, the threat landscape for enterprises and individuals is constantly changing and requires diligent maintenance an updating of security measures. Fail to do so and disaster waits.

Now & Then

Jon Oltsik, Enterprise Strategy Group (www.enterprisestrategygroup .com) security and network analyst, says what hasn't changed much over the years threat-wise are the types of threats at work, including spam, phishing, viruses, rootkits, APTs (advanced persistent threats), and others, all of which are collectively categorized as malware. What's new, he says, is the volume and sophistication of attacks and the footprint: beyond PCs to mobile devices, Internet apps and services, etc.

"The volume of attacks has grown exponentially," Oltsik, says. "Threat vectors have evolved from email and network worms to Web, documents, etc. The attack surface is also much bigger. Five to seven years ago, most attacks targeted Microsoft Windows. Now attackers hack into mobile devices, Web applications, Macs, etc. The attacks are also more damaging. If 500 PCs were compromised it was a productivity and IT operations problem. If my IP is stolen, it's a serious business problem."

Guillaume Lovet, senior manager with Fortinet's FortiGuard Labs (www.fortiguard.com) threat response team, cites 2005 as a turning point. "That's when malware became totally monetized. From then on, close to 100% of malware pieces or viruses had a financial motivation. Cybercriminals started to employ various business models to monetize the infected machines," he says. This ranged from planting adware to intercepting banking credentials, with botnets playing a central role. Botnets are essentially armies of global computers that cybercriminals have infected in order to execute attacks.

In 2003, Stella says, viruses were delivered one email at time. "We had plenty of time to find the virus, create a signature, and push [the signature] out to our devices before the real outbreak took place." Further, threats remained around for a while. Over time, hackers used botnets to launch spam and then viruses. Today, a new virus is sent to the botnet, and the outbreak is launched in massive simultaneous attacks, Stella says. "This exponentially augments the chances of the outbreak being successful because as millions of copies of the same malware are sent from a botnet the chances of getting through someone's antivirus are higher than they used to be, simply because of a numbers game," he says. This leaves antivirus companies little to no time to react.

Another change is that creating viruses once required extensive networking, OS, and computing skills. Eventually, however, hackers built tools to create virus variants in seconds, Stella says. "In 2006, we assisted to the first such example, when in one bad night in June the Bagle worm was released in 256 variations. . . . It was a clear sign of what was to come."

Who Is Targeting You

Most company-related cyber incidents, says Lovet, stem from insider threats, such as a disgruntled employee. Outside threats, he says, generally fall into several types, including "hacktivists," or protesters seeking revenge or to punish a company for "its corporate attitude." Threats often take the form of DDoS (distributed denial of service) attacks that "cripple a company's servers" and network penetration attacks that attempts to compromise customers' records. The goal "is to make as much noise as possible," Lovet says.

Hired hackers, meanwhile, are highly talented individuals or teams hired by rival companies or governments seeking to steal intellectual property and trade secrets. Here, APTs are common. Most companies that are victims "are probably not even aware of it," Lovet says. "It usually involves the use of social engineering, zero-day exploits, and sophisticated Trojan horses." A third threat type involves cybercriminals "in it purely for the money." Although cybercriminals may focus on a specific target by planting a Trojan such as ZeuS, most "employ a strategy akin to throwing their nets as widely as possible to see "what fish get caught in it," he says.

ZeuS operates by using key logging to steal victims' data, such as banking credentials. It can also take and send screenshots of a user's Desktop and intercept second factors of authentication or one-time passwords to immediately initiate fraudulent transactions while simultaneously modifying the account balance in the victim's browser to keep transactions unnoticed, Lovet says.

A computer threat "always boils down to some sort of malware," Stella says. It is most important to understand how threats spread. "The threat varies in terms of how you can actually receive it," Stella says. "Many users are unaware that HTTP (and HTTPS) have become the most relevant vector to deliver threats." For example, a Trojan embedded in an HTML page isn't immediately visible, "often not until the damage is done," he says.

Elsewhere, spam, phishing, and other scams have become common on social networking sites. Examples of major outbreaks are countless, Stella says, including tweets that carry viruses and social engineering schemes whereby attackers pose as friends to get data.

State Of Mind

In general, remember that attackers are typically highly trained, often unscrupulous individuals. "Everyone is a target," Stella says. "We all have information stored in our networks that can be used in some way or another." Thus, don't look at security as "a piece of hardware" but as something to practice daily, Stella adds. Beyond having relevant security gear in place, Lovet says, ensure that all applications are up-to-date; educate users to online dangers; and follow a security program lifecycle that includes constant planning, organizing, implementing, operating, maintaining, monitoring, and evaluating security measures. And Olstik adds, "assume you will be attacked and become very good at incident detection to minimize damages."

Read this article interactively

Return to: 2012 Feature Stories