Thursday, October 15, 2009

Bracing for a New World

In a declining economy, Indian enterprises are waking up to a new world where Mobility, Virtualization and Cloud Computing technologies present new challenges and the employee is now the weakest link in the information security ecosystem.

In October last year, Rajendrasinh Makwana, an IT contractor who worked at Fannie Mae (a US government-owned firm), was indicted for planting a logic bomb designed to wipe out data from the firm’s 4,000 servers. Makwana planted the logic bomb in the form of a malicious script embedded within legitimate code. Had the malicious script managed to execute, it would have resulted in the company being shut down for a week. The reason for Makwana’s action: the company had fired him for a scripting error he made earlier. Angered, Makwana planted the malicious script on the day he was fired.


Makwana’s case is not an isolated one. For companies that feel the heat of the economic slowdown and decide to lay off staff, the ‘trusted’ employee could suddenly become a more potent threat than an external hacker.


This fact is supported by a 2008 FICCI-PwC report, in which a majority of the organizations surveyed believed that employees or former employees are a major source of security threats. Almost 47 percent of the organizations believed that employees were responsible for security incidents and 25 percent attributed them to former employees. Only 39 percent of the companies attributed negative security events to external hackers.


Virtual Threats
With the rise in virtualized environments, CIOs face a new level of complexity, as virtualization introduces another layer that needs to be secured. For example, when a hypervisor is compromised, all the virtual machines that run on the hypervisor will also be compromised.


“With modern virtualization technology, virtual machines can be easily cloned and installed on a different physical machine. The ability to go back to ‘snapshots’ of past images can inadvertently wreak havoc with the patch management process,” says Sunil Rawlani, Executive VP and Head, IT, HDFC Standard Life Insurance. Analysts also believe that a compromise of a single virtualized machine can infect all other virtual machines on a physical server.


While organizations have given employees laptops and smartphones as a means to improve their productivity, this also presents immense risks, as these devices carry critical business information. However, what is shocking is that the data on most of these devices is not encrypted. This can be a security disaster waiting to happen. Additionally, unlike IT assets which are managed by an IT asset management system, a mobile device management policy is still not in place for most organizations.


Wireless security is another weak area, a fact borne out by the increasing number of attacks on wireless networks. A survey by Deloitte Research in India revealed that around 86 percent of the wireless networks in the cities surveyed were vulnerable, i.e., they had no encryption or a low level of encryption that could be easily compromised. Thirty-seven percent of the networks surveyed were found to have no encryption. While weak encryption is the common culprit for security breaches, other security vulnerabilities in wireless networks result from misconfigured access points and outdated access point firmware.

Not so social
Social networking sites, which have become so popular with youngsters, are a nightmare for CIOs—especially when it comes to ensuring security. Agrees Rawlani, “Web 2.0 technologies when combined with our ‘work-from-anywhere’ lifestyle have begun to blur the lines between work and private life. Because of this psychological shift, people may inadvertently share information their employer would have considered sensitive.”


A recent survey on Web 2.0 usage in the workplace by vendor Websense highlights the emerging dangers of using social networking websites. The survey found that in India, Web 2.0 is already pervasive in the workplace, with more than 70 percent of the organizations surveyed allowing access to wikis, and 40 percent allowing access to social networking websites such as Facebook. However, while more than 70 percent of these companies have URL filtering software, only 39 percent block Instant Messaging (IM) attachments, and only 41 percent of the respondents had a mechanism to detect embedded malicious code on trusted websites. This opens potential doors for attackers to gain a foothold in organizations, especially when you consider that websites allowing user-generated content comprise the majority of the 50 most active distributors of malicious content on the Internet.


To tackle these challenges, anti-malware technologies too have grown in depth and sophistication. For example, Websense’s ThreatSeeker Network gives customers the ability to identify and classify spam posted as comments to forums, blogs or social networking sites. Comment traffic is automatically routed through a spam filtering service and every comment can be analyzed and given a ‘spam’ score. This improves the ability of enterprises to tackle spam on their blogs.


Similarly, RSA Security has a solution called ‘Adaptive Authentication.’ This solution monitors user behavior and assigns a unique risk score to the user’s activity. Whenever high-risk activities are triggered, the solution prompts the user for additional credentials. This solution is already in use at HDFC Bank, and has helped the bank reduce a huge number of phishing attacks.


Cloudy security
As more applications move to the cloud, security-related aspects will be put to the test, as increasing access points compound management challenges. Cloud Computing also highlights perceived issues that CIOs have in terms of data loss or data theft. “The key threats are in terms of the security of data at rest, compliance requirements due to outsourcing of data, recovery of data across the cloud in the event of an issue, and support for investigation of data within the cloud,” says Navin Agrawal, Executive Director, KPMG. Additionally, within the cloud, enterprises need to look at standard issues such as user access, authentication, privacy and the location where the data is stored.


It is also interesting to note that even as enterprises are worried about security issues in the cloud, service providers such as Trend Micro are leveraging the cloud for providing security-based services. For example, research indicates that more than 1,500 unique malware variants are generated every hour. If organizations fail to patch up fast enough, they will be extremely vulnerable to attacks. Trend Micro has responded to this situation by launching a cloud-based service, where the actual scanning is done in the cloud.


The new face of cyber threats
With a huge underground market for stolen credit cards, fraudsters are offering specialized toolkits and services. Thus, even common criminals, who have insufficient knowledge of sophisticated hacking techniques, can easily perpetrate online fraud. For example, in an annual online fraud report, RSA Security expects underground services such as Centralized Trojan infections (offered via a pay-per-infection model) and All-in-One-Trojan packages (allowing people to purchase Trojan servers with corresponding botnets of infected computers) to grow at a fast pace.


Trojans have also become intelligent enough to launch new sophisticated modes of attack. For example, a study by RSA found that hackers deployed variants of the Zeus Trojan and used the Jabber IM service to quickly transmit compromised user details. This means that as soon as a user account is compromised, its details are relayed in real time through IM to cyber criminals. Other techniques involve using Search Engine Optimization (SEO) methods to promote fake antivirus software. Hackers have also been quick to exploit social media such as Twitter to distribute malicious links. Twitter’s facility of providing anonymity by shortening the URL has also helped hackers to direct users to websites hosting malware or Trojans.


As is evident, security can never be a milestone. It is a continuously evolving journey, and enterprises have to constantly be on their guard against attacks that are quickly growing in sophistication and intent.

Source:- www.networkcomputing.in; By Srikanth RP
