The security threat landscape changes constantly, with malicious hackers developing new ways to compromise your systems as older vulnerabilities are discovered and patched. So it’s important to be aware of the threats to enterprise security that are coming over the horizon and heading this way.
It’s a question the Georgia Institute of Technology addresses in its Emerging Cyber Threat Report 2013, in which researchers identify at least six threats that all security professionals should know about.
Using DRM-like Tech to Hide Viruses
Some music and ebooks files are protected by digital rights management (DRM) systems. These files are effectively locked to particular devices so that they can only be played on these devices and can’t be copied and shared.
Malware can use the same technique. Essentially it locks itself to a particular system by encrypting portions of its binary using specific attributes of the infected system to generate a key. That means that once it has infected a system, the malware will only run on that machine and can’t be copied and run on another.
The purpose of this is to make it much harder for anti-virus vendors to take a sample of the code from an infected machine and run it in their own systems – to analyze it and, ultimately, produce an anti-virus signature for it. Virus authors such as those behind the Gauss Trojan, which was discovered in August 2012, and the Flashback Trojan in 2011 have already used this self-defense technique, and it’s one that’s likely to become common in the future, the report suggests.
What you can do to mitigate the threat: Enterprises should deploy anti-virus products which offer effective alternatives to signature-based protection such as behavioral protection and file reputation based systems.
Targeting OS X
In the past most malware writers have targeted systems running Microsoft’s Windows operating system. This has led many Mac users to believe falsely that OS X is a highly secure operating system that can’t be compromised. As a result, most computers running the operating system have little or no anti-malware protection.
But the Flashback Trojan demonstrated that machines running Apple’s OS X operating system are also now being targeted, and that they are vulnerable.
Aside from vulnerabilities in the operating system, which Apple is often slow to patch, malware writers are also exploiting vulnerabilities in software such Java, which run on these systems. Flashback infected over 600,000 systems running OS X. The report predicts that because most OS X systems have little or no protection and the user base is inexperienced with security, it will increasingly be targeted by attackers in the future.
What you can do to mitigate the threat: Devices running OS X should be protected by the same security measures as Windows machines. That means installing anti-virus software, and ensuring that the operating system and third-party software such as Java is updated with security patches as soon as they are available.
Malicious Hardware/Supply Chain Insecurities
The threat here is that networking hardware made by Chinese companies such as Huawei and ZTE, or counterfeit hardware made in China or elsewhere, may contain malicious hardware or firmware code which provides a backdoor into corporate systems. This has always been a possibility, but in October 2012 the House Select Committee on Intelligence explicitly recommended that private sector entities consider “the long-term security risks associated with doing business with either ZTE or Huawei for equipment or services.”
What you can do to mitigate the threat: At the very least, limit networking hardware purchases to trusted vendors. Additional measures include carrying out network listening to detect hardware acting maliciously, and carrying out random tests on devices to look for indications that they contain extra components or malicious firmware. At the highest level, some companies may choose to assume that all hardware is compromised and continuously monitor it for unexpected behavior.
There’s no doubt that mobile malware is becoming a serious threat. The number of malicious and suspicious Android apps grew to 175,000 at the end of September 2012, up from 30,000 in June, according to security firm Trend Micro.? When employees in BYOD workplaces use their mobile devices to access the corporate network, this clearly poses a serious security risk.
And it’s not just Android devices that are vulnerable. Handsets from Apple and other manufacturers are not immune from malware infections, even when apps submitted to stores such as Apple’s Appstore are checked before inclusion.
Mobile devices present other risks too. Many mobile device screens make it hard for users to see what site their browser is visiting, making users vulnerable to phishing attacks. And Researchers from Leibniz University of Hannover, Germany, and Philipps University of Marburg, Germany, found that 8 percent of free applications improperly implemented SSL and TLS connections, leaving users open to a man-in-the-middle attack, the report points out.
What you can do to mitigate the threat: The most practical way an organization can protect itself from malware on users’ mobile devices is to implement some form of mobile device management (MDM). This can impose security policies and restrict application downloads to a corporate app store which contains approved applications only.
Storing data in the cloud is probably a sensible thing for many organizations to do because most cloud providers offer better than average security, according to the report. But huge repositories of data are very attractive targets for hackers, and it’s inevitable that they will come under attack increasingly often.
It’s also worth mentioning that the security of cloud storage varies widely, and enterprise-class services are likely to have better encryption regimes, authorization systems and overall security than consumer-oriented services such as Dropbox and Evernote — both of which have been successfully hacked in the past.
Because cloud services are becoming less and less expensive, they are also providing a powerful tool for hackers. That’s because many hackers have access to stolen credit card numbers, making it easy to set up large clusters of malicious systems to use for password cracking or other purposes.
What you can do to mitigate the threat: The best way to protect enterprise data is to ensure that it is encrypted before it is sent to the cloud using a key which is not held by the cloud service provider. It may also be prudent to ban employees from using consumer cloud services at work — and to back this up by blocking traffic to these services at the corporate firewall.
Search Engine Filter Bubble Poisoning
Hackers can compromise a user’s system by getting them to visit a malicious site which exploits vulnerabilities in the browser or other software. The problem for hackers is getting users to visit those sites, and one way to do that is to compromise legitimate and well known sites, and then add links from those sites to the malicious destinations. These links give the malicious sites a better “page ranking,” making them appear earlier in search engine results.
But there’s another way to manipulate search results, and that’s connected to the concept of a “filter bubble.” Put simply, most search engines filter the results that they provide by looking at a user’s search history, if it is available. The purpose is to provide results that are likely to be more relevant to the user.
Search profiles are stored online, indexed by a cookie, and in the future hackers may attempt to enumerate and modify them to change the results a given search brings up. It’s already possible to do this; it has been carried out successfully by researchers, according to the report.
Manipulating search profiles in this way can make it more likely that users will be presented with — and thus click on — a malicious link. But it also has another implication: Since the search profile is stored online, any machine accessed by a compromised user may be vulnerable, as their search profile may follow them to any machine they use.
What you can do to mitigate the threat: Train users not to log in to their Google account or any other search engine account when they use the Internet. Clearing browser caches after each session or using Internet Explorer’s InPrivate Browsing mode, Firefox’s Private Browsing mode or Chrome’s Incognito mode may also be helpful.
Paul Rubens has been covering IT security for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.