Information Security Threats: An Ever Changing Landscape

March 2007

by Dan O'Callaghan, CISO at Sinclair Community College and VP of the Dayton Chapter of ISSA

When was the last time you read or heard national or international media reports about a significant, worldwide computer virus, worm, or other malicious code?  What happened to the “virus writer battles” involving Netsky, Bagle, and MyDoom that were front page news in early 2004?  Remember Sasser?  Slammer?  What about the stories profiling 16-year-old ‘hackers’ breaking into and defacing government or major corporation Websites?  When was the last time your email or network was unavailable due to a malicious code outbreak?

Security has been a top priority of CIOs for over 5 years.  Much money has been spent, security staff added, laws & regulations passed, and various industry standards developed to defend against those who attack the information and infrastructure that power the world economy—“compliance” has become part of business strategy.  Nearly everybody knows—at least vaguely—what terms like phishing, spyware, and Trojan mean.  As evidenced by the lack of attack publicity, increased system reliability and availability, and user awareness of common threats, great strides have been made in protecting our information systems.

However, media reports concerning information security have not disappeared.  Since January 2005, there have been over 500 data breaches publicly reported in the US involving personal information that could potentially be used to commit identity theft or other fraud.  These reported breaches involve over 104 million records.  Between January 1 and February 19, 2007 alone, 55 breaches were reported.  There is a striking change in these current media reports: the type of information or data compromised in the breach is now the focus of the report, while the method of attack used is a secondary concern.  This change in reporting is mainly due to “breach notification” legislation enacted by 35 states (as of January 2007), but it is also due to the nature of the tools used to conduct the breach—the method often cannot be easily determined.  The attacker, and the attack environment, have changed.

The ‘traditional’ stereotypical Internet-based attacker profile was an intelligent 14-24 year-old male student, computer obsessed, living with parents, with much idle time and no ‘real’ social life (though often an extensive virtual social life).  The motive of this attacker was primarily fame and notoriety—bragging rights in the online communities—my worm is better than your virus!  Over the last few years, this profile has changed.  The ‘modern’ attacker profile is more mature.  He has acquired significant coding skills and systems expertise, and has a different motive.  The student has graduated, moved out on his own, and needs to support himself—he now hacks for money.

Hacking for money has resulted in a major shift in methodology.  Instead of trying to generate big, highly visible attacks against systems and infrastructure, the attacker deploys low-key, hard-to-detect code that targets personal and financial information.  Individual users have become prime targets.  Social engineering scams, such as phishing, are increasingly realistic, sophisticated, and successful.  They target individuals’ financial accounts or computer accounts in order to fraudulently collect money.  When systems are targeted, the goal is no longer to deface or harm the system, but to gain control of it, or “own” it, so it can be used for further attacks.  Thousands of “owned” systems are networked (via the Internet) as “botnets” used for spamming, phishing, and extortion.  The successful attacker launches the attack, collects what he is after, and escapes without ever being detected—the most successful also leave an open door (a backdoor) so the attack can be repeated.

These low-profile attacks are not isolated instances.  An interesting statistic points to how widespread these low-profile, frequently changing attacks are.  In July 2006, security firm McAfee added the 200,000th virus signature to its database.  The 100,000 mark had been reached less than two years earlier—but it had taken 18 years to reach that first 100,000 milestone.

The online “social circles” of the modern hacker have also evolved.  Numerous organized crime rings now exist to share malcode (the Internet has plenty of targets to go around), sell and rent botnets, organize scams, buy and sell credit card numbers, and facilitate other criminal activity.  The organization of the attackers, and their ability to share information about vulnerabilities, exploits, and data-rich targets, makes defending against them increasingly difficult.

This threat landscape is likely to persist and continue to evolve for quite some time.  It is critical that businesses and individuals using the Internet use defense-in-depth measures and keep their security technology up to date.  It is also imperative that technology and security professionals are aware of the current environment and continue to maintain and develop their proactive and reactive skills.  One of the most effective ways to do this is through active involvement in professional associations and organizations that foster networking, education, and training opportunities.  In Dayton, there are numerous opportunities to do this.  The Dayton Chapter of the Information Systems Security Association (www.dayton-issa.org) meets monthly at Sinclair Community College.  The Greater Dayton IT Alliance is another valuable resource; check out the Ohio Information Security Conference in March 2007.

About the Author: Dan O’Callaghan is CISO at Sinclair Community College, and is also Vice-President of the Dayton Chapter of the ISSA.
Disclaimer: The opinions or statements expressed here are my own and should not be taken as a position, opinion, or endorsement of Sinclair Community College or the Dayton ISSA.