Security: Internet Security Trends

February 2008

2007 brought increased sophistication to malware. Attackers moved away from the single-shot, specifically designed attack toward reusable platforms that can cycle, synchronize and distribute dynamic attacks. Malware is no longer a single-step infection. New attacks are multi-phase – supported, distributed and managed by a well-defined infrastructure.

Spam Still Pays
Also in 2007, spammers conducted trials of more than 20 different file attachment types to determine which had the best success rates. Rapid onset spam attacks became commonplace, with outbreaks spiking in volume very quickly and anti-spam companies scrambling to adapt. This left little reaction time, and many customers found themselves reevaluating anti-spam products that could not adapt.

Many of the most malicious attacks start as a seemingly innocuous spam message with nothing more than a few words of text and a single URL. These messages often slip past traditional spam engines that are looking for keywords, or for graphics touting the latest stock spam. When they land in the recipient’s inbox they have made it to the most sensitive part of the corporate network. All it takes is one errant click of the mouse and the payload is downloaded – providing full access to the user’s computer, and possibly the internal network.

Malware Platforms
Storm and MPack dominated much of the Internet security news in 2007, but not just because of their size and scope. They both introduced new, more sophisticated techniques that demonstrate the refinement of malicious software. Malware creators are spending more time and resources developing an actual platform that is designed to last and be reused. Delivery methods are also changing, moving toward blended attacks that combine both email and Web services.

Attacks are now originating from directly inside the “protected” corporate network. Many administrators believe they have secured their infrastructures and that spam is nothing more than an irritant. The truth: spam is being used as a gateway, designed to lure users to dangerous sites. A higher frequency of attacks is also being seen – timed to coincide with popular events and major news stories in an attempt to make the message seem more legitimate.

Recommendations:
The multi-phase, multi-protocol nature of these new attacks renders some previous security best practices obsolete. Legacy anti-spam gateways can no longer keep up with the diversity and sheer amount of spam being sent. Companies must deploy advanced email security systems to stop inbound threats, enforce strong classification and scanning of all user-initiated Web traffic and monitor closely for possible internal malware infections. Traditional Web proxies (used for caching and acceptable-use enforcement for Web browsing) are insufficient when it comes to protecting users against many of the new threats being delivered through HTTP.

Secure Web Traffic
Even if a company has deployed a URL filtering solution to control and report on individual Web usage behavior, these databases are insufficient when it comes to preventing malware downloads into its network. A URL filter’s security category maintains a list of web pages where malware has been seen in the past, but does not actually scan Web objects for new infections in real time. Relying on a reactive security list for malware protection is akin to using only a legacy DNS blacklist in email to protect against spam: totally insufficient. As malware distributors get better at inserting their malicious payload into compromised “legitimate” sites, URL filtering becomes even less useful: the long-term reputation of (for example) Yahoo as a search engine will outweigh an occasional user-generated malware package, so nothing keeps people from going there.

Deploy Preventive Protection For Email
With malicious Trojans like Feebs and Storm evolving faster, the “traditional” protocols for virus distribution (email) still need advanced protection. Spam volumes are increasing, which calls for scalable, multi-core spam defenses to keep pace with the attacks. Reputation systems that can block incoming attacks at the connection level – without the need to examine the message body – reduce the burden on both the anti-spam gateway and the overall network traffic. Deploying zero-day defenses that can detect and quarantine possible viral attachments before traditional virus signatures have been published is imperative for complete network detection.

Protect Against Corporate Data Loss
Some of the worst Trojans aim to scan users’ hard drives and send the important information (passwords, corporate documents, financial information) back to their command-and-control centers for use by the criminal gangs financing the development of these programs. Data loss can occur without a Trojan infection, however. 2007 saw nearly 350 publicly reported data loss incidents involving sensitive personal information, most of which happened accidentally through employee error. While defending against outside threats coming into the network to steal important information is critical, scanning outgoing communications for possible policy violations is also extremely important to any organization that deals with any kind of sensitive personal or customer information.

Prevent “Phone-home” Activity
Security personnel must also be vigilant against the risk of laptops and other systems being compromised while on public networks. It is important to scan for and block malicious “phone home” activity from malware-infected computers that may be trying to retrieve new attack commands or upload sensitive data back to their operators.
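One way to surface the “phone home” behavior described above is to look for hosts that contact the same destination at a nearly constant interval, which is typical of an infected machine polling its operators for commands. The following is an added example, not code from the original report or from Cisco/IronPort; the log format, hostnames and addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from statistics import pstdev

# Constructed sample proxy log: "<epoch seconds> <source IP> <destination host> <HTTP status>".
# 10.0.0.12 polls one host every ~30 s (with small jitter); 10.0.0.40 browses normally.
SAMPLE_LOG = """\
1199145600 10.0.0.12 update.example-cdn.test 200
1199145631 10.0.0.12 update.example-cdn.test 200
1199145659 10.0.0.12 update.example-cdn.test 200
1199145691 10.0.0.12 update.example-cdn.test 200
1199145720 10.0.0.12 update.example-cdn.test 200
1199145601 10.0.0.40 www.example.test 200
1199145742 10.0.0.40 www.example.test 200
1199145903 10.0.0.40 news.example.test 200
1199146355 10.0.0.40 www.example.test 304
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\d{3})$")


def parse_log(text):
    """Yield (timestamp, source, destination) from the constructed log format, skipping malformed lines."""
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            yield int(match.group(1)), match.group(2), match.group(3)


def find_beacons(text, min_hits=4, max_jitter=0.1):
    """Return (source, destination, period_seconds) for every source->destination pair
    whose request spacing is nearly constant: at least min_hits requests and a
    standard deviation of the gaps no more than max_jitter times the mean gap."""
    times = defaultdict(list)
    for ts, src, dst in parse_log(text):
        times[(src, dst)].append(ts)
    beacons = []
    for (src, dst), stamps in times.items():
        stamps.sort()
        if len(stamps) < min_hits:
            continue  # too few requests to judge regularity
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        period = sum(gaps) / len(gaps)
        # Low coefficient of variation means machine-driven timing, not a human clicking around.
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            beacons.append((src, dst, period))
    return beacons
```

Flagged pairs are candidates for investigation and for a block rule at the proxy or firewall, not proof of infection on their own: legitimate software updaters also poll on a schedule, so check the destination before acting.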

Track Important Communications
With the increase in threats, defenses are going to get tighter. It is an unfortunate fact of life: as spam becomes more and more legitimate-looking, poor spam engines are going to start (or continue) losing legitimate email messages. Because of this, and the sizable volume of mail that most recipients are dealing with on a day-to-day basis, it is important for users to have a higher level of visibility and control over their messages than traditional email provides. New technologies give real-time tracking of email messages similar to what is used with physical package shipping. For email to maintain its usefulness as a cheap and fast way to foster communication around the Internet, we must take added care that messages of high importance are given a different class of service.

The above article is an excerpt from “2008 Internet Security Trends: A Report on Emerging Attack Platforms for Spam, Viruses and Malware”, published by Cisco and IronPort. To find out how Cisco and IronPort products can help protect your organization, please contact CDW Berbee, John Uchaker at 513-677-4119. CDW Berbee, drawing on strategic partnerships with Cisco, IBM and Microsoft and the far-reaching experience of its hundreds of engineers, has assisted clients with a full range of technology solutions. For other information, please visit www.berbee.com.