The weakest link
Ten years ago the biggest security headache facing the enterprise was an unsuspecting employee clicking on an e-mail attachment and launching a rudimentary virus that would render his computer inoperable. Today, the number of devices connecting into the corporate network — such as smartphones, laptops and netbooks — along with the highly sophisticated practices of hackers creates a dangerous storm of security threats, say security experts.
“The most dramatic change is all of the devices people have that are capable of storing data and becoming infected,” said Rob Ayoub, global program director — network security with research firm Frost & Sullivan. “Maliciously or not, employees stand a greater risk of walking out with data that can be compromised.”
At a fundamental level, today’s work force is highly mobile, which poses security risks because devices accessing the corporate network also connect to the public Internet when away from the workplace.
“There may be strong gateway security within the enterprise, but if a laptop is infected with malware, then as soon as the device that contains all of that important information is disconnected from the corporate network and reconnected via the Internet somewhere else, then all of that information [can be pirated],” said Derek Manky, a threat researcher with security firm Fortinet.
Nefarious computer whizzes increasingly are finding a lucrative business in covertly stealing sensitive information via malware, worms and root kits — software systems that consist of one or more programs that are designed to hide a compromised system. For instance, the Conficker computer worm that takes advantage of flaws in Microsoft’s Windows operating systems now is believed to be the largest computer-worm infection. It is designed to be commanded remotely by those who created it, and once it infects a device, it scans for other vulnerable devices, infects them and relays information back, Manky said.
Experts say the black market for corporate information is now worth more than the international drug trade, and these thieves’ practices have become a sophisticated operation that often involves hiring affiliates willing to install malicious software on thousands of devices for as much as $100 per device.
For instance, a hacker known as NeoN in 2008 compromised the database of a cyber criminal scheme — one that involved distributing fake security software. According to Manky, NeoN later claimed in a Web post that the scheme’s top-earners made up to $150,000 per month distributing the software onto machines.
“Ten years ago, it was about making a name for yourself in the hacker world,” said Chris Herndon, managing director and chief technologist with MorganFranklin, an IT consulting company. “Now it has become a monetary incentive.”
The most vulnerable devices, experts say, are the smartphones that are flooding into the enterprise. These devices increasingly are being purchased by workers themselves as a way to stay connected outside of the office. And they are the most insecure devices at this point, experts say.
“One of the areas under-reported as far as threats go are smartphones,” Herndon said. “It is amazing what is out there in terms of malware targeting the mobile market. Once that device is tethered to the Internet … or back to the enterprise, it can provide access for the hackers.”
The flood of employee-owned smartphones coming into the enterprise is becoming a growing headache for IT managers everywhere. Devices such as Apple’s popular iPhone have not been designed with corporate security needs in mind. Since introducing the iPhone in 2007, Apple has made some major changes to address the enterprise, such as a remote-wipe capability that prevents access to data should the device be stolen or lost, but it is still far from secure, experts say. Indeed, hackers have been known to break into the iPhone in a matter of minutes.
“It’s easy for end users to configure their phones to receive corporate e-mail, and there’s a huge demand for full-browsing capabilities, [both of] which come with download threats associated with viruses and malware,” said Jonas Iggbom, product manager with security firm Check Point Software Technologies.
Check Point currently is working with mobile operators to pre-load its encryption software on mobile devices to encrypt the entire device, while other well-known security vendors such as Symantec have developed solutions for smartphones.
However, the problem largely lies with a lack of concern on the part of the enterprise, said Philippe Winthrop, enterprise analyst with Strategy Analytics.
“It’s frankly ridiculous that there is not enough concern,” Winthrop said. “Unfortunately, it may take a huge data breach for enterprises to listen.”
Added Ayoub: “We’ve done a lot of work looking at the mobile-security space. The biggest challenge is that no one sees it as a threat. There hasn’t been a big attack yet. Employees are haphazard with devices, and they don’t see them as a danger.”
The lack of concern largely stems from a lack of awareness. Hackers aren’t stealing information for publicity, while the enterprise doesn’t want to admit when a data breach occurs. “A lot of these large publicly traded companies aren’t going to divulge that their network was compromised via cell phones,” Herndon said.
When Herndon advises corporations on security threats, he often gets what he describes as the “deer-in-the-headlights face,” which changes to horror when they begin to understand just how vulnerable their systems are.
Manky said no security magic bullet exists. “You can’t just beef up security on the Web. Enterprises need multiple protection layers,” he said. Proper anti-virus, Web-filtering, application-control and intrusion-prevention solutions are important, but so is protecting the end points, including smartphones, laptops and storage devices, he said.
A recent survey from Check Point that queried 224 IT and security administrators found that while more than 40% of enterprises have more remote workers connecting to the corporate network, just 9% use encryption for remote-storage devices — such as smartphones, MP3 players and thumb drives — which tend to have large memory stores. The bottom line is that the more memory a device has, the more vulnerable it is.
Also important is developing a security framework that includes policy creation and enforcement, education, security tips and practices of which employees should be made aware, Manky said.
Indeed, Herndon said tools are available but a large part of a security solution is about changing the employee mindset. “That’s a hard market because it’s not a product you sell. The market is saturated with anti-virus, anti-spyware and other software that are integrated in the security presence. But it all comes down to the weakest link. What is the weakest link? It’s the end user willing to click on that [Internet or e-mail] link that allows that payload to come into the enterprise.”
MOTIVE TRENDS IN CYBER ATTACKS
2000s: Monetary gain / stealth
2010s: Monetary gain / stealth + destruction
Source: Derek Manky
Crime services pay affiliates to load malicious software per 1,000 machines. Prices vary by region:
Affiliates are used because they have the infrastructure — they control botnets (connected networks of infected machines) that can load such software.
They use this infrastructure to make cash by offering a service. Cyber criminals also sell tools (such as exploit kits) to launch attacks, which average around $1,000 USD per kit.
In 2008, a hacker by the name of NeoN compromised the database of a cyber criminal scheme — an affiliate program distributing so-called scareware. He indicated that top earners were making in excess of $150,000 USD per month distributing the fake security software onto machines.
Source: Derek Manky