Public Sector needs to re-evaluate data security systems

January 29th, 2010

Our latest free guide – Securing the Public Sector – discusses the issues that the public sector faces when dealing with IT security, and makes key recommendations on how these issues can be tackled.

It won’t surprise you to know that the biggest cause of security breaches is human error. After all, people are not perfect and mistakes will happen. However, with the right procedures in place many of these errors can be discovered before they become a security issue. Other major issues facing the public sector are budgetary pressures (on IT departments as much as anyone), increased use of remote working and a higher number of web-based applications. These are all areas where the traditionally closed public sector work environment becomes open and in turn opens itself up to more areas where security can be compromised.

The guide, which is available from the Network Box site, covers areas of best practice that all areas of the public sector should be implementing. These recommendations include:

o    Ensuring that systems are updated and patched.
o    Remembering that security is about more than just email.
o    Regularly reviewing what applications and systems are used across the organisation as part of ISO9001 or about once per quarter.
o    Ensuring that all data is routed through the appropriate channels and that nothing bypasses security systems (this is one of the most common causes of vulnerabilities).
o    Educating employees – keep them informed about their role in keeping data secure and limit access rights.

Phishing levels still high

January 29th, 2010

We’ve just released our January threat stats, and they make sobering reading. This month, more than half of all malware sent via email was an attempted phishing attack. At Network Box, we’re used to seeing threat stats leap before Christmas, and they did again last year, but they have stayed consistently high throughout January, which is not something that we see that often.

The threat stats also reveal that the number of viruses originating from the UK has increased slightly from December 2009. With that, and Germany’s first appearance in the top ten spam and virus sources list, perhaps we are seeing the start of a new trend of European produced malware?

It could be that the difficult economic climate and the popularity of online shopping have combined to create the perfect environment for hackers, phishers and fraudsters to ply their illegal trade. Clearly, we all need to remember to keep our systems updated with the latest patches and security updates. Yes, this is common sense, but cyber-crime would not exist if people were not profiting from vulnerabilities in our computer security and our networks.

BETT 2010: Don’t forget about security when you embrace new technology

January 20th, 2010

Recently I attended the BETT show at London Olympia, where we had a presence on the stand with our customer, award-winning Learning Possibilities. The show, billed as the world’s largest educational technology event, seemed to me to be somewhat less security-focused than it has been in recent years. There was, however, a great deal of interest in Virtual Learning Environments – or VLEs – (systems which take education out of the classroom and allow students and teachers to log on to submit or check work from anywhere where they have PC access). When you consider the popularity and convenience of virtual working and the increased use of collaborative software and technologies to aid this, the popularity of virtual learning does make sense.

However, the increasing popularity of VLEs could present a problem. Some have been known to have their security flaws, with older versions of some systems being exploited by spammers. In one case, this involved linking the name of the affected school to porn sites in web searches. Children carrying out searches while at school were protected from this attack by their school’s firewall, but did the children who searched from outside school premises have the same level of protection?

One thing that is abundantly clear is that whatever the new technology of the day is, it will come with its own security flaws. The systems will need to be patched and updated regularly; and organisations will need to have rigorous security measures and guidelines in place to defend both the network, and the people using it – particularly when those people are children. Popular trends in technology, whether a passing fad or not, must be monitored by security companies, and the people and organisations that use the systems, if we want to enjoy using the new technology, and not expose ourselves to greater security threats.

Behavioural based email security: Time to make the change

January 19th, 2010

There needs to be a change to email security if we want to stop seeing high profile security breaches such as the ones that hit Hotmail and Google in 2009, and the American law firm Gipson Hoffman & Pancione over the weekend.

The pattern of the attacks is simple enough. The attacker sends you an email that appears to come from a contact, someone you trust, which prompts you to open it. The email contains a link which, when clicked, leads to a malicious program that could infect your computer or network and steal your personal or corporate data. The problem is that most email filtering systems will trust the email address and therefore allow the message through.

What’s needed is a new approach to preventing spam. We need intelligent systems that can learn the behavior of the sender and the recipient and predict behavior. In short, as the attacks get more sophisticated, so must the defense.

In 2009 Network Box released a system called ‘eMail Relationship Manager’, which tracks the features of the sender by envelope analysis to provide additional identifiers like source IP address and country of origin. So, a fake email would be automatically blocked because the IP address of the sender would not be the same as the one stored in the system.

eMail Relationship Manager analyses and learns from the behaviour of the sender and recipient of an email, and gives a score to the email which is applied in addition to traditional anti-spam filter analysis. It works by:

1.    Maintaining a central database to store existing email accounts managed by Network Box on behalf of the email recipient (so genuine email from addresses kept in a user’s address book will be white-listed, assuming their content passes the traditional filter analysis which naturally includes the reputation of the sender). This records and analyses historical information about the relationship in order to judge the likelihood of that email containing malware or unwanted content. The database can be queried and adjusted at any time by Network Box, the organisation’s administrator, or the user. It’s continually updated with every email passing through the system, and will challenge new behaviour, flagging up when a white-listed email address changes its shape – e.g. if a contact in Hong Kong suddenly starts sending emails from Russia.

2.    All relationships are defined using a score based on sender + recipient + type analysis, and given a score based on the trust and strength of the relationship.

3.    The system learns from user behaviour. For example, if the email user A sends an email to email user B, then the system understands that user A trusts user B, and therefore will strengthen the score of trust in that relationship.

4.    If an email relationship is scored as low, then there are a number of options open to the system, depending on its configuration. It can quarantine the email and notify the recipient (it can be released with a single click from the recipient if required); challenge the sender to confirm their identity; or defer the email.
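The four steps above can be modelled in a few lines. This is an added illustration, not Network Box code: the class and function names, the weights, the threshold and the rule that an unseen country costs more trust than an unseen IP address are all assumptions, and the addresses and IPs are constructed from documentation ranges.

```python
from dataclasses import dataclass, field

# All weights and thresholds are illustrative assumptions, not product values.
TRUST_THRESHOLD = 50      # minimum effective score needed to deliver
OUTBOUND_BONUS = 30       # the recipient has written to this sender before
DELIVERED_BONUS = 5       # each clean delivery strengthens the relationship
NEW_IP_PENALTY = 10       # known country, unseen source IP
NEW_COUNTRY_PENALTY = 40  # sender "changes shape", e.g. Hong Kong -> Russia


@dataclass
class Relationship:
    score: int = 0
    origins: set = field(default_factory=set)  # (source_ip, country) pairs seen


class RelationshipDB:
    def __init__(self, low_score_action="quarantine"):
        # Step 4: quarantine, challenge or defer, depending on configuration.
        if low_score_action not in {"quarantine", "challenge", "defer"}:
            raise ValueError(low_score_action)
        self.low_score_action = low_score_action
        self.relationships = {}  # (sender, recipient) -> Relationship

    def _rel(self, sender, recipient):
        return self.relationships.setdefault((sender, recipient), Relationship())

    def record_outbound(self, user, contact):
        """Step 3: the user mailed the contact, so contact -> user gains trust."""
        self._rel(contact, user).score += OUTBOUND_BONUS

    def effective_score(self, sender, recipient, source_ip, country):
        """Stored score, reduced when the envelope origin has not been seen before."""
        rel = self._rel(sender, recipient)
        score = rel.score
        if rel.origins and (source_ip, country) not in rel.origins:
            seen_countries = {c for _, c in rel.origins}
            score -= NEW_IP_PENALTY if country in seen_countries else NEW_COUNTRY_PENALTY
        return score

    def assess_inbound(self, sender, recipient, source_ip, country, filter_ok=True):
        """Return 'deliver' or the configured low-score action."""
        if not filter_ok:  # the traditional anti-spam verdict still applies
            return "quarantine"
        if self.effective_score(sender, recipient, source_ip, country) < TRUST_THRESHOLD:
            return self.low_score_action
        rel = self._rel(sender, recipient)
        rel.origins.add((source_ip, country))  # step 1: updated with every email
        rel.score += DELIVERED_BONUS
        return "deliver"


def demo():
    """Constructed scenario: a known contact, then the same address from Russia."""
    db = RelationshipDB(low_score_action="quarantine")
    alice, bob = "alice@example.org", "bob@hk.example"
    db.record_outbound(alice, bob)
    db.record_outbound(alice, bob)
    return [
        db.assess_inbound(bob, alice, "203.0.113.5", "HK"),   # established contact
        db.assess_inbound(bob, alice, "203.0.113.77", "HK"),  # same country, new IP
        db.assess_inbound(bob, alice, "198.51.100.9", "RU"),  # address reused from RU
        db.assess_inbound("promo@example.net", alice, "192.0.2.44", "US"),  # stranger
    ]


if __name__ == "__main__":
    print(demo())
```

The third message carries the trusted address, so a filter that only checks the sender field would pass it; here the change of origin pulls its score below the threshold.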

To discover more about ‘eMail Relationship Manager’ or for more information about other Network Box products and services, please visit the Network Box website.

2009: a new threat every 10 seconds

January 13th, 2010

Our analysis of 2009 threat stats has revealed some worrying trends:

o    Three million new threats were identified in 2009 (which equates to almost one every 10.8 seconds).
o    2,905,697 threat signatures were released to protect against new or variant threats (an increase of 6.9 per cent from 2008).
o    Most spam and malware originates from botnets and compromised hosts.
o    There’s been a move away from mass-mailed spam and malware of old, to more targeted vulnerability exploits (ones specific to applications, web browsers and servers for example) as cyber-criminals look towards more efficient means of carrying out their attacks.
o    Organised gangs continue to dominate the threat landscape, a trend which is expected to continue into 2010.
o    2009 also saw more security patches from providers other than Microsoft, as these providers begin to realise that Microsoft is not the only target of cyber-crime.

Examples include:

•    Adobe, who announced multiple vulnerabilities in its PDF and Acrobat software systems; and in its SWF Flash software.
•    Wordpress blogs, which have been susceptible to multiple vulnerabilities, leading to passwords being compromised.
•    Several major web frameworks (including the popular Drupal web content management system) have had vulnerabilities leading to remote code execution and SQL injection.
•    Web browsers such as Apple Safari, Mozilla Firefox and Opera have all announced critical vulnerabilities.

These examples highlight the need for all companies to review security policies for the applications and software that they permit people to access via their corporate networks or work computers. Most of us use some form of internet-facing application or collaboration software for work, especially those who work from home, and these applications must be secured, otherwise corporations leave themselves vulnerable to attack.

Phishing attacks soar in the run up to Christmas

January 6th, 2010

Christmas heralded a dramatic increase in the number of phishing attacks – predictably, some would say, given these economic times. In the same way that burglaries increase when houses are likely to be empty over Christmas, hackers use what should be a celebratory time of year to exploit the vulnerable. 

Online shopping increases year by year, and at Christmas we spend more than at any other time. The pickings are rich for online criminals. This year, there were some high-profile cases of bogus online stores discovered and shut down by the police before Christmas, notably the Metropolitan Police Central eCrime Unit’s closure of more than 1200 bogus shopping websites. This shows how sophisticated cyber criminals have now become and to what lengths they will go to dupe shoppers into handing over cash.

I am heartened to see the UK police taking the threat of online fraud so seriously. But there is a bigger problem that we are facing. Today, more than 20 per cent of all viruses come from Brazil, with other major sources of malware including the US, Korea, India, China, Russia, and Poland. This is an international problem and national actions, while laudable, will not be enough to protect us from an increasingly fragmented world of cyber crime. The EU has come together to combat this crime but without co-ordinating with countries like China, Brazil and even the US, the effect is not significant.

A more detailed breakdown of December’s online malware figures is available on our website.

2009: Year of the Trojan

December 17th, 2009

2009 has seen new technologies being improved, adapted and adopted on a massive scale, with over 350 million active users of Facebook, downloads of iPhone Apps recently topping 2 billion, and more than 1.6 billion devices being used to access the internet, including PCs, mobiles and online gaming consoles. There has also been an increase in the number, and sophistication, of internet threats being produced by cyber criminals.

Trojans

Trojans have been around for some time now, but the level of sophistication and the improvement in their development has been of particular concern in 2009. Ones to watch in 2010 include: ZeuS, which steals user data, ranging from passwords to social networking sites to financial log-in details; Urlzone, which re-writes your online bank statement to cover its tracks once the money has been taken; and Clampi, which steals banking log-in details. With the ability to mount man-in-the-middle attacks, users are increasingly vulnerable to account takeover without having the slightest idea that something untoward is happening.

Phishing and Botnets

We have also seen an increase in the deployment of increasingly resilient botnets (responsible for most of the spam we see these days), intelligent clients and the development of credible emails and websites that are believable to even the most wary of us.

Secure Applications?

Also of concern is the way that some of these new technologies are being developed. Is enough time given to develop in a secure fashion? 2009 has seen numerous attacks against Twitter, Facebook and other social networking sites, which suggests that more time and attention needs to be paid to the security of these sites. Furthermore, greater consideration must be given to the data being stored: witness the latest Facebook fiasco, where accounts were created with ‘everyone’ permissions, allowing the world outside of Facebook to have access to information. It is crucial that greater attention is paid to security at all levels.

Corporate Data Breaches

The number of data breaches throughout the year has been a major concern; there is still a problem with keeping electronic data secure. These breaches not only have a serious impact on people’s security but also on developments like cloud based solutions that go beyond email and web scanning.

Targeting the Cloud

Working ‘in the cloud’ is becoming ever more popular as businesses realise the economic and environmental benefits of home working; some analysts predict that businesses using the technology will double to 9 per cent by 2012. It seems likely that, as with application development, in the rush to get to market security will have been sacrificed to some extent. And whilst the security of these solutions is likely to be better than that of the majority of small to medium sized companies, they will present an attractive and lucrative target for hackers. The benefits of using the cloud may outweigh the risks involved, but all companies and individuals should seriously consider the risks before they make the leap.

Macs under threat

Apple sold 3.5 million Macs and 7.4 million iPhones in the fourth quarter of its fiscal year. Whilst PCs still have the predominant share of the market, and therefore are at the greatest risk of attack, the rapid growth and the ability to connect and share data between Apple products, combined with the aura of security that surrounds Macs, has made Apple products an attractive target for malware writers.

2009 has seen Macs increasingly targeted, with a number of malware programs being written or being effective against a Mac (with a small Mac botnet being detected in April). Although threats against Macs are likely to increase in 2010, we can still expect Windows to be the main target as it still holds around 90 per cent of the desktop market.

2009 has been a year of cross platform communication. People want to call, text, work and communicate over many platforms from a simple mobile device. They want to be able to plug this device into their computer at home or work and transfer their work instantly. Many also want to do the shopping, or check their bank accounts from their mobiles or computers. Unfortunately, this increased collaboration between devices, applications and platforms will mean that malware writers, who may have previously targeted PCs, now have a plethora of devices, websites and applications available to target and a diverse range of increasingly sophisticated methods to employ with which to bamboozle their victims.

The one good trend to come out of 2009, the increase in international co-operation that has seen Egypt and the US collaborate to catch one gang, will need to be strengthened and formalized if the international community is serious about tackling cyber crime.  When a spammer can hide in New Zealand from a penalty that has been handed out in the US, the gap that is yet to be covered is revealed. We can also see this in cases like Gary McKinnon – if extradition treaties are not reciprocal or punishments not measured, then international co-operation is going to be obstructed and cybergangs, who may be three individuals in separate countries, will remain free to exploit new technology and the trust we place in it.

RockYou and the 32.6 million passwords

December 16th, 2009

It’s been just over two months since more than 10,000 Hotmail passwords were stolen and posted online. Now, just in case we needed a reminder about the security of our online accounts, online application powerhouse RockYou has fallen victim to an SQL attack, which has prompted Techcrunch to urge over 32 million RockYou users to change their passwords after hackers gained access to passwords and email addresses that were stored in plain text.

Unfortunately, RockYou are far from alone in storing password details in plain text, which makes it even more important for us as the user to take personal responsibility for the security of our data.

If you access any accounts online, you should follow these basic steps:

1.    Create unique passwords for each account
2.    Change all of the passwords regularly
3.    Don’t use dictionary words or overly simplistic passwords (earlier this year one site’s most popular password was revealed as 123456)
4.    Create passwords that are over 10 characters long
5.    Although it may seem original, taking a dictionary word or someone’s name and replacing the i’s with 1s and the e’s with 3s doesn’t fool anyone
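Steps 1, 3, 4 and 5 can be checked mechanically; step 2 needs change dates and is left out. The sketch below is an added example, not from the original post: the word list is a tiny constructed sample, the substitution table is an assumption that extends the i/1 and e/3 swaps named above, and the sample passwords are constructed.

```python
# Constructed mini word list; a real check would load a full dictionary and name list.
WORDLIST = {"password", "monkey", "princess", "jennifer", "sunshine", "michael"}

# Substitutions undone before the dictionary lookup (includes i->1 and e->3).
LEET = str.maketrans({"1": "i", "3": "e", "0": "o", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def findings(password, others=()):
    """Return the rules from the steps above that this password breaks."""
    problems = []
    if len(password) <= 10:
        problems.append("not over 10 characters")
    lowered = password.lower()
    # Try the whole string, and the string with a trailing year or number removed.
    candidates = {lowered.translate(LEET),
                  lowered.rstrip("0123456789!").translate(LEET)}
    if candidates & WORDLIST:
        problems.append("dictionary word or name, even with substitutions")
    if password.isdigit() or len(set(password)) <= 2:
        problems.append("overly simplistic")
    if password in others:
        problems.append("reused on another account")
    return problems


def audit(accounts):
    """accounts maps site -> password; return {site: [broken rules]} for failures."""
    report = {}
    for site, password in accounts.items():
        others = [p for s, p in accounts.items() if s != site]
        problems = findings(password, others)
        if problems:
            report[site] = problems
    return report


if __name__ == "__main__":
    # Constructed sample passwords, for illustration only.
    for sample in ("123456", "pr1nc3ss", "J3nn1f3r2009", "vQ7#mLz2@pXe9"):
        print(sample, findings(sample))
```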

However, the service providers also have a duty of care and should examine their own security policies.

Do they store user data in plain text?
Should they introduce extra factors of authentication?

Our guide on authentication discussed the possibility of ‘identity 2.0’: the introduction of a system which would remove the need for users to think up and remember multiple, unique and complex passwords for their online services, and provide them with one online identity that all online services recognise. But, as we noted in the guide, there are also drawbacks to this approach.

The one thing we can be certain about is that hacking incidents and data theft will not go away, and those users who use the same password for multiple accounts are putting themselves and their data at risk by not adopting a more stringent attitude to password security.

Managed security services: why SMEs should take advantage

December 9th, 2009

Managed security services have traditionally been adopted by large companies in an attempt to combat growing internet threats in the most cost effective way possible. By outsourcing security management to companies which specialise in the area, these companies can have both a successful security solution, and free up their IT departments to focus on other areas of the business. Over the last 12 months in particular, we’re seeing medium sized and small businesses taking advantage of the same benefits, as internet threats get more sophisticated and so the cost of providing expertise in-house mounts. Likewise, as a market matures, the cost of outsourcing is reducing.

I find it encouraging that SMEs are starting to take the view that their larger counterparts take – that is understanding that a short term expense may be required in order to take advantage of future benefits. Our experience, like others in our market, shows that companies that install a managed security service have saved between 20 and 40 per cent compared to those that still use in-house security processes.

SMEs face many of the same security issues as large companies, but potentially have much smaller budgets. However, once you examine the cost savings made over time, a managed security solution proves to be excellent value for money.

We discuss how SMEs can benefit from a managed security solution in our latest white paper, ROI of managed security services, which is published today and free to download from the Network Box website.

Vietnam number one source of spam for November, but will anything be done to tackle it?

December 1st, 2009

Today’s news that a New Zealand national has been ordered to pay US$15.5 million in fines due to his participation in an international spam network highlights the seriousness with which authorities are starting to take malware production. But it also reveals the problems with enforcement that currently pervade the system, as the man in question will not have to pay the fine unless he sets foot on American soil.

Last month we highlighted how malware production was dispersing. The traditional centres of production (such as Brazil, the US and Korea) were starting to produce less malware, whereas other countries like India and Vietnam were beginning to produce more.

Now, Vietnam has become the number one source of spam – being responsible for more than 10 per cent of the world’s spam emails – and the UK has entered the virus production charts, being responsible for 2.79 per cent of the world’s viruses. (Brazil, the US and Korea still dominate when it comes to virus production.)

As we have said before, it is incredibly important that there is effective international policing and enforcement when it comes to cybercrime. Yes, it’s good news that governments are willing to levy such massive fines against perpetrators, but what is the use of such a fine if the offender can simply choose not to pay it?

Although we have developed strong measures to track and trace production, and we can do a considerable amount to protect the end user, there needs to be a substantial international effort from the authorities to educate the end user and co-operate over the policing and enforcement of malware production.