Archive for July, 2009

India emerging as a source of threats as viruses rise by 300 per cent

Thursday, July 30th, 2009

Our most recent threat stats analysis reveals that viruses have increased by a massive 300 per cent in the last three months. We have also seen a large rise in the level of phishing attacks, rising from five per cent of all viruses in June, to 36 per cent in July.

It’s interesting (but unsurprising) that India is starting to emerge as a significant source of threats (now the fourth largest source behind the US, Brazil and Korea). India is a major economic force, has a thriving IT industry, an expanding middle class and increasing uptake of home computers. But the economy remains difficult to regulate and there are significant numbers of pirated copies of operating systems, which never get patched or updated, thus making the users of this software a prime target for viruses. These in turn infect their computers, before moving on through the network to infect other vulnerable targets.

Also noteworthy is that global levels of spam have long since surpassed the levels seen before data centres such as McColo were shut down, as the perpetrators shift operations to less regulated areas of the world such as Brazil, China, Korea and India.

Surely security should be left to the security experts

Thursday, July 30th, 2009

I recently read an interesting blog post by Ilya Bogorad of Bizvortex Consulting (http://blogs.techrepublic.com.com/tech-manager/?p=991), writing for Tech Republic earlier this year. Bogorad makes the point that often IT departments are limited by principles held high up in the organisation (i.e. non-technologists making technology decisions that don’t work), or by not having the resource or specialist skills in-house to do everything that the organisation needs. So much of what a business does now is underpinned by IT of one sort or another that it would require most businesses to double the size of their workforce if they were to retain an expert in every area.

The job of an IT department has shifted significantly in the last few years. IT is widely seen as a strategic, not a tactical, function of the business. The job of the IT team is to set and implement an IT strategy to meet a business need, rather than developing the tactical technology to support the business need – which, more and more, is left to specialist experts.

Nowhere have we seen this more than in security. There was a time when it was considered enough to put a firewall in, decide which major AV company to go for (probably based on cost alone), and then let security run itself.

Fast forward a few years – through some high profile security breaches; a whole range of compliance legislation; an army of sophisticated hackers, spammers, phishers, and other scammers; and the advent of ‘Web 2.0’ with its social media, mobile Internet, and ‘always on’ connectivity – and the security landscape looks very different. We’re finding that, increasingly, companies are opting to outsource their security. Not just to solve a resource issue, or as a cost saving measure (as with the early days of outsourcing offshore), but because it isn’t the job of the IT department any more to have the level of specialist knowledge required. Their role is more strategic than tactical.

Technology decisions shouldn’t be taken by non-technology personnel, but should look like this:
1.    Business unit head (CXO) sets business priorities to meet company strategy and objectives
2.    Head of IT sets IT strategy and objectives; sets priorities and makes appropriate IT decisions to support business requirements
3.    Specialist technology teams implement the necessary technology to deliver the systems required, including how to secure them
4.    IT department supports the business use of that technology

It is at point 3, above, that outsourced experts come in – brought in as part of a strategic process, but working with the teams who will support the business day-to-day. The advantage of an outsider, in my view, is that they’ll have a wide view of what’s possible, will have experienced what needs to be done in countless other companies (and so can effectively advise with the benefit of hindsight). They will also be aware of the impact of the latest technologies and platforms, understand where the newest security threats come from, and know where to look for system and network vulnerabilities (and how to fix them).

But most importantly, a security expert in a managed service company will take responsibility for the proper implementation and operation of the defences. The company’s IT team should not be dealing with the minutiae of the operation, like downloading the latest patch, or setting a firewall rule. That really isn’t what they are paid for.  By delegating those tactical tasks they can focus on the strategic planning that drives the business and makes the IT department a business benefit, generating profit and not just a business overhead.

Protecting your company against SQL Injection attacks

Thursday, July 23rd, 2009

SQL Injection attacks (where a hacker ‘injects’ malicious code into an application, exploiting a vulnerability in that application) have continued to increase in recent months. As a result, it is vital for companies to review their applications for any vulnerabilities and patch them where possible.

These attacks are extremely difficult to stop at the gateway because they emanate from errors in the coding of a genuine application that allow that application to be exploited. These attacks should be differentiated from attacks that focus on a browser, like the recently discovered bug in Firefox 3.5 that can crash the browser and is independent of the application running in the browser.

Security firms, like Network Box, operate sophisticated Intrusion Detection and Prevention systems that can block many exploits (such as those against public web applications), but even these types of system can only offer a limited amount of protection in the case of private, internal applications. This is why companies must review application scripts and ensure they are kept up to date with the latest patches, on a regular basis.

In the advisory that we have just issued, we provide the following example of an SQL Injection attack:

A web server runs a news search application (called, for example, news.cgi), that uses a single parameter ‘id’ to retrieve a news story from a data source. The application is genuine, and the data source is used to receiving instruction from it.

Usually, the application queries the data source using SQL code that means ‘find articles where news id is XX’. (This might look like: [website URL]/news.cgi?id=XX.)

A hacker exploiting a vulnerability in the application is able to change the ‘id’ value, to instruct the application to do something different. So, for example, if a hacker were to insert ‘XX;truncate%20table%20news’ into the parameter field, an application that does not validate or protect itself will compare the id with ‘XX’ and then execute the command ‘truncate table news’ which could delete news from the data source.

We would advise these methods to prevent such attacks from occurring:

1.    Use ‘parameterised’ SQL statements – put clear parameters into the SQL instruction.
2.    Validate each parameter. For example, the ID parameter must be a number, or is restricted to certain terms.
3.    ‘Escape’ parameters before inserting them into the SQL statement. This ensures the commands inserted by the hacker are treated as a variable rather than a command. So instead of comparing the id with ‘XX’ and then executing ‘truncate table news’, the id is compared with ‘XX; truncate table news’ which is not a legitimate id and is rejected.
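The news.cgi scenario and the three methods above, as an added example (not code from the advisory or from Network Box), using Python's sqlite3 with a constructed table. The function names are hypothetical, and `DELETE FROM news` stands in for ‘truncate table news’, which SQLite does not support.

```python
import re
import sqlite3

# Constructed payload: what the 'id' parameter holds after the CGI layer
# URL-decodes it. DELETE stands in for TRUNCATE, which SQLite lacks.
PAYLOAD = "1; DELETE FROM news"

def make_db():
    """Constructed in-memory stand-in for the news data source."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO news VALUES (?, ?)",
                   [(1, "Quarterly results"), (2, "New office opens")])
    db.commit()
    return db

def count_rows(db):
    return db.execute("SELECT COUNT(*) FROM news").fetchone()[0]

def lookup_vulnerable(db, raw_id):
    """Flawed: the raw value is pasted into the SQL text."""
    sql = "SELECT title FROM news WHERE id = " + raw_id
    # executescript() models a driver that accepts stacked statements;
    # everything after the ';' runs as a second command.
    db.executescript(sql)
    return sql

def lookup_bound(db, raw_id):
    """Method 1 (with the effect method 3 describes): the value is bound
    as data, so the whole string is compared with the id, never executed."""
    row = db.execute("SELECT title FROM news WHERE id = ?", (raw_id,)).fetchone()
    return row[0] if row else None

def lookup_validated(db, raw_id):
    """Method 2 on top of binding: reject anything that is not a number."""
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        raise ValueError("id must be numeric")
    return lookup_bound(db, int(raw_id))

if __name__ == "__main__":
    db = make_db()
    lookup_vulnerable(db, PAYLOAD)
    print("rows after vulnerable lookup:", count_rows(db))
    db = make_db()
    print("bound lookup of payload:", lookup_bound(db, PAYLOAD))
    print("rows after bound lookup:", count_rows(db))
```

Binding alone already keeps the table intact; validation additionally turns the malformed id into an explicit error that can be logged and alerted on.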

Bing.com and Safe Search

Tuesday, July 14th, 2009

Bing.com, the successor to MSN Search, is now in beta and already seeking to distinguish itself from Google and Yahoo! by adding new features such as video thumbnail previews and displaying instant answers to questions. Like its competitors, Bing provides SafeSearch functionality and uses pretty standard filtering levels:

Strict – filters sexually explicit text, images and videos from search results

Moderate – filters sexually explicit images and videos, but not text, from your search results

Off – doesn’t filter any sexually explicit text, images or videos from your search results

Until recently, search terms that should have brought back results under the moderate setting, such as “mature adult”, only resulted in a message which refused to display results because your search setting was strict.

But, as we all know, issues such as these are far from uncommon in beta releases, and Bing seems to have resolved the issue now (for that particular search term at least).

Network Box has now extended its policy engine-integrated Safe Browsing to include Bing.com (it already covers Google and Yahoo!) meaning that all clients will be able to enforce a safe search level of their choosing throughout the corporate network for all three search engines.

Hacks and hoaxes get more sophisticated by the day

Thursday, July 2nd, 2009

We’ve just published a new guide for IT managers on the most common Internet hacks and hoaxes they are likely to encounter. Scams are getting harder to spot these days than they were a few years ago, as these pictures of two Natwest login pages – one fake, one real – show:

[Images: two Natwest login pages, one fake and one real]

Hackers and con artists have had to get cleverer – with so much publicity about Internet fraud around, you’d be hard pushed not to know that you have to watch out for scams. But they can be hard to spot. There are more applications associated with social networks, for example, that are developed without using a secure development lifecycle (SDL) – and can leave themselves open to hacking. We have to be vigilant; and changing user behaviour by raising awareness is a very effective way of doing that.

The idea behind the guide is that if users are aware of the scams, and how to spot a fake site, for example, they’ll be less likely to put themselves, and their companies, at risk.

If you’re interested, you can get a copy from the Network Box website.

June sees spike in Trojan attacks

Wednesday, July 1st, 2009

We’ve just released our threat analyses for June, and although the US is back at the top of the virus charts (producing 21.3 per cent of viruses, up from 17.2 per cent in May), Brazil is not that far behind.

There has been a rapid surge of Trojan attacks as well, leaping to 27.23 per cent from last month’s 3.7 per cent of malware, which may be partly due to malware writers exploiting the recent deaths of Farrah Fawcett and Michael Jackson to send emails that would infect the recipient’s computer.

Full details can be seen over at the Network Box website.