Archive for January, 2010

Public Sector needs to re-evaluate data security systems

Friday, January 29th, 2010

Our latest free guide – Securing the Public Sector – discusses the issues that the public sector faces when dealing with IT security, and makes key recommendations on how these issues can be tackled.

It won’t surprise you to know that the biggest cause of security breaches is human error. After all, people are not perfect and mistakes will happen. However, with the right procedures in place many of these errors can be discovered before they become a security issue. Other major issues facing the public sector are budgetary pressures (on IT departments as much as anyone), increased use of remote working and a higher number of web-based applications. These are all areas where the traditionally closed public sector work environment becomes open and in turn opens itself up to more areas where security can be compromised.

The guide, which is available from the Network Box site, covers areas of best practice that all areas of the public sector should be implementing. These recommendations include:

o    Ensuring that systems are updated and patched.
o    Remembering that security is about more than just email.
o    Regularly reviewing what applications and systems are used across the organisation as part of ISO9001 or about once per quarter.
o    Ensuring that all data is routed through the appropriate channels and that nothing bypasses security systems (this is one of the most common causes of vulnerabilities).
o    Educating employees – keep them informed about their role in keeping data secure and limit access rights.

Phishing levels still high

Friday, January 29th, 2010

We’ve just released our January threat stats, and they make sobering reading. This month, more than half of all malware sent via email was an attempted phishing attack. At Network Box, we’re used to seeing threat stats leap before Christmas, and they did again last year, but they have stayed consistently high throughout January, which is not something that we see that often.

The threat stats also reveal that the number of viruses originating from the UK has increased slightly from December 2009. With that, and Germany’s first appearance in the top ten spam and virus sources list, perhaps we are seeing the start of a new trend of European produced malware?

It could be that the difficult economic climate and the popularity of online shopping have combined to create the perfect environment for hackers, phishers and fraudsters to ply their illegal trade. Clearly, we all need to remember to keep our systems updated with the latest patches and security updates. Yes, this is common sense, but cyber-crime would not exist if people were not profiting from vulnerabilities in our computer security and our networks.

BETT 2010: Don’t forget about security when you embrace new technology

Wednesday, January 20th, 2010

Recently I attended the BETT show at London Olympia, where we had a presence on the stand with our customer, award-winning Learning Possibilities. The show, billed as the world’s largest educational technology event, seemed to me to be somewhat less security-focused than it has been in recent years. There was, however, a great deal of interest in Virtual Learning Environments – or VLEs – (systems which take education out of the classroom and allow students and teachers to log on to submit or check work from anywhere where they have PC access). When you consider the popularity and convenience of virtual working and the increased use of collaborative software and technologies to aid this, the popularity of virtual learning does make sense.

However, the increasing popularity of VLEs could present a problem. Some have been known to have their security flaws, with older versions of some systems being exploited by spammers. In one case, this involved linking the name of the affected school to porn sites in web searches. Children carrying out searches while at school were protected from this attack by their school’s firewall, but did the children who searched from outside school premises have the same level of protection?

One thing that is abundantly clear is that whatever the new technology of the day is, it will come with its own security flaws. The systems will need to be patched and updated regularly; and organisations will need to have rigorous security measures and guidelines in place to defend both the network, and the people using it – particularly when those people are children. Popular trends in technology, whether a passing fad or not, must be monitored by security companies, and the people and organisations that use the systems, if we want to enjoy using the new technology, and not expose ourselves to greater security threats.

Behavioural based email security: Time to make the change

Tuesday, January 19th, 2010

There needs to be a change to email security if we want to stop seeing high profile security breaches such as the ones that hit Hotmail and Google in 2009, and the American law firm Gipson Hoffman & Pancione over the weekend.

The pattern of the attacks is simple enough. The attacker sends you an email that looks like it’s from a contact, someone you trust, which prompts you to open it. The email contains a link which, when clicked, leads to a malicious program that could infect your computer or network and steal your personal or corporate data. The problem is that most email filtering systems will trust the email address and therefore allow it through.

What’s needed is a new approach to preventing spam. We need intelligent systems that can learn the behavior of the sender and the recipient and predict behavior. In short, as the attacks get more sophisticated, so must the defense.

In 2009 Network Box released a system called ‘eMail Relationship Manager’, which tracks the features of the sender by envelope analysis to provide additional identifiers like source IP address and country of origin. So, a fake email would be automatically blocked because the IP address of the sender would not be the same as the one stored in the system.

eMail Relationship Manager analyses and learns from the behaviour of the sender and recipient of an email, and gives a score to the email which is applied in addition to traditional anti-spam filter analysis. It works by:

1.    Maintaining a central database to store existing email accounts managed by Network Box on behalf of the email recipient (so genuine email from addresses kept in a user’s address book will be white-listed, assuming their content passes the traditional filter analysis which naturally includes the reputation of the sender). This records and analyses historical information about the relationship in order to judge the likelihood of that email containing malware or unwanted content. The database can be queried and adjusted at any time by Network Box, the organisation’s administrator, or the user. It’s continually updated with every email passing through the system, and will challenge new behaviour, flagging up when a white-listed email address changes its shape – e.g. if a contact in Hong Kong suddenly starts sending emails from Russia.

2.    All relationships are defined using a score based on sender + recipient + type analysis, and given a score based on the trust and strength of the relationship.

3.    The system learns from user behaviour. For example, if email user A sends an email to email user B, then the system understands that user A trusts user B, and therefore will strengthen the score of trust in that relationship.

4.    If an email relationship is scored as low, then there are a number of options open to the system, depending on its configuration. It can quarantine the email and notify the recipient (it can be released with a single click from the recipient if required); challenge the sender to confirm their identity; or defer the email.
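
The four steps above, sketched as an added example. This is not Network Box’s code: the class and function names, the point values and the thresholds are assumptions made for illustration, and the content filter that runs alongside the relationship score is left out.

```python
from dataclasses import dataclass, field

TRUST_THRESHOLD = 2   # assumed: below this a relationship counts as "low"
SHAPE_PENALTY = 3     # assumed: cost of mail arriving from an unseen country

@dataclass
class Relationship:
    score: int = 0
    origins: set = field(default_factory=set)   # (source_ip, country) pairs seen

class RelationshipStore:
    def __init__(self, low_score_action="quarantine"):
        # Step 4: what happens to low-scored mail is configuration:
        # "quarantine", "challenge" or "defer".
        self.low_score_action = low_score_action
        self.rels = {}   # (remote_address, local_user) -> Relationship

    def _rel(self, remote, local):
        return self.rels.setdefault((remote.lower(), local.lower()), Relationship())

    def record_outbound(self, local, remote):
        # Step 3: a local user writing to a contact shows trust in that contact.
        self._rel(remote, local).score += 2

    def assess_inbound(self, remote, local, source_ip, country):
        # Steps 1-2: score the sender + recipient pair from envelope data only.
        rel = self._rel(remote, local)
        seen_countries = {c for _, c in rel.origins}
        if rel.origins and country not in seen_countries:
            # Known contact changed shape: penalise, do not learn the new
            # origin, and ask the sender to confirm their identity.
            rel.score -= SHAPE_PENALTY
            return "challenge"
        rel.origins.add((source_ip, country))
        rel.score += 1
        return "deliver" if rel.score >= TRUST_THRESHOLD else self.low_score_action

def demo():
    # Constructed addresses and documentation-range IPs, not real traffic.
    store = RelationshipStore()
    me, bob = "alice@example.org", "bob@partner.example"
    store.record_outbound(me, bob)
    return [
        store.assess_inbound(bob, me, "203.0.113.10", "HK"),
        store.assess_inbound(bob, me, "198.51.100.7", "RU"),
        store.assess_inbound("stranger@unknown.example", me, "192.0.2.55", "BR"),
    ]

if __name__ == "__main__":
    print(demo())
```

Because the challenged message never adds its origin to the stored history, a spoofed email cannot teach the store that the new country is normal for that contact.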

To discover more about ‘eMail Relationship Manager’ or for more information about other Network Box products and services, please visit the Network Box website.

2009: a new threat every 10 seconds

Wednesday, January 13th, 2010

Our analysis of 2009 threat stats has revealed some worrying trends:

o    Three million new threats were identified in 2009 (which equates to almost one every 10.8 seconds).
o    2,905,697 threat signatures were released to protect against new or variant threats (an increase of 6.9 per cent from 2008).
o    Most spam and malware originates from botnets and compromised hosts.
o    There’s been a move away from mass-mailed spam and malware of old, to more targeted vulnerability exploits (ones specific to applications, web browsers and servers for example) as cyber-criminals look towards more efficient means of carrying out their attacks.
o    Organised gangs continue to dominate the threat landscape, a trend which is expected to continue into 2010.
o    2009 also saw more security patches from providers other than Microsoft, as these providers begin to realise that Microsoft are not the only target of cyber-crime.

Examples include:

•    Adobe, who announced multiple vulnerabilities in its PDF and Acrobat software systems; and in its SWF Flash software.
•    Wordpress blogs, which have been susceptible to multiple vulnerabilities, leading to passwords being compromised.
•    Several major web frameworks (including the popular Drupal web content management system) have had vulnerabilities leading to remote code execution and SQL injection.
•    Web browsers such as Apple Safari, Mozilla Firefox and Opera have all announced critical vulnerabilities.

These examples highlight the need for all companies to review security policies for the applications and software that they permit people to access via their corporate networks or work computers. Most of us use some form of internet-facing application or collaboration software for work, especially those who work from home, and these applications must be secured, otherwise corporations leave themselves vulnerable to attack.

Phishing attacks soar in the run up to Christmas

Wednesday, January 6th, 2010

Christmas heralded a dramatic increase in the number of phishing attacks – predictably, some would say, given these economic times. In the same way that burglaries increase when houses are likely to be empty over Christmas, hackers use what should be a celebratory time of year to exploit the vulnerable. 

Online shopping increases year by year, and at Christmas we spend more than at any other time. The pickings are rich for online criminals. This year, there were some high-profile cases of bogus online stores discovered and shut down by the police before Christmas, notably the Metropolitan Police Central eCrime Unit’s closure of more than 1200 bogus shopping websites. This shows how sophisticated cyber criminals have now become and to what lengths they will go to dupe shoppers into handing over cash.

I am heartened to see the UK police taking the threat of online fraud so seriously. But there is a bigger problem that we are facing. Today, more than 20 per cent of all viruses come from Brazil, with other major sources of malware including the US, Korea, India, China, Russia, and Poland. This is an international problem and national actions, while laudable, will not be enough to protect us from an increasingly fragmented world of cyber crime. The EU has come together to combat this crime but without co-ordinating with countries like China, Brazil and even the US, the effect is not significant.

A more detailed breakdown of December’s online malware figures is available on our website.