BUSINESS INSIGHTS | WINTER 2009/2010 EFFECT
A Look Back and the View Ahead
by Mark Eich
As we look back at the information security concerns of 2009, we see old school hacking making a big (and profitable) comeback, while new school hacking morphed into more effective (and profitable) methods. Let’s look back at the top three issues we faced in 2009 and look forward to what we might see in 2010.
Issue #1—Web and office application vulnerabilities
Web applications by their very nature can be accessed easily by the public. It’s simple, really: if you want to do business on the Web, you have to open part of your IT infrastructure to the public. However, doing so opens up these applications to attack. Cyber attacks that take advantage of vulnerabilities in Web-facing applications and desktop office applications skyrocketed in 2009 as attackers realized these systems are far more “reachable” than other systems. Traditional targets, such as production servers and file servers, sit protected behind firewalls, intrusion detection systems, and other defensive measures.
SQL injections and cross-site scripting are perhaps the most common types of hacker attacks that take advantage of Web and desktop application vulnerabilities. In fact, perhaps the most high-profile attacks in 2009 used SQL injection methods to attack Web servers. Albert Gonzalez, recently indicted in federal court in New Jersey for data breaches at Heartland Payment Systems, Hannaford Brothers supermarkets, and 7-Eleven, used SQL injection techniques to penetrate these systems.
Hacker Ehud Tenenbaum, who pled guilty in connection with charges of fraud that netted more than $200 million from banks in Indiana, Florida, Texas, and California, also used SQL injection techniques in attacks that exploited vulnerabilities in Web-facing database servers. Businesses that rely on such systems should implement sound development practices that embed security into the development process. They should also include Web applications in penetration tests that are designed to identify these vulnerabilities, so they can be fixed before they are exploited by attackers.
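To make concrete what “embedding security into the development process” means for the SQL injection attacks described above, here is an added example (not code from the article or from any of the companies named): a login lookup that splices user input into the query text, beside the parameterized version, both run against a constructed in-memory SQLite table.

```python
import sqlite3


def setup_db():
    """Constructed stand-in for a Web-facing user database (one sample row)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Defect: input is pasted into the SQL text, so the database cannot
    distinguish attacker-supplied characters from the query's own syntax."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone() is not None


def login_hardened(conn, username, password):
    """Fix: a parameterized query. The SQL text is fixed at development time;
    the driver sends the values separately, so input is always treated as data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def compare(username, password):
    """Return (vulnerable_result, hardened_result) for the same credentials."""
    conn = setup_db()
    try:
        return login_vulnerable(conn, username, password), login_hardened(conn, username, password)
    finally:
        conn.close()


if __name__ == "__main__":
    # Legitimate credentials: both versions accept them.
    print(compare("alice", "s3cret"))
    # Constructed hostile input that pastes SQL syntax into the password field:
    # the vulnerable version accepts it, the parameterized version rejects it.
    print(compare("alice", "' OR '1'='1"))
```

The second call is the kind of check a Web application penetration test exercises; the parameterized lookup returns False for it because the whole string is compared against the stored password as a literal value.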
Issue #2—Social engineering
Social engineering is an old school hacking method that had its heyday in the 1980s and is making a significant comeback today. Social engineering involves tricking people into divulging information or somehow assisting the attacker.
For example, a pretext telephone call may be designed to trick users into providing their password to an attacker posing as someone in authority. An email attack may trick users into clicking a link to a Web site that returns malicious code. Someone dressed as a repairman may be allowed access to a sensitive data center.
Social engineering has some inherent challenges. It is a risk that is hard to quantify since often the end result (such as loss of data or compromised systems) is not linked to the initiating event (such as the pretext phone call or the suspicious email). In addition, the actual tactics used are virtually unlimited, making this a very difficult threat to identify and mitigate.
But the threat is real. Last year attackers posing as bank customers used pretext phone calls to execute fraudulent wire transfers at dozens of banks and credit unions. Attackers dressed as maintenance personnel planted monitoring devices inside companies to harvest user credentials (IDs and passwords) and other sensitive data and intellectual property.
These types of attacks put a great deal of pressure on end users and frontline employees. Frequent education is key to creating a proper and effective culture of awareness that can spot these types of attacks and mitigate the threat.
Issue #3—Insider threats
As the economy worsens, employees face financial stress. This puts pressure on the motive component of the classic fraud triangle: motive, opportunity, and rationalization. Our forensics practice has seen a dramatic uptick in requests related to insider fraud, a trend representative of the situation nationwide.
Companies should review user access policies and internal monitoring strategies. They should also review policies related to the use of external hard drives and writeable media (such as CD or DVD drives). These strategies diminish the opportunity element of the fraud triangle.
What to look for in 2010
With the speed of Web development, combined with a bottomless consumer appetite for Web applications, additional issues will unfold in the coming year. While predicting the future is an inexact science, there are some areas that will stand out more than others. Here are a few things to watch for in 2010.
Social networking threats:
In 2009, Twitter and Facebook experienced service outages due to hackers. As companies adopt marketing strategies that embrace social networking sites, attackers will continue to breach systems by leveraging these sites.
Less-than-zero-day vulnerabilities:
Hackers realize that when they discover a vulnerability that allows them to penetrate networks, it will be patched very quickly and thus the universe of threats will diminish rapidly. Look for hackers to be far more protective of vulnerability information, creating an increase in so-called “less-than-zero-day vulnerabilities,” which are threats known only to the hacking community and not to the public at large. These are very dangerous threats since they have the possibility of bypassing the defensive measures that we rely on heavily (such as intrusion detection systems).
Emphasis on third party assurance:
As businesses become more connected and more willing to share sensitive data about customers and intellectual property, they will look for ways to evaluate the security practices of the business partners with whom they share this data.
The PCI Data Security Standard (PCI DSS) is one example of such assurance. And while the current version of the PCI DSS certainly has value, breach analysis indicates it is far from a foolproof standard. In 2010, look for businesses to begin to demand more robust standards to evaluate the security practices of potential business partners.