Threats 2.0: changes in Internet based risks calls for a new defensive approach

Internet based threats have changed significantly in the past five years. The domain of hacking and viruses, once dominated by a few dedicated crackers and script kiddies, has given way to a scourge of new threats. The term Threats 2.0 characterizes this entirely new class of threats. They include:

• Zero day attacks. Once the realm of theory, we are now seeing zero day attacks on an almost monthly basis.
• Online fraud. Phishing attacks are commonplace, and they’re fooling many people into giving up private information that leads to identity theft and fraud.
• Organized crime. Once the pervue of small gangs of profiteers, large organized crime rings have developed, and existing organized crime rings have moved into online activities. The U.S. Treasury department has stated that organized crime now makes more money from online activities than from selling illegal drugs.
• Identity theft. With the proliferation of information being stored online, increasingly in online applications with Internet access, identity theft has blossomed into an epidemic with no end in sight. Identify theft is a means to an end: cash and free services.
• Bot armies. Scores of large bot armies are in operation, many with tens of thousands of bots, and some with over one hundred thousand. These bot armies are being used to relay spam, host websites, and conduct distributed denial of service (DDOS) attacks.
• Root kits. Advanced techniques for hiding malware have been developed, making malware more difficult to detect than at any time in the past.

This is substantiated by the most recent Symantec Internet Security Threat Report which states, “Instead of exploiting high-severity vulnerabilities in direct attacks, attackers are now discovering and exploiting medium-severity vulnerabilities in third-party applications, such as Web applications and Web browsers.” These threats are becoming more potent, as individuals and groups that write and perform these attacks are working together. The Symantec report states, “…attackers are now refining their methods and consolidating their assets to create global networks that support coordinated criminal activity.”

Many “advances” in technology have resulted in an explosion of vulnerabilities that are difficult and costly to control. Among the vulnerabilities:

• Sensitive information online. An explosion of online applications that provide access to sensitive information. Previously only available in hardcopy or on organization premises, information is increasingly available online for anyone who knows how to access it.
• Mobile devices. Smart phones, PDAs, and laptops are growing in popularity. Software and storage capabilities make it more likely that these devices will have sensitive information stored on them. Theft of laptops and similar devices used to be motivated by their physical asset value, but increasingly they are stolen for their information potential.

More than an evolution of past techniques, the methods used in Threats 2.0 are creative and more difficult to contain and control than before. Traditional defenses like firewalls and anti-virus are ineffective against these new threats and do little to mitigate these vulnerabilities. An entirely new generation of defensive and proactive measures are required, including

• Application firewalls. Traditional firewalls are designed to filter only on source address, destination address, and port number. This is wholly inadequate for repelling application-level attacks or denial of service attacks.
• Application vulnerability scanning. More than just infrastructure pen testing, application vulnerability scanning identifies vulnerabilities in web-based software applications such as cross-site scripting, script injection, buffer overflows, information disclosure, and so on.
• Defense in depth application architecture. Organizations are adopting new application architectures that separate presentation, business logic, and data into separate tiers, frequently with multiple layers of firewalls in between.
• Defensive data architecture. Rather than exposing an entire database to a web application, designers are restricting what an application can see and do, by limiting access through views and by permitting only certain queries and updates. Applications need not have full unfettered access to the database as they did in the past.
• Encryption of sensitive data. Information that is sensitive in nature can be encrypted at rest while stored in databases. Challenging just a few years ago, encryption of data at rest is more widely available and easier to implement than before.
• Active server and application management. Real-time tools are now able to keep a much closer eye on the operating systems than at any time in the past, permitting nearly instantaneous notification of changes on servers.
• Application level analytics. More intelligence around the detailed usage of online applications, particularly where financial transactions are concerned, will help application owners to be in a better position to detect fraud, whether perpetrated by insiders or outsiders.

Organizations must re-think their threat management strategies in order to stay ahead of the hazardous Threats 2.0 landscape that puts their operations at risk. Only through careful analysis and implementation of more advanced controls can they hope to effectively manage new and more sophisticated risks.