2010 Trend Watch

Stephanie Jordan — Thu, 01 Apr 2010 22:46:40 +0000

Security is an ever-evolving game and enterprises must strive to stay one step ahead of those that seek to attack them. Evolving mobile technologies, adapting malware and a new breed of attackers are all trends that enterprises should be paying attention to.

Mobile Changes the Game

Everyone is focused on Apple’s battle with Adobe and their refusal to include Flash on the iPad just as it has done so on the iPhone. Whether that battle is technical or political is of little consequence. Of importance from a security perspective is that mobility is now shaping the future of Web technologies and it will also shape the future of Web attacks. For the past decade it has been commonplace for Web sites to require the download of separate technologies in order to be accessible. Whether it was ActiveX controls, Java applets or browser plug-ins such as Flash, we simply accepted that we had to adapt to the Web site, rather than the other way around. That model will no longer be acceptable in a mobile world in which no single operating system rules the industry. Mobile devices are also less open when it comes to installing third-party software, so browser plug-ins are generally not an option. Forcing Web technologies to work cross-platform and across all Internet accessible devices will accelerate the pace of Web-based attacks. Viruses coded as executable binaries are not effective in this realm. Instead, attackers will continue to shift toward Web application attacks such as Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF) and Clickjacking, which do not discriminate when it comes to the target being exploited.

Web-based Worms

Everything has moved to the Web. Communication mediums such as email, instant messaging and peer-to-peer applications that traversed the Web via alternate protocols now do so leveraging HTTP(S). Desktop applications such as photo editing and document creation have also moved to Web-based platforms thanks to the ease of deployment and enhanced collaboration capabilities that they offer. Malware, likewise has moved to the Web. Increasingly, worms are driven not by executable binaries downloaded to desktops but rather vulnerabilities in Web applications. Worms move not from desktop to desktop, but rather from profile to profile within a Web application, most likely a social network. We’ve seen numerous examples over the years such as the Samy worm that impacted MySpace and the StalkDaily worm that hit Twitter. These worms do not target a particular operating system. They require only a Web accessible device and a vulnerable Web application. Traditional desktop AV products can do little to protect against such attacks and as employees store more and more information online, a successful Web-based worm can have devastating effects, accessing and altering confidential information.

APTs Become a Household Term

The attack on Google and 30+ other companies, which hit the media in January should not be seen as a new threat, but rather one that is finally flying above the radar. The ‘big bang’ worms that we saw five-plus years ago are dead. Attackers are not leveraging vulnerabilities to write worms that spread simply for the sake of spreading. Vulnerabilities are valuable commodities that can be exploited to achieve financial and political gains. The attacks on Google went mainstream because Google chose to put them there. Similar attacks happen on a regular basis but we rarely hear about them as corporations fear the negative repercussions of admitting to a security breach and do their very best to hide the details. More and more, we’re hearing the term Advanced Persistent Threats (APTs) attacks such as those that targeted Google. While there is no universally accepted definition of APTs, they can be defined as prolonged attacks by knowledgeable and organized adversaries to achieve a specific goal. Organized crime syndicates or foreign governments generally back the attackers and as such, access to need resources is not a problem. This understandably raises the bar for enterprise security. If there is a weak link in the security chain of an entity, the attackers will find it and exploit it.

Attacks and attackers continue to evolve and enterprises that fail to adapt are sure to become the next victim. The challenges to remain secure are significant, but achievable. Enterprises must look at these and other trends and shift budget dollars toward appropriate technologies and training to ensure that they’re staying one step ahead in this fast-paced game.

—

Michael Sutton — Vice President, Security Research; Zscaler

Michael Sutton has spent more than a decade in the security industry conducting leading-edge research, building teams of world-class researchers and educating others on a variety of security topics. As VP of Security Research, Michael heads Zscaler Labs, the research and development arm of the company.