The changing nature of malicious attacks




Computer Fraud & Security, June 2008, p. 15

Andy Jones

Andy Jones takes a look at the changing threat horizon.

History has taught us that the world is turbulent – and the information world is no different. Since the advent of computing or, more particularly, since the start of the Internet, people have been motivated to attack information at the heart of businesses, organisations and individuals. From the Morris worm of 1988, to the ILOVEYOU worm to botnets, the information world has been similarly stormy.

For an attack of any type to take place, four elements have to be in place – people, motive, opportunity and means.

This quartet is also found behind most attacks in the information world.

People

In the past, organisations were constructed like castles, with impenetrable outer defences. This meant that to launch a successful attack, you generally needed to be within the defensive perimeter – an insider – employed by the organisation. While the insider threat has certainly not gone away, the increasing connectivity and erosion of network barriers means that we now have to consider an outsider to be as capable of launching a successful attack as an insider. And unfortunately, there are a lot more outsiders than insiders.

Motive

Fortunately, most people don’t want to attack organisations – they simply don’t have the motivation to do it. When people do choose to attack organisations they are generally motivated by three things:

[The paragraphs that follow, down to the note on Richard Moulds, belong to an adjacent article on PCI DSS key management that shares this page of the magazine; the first of them begins mid-sentence. The Andy Jones article resumes with the three motives listed below.]

…data, not only to protect against data theft but also against internal misuse of legitimate privileges. For example, by separating the functions of key management from key usage, businesses can easily introduce additional layers of access control.

Malicious or tampered application code can bypass encryption altogether, but this can be countered by running critical software – such as processes that truncate PAN information, authenticate users, or scan and filter sensitive data – in a secure hardware environment.

The protection of the encryption keys used to protect cardholder data against disclosure and misuse, whether stored or in transit, is fundamental to PCI DSS, and its effectiveness depends on strong key management. Keys should be stored securely in the fewest possible locations and forms. It is widely recognised that storing keys in software leaves them vulnerable to attack at many levels, so the best practice is to store and manage cryptographic keys within a tamper-resistant Hardware Security Module (HSM).

However, secure key protection is only part of the challenge. Controlling access to keys is also vital; allowing keys to be accessed by anyone with system privileges is a violation of the PCI regulations. To meet this requirement, organisations need a powerful array of controls that suit large-scale deployments, where the number of custodians is unavoidably large. This includes strong authentication of administrators, support for dual control, where multiple administrators can be required to cross-supervise key management activities, and tight definition of key usage rights.

Policy, procedures and compliance

PCI DSS states: “Fully document and implement all key management processes and procedures.”

This requirement lists a number of specific sub-requirements associated with key management. In particular, this section of the PCI DSS regulation calls for tighter controls on key security, the periodic changing of keys, the deletion of old keys and the immediate replacement of compromised keys.

Although all key management tasks can be performed securely with an HSM, in the case of large-scale deployments the number of physical devices will force system architects to look beyond manual key management processes to more centralised and automated systems.

When it comes to using encryption – fundamental to data protection – some companies are struggling with PCI DSS’s cryptographic key management requirements, simply because they are not clear what they are and how to implement them. Many believe that if they have an encrypted database it is enough. While cryptography may be considered a black art, the tools and technologies to meet PCI DSS requirements are readily available.
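The controls described above – separating key management from key usage, dual control over custodian actions, tight key usage rights, periodic rotation, deletion of old keys and immediate replacement of a compromised key – can be sketched as a small key-custody service. The following is an added example written for this page; it is not code from the article or from nCipher. Custodians act on key versions only under dual control, while applications invoke keyed operations and never receive key bytes. HMAC-SHA256 stands in for the keyed operation (think of deterministic PAN tokenisation) because the Python standard library ships no authenticated cipher; the custody rules are the same for a data-encryption key held in an HSM. The custodian names, the `tokenise` usage right and the test card number are constructed for the example.

```python
"""Added example: key custody with management/usage separation, dual control,
usage rights, rotation, compromise handling and deletion (not from the article)."""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Set, Tuple

ACTIVE, RETIRED, COMPROMISED = "active", "retired", "compromised"


class KeyVersion:
    """One generation of a key. The material is private to the custody service."""

    def __init__(self, material: bytes, usage: Set[str]):
        self._material = material
        self.usage = frozenset(usage)   # tight usage rights, e.g. {"tokenise"}
        self.state = ACTIVE

    def mac(self, data: bytes) -> str:
        return hmac.new(self._material, data, hashlib.sha256).hexdigest()


class KeyCustody:
    def __init__(self, custodians: Iterable[str], usage: Set[str]):
        self.custodians = set(custodians)      # authenticated key custodians
        self.usage = set(usage)
        self.versions: Dict[int, KeyVersion] = {}
        self.current = 0
        self.rotate(sorted(self.custodians)[:2])   # initial key, dual control

    # ---- management plane: every call needs two distinct custodians ----
    def _dual_control(self, approvers: Iterable[str]) -> None:
        approvers = set(approvers)
        if len(approvers) < 2 or not approvers <= self.custodians:
            raise PermissionError("two distinct key custodians must approve")

    def rotate(self, approvers: Iterable[str]) -> int:
        """Periodic key change: the new version alone protects new data;
        earlier active versions are retired (kept for verification only)."""
        self._dual_control(approvers)
        for kv in self.versions.values():
            if kv.state == ACTIVE:
                kv.state = RETIRED
        self.current += 1
        self.versions[self.current] = KeyVersion(secrets.token_bytes(32), self.usage)
        return self.current

    def compromise(self, version: int, approvers: Iterable[str]) -> int:
        """Immediate replacement: the version is refused even for verification
        and a fresh version takes over at once."""
        self._dual_control(approvers)
        self.versions[version].state = COMPROMISED
        return self.rotate(approvers)

    def delete(self, version: int, approvers: Iterable[str]) -> None:
        """Deletion of an old key once nothing protected under it remains."""
        self._dual_control(approvers)
        if self.versions[version].state == ACTIVE:
            raise ValueError("the current key cannot be deleted; rotate first")
        del self.versions[version]

    # ---- usage plane: operations only, key material never leaves ----
    def protect(self, data: bytes, purpose: str) -> Tuple[int, str]:
        kv = self.versions[self.current]
        if purpose not in kv.usage:
            raise PermissionError(f"key v{self.current} not authorised for {purpose}")
        return self.current, kv.mac(data)

    def verify(self, version: int, data: bytes, tag: str) -> bool:
        kv = self.versions.get(version)
        if kv is None or kv.state == COMPROMISED:
            return False                       # deleted or compromised: refuse
        return hmac.compare_digest(kv.mac(data), tag)


def key_lifecycle_demo() -> dict:
    """Walks one key through rotation, compromise and deletion."""
    pan = b"4111111111111111"                  # constructed test card number
    svc = KeyCustody({"alice", "bob", "carol"}, {"tokenise"})
    v1, tag1 = svc.protect(pan, "tokenise")
    v2 = svc.rotate(["alice", "bob"])          # periodic change
    _, tag2 = svc.protect(pan, "tokenise")
    retired_verifies = svc.verify(v1, pan, tag1)      # retired key still verifies
    v3 = svc.compromise(v1, ["alice", "carol"])       # v1 out, v2 retired, v3 active
    compromised_verifies = svc.verify(v1, pan, tag1)
    svc.delete(v2, ["bob", "carol"])
    v, tag3 = svc.protect(pan, "tokenise")
    return {"v1": v1, "v2": v2, "v3": v3, "tags_differ": tag1 != tag2,
            "retired_verifies": retired_verifies,
            "compromised_verifies": compromised_verifies,
            "v2_after_delete": svc.verify(v2, pan, tag2),
            "current_verifies": svc.verify(v, pan, tag3)}


if __name__ == "__main__":
    print(key_lifecycle_demo())
```

Two design points carry the article's argument. A caller that holds only a system privilege on the application host can call `protect` and `verify`, but cannot obtain the key bytes or change a key's state, because the management plane checks for two distinct custodians on every call. A retired key keeps verifying data protected under it, so rotation does not break existing records, whereas a compromised key is refused immediately, so a single compromised version cannot be used to forge acceptance after the fact.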

About the author

Richard Moulds is the executive VP of product strategy at nCipher.

ATTACKS


• Greed – the desire to gain something from the attack; usually financial, but may also be power.

• Malice – the desire to cause harm, often as an act of revenge.

• Fear – where the attacker is being coerced or blackmailed to make the attack.

Opportunity

Once a person is motivated to launch an attack, they need to have the opportunity to commit a harmful act. Opportunity can be provided through vulnerabilities such as control weaknesses, poor segregation of duties, inherent technical vulnerabilities, or special circumstances such as uncontrolled access to the Internet.

Means

Once opportunity is present, a person must have the tools – the means – to cause harm. Means turn motive and opportunity into a harmful act and can include both knowledge and access to the necessary technology. Once all four elements are in place, an attack is likely, and it can take many different forms or vectors.

The different forms of attack

Attack vectors can vary from the highly technical through to the mundane and everything in between. A highly technical attack may involve probing the vulnerabilities of an organisation’s IT systems and writing an exploit for those weaknesses. Traditionally, a high degree of technical knowledge has been required, but this barrier has been lowered as ready-made attack kits have become available, even over the Internet.

The mundane attack can be the result of a scam, or a social engineering operation in which an employee is tricked into carrying out the attacker’s work – sometimes termed the ‘doh’ factor. Social engineering techniques are often highly successful and should not be underestimated.

There are also many different forms of attack between these two extremes and a perpetrator can have an increasingly large arsenal of weapons to choose from when planning an operation.

How are people and motive changing?

Until fairly recently most attacks on organisations were either from an external attacker whose motive was to disrupt the business operation for reasons of personal notoriety, or from an internal employee wishing to commit a fraud.

However, this simple model is changing. Certainly people have become more technology aware and more mobile; but generally ‘people are people.’ The more important changes have taken place in the motive.

As the information age takes hold and all types of business increasingly take place in the information world, criminal elements have refocused their attention away from the traditional bank robbery or money laundering scam to the theft of electronic identities in order to steal or launder money. In doing so they are more likely to employ a technical expert to steal information quietly and efficiently. The motivation has changed from disruption to undetectable theft from an organisation, perhaps over an extended period of time.

How are opportunity and means changing?

As the motive has changed, so have the opportunities. Information systems are accessible through the Internet; they are much more complex; and they are likely to have more vulnerabilities that can be exploited.

The target of attacks is changing from a random nature – such as an Internet worm designed to cause damage to any organisation it can find – to a highly targeted attack, where the criminal element will select and research the organisation to understand its particular vulnerabilities and then commission a customised attack. This may range from a specially written code-based attack, to infiltrating the organisation and social engineering.

The type of attack selected will depend on which vulnerabilities can be exploited the most easily; but the attack is likely to have a high degree of success.

Together with a change from random targeting to highly specific organisational targeting, attacks can also be planned against a specific private individual or set of individuals. Typically, though not exclusively, these are high net worth individuals who have access to significant amounts of money. Again, this attack target will be researched and their vulnerabilities identified and exploited.

The form of attack is more likely to be a social engineering attack, through a highly customised and targeted spear-phishing email for example, or another form of scam to gain access to identity information or banking facilities.

A highly customised and researched attack of this nature can be extremely credible and has a high chance of success.

Responding to the new threats

Of course organisations have not stood by idly and ignored the changing modes of attack. Particularly in the financial sector, there have been important initiatives in educating customers and strengthening Internet-based authentication, with a move to strongly authenticated customer transactions.

This will undoubtedly raise the height of the barricades, but the amount of money transacted through Internet channels makes the prize of subverting those channels irresistible. Therefore, we should expect to see very sophisticated technical attacks aimed at defeating strongly authenticated transactions. For the criminal element, attacking commerce through the information world is very low risk compared to robbing a bank and it is likely to prove too attractive to ignore.


History demonstrates that there is nothing new under the sun and, while we expect to see a significant change in the focus of attacks and new types of sophisticated technical attacks, the four elements of the quartet – people, motive, opportunity and means – still provide the key. Remove or reduce the risk from any one of the elements of the quartet and the threat of malicious attacks can be significantly reduced or diverted elsewhere. Getting the quartet to play in tune will be the difference between doing business and losing business.

About the author

Andy Jones is a senior research consultant at the Information Security Forum (ISF).

WAR & PEACE IN CYBERSPACE

Now for the good news – scientists and educators are keeping the flame alive

Dario Forte and Richard Power

Forte and Power delve into breaking research at Carnegie Mellon after digesting a few industry surveys.

The news is rarely good. And whenever it is “good,” we are suspicious (and usually for good reason). Consider the findings of a recent report conducted for (ISC)2 by Rob Ayoub at Frost & Sullivan: “The major data breaches that have received mass media coverage are driving so-called ‘C-level’ executives to become actively involved in their organization’s security policies … ‘CEOs are asking their security professionals important questions about how they’re prepared to not become another TJX,’ Ayoub explained. ‘We’ve heard a lot in the past about upper management taking a role in security; this time it is validated.’

“Ayoub also said the report indicated companies planned to spend more money on security training, and that security professionals are ‘optimistic’ about their job.

“All this points to the conclusion that more C-level executives are ‘showing actual concern about what their security professionals are doing and not just paying lip service,’ Ayoub said.” (SC Magazine, 9 March 2008)

Why aren’t we impressed? Well, let’s just say we have developed a healthy skepticism over the years. Sometimes it seems as if the “C” in C-level stands for cynicism.

Another interesting study was recently released, this one conducted by Deloitte Touche Tohmatsu: “The 2007 Technology, Media and Telecommunications (TMT) Survey indicates that 46% of more than 100 respondents have no formal information security strategy. However, 69% of the respondents surveyed said they’re ‘very confident’ or ‘extremely confident’ in their abilities to deal with security challenges.”

Excuse me? No, you heard it right. Almost half of the organisations responding to the survey have no formal information security strategy at all, and yet almost 70% of them are feeling good about their chances.

Now that sounds more like the upside down world we know. And the findings of this study strike us as particularly illustrative of the kinds of companies surveyed, i.e. technology, media and telecommunications.

According to Rena Mears, who leads Deloitte’s privacy and data protection team: “‘When you look at the survey, 38% say they have the skills and capabilities to respond effectively to security challenges – that’s less than 40%,’ she said.”

“Forty-nine percent of respondents said they’re falling behind on security threats. Just seven percent replied that they thought their security situation was improving, and only five percent said they had increased security spending by 15% or more. A major problem, Mears explained, is that many organisations consider security to be an IT initiative only. Thirty-eight percent of respondents said their senior executives do not consider security to be a strategic issue.” (SC Magazine, 7 February 2008)
