ITNow – Upcoming Threats and Countermeasures

The following article was originally published in the Information Security section of the BCS ITNow Magazine, Spring 2012 issue (Volume 54, Issue 1), which was on the topic of Upcoming Threats and Countermeasures:

Gareth Niblett, Chairman of the BCS Information Security Specialist Group, takes a glimpse into the future* to see what emerging threats we might have to contend with.

Cloud computing offers many benefits over the traditional approach of owning, growing and maintaining a network of computers. It also brings complications and risks related to multi-tenancy hosting, off-shoring, consolidation and jurisdiction.

With such growth in this area, attackers are likely to increase their targeting of both cloud-based services and their underlying platforms, as well as leverage their scalable processing power, e.g. to break encryption.

Extraterritorial application of laws, such as the US PATRIOT Act, can undermine even EU data protection rules, and the trust that rests on them, if a cloud provider is in scope.

The scale of compromises may be massive when they do occur, and the scope for forensic examination of complex platforms is severely restricted by contracts, accessibility, capability and jurisdiction, thereby hampering investigations and prosecutions.

Those putting their own, and their customers’, data on cloud services should ensure that they are able to meet their legal, regulatory and contractual obligations to all parties in contracting, operation, incident response and migration.

Ghosts in the wires

So-called advanced persistent threats (APT), or continued state of ignorance (CSI), will continue. These are large-scale compromises, over a long period of time, possibly state-sponsored or condoned, aimed at extracting commercially or personally sensitive information from the targets.

They will reconnoitre, infiltrate, establish a beachhead and back doors, conduct whatever espionage they have in mind and then exfiltrate data. Social engineering / blagging, spoofing, spearphishing, blackmail/bribery, infiltration, break-ins, dumpster diving, bugging, hacking etc. can all be part of the repertoire.

If even journalists can find out information from phones and computers of celebrities, police and politicians, what do you think your chances are against a suitably motivated, technically capable and well-funded attacker?

Use of targeted attacks and malware will grow, sometimes deniable and sometimes for publicity. Stuxnet and Duqu may have been the tip of an iceberg and based on flexible attack toolkits that can be tailored for specific targets and carry specialist payloads, e.g. for espionage or disruption.

Hacktivism, where a specific message is aimed at the target group and often the intent is as much to embarrass and drive home the message as to compromise systems or information, is also gaining traction.

Not forgetting mass attacks, which use vulnerabilities in popular software and so affect many organisations; these are low-hanging fruit for an attacker.

Simply keeping patches up-to-date is clearly insufficient to counter this threat, as recent attacks have used multiple zero-day (0-day) vulnerabilities. If you are running a system that holds customers’ personal and financial data, encryption needs to be both utilised and effective.

The adage of defence in depth should be de rigueur, as competent attackers will come quietly, with patience and persistence.

Your organisation needs the right personnel, policies, technology and procedures to detect, repel, contain and respond, in short order, to minimise downtime, data losses, embarrassment and costs when it does occur.

Online blockades

Excuses for filtering and blocking will carry on growing, adding to the regime of ineffectual prevention of web access to material related to child sexual abuse, terrorism, religious and racial hatred, sedition, defamation and libel, as well as blocking offshore services providing online gambling, copyright infringement and sale of controlled or duty-paid goods, such as drugs, alcohol and tobacco.

Laws and agreements with unintended consequences are the result of addressing the symptoms rather than root causes, i.e. sources – SOPA, PIPA, HADOPI, ACTA, as well as court orders requiring ISPs to block.

Breaking DNS, for example, to render websites inaccessible, undermines the security of the internet and fails in the face of technical competence. Only by removing content or services can they be truly blocked.

International rules should recognise the cross-border nature of the internet and understand that local laws might not work well in an environment that doesn’t have physical borders.

We need better agreements, cooperation and action in tackling harmful and illegal online content and services; those in child safety have had great success in taking down content, services and rescuing those being harmed with international cooperation and assistance from ISPs and others.

Lawmakers should be encouraged not to legislate in areas they don’t understand, especially when based on one-sided arguments put to them by lobbyists. The issue will remain difficult to resolve while there is a disparity in legal and moral positions between countries.

Cyber wargames

The military has traditionally favoured growth and the adoption of new technologies; a bigger empire with more weapons. ‘Cyber’ is no different. The main difference is the unresolved issue of attribution as plausible deniability is much easier in a cyber context.

An attacker’s computers don’t need to mass at a border, nor are they marked so that independent observers can identify them; indeed compromised systems may be used to further obfuscate things.

Cyber arsenals are being built up, not only by the usual suspects of US, UK, Russia and China, but by Israel, Japan and smaller countries.

Cyber warfare capability is a force multiplier and provides the potential for asymmetric warfare. Israel and others have said that they will treat a cyber attack in the same way as a physical attack and may respond kinetically, rather than simply in kind. Bits vs bombs, if you will.

Rules of cyber conflict, broadly similar to traditional rules, are starting to emerge. This needs to continue and ensure that some of the trickier questions are answered.

Surveillance nation

The false zero sum game of security vs. privacy will continue to play out, with the enforced information sharing of personal and financial data, in the name of protecting life and liberty.

As everyone is a suspect, who needs to be monitored to ensure compliance, we need a panopticon for all communications – so say an increasing number of governments, trying to suck up everything to find needles.

Without transparency, oversight and being made to justify and temper ambitions, governments, law enforcement and intelligence agencies will continue to take liberties with our privacy, and abuses will stay hidden, unless citizens take a stand.

Trap and trade

Where miscreants are identified, we will see increased use of mutual legal assistance, international arrest warrants and extradition, even where the suspect may not have committed an offence in the jurisdiction seeking them.

Nationals who would not be extradited by their home country will be tricked into travelling, or tracked while travelling, to more co-operative countries, where they are then seized.

This will not just be for criminal hackers and fraudsters but also whistleblowers, copyright infringers and online gambling site operators etc.

International rules in this area should be equitable and extradition requests should be based on the same level of evidence required for a prosecution in the country holding the subject in question; preferably for a crime recognised there also.

Media Muddle

Writers will continue to conflate and confuse denial of service with hacking and downloading with sharing.

The fear mongers will repeat long-in-the-tooth scare stories about terrorist hackers taking down all the technology and services we take for granted.

There will often be seeds of truth and fact behind the dark, sinister tales, but they should not be taken as gospel without supporting evidence.

Identity matters

UK citizens will fail to realise the benefits of a robust service-focussed digital identity, due to past government mistakes on the national ID card, whereas, in the US, NSTIC may create a two-tier internet in relation to online identity.

ID cards and online identities need not be bad things, provided the intentions of those providing them can be trusted and the necessary checks and balances are in place and used.

Problems arise when your information is gathered without clear informed consent, analysed, sold and used ‘against’ you. Users can gorge on cookies, becoming the product that is marketed to advertisers, whilst adding increasing amounts of personal detail and value to their social profiles.

Use of social logins and sharing will exacerbate this. ‘Do not track’ will fail to gain significant traction, due to technical reasons and user adoption, as have other web privacy and security standards.

What can be done? Well, I don’t think people are going to suddenly stop using Google, Facebook, Twitter and LinkedIn, but the new EU Data Protection reforms may well finally make non-EU entities play fair with data belonging to EU citizens.

You’re unique

People share passwords between accounts. It is human nature, especially when long and complex passwords are required.

The brain can only cope with so much, and there’s only so much space for Post-Its. If you register with any online service you need to be mindful that many attacks have exposed client information (including personal details, passwords and credit cards).

This can lead to further compromises, especially when an email address is used as the user ID and the password is reused.

Use a password manager. Long, Unique, Complex and Kept safe – you make your own LUCK. Password reminders and resets are often sent to your registered email account.

Never use your email password with another online service; otherwise you may be gifting an attacker with another route in. If you have control of your own domain name(s) and email accounts, you have the option of using a different email address for each online service.

Combined with unique logins, this would mean that a single compromise doesn’t undermine all your accounts.
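As an added illustration of the point above (not code from the article), here is a small Python audit of a constructed credential inventory: it flags reused passwords, works out which accounts a single breach would expose, then rewrites the inventory to per-service addresses on your own domain with fresh unique passwords. The domain example.org, the catch-all mailbox assumption and all account data are constructed.

```python
import re
import secrets
import string
from collections import Counter

# Constructed sample inventory (not real accounts): one mailbox address is the
# login everywhere and the mailbox password is reused on two other services.
BEFORE = [
    {"service": "mailbox", "login": "alice@example.org", "password": "Summer2012!"},
    {"service": "shop",    "login": "alice@example.org", "password": "Summer2012!"},
    {"service": "forum",   "login": "alice@example.org", "password": "Summer2012!"},
    {"service": "bank",    "login": "alice@example.org", "password": "Tq7#vLm2$pXr9!bZ"},
]

def service_alias(service, domain="example.org"):
    """Per-service address on a domain you control (assumes a catch-all mailbox)."""
    return f"{service}@{domain}"

def generate_password(length=20):
    """Long and Complex: one char from every class, the rest random, then shuffled."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
    chars = [secrets.choice(c) for c in classes]
    chars += [secrets.choice("".join(classes)) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)

def is_luck(pw, min_len=16):
    """Long and Complex checks; Unique is judged across the inventory below."""
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return len(pw) >= min_len and all(re.search(c, pw) for c in classes)

def reused_passwords(accounts):
    """Services whose password also appears on another service (the Unique check)."""
    counts = Counter(a["password"] for a in accounts)
    return sorted(a["service"] for a in accounts if counts[a["password"]] > 1)

def blast_radius(accounts, breached):
    """Services an attacker reaches after `breached` leaks its login and password."""
    leaked = next(a for a in accounts if a["service"] == breached)
    reached = {a["service"] for a in accounts
               if a["login"] == leaked["login"] and a["password"] == leaked["password"]}
    if "mailbox" in reached:
        # password resets are delivered to the mailbox, so every registered account falls
        reached |= {a["service"] for a in accounts}
    return reached

def harden(accounts, domain="example.org"):
    """Keep the mailbox login, give every other service its own alias and a fresh password."""
    return [dict(a, password=generate_password(),
                 login=a["login"] if a["service"] == "mailbox" else service_alias(a["service"], domain))
            for a in accounts]
```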

*Risk can increase as well as decrease. Past security performance does not guarantee future success. We suggest you seek advice from a qualified security advisor etc.

A PDF version of the magazine is available online to BCS members at:

https://wam.bcs.org/wam/sentinelcheck.exe?/20799/20802/20964/20967/pdf/mar12.pdf

ISNow – Future Threats

The following introduction was originally published in the BCS Information Security Now Magazine, Winter 2010 issue (Volume 5, Issue 2), which was on the topic of Future Threats:

“The start of each New Year brings festive cheer and thoughts about what security related treats we might see in the coming year. I think 2011 may bring:

Targeted malware – next generation spear-phishing. The emergence of Stuxnet, which combines traditional malware techniques with a specially crafted targeting mechanism and payload parameters, may signal a new form of deniable attack. Even with the time and resources required to develop the intelligence and programming that feeds into such software, it could still be a much more cost effective and politically acceptable virtual approach versus physical alternatives. This attack vector is likely to be picked up by other online ne’er-do-goods.

Secrets revealed – exposing truths. Wikileaks, Cryptome, The Smoking Gun and others have a track record of exposing the secrets of governments, corporations and individuals. State and court sanctions are unlikely to deter all those seeking to expose unlawful, hypocritical and immoral activities. Once details are released on the internet it is too late, however good your censorship capabilities are, and if the traditional press get hold of it too it’s as good as over. As people learn the effectiveness of such exposure we may see more whistleblowers emerge.

Personal intrusions – self-exposure. From airport security officials wishing to either irradiate us or touch our junk; governments wanting to know about our worldwide banking arrangements, health, happiness and online activities; social networks wanting to know where you are, who your friends are and what you’re saying; advertisers wanting to know where you are and what you’re interested in; employers wanting to know if you’re a suitable hire or risk to the business.

Happy New Year – hopefully.”

A PDF version of the magazine is available online at:

http://www.bcs.org/upload/pdf/ISNOW-Winter2010.pdf

ISNow – Coming Threats

The following introduction was originally published in the BCS Information Security Now Magazine, Winter 2009/10 issue (Volume 4, Issue 2), which was on the topic of Coming Threats:

“The start of each new year brings the promise of a bevy of unwelcome threats. Many will be variations on an existing theme, some may rely on the growth of a particular medium, and there could be an occasional new but predictable attack that leads us to smack our foreheads and wonder why we didn’t see it coming.

I’m no soothsayer, but I have a few ideas of threat-related trends we may well see in the coming year:

Business Change

The global downturn, recession, comeuppance for greed and risk ignorance, or whatever you wish to call it, threatens business. This could be through redundancies, liquidation, jettisoning failing companies and mergers, all of which will bring significant business changes that have to be managed securely, ensuring that critical business assets are properly protected.

Cloud Computing

Bringing together all the benefits and pitfalls of outsourcing, off-shoring, virtualisation, co-location and rapid application development. Great when it works, but when it doesn’t there may well be issues of legal jurisdiction, enforcing contract and audit rights, forensic investigation, data migration and so on. Make sure the cloud doesn’t become a basket to hold all your eggs.

Social Networking

Website, email and instant messaging wrapped up into one. Already allowing ready personal and business information leakage through to providing a new platform for malware distribution and botnet command and control, the social networking phenomenon offers unrivalled growth for interaction, both good and bad, which is likely to continue unabated.

I’m sure this only touches the tip of the iceberg, and we may well see more large-scale politically motivated attacks, new vulnerabilities in core internet services, smartphones get hit hard, growth in internet governance (read interference, control and surveillance) along with new ways to avoid it.

Happy New Year.”

A PDF version of the magazine is available online at:

http://www.bcs.org//upload/pdf/isnow-winter09_1.pdf

ISNow – Emerging Threats

The following introduction was originally published in the BCS Information Security Now Magazine, Winter 2007/2008 issue (Volume 2, Issue 2), which was on the topic of Emerging Threats:

“I’m sure we all have a perspective on what threats we expect to see come to the fore over the coming year(s). If we listen to the vendors, all manner of dooms await us around each corner and we should buy their latest technology to cure our ills. I too have a few ideas of what might cause us some pain in 2008…

Individuals

  • Not allowing policy, procedure, technology or common sense to get in the way of doing daft things (like exposing customers’ personal information)
  • Not understanding the value of personal information, and putting it online or leaving it lying around – for others to make use of
  • Continuing to click on attachments and links which expose them to increasingly effective malicious software

Virtualisation

  • Moving from a physical to logical architecture will complicate security and resilience if not properly considered and catered for in (re)design
  • Responding to incidents will need to recognise that logical systems can be co-located on shared hardware, or distributed (even internationally)
  • Legally admissible forensics will be hampered by the ephemeral nature of virtual machines, combined with jurisdictional problems if off-shored

Applications

  • Development becomes more rapid, with less focus on a robust software development lifecycle methodology than on getting the latest beta online
  • Attackers will increase their focus on finding vulnerabilities in applications, rather than at systems and networks, which are now more security aware
  • Web 2.0, mash-ups and other haphazard application development will make interesting targets for those wishing to expose weak security

May I wish you a happy, safe and secure 2008.”

A PDF version of the magazine is available online at:

http://www.bcs.org/upload/pdf/isnow-winter08.pdf