Sophos Mid-Year Threat Report
Sophos, a UK-based security company, released their Mid-Year Top Threats report a few days ago. I found it to be very informative and focused. If you are not subscribed to their Naked Security blog yet, I suggest you do.
The report, as the title implies, focuses on the major IT security threats that their researchers have found. The numbers they give are frightening---although not surprising for anyone keeping an eye on the state of security---Sophos has seen 150,000 malware samples every day and an increase of the web as a vector for threats, like malicious URLs. In fact, a new web threat is detected every 4.5 seconds.
The interesting part is that a huge majority (80%) of these websites sending malicious payloads belong to legitimate companies. How come? Well, they simply have been hacked. If your motivations are not hacktivism (the report has a special section for LulzSec), but instead money, you might want to keep your hacking quiet, so that you can infect even more people. And the hacked servers are not in third-world countries, either. Most of them are in the U.S.:
Now if 19,000 new websites everyday are hacked and modified to infect PCs, what does your company do? Here’s to hoping you not only have inbound anti-virus scanning---Unified Threat Management platforms are now reaching the 10 Gbps mark, and some even more, so you should be covered---but also outbound. You don’t want to be hacking the computers and phones of your visitors, now do you?
Threats from Social Networking
Another interesting part of the report is the section about Social Networking. I try to keep an eye on the threats that you can catch on those, and sometimes it’s bafflingly simple, like an application requesting permanent access to your personal data, and you’ll just allow it because you don’t really read what Facebook tells you. Or, worse, crafted status updates containing Cross-Site Scripting (XSS) code redirecting you to a page that’ll inject a payload in your browser---using a 0-day in the very worst case, hoping you didn’t upgrade your browser in a slightly-less-worst case---and redirect you then again to the original page. Here, too, Facebook seems to be a big playing field for those kinds of attacks. It’s not easy to be the leader.
The next section moves onto email-based attacks. Interestingly, email usage is decreasing at a huge speed – almost 60% less this year than the one before for the younger age period (12-17 years old). Attacks using this vector don’t use the good-old infected attachment so much anymore. It’s best to use HTML here again (allowing XSS or Cross Site Request Forgery, CSRF). That doesn’t mean you should suddenly trust every attachment, mind you. The chart below illustrates the families of e-mail based attacks. Make sure you’re testing your IPS, UTM or AV appliance against those, using the Avalanche Vulnerability Assessment or something similar.
The report contains much more information, and you can never be too careful when it comes to hackers and threats. Some will go after you just for the kicks or to make you look bad. Some will go after you with the intention to steal confidential data. Some will even go after you just to let you know you have vulnerabilities. The point is: you need to be sure you’ve done the best you can to protect your own as well as your customer’s data. It’s very hard to put a price on your reputation, and even harder to recover from a bad reputation. Ask Sony.
I should conclude by saying that all of this being true, there’s an extra layer to take into consideration: Virtualization, or Cloud Computing. I love this technology; I think it’s a major evolution. But it can also potentially lead to disasters. When you put all your eggs in the same basket, you have to make sure there’s no rotten egg in it. Now that there is no more physical separation between servers, it’s even more important to protect them and pick the right tool. Fortunately, the Avalanche Vulnerability Assessment is also available in a Virtual Edition, so you will be able to test your infrastructure, using the same test cases for Virtual and non-Virtual scenarios, therefore testing end-to-end with a unique tool.