As the nature of Internet threats has morphed, IT systems professionals and security providers have adapted their response tactics.
Part 1 of this two-part series takes a look at how the security threat landscape has shifted. This second installment considers what strategies the experts are cooking up to prevent and protect against the latest onslaughts.
Increasingly, organizations are developing comprehensive security strategies and implementing a variety of online and on-demand security applications and services across the entire range of their IT operations.
The need for fast, efficient and unobtrusive protection has led some security systems developers to become managed security service providers (MSSPs). In addition to delivering patches and system updates via automatic or on-demand downloads, MSSPs are broadening the range of security management services they provide.
The first six months of 2006 brought considerable change to the IT systems threat landscape, according to Kaspersky Labs’ semiannual security review. The monthly count of new malicious programs increased by 8 percent compared to the first half of 2005.
“We’re seeing a continued increase in [the] use of Trojan applications designed to steal personal and e-login information,” reports Shane Coursen, senior technical consultant for Kaspersky Labs in the U.S.
“Internet crime is still a relatively recent development,” he tells TechNewsWorld, “so the use of cunning programs that help to steal personal and confidential information is just beginning; in fact, we have yet to see truly innovative methods by attackers to trick us into running their app, visiting their malicious Web site, etc.”
The use of rootkit malware is one area of concern, Coursen continues. “Rootkits are very powerful tools that allow a person to hide their malicious activities and programs. We are still seeing an increase in them; however, their development is lengthy and involved. Unlike viruses and Trojans, rootkits aren’t a dime a dozen, and not yet easy enough for your basic script kiddie to employ. Most often, we see Trojan applications with one or two basic rootkit-like characteristics.”
One of the most dangerous trends of recent months is holding data hostage. “Malicious users use a program to modify data on a victim machine and then blackmail the user. Many of these programs are very similar to one another and are either designed to impair the victim machine’s functions, or to block access to data,” states the Kaspersky Labs security bulletin.
Trojans, in their many manifestations, were the preferred tool of cyber-extortionists in the first half of the year. The number of new malicious programs — including modifications — each month increased by an average of 8 percent compared to the same period in 2005.
Trojans represent the lion’s share of malicious programs. Whereas Kaspersky’s figures for viruses and worms exhibited a slight decline (1.1 percent) compared to the first six months of 2005, Trojans are the only kind of malicious program that demonstrated growth in the number of new modifications over the first six months of this year (9 percent), according to the Kaspersky security review. “The increased number of Trojans plays a large role in determining the growth of malware as a whole,” the authors stated.
“Of the many different types of Trojan programs, the most common are Backdoor (30 percent), Trojan-Downloader (26 percent), Trojan-PSW (12 percent) and Trojan-Spy (13 percent). How do these Trojans differ from others? The answer is actually much simpler than it would seem at first glance: It all depends on money. These Trojans are the key element when it comes to stealing personal data or creating a botnet. This is the reason why these are the most popular among malicious users, who are increasingly profit oriented,” they explained.
The use of malware — Trojans in particular — for extortion is an emerging threat, they added. “One of the most dangerous trends seen over the past months is the growth in the number of incidents where malicious users use a program to modify data on a victim machine and then blackmail the user. Many of these programs are very similar to one another and are either designed to impair the victim machine’s functions or to block access to data.”
During the first half of this year, the number of Trojans used for blackmail increased from two to six. At the peak of their development, their attacks were limited mainly to Russia and the CIS (Commonwealth of Independent States). However, by the end of July, the authors or users of these programs had clearly branched out: similar blackmail cases were seen in Germany, the UK and several other countries.
These days, threat protection is embedded in nearly every element of an IT department’s operations, given the nature of IT security threats and their evolution. MSSPs have expanded and are seeing their businesses mature, partly as a result.
“MSSPs are moving toward providing services that cover more elements of the vulnerability management lifecycle, such as internal and external scanning for vulnerabilities; threat intelligence to identify emerging exploits; richer correlation of asset data with vulnerabilities, threats and attacks; and blocking or shielding capabilities to stop attacks,” Kelly Kavanagh of Gartner’s Internet security and privacy group tells TechNewsWorld.
Meeting evolving organizational IDS (intrusion detection systems) and IPS (intrusion prevention systems) needs is a challenge, however, he notes.
“The ability to offer technology that promises faster reaction in stopping attacks — including targeted attacks or those not based on known vulnerability signatures — is a selling point. However, the MSSPs must overcome customer concerns that routine business activities will be mistakenly blocked — and that as outsiders, the MSSPs will be too slow to realize and react to that situation. This will require MSSPs to become more aware of and connected to their customers’ IT operations, network operations and business functions in order to fine tune their services to each customer’s requirements.”
Recent acquisitions among MSSPs, such as IBM’s purchase of Internet Security Systems, are one indication of the maturing market, Kavanagh noted. Growth in the MSSP market, he said, is increasingly driven by more activity in outsourcing basic security operations — with a current focus on firewall management and IDS monitoring, and interest growing for outsourcing IPS in the future.
Compliance with government and industry regulations and standards, such as Sarbanes-Oxley and the credit card PCI standard, has created demand for MSS that can provide documented processes and reporting that span vulnerability management cycles.
Moreover, demand is building for more-frequent vulnerability scanning delivered as a subscription service within a larger monitoring effort — rather than as a one-time professional services engagement. Increasingly, the subscription model is viewed as a viable alternative to maintaining tools and expertise in-house.