HEAT Security Blog

2010 Predictions Redux: 2nd Half Predictions and Looming Threats

As we ended 2009 and entered 2010, many predicted that 2010 was poised to go down in history as “the year of insider threats”. It was not a risky prediction to make, considering our economic peril and our industry's continued, unwavering albeit misplaced focus on gateway rather than endpoint security.

The Worldwide State of the Endpoint Survey 2010 highlighted the reasons why the neglect of the endpoint is poised to increase enterprise risk:

  • Organizations' increasing use of technologies that improve productivity and reduce costs but create endpoint risks. These include open source software, Web 2.0 applications, cloud computing, virtualization and others. Moreover, the use of these technologies is expected to become more prevalent over the next 12 to 24 months, especially in the areas of cloud computing, Web 2.0 applications and virtualization.
  • Employees connecting their own computing devices, such as laptops and PDAs, to the organization’s network or enterprise system. A very small percentage of organizations in the study have a policy that permits this practice. As a result, organizations may not have control over who is accessing the network with illegal and unauthorized applications.
  • Endpoint management systems are complex. According to the study, on average 3.7 software agents are installed on each endpoint to perform management, security and other operations. In addition, organizations have on average 3.9 different or distinct software management consoles for endpoint operations.
  • Respondents reported a lack of skilled or knowledgeable personnel, followed by the misalignment of IT and business objectives and difficulty integrating multiple technologies as contributing to the challenge of managing the endpoint.
  • The endpoints are constantly under siege by virus or malware network intrusions. According to respondents, this was the most frequent security incident during the past year.
  • In many cases, organizations do not have adequate budget to invest in the technologies and other resources, such as trained and knowledgeable employees, necessary to protect the endpoint.
  • Collaboration between IT security and IT operations in many organizations does not happen as frequently as it should. According to the findings of the study, these two groups tend to have different perceptions about such critical areas as knowing what technologies are used that could put the endpoint at risk and what the major security risks are to the network.

Midway through 2010, we find ourselves in a very precarious position. The continued neglect of the endpoint and reliance on the gateway for defense, along with the increase in “add-on” software vulnerabilities, has empowered cybercriminals more than ever before, and they are now targeting their attacks directly at the user’s desktop, using the browser and its add-on software as the new gateway to the enterprise.

The continued growth of add-on software vulnerabilities and the pervasive use of social media by malicious hackers will clearly define the second half of 2010:

  • Signs of the add-on vulnerability trend were already visible in December of 2009, when Forbes published an article proclaiming “Move over Microsoft – This year Adobe took center stage for cybercriminals”, and were reinforced at the end of Q1 2010 by a report from Kaspersky Labs noting that nearly half of exploits were targeting Adobe vulnerabilities.
  • Social website security issues, combined with a seemingly blatant disregard for user privacy, have made social websites a literal shopping bazaar for would-be cybercriminals to gather the personal data necessary for successful targeted attacks.

While it is difficult to defend a vendor and their zero-day issues, one has to have at least a little sympathy for Adobe in that they are experiencing the same dilemma as Microsoft did over Conficker. Like Microsoft with Conficker, the patches for many currently and regularly exploited Adobe vulnerabilities have been available for users for some time now.

As we approach the second half of 2010, the economy is showing some signs of recovery. Clearly our focus must be adjusted to mitigate endpoint risks, the growing issue of add-on software vulnerabilities, and the pervasive use of social websites by would-be cybercriminals. In fact, the SANS Institute has ranked patching “client-side software” as the top IT security priority.

1.    Cybercriminal use of obfuscation has made bypassing gateway defenses such as signature-based AV, IDS and IPS trivial. It is crucial to end our reliance on gateway defenses alone and refocus our efforts on securing the endpoint. Bottom line – get control of your endpoints before they control you.

2.    The solution to add-on software risks requires rethinking our flaw remediation strategy. Simply turning on WSUS is not the solution, because the third-party add-ons are simply missed. The patch management solution in use needs to be re-evaluated to ascertain whether it in fact offers coverage that is both broad enough and deep enough to mitigate our risks in the current environment.

3.    With respect to the social website dilemma, and without being overly harsh on users, simply put: we must recognize that you cannot stop stupid, hence you need to work toward containing it. It is important to remember that the end game for the bad guys in a targeted attack using personal details harvested from a social website is to run unauthorized malicious software on the victim's computer. There is no disputing that antivirus solutions alone are no longer an acceptable risk mitigation tool. Complementing your AV with application control (application whitelisting) is no longer a luxury; it has become a necessity. There is simply no better mitigation for unauthorized malicious applications than pairing the two technologies, not only to block known bad but to prevent execution of any software that is not first validated and then determined to be administratively permitted by policy.
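As an added illustration (not code from the original post or from HEAT), the decision order described in point 3: a known-bad check comes first, then execution is allowed only for software that is both validated and administratively permitted. The file names, contents, hashes and policy are constructed for the example.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Hash the executable's contents; the allowlist and known-bad set are keyed by hash."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def decide(path, known_bad, allowlist, permitted):
    """Return (verdict, reason). Known bad is denied first (the AV role); anything else
    must be both validated (present in the allowlist) and administratively permitted."""
    digest = sha256_of(path)
    if digest in known_bad:
        return "DENY", "matches known-bad signature"
    name = allowlist.get(digest)
    if name is None:
        return "DENY", "not validated: hash not in allowlist"
    if name not in permitted:
        return "DENY", "validated as %s but not permitted by policy" % name
    return "ALLOW", "validated as %s and permitted" % name

def demo():
    """Run the policy over constructed sample files (contents stand in for binaries)."""
    samples = {
        "payroll.exe": b"constructed: validated and permitted business app",
        "game.exe": b"constructed: validated but not permitted by policy",
        "tainted.exe": b"constructed: validated earlier, later found to be malicious",
        "dropper.exe": b"constructed: never validated, known-bad payload",
        "unknown.exe": b"constructed: never seen before",
    }
    with tempfile.TemporaryDirectory() as d:
        paths = {n: os.path.join(d, n) for n in samples}
        for n, p in paths.items():
            with open(p, "wb") as f:
                f.write(samples[n])
        digest = {n: sha256_of(p) for n, p in paths.items()}
        known_bad = {digest["dropper.exe"], digest["tainted.exe"]}   # AV signature set
        allowlist = {digest["payroll.exe"]: "payroll", digest["game.exe"]: "game",
                     digest["tainted.exe"]: "tainted"}               # validated software
        permitted = {"payroll", "tainted"}                            # admin policy
        return {n: decide(p, known_bad, allowlist, permitted) for n, p in paths.items()}

if __name__ == "__main__":
    for name, (verdict, reason) in demo().items():
        print("%-12s %-5s %s" % (name, verdict, reason))
```

The tainted sample shows why the known-bad check runs first: a file that was validated and permitted earlier is still blocked once AV knows it is bad, while the unknown and unvalidated samples are blocked by the allowlist regardless of whether AV has a signature for them.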