Pedro Bustamante from web security firm Malwarebytes calls for better education about security threats for public sector ICT staff.
In January 2010, the Western world got a rude awakening when Google publicly recognized that it, and a few dozen other high-tech and Fortune 500 companies, had been hacked and were being actively spied on for about six months by a Chinese hacking group. In addition to Google, companies such as Adobe, Apple, Symantec, Yahoo!, Morgan Stanley and many others were among those affected by the ongoing cyber-espionage campaign, which siphoned high-value intellectual property over long periods of time. This would later be known as “Operation Aurora” and it marked the beginning of massive public awareness about the industrial cyber-espionage wars between China and the Western world.
Since then, numerous other nation-state linked cyber-espionage campaigns against industrial and government bodies have emerged. These campaigns often succeed despite the latest antivirus and anti-malware security software being installed.
The common denominator for these types of advanced attacks is often that they abuse vulnerabilities in widely used software applications as a method of access. Financial cyber-crime, industrial cyber-espionage and state-sponsored hacking nowadays rely largely on tailored exploits that target vulnerable applications such as Internet Explorer, Java, Flash Player, Silverlight, Adobe Reader, Microsoft Office Word and Excel in order to remotely execute malicious code on the target machine.
This code will often allow the attacker free rein over the target machine and, if advanced enough, the payload can stealthily communicate with its human controller, allowing it to receive instructions and transmit stolen data back. Advanced targeted attacks will often move sideways through various parts of the network, seeking additional targets of opportunity. For large government departments, especially those in sensitive areas such as critical infrastructure or defence, this is the ultimate nightmare.
The issue is that traditional endpoint security, which protects laptops, desktops and other devices, is reactive in nature. Although these products specialize in detecting millions of malicious pieces of software using a number of methods, they need to have previous knowledge of the threat before they can protect against it. That knowledge comes in the form of either a physical binary to create a signature, a few binaries of the same family to create a generic signature, a heuristic algorithm or previous knowledge of the attacker’s infrastructure in order to block it on the web.
The reactive nature of endpoint security means only one thing: it is ineffective against advanced and determined attackers using exploits.
Traditional network security, such as intrusion detection and prevention systems, firewalls and email/web filters, is also reactive in nature and has inherent problems of its own. For example, it does not protect clients outside of the corporate perimeter and is ineffective against unknown or zero-day vulnerabilities. More modern approaches to perimeter protection which defend against vulnerability attacks are still in their infancy, and either only monitor a fraction of the corporate communication traffic or have high false positive rates.
The Windows operating system has advanced a lot in terms of security against software and application vulnerabilities. The inclusion of data execution prevention (DEP) and address space layout randomization (ASLR) has made the OS fairly resilient to attacks, at least in theory. However, users install tons of third-party software applications, and attackers target non-ASLR-compliant libraries to launch their attacks. There are also numerous techniques to bypass DEP nowadays, and who knows what other techniques might exist in the hands of a so-minded military or government agency.
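A defender can check which installed libraries have not opted in to ASLR or DEP by reading the DllCharacteristics field of each PE header. The following audit is an added example, not code from the author or from Malwarebytes; the sample images are constructed header-only stubs and the file names are hypothetical.

```python
# DllCharacteristics bits from the PE/COFF specification.
DYNAMIC_BASE = 0x0040     # image opted in to ASLR (/DYNAMICBASE)
NX_COMPAT = 0x0100        # image opted in to DEP (/NXCOMPAT)

def le(data: bytes, off: int, size: int) -> int:
    """Read a little-endian unsigned integer."""
    return int.from_bytes(data[off:off + size], "little")

def mitigation_flags(image: bytes) -> dict:
    """Return the ASLR/DEP opt-in bits of a PE image; ValueError if not a PE."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    pe_off = le(image, 0x3C, 4)     # e_lfanew: file offset of the PE signature
    opt = pe_off + 24               # skip 4-byte signature and 20-byte COFF header
    if opt + 72 > len(image) or image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing or truncated PE header")
    if le(image, opt, 2) not in (0x10B, 0x20B):     # PE32 / PE32+ magic
        raise ValueError("unknown optional header magic")
    chars = le(image, opt + 70, 2)  # same offset in the PE32 and PE32+ layouts
    return {"aslr": bool(chars & DYNAMIC_BASE), "dep": bool(chars & NX_COMPAT)}

def audit(images: dict) -> dict:
    """Map each image name to the mitigations it is missing (empty list = fine)."""
    report = {}
    for name, data in images.items():
        try:
            flags = mitigation_flags(data)
        except ValueError as exc:
            report[name] = ["unparsed: %s" % exc]
            continue
        report[name] = [m for m in ("aslr", "dep") if not flags[m]]
    return report

def build_sample(chars: int, magic: int = 0x20B) -> bytes:
    """Constructed header-only stub for the demo, not a loadable module."""
    buf = bytearray(0x80 + 24 + 96)
    buf[:2] = b"MZ"
    buf[0x3C:0x40] = (0x80).to_bytes(4, "little")
    buf[0x80:0x84] = b"PE\0\0"
    buf[0x98:0x9A] = magic.to_bytes(2, "little")          # optional header magic
    buf[0x98 + 70:0x98 + 72] = chars.to_bytes(2, "little")
    return bytes(buf)

SAMPLES = {  # constructed inputs; file names are hypothetical
    "modern.dll": build_sample(0x0160),
    "nx_only.dll": build_sample(0x0100),
    "legacy_plugin.dll": build_sample(0x0000, magic=0x10B),
    "readme.txt": b"plain text, not a PE",
}
```

In a real audit the dictionary would be filled with the bytes of every DLL and EXE under the application directories; any module reported as missing "aslr" is a candidate for update, replacement or system-enforced relocation.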
There is a new approach to security that, while in its infancy, counters the issues facing reactive methods. It focuses on shielding or hardening vulnerable applications such as browsers, PDF readers, Office applications, media players and other applications typically targeted by advanced hackers in state-sponsored hacking campaigns. Such technologies do not care WHAT is being delivered to your computer but rather HOW. For example, if your Adobe Acrobat Reader tries to download and run an EXE from the web in a certain way after opening a PDF, this is a clear giveaway that it is a malicious PDF exploiting Adobe Acrobat Reader in order to infect the PC. Such technologies can provide a vital additional layer of security against these specific attacks, and should be deployed alongside existing security measures to provide defence in depth.
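The "HOW, not WHAT" idea can be expressed as a rule over process-creation events that looks only at which application started which child and from where, and never at the file's hash. The following is an added example, not code from the author or from Malwarebytes; the policy tables, event fields and sample events are assumptions constructed for illustration.

```python
import ntpath
from typing import Optional

# Assumed policy for this example: shielded applications and the helper
# processes each one is expected to start on its own.
EXPECTED_CHILDREN = {
    "acrord32.exe": {"acrord32.exe", "rdrcef.exe"},
    "winword.exe": {"winword.exe"},
    "iexplore.exe": {"iexplore.exe"},
}
# Locations a standard user (and therefore a download) can write to.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\")

def verdict(event: dict) -> Optional[str]:
    """Judge one process-creation event by HOW the child was started.

    The file hash carried in the event is deliberately never consulted.
    """
    parent = ntpath.basename(event["parent_image"]).lower()
    image = event["image"].lower()
    if parent not in EXPECTED_CHILDREN:
        return None        # parent is not a shielded application
    # Path check comes first so a binary in Temp cannot hide behind a helper name.
    if any(part in image for part in USER_WRITABLE):
        return "block"     # shielded app running a binary from a user-writable path
    if ntpath.basename(image) in EXPECTED_CHILDREN[parent]:
        return None        # normal helper process
    return "alert"         # unusual child, such as a shell or script host

EVENTS = [  # constructed sample telemetry; paths and hashes are made up
    {"parent_image": r"C:\Program Files\Adobe\Reader\AcroRd32.exe",
     "image": r"C:\Program Files\Adobe\Reader\RdrCEF.exe", "sha256": "aa11"},
    {"parent_image": r"C:\Program Files\Adobe\Reader\AcroRd32.exe",
     "image": r"C:\Users\kim\AppData\Local\Temp\invoice.exe", "sha256": "bb22"},
    {"parent_image": r"C:\Program Files\Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe", "sha256": "cc33"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Users\kim\Downloads\setup.exe", "sha256": "dd44"},
]

def triage(events: list) -> list:
    """Return (child image, verdict) for every event that is not benign."""
    return [(e["image"], v) for e in events if (v := verdict(e))]
```

The fourth event is left alone because the user started the download from the desktop shell; the same file launched by the PDF reader would be blocked, which is the distinction signature-based tools cannot make for an unknown binary.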
There needs to be education around the threat from exploits for those in the public sector. Exploits are growing in usage and often leave existing security measures sorely lacking. For a sector which is responsible for protecting state secrets and other critical infrastructure information, they are a modern threat which must be addressed. In a world where cyber-attacks often mirror global political tensions, I would urge those in charge of security to consider the exposure to exploits on their endpoints, because if they don’t, someone else almost certainly will.