Predicting the future is a tricky but necessary part of any kind of strategic planning. Unfortunately the security landscape can move so quickly that even short term planning can feel like it requires a crystal ball.
If you’re lucky, things are a little slower in the summer season. This can be a good time to regroup and consider your plans for autumn.
To help give you some ideas, let’s start by taking the long (in IT terms at least) view on vulnerabilities.
Running a public website on Microsoft IIS was once a terrifying prospect. The bad guys didn’t need to spend much time anywhere else – chances were, if they tried, they could get straight onto one of your critical servers.
Luckily things got better. Zero-day exploits in common internet-facing services are a merciful rarity nowadays, and administrators tend to do a better job of firewalling everything else.
Unfortunately the bad guys had plenty of other options. Clients soon proved to be a massive weak point. Browser vulnerabilities came to the fore in the late 2000s. Gaining access was simply a case of luring a user to a malformed web page and IE6 would quite happily install any malware you asked it to, usually without giving the user any warning.
Again, browser vendors got their act together. Now browsers compete on speed and security rather than fancy features. Every feature is a potential entry point, so – very sensibly – modern browsers have a lot less turned on by default.
Thanks to improved defence-in-depth, even if an attacker finds a way in he’ll likely need to batter down a few more doors before getting to the juicy stuff.
Browser plugins are the current battleground. Flash, Java, Adobe Reader and others provide a great way for an attacker to sidestep all the hard work put into browser security.
Even Oracle are promising to finally address some of the underlying problems with Java. I wouldn’t wait for that though – disabling Java altogether or using click-to-play is a far more reliable and immediate solution.
So what’s next?
Moving swiftly from observation to speculation, here are a few possibly-emerging issues to consider.
Put yourself in an attacker’s shoes. You’ve scanned your target’s perimeter services and it’s all looking quite tight. You then tried a phishing attack to lure them to a web page with a drive-by-download exploit but they’ve got a well-patched browser with no vulnerable plugins. So where next?
Social engineering perhaps? A few trends are making this easier and more effective.
Firstly, in the rush to the cloud we’ve forgotten some of the basics. When everything was protected by a VPN most companies enforced some form of two-factor authentication. A password alone was not of huge value to an attacker. But nowadays, the majority of cloud services rely on nothing more than that and if you can persuade a user to divulge their password it’s likely all you need.
The persuasion part is easier than ever. Thanks to cloud services, users are now accustomed to typing their passwords into external websites, so it follows that they can fairly easily be persuaded into doing the same for a site they don’t recognise.
Secondly, social networking makes target reconnaissance much easier. After a quick browse of someone’s LinkedIn profile it’s not hard to come up with an attention grabbing subject for your attack.
Thirdly, although highly exposed software – such as internet-facing services and web browsers – is getting quite tricky to attack, the rest of your applications are unlikely to be quite so robust.
Few people patch their CAD software as regularly as their browser. A job title from LinkedIn is all that’s required to take some educated guesses about exactly what software someone is likely to be running. Even a user wary of email-based attachments might let their guard down when receiving a file via cloud storage/collaboration tools such as Dropbox.
There are quite a few signs that this advanced targeted phishing is already well underway on an industrial scale, and it’s certainly not just a concern for defence contractors.
Just recently GCHQ, part of the UK intelligence services, advised that it intercepts around 70 attacks against UK companies a month. Targeted phishing appears to be the weapon of choice in these attacks. This is only likely to escalate as techniques filter down from intelligence services to the criminal underworld.
So what can you do?
It’s up to you to assess the trends and how they apply to your business, but here are a few sensible steps to think about.
Firstly, single sign-on and strong authentication gateways are not just nice-to-haves!
Secondly, investment in defence-in-depth will always pay off. Maintaining well-patched systems everywhere, rather than just for the exposed stuff, will become more important. If you don’t already, extending your vulnerability scanning to cover internal systems may help you assess internal exposure.
Firewalling your servers correctly can also really help limit your exposure to a malicious intruder who already has a foothold in your network.
Lastly, education is becoming even more important. Cloud services have made it harder than ever before for users to spot the difference between valid and malicious emails and websites. So educate your users on threats, and make sure they’re clued up on how to avoid falling for them.