Vulnerable applications and mutating spam
The
Cisco Annual Security Report noted that 2007 saw OS vulnerabilities decline
as applications became the new target. There was a drop in worms and Trojans,
directory traversal attacks, exploited misconfiguration and symbolic links, accompanied
by a rise in software vulnerabilities and buffer overflow attacks. As e-commerce
and, concomitantly, CRM and Web applications grew in popularity, they came under
attack. These applications not only had a fair few vulnerabilities, they had
also been written in languages that had serious vulnerabilities. Business applications
such as Microsoft Office, Open Office and Adobe Acrobat were not spared either.
Attacks relied on social engineering, fooling users into opening documents containing
payloads. The year saw the emergence of subscription-based attack services.
Among these, the report noted the 76service portal, offered through service provider Russian
Business Network (RBN): it was built around the Gozi Trojan and offers a functional
Web portal through which subscribers can pay for access to user information
on Gozi-infected systems. Then there was the growing availability of exploit
toolkits such as MPACK, an exploit tool that compromised more than 10,000 Websites
worldwide. Last but not least, a panoply of phishing tools included Flash animations
that duplicate legitimate Web sites and evade most antiphishing defenses.
Spam mutated in 2007 with the emergence of PDF and later Excel spam.
The report recommends that companies focus on defending themselves against high-severity
vulnerabilities, protect themselves against new OS and application vulnerabilities,
closely monitor and log applications, be vigilant about patching, educate users
and continually reinforce education, redouble efforts to secure Web application
code, continually monitor security intelligence for attack trends, employ host-based
IPS solutions and monitor Web sites for infiltration by malicious code.
This year we will see malware attacks exploiting application vulnerabilities
continue to grow. Enterprises should expect more sophisticated attacks from
professional attackers; malware executing in system memory; malware targeting
smartphones, portable media and gaming devices; and multiplatform attacks.
Organizations should strive for a holistic operational approach to security
and address potential vulnerabilities in physical security solutions running
on the IP network. Their contingency plans must address employees as well as
infrastructure. Defense in depth is as necessary for physical controls
as for network security.
The report advises companies to implement robust defenses against insider attacks.
Improved employee vetting and partner due diligence are all part of the big
picture. Trust issues will continue to present a significant problem. Businesses
will need to devote more resources to mitigate internal threats.
Identity theft is becoming a big deal. This is enabled by poor security controls,
flawed payment card industry standards and the lack of prompt and full disclosure.
Identity theft is expected to remain a cause for concern this year.
Phishing is on the rise. Today you cannot visit the Web site
of any Indian bank without reading a message warning against it. The answer?
The report advises employing security policies that govern user behavior, educating
users against social engineering risks, taking even seemingly insignificant attacks
seriously and using technologies that can slow down attacks.

prashant.rao@expressindia.com