This time of year, we pontificators always try to wrap up the year that was with a cutesy theme. I'll keep mine simple: 2010 was a year of wake-up calls.
We began the year fascinated by the concept of the advanced persistent threat. Operation Aurora successfully infiltrated Google Inc., Adobe Systems Inc. and about 20 other organizations.
Aurora, like most APT-style attacks, used a combination of zero-day exploits and known unpatched software flaws to penetrate traditional defenses and maintain long-term access to sensitive data and mission-critical systems to monitor internal communications, steal trade secrets and ultimately seek to damage a business beyond repair.
APT was certainly overhyped this year -- not every attack qualifies as an APT -- but it's no coincidence that we're wrapping up the year with what appears to be another APT event, the recent Gawker Media attack. As it turns out, the Gnosis attack group had access to Gawker's systems for weeks or perhaps months before Gawker's IT staff realized something was wrong and its business leaders decided to do something about it.
As the Gawker attack proves, more businesses are being targeted by advanced persistent threats, and it isn't just industry titans like Google. Nearly every organization has enemies, and a Gawker-style combination of information security ignorance and arrogance, as we've seen, can result in disaster.
The APT helps make clear that the traditional paradigm for information security needs updating. As our information security threats expert Nick Lewis wrote, enterprises must assume they have a gaping hole somewhere in their network that only attackers can see, and they should be prepared to defend it by restricting user privilege levels, carefully considering which Web browser they use, revisiting outbound traffic monitoring procedures, and even thinking about PCI-style network segmentation. And, if an attack should happen, be prepared to conduct detailed DNS log analysis or have experts on call to do it for you.
Similarly, we can't ignore this new generation of virulent malware, including Trojans like Zeus and Stuxnet. Zeus has been around the block a few times, but with new and increasingly dangerous Zeus variants popping up all the time, it can't be ignored. Stuxnet emerged in July of this year, initially targeting Siemens SCADA system software and successfully infecting 100,000 systems, according to Symantec Corp., by spinning together a combination of zero-day attacks. It has been so successful that it may become a blueprint for malware writers going forward.
Why are we in the midst of what may be a malware renaissance? Some like to blame software makers. After all, or so it goes, such malware wouldn't be so effective (and profitable) if software makers put greater emphasis on secure software development best practices.
The reality is that software will always be flawed. Perhaps no commercial software vendor has invested more in secure software development than Microsoft, and yet it has released more software patches in 2010 than ever before, and attackers continue to find and exploit new zero-days with no end in sight. If a vendor as diligent regarding security as Microsoft can't plug all the holes in its software, no one can.
Enterprises, in turn, must assume their applications are vulnerable and always will be. To borrow from SANS Internet Storm Center Director Marcus Sachs, not only do companies need to practice defense-in-depth security and maintain multiple security layers, but they should also consider a variety of new and different technologies and tactics for those layers, including vulnerability management, in-house penetration testing, host-based intrusion detection and segregation of duties and machines, to name a few.
To be clear, these themes aren't exactly breaking new ground, but attackers are doing just that with the above-mentioned methods and many others that are equally malicious. As 2010 comes to a close, perhaps the overarching wake-up call for all of us should be that new breeds of attacks that blow past today's traditional defenses have become commonplace. Instead of heeding their own wake-up calls, Google, Adobe and Gawker all hit the snooze button, and they paid the price. In 2011, other enterprises will make the same mistake. Don't let yours be one of them.
About the author:
Eric B. Parizo is senior site editor of TechTarget's Security Media Group. His rants can also be heard on SearchSecurity.com's Security Squad podcast.