QUESTION & ANSWER

WebSense: PortAuthority deal, Web 2.0 apps reflect changing threat landscape

By Michael S. Mimoso 05 Feb 2007 | Information Security magazine

Digg This!     StumbleUpon     Del.icio.us

RSA Conference 2007 Can't make it to the show? SearchSecurity.com staff members are on the RSA floor, on hand to deliver the latest RSA Conference 2007 news and updates.

Do you expect other acquisitions involving data leak prevention vendors like Port Authority?

Hodges: I would over time. Our industry is driven by pressure bad guys bring. As that pressure shifts, it's going to be harder for legacy vendors like Symantec and McAfee to justify their value solving yesterday's problems. I'm sure they'll shift too. They're smart guys and this is a segue to newer threats.

Threats have become targeted and data-centric. How do Web 2.0 apps threaten corporations?

Hodges: We're starting to see an intensification of the chance for financial wrongdoing with Web 2.0 apps, especially intercompany 2.0 applications. Most of these are business-to-consumer today. Obviously, the business-to-business interaction between value chains is important. The chance for compromise of business process packets, like purchase orders, by malware is very concerning.

It's interesting to think back to the LexisNexis compromise [account holders were infected with a Trojan that logged LexisNexis login information]; as an indicator of how bad guys target the value chain and steal various pieces of information walking up and down the value chain.

By Web 2.0, I'm focusing on XML-scripted transactions; I think that's a fairly commonly accepted piece of the definition. Fundamentally, these are new collections of application capabilities for structured information or transaction exchange off a Web site. It's not just HTML anymore.

If you take Ockham's razor principle, there are pieces of Web 2.0 that open an immense number of vulnerabilities that have not been exploited yet. I think we'll continue to see sophisticated uses for these attacks. For example, we have not seen any instances of cyber arbitrage. What if a hacker could get real-time pump data from oil vendors? Could they do better playing on the commodity oil prices that way? They could also generate fake transactions. That's a nice way to get money in your pocket. There's still plenty of room left for attackers to use this stuff in creative ways.

"Hackers have thought about who they wanted to attack and applied demographic-specific social engineering. I'm surprised we're surprised..." Gene Hodges, CEO of Websense

Information Security's recent Priorities survey indicates that malware remains a major concern for IT. How sophisticated has targeted malware become?

Hodges: I like to call targeted attacks and spyware the center of the market. I think what we're seeing is market segmentation by hackers. This is standard commercial behavior visible in hacker elements: segmenting businesses and customers of a business. In the U.S., for example, the most frequently targeted vertical in the last six months is small- and medium-sized credit unions.

Here are a group of people who generally don't have the resources for security and customers who tend be less Internet savvy. It's damn good market research. Hackers have thought about who they wanted to attack and applied demographic-specific social engineering. I'm surprised we're surprised. This is what any commercial organization in the world would do.

An interesting musing...I wonder when we'll see competition between these guys? They're acting more like companies every day, yet they're not tripping over each other yet. At least it's not visible to us.

Websense sells endpoint security. How do you define it?

Hodges: I've always been interested in the term. An endpoint is a computer, isn't it? Fundamentally, we've come up with a fancy word for computer security. The gearshift occurred when dialogue around NAC got serious. The concept of making a real-time decision before having a computer join a federation is interesting. That gave rise to the question of whether machines should be able to self-evaluate and report on what state they're in. But, what if a machine is compromised and is being spoofed? Hackers have the NAC APIs too; they're easy to write.

But the key question is not the number of technologies stacked on an endpoint, but on what set of threats to place your not-so-growing dollar bet. The answer lies in what is on the endpoint that bad guys are trying to get: your critical data resources.

So I think that set of problems needs a new buzzword. Endpoint today focuses on blocking inbound attacks. I think we're moving much more to blocking new waves of attacks and regulating a device's use of information. Egress control--you expect this laptop should be doing this type of stuff and you're able to describe its state precisely with regard to its application and OS level, but also data structures.

What threats haven't made it most people's radar yet?

Hodges: There are two areas of the most immediate interest: What are the impacts of user-generated content, and what will be the new vehicles for propagation?

Users are becoming more complicit in messing each other up. What we've seen is almost every significant user-contributed content site [e.g., MySpace, YouTube] has massive amounts of compromised attacks embedded in them. For a long time, porn sites were compromised at a high level; more than 75 percent contain malware.

That's not what you have in mind for your primary "hang site." But these primary hang sites are muddy and dirty, filled with spiders. This bodes ill for computer security on the consumer side.

The second emerging set is streaming media and protocol attacks--RSS, or attacks embedded in VoIP, for example. We all scoffed a couple of years ago when Vint Cerf started talking about SPIT (Spam over Internet Telephony), but I'm starting to get them and it's a pain.

Here's a funny story. My wife went to the site for the movie "Snakes on a Plane" and generated a phone call for me from Samuel Jackson: "Yo, Gene, you gotta see 'Snakes on a Plane.'" It's brilliant viral marketing, but some may consider it SPIT. Imagine if you start getting 10 or more of those a day advertising mortgage offers? That's probably something for 2008.

<< Return to our special coverage of RSA Conference 2007

Sound Off! -   Be the first to post a message to Sound Off!

Tags: Web Application Security (Also see Web Access Control),  Viruses, Worms and Other Malware,  Endpoint Security,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us