Why information security basics are key to managing threat landscape

Date: Jul 21, 2014
Over the last decade, Microsoft and other software vendors have continually raised the bar for security with the addition of address space layout randomization and data execution prevention (ASLR and DEP) and other controls. Apple Inc. also has locked down its iOS devices so that multiple vulnerabilities need to be exploited for legitimate users to jailbreak their iPhones and iPads, while highlighting the security benefits of a contained ecosystem with its app store model. That's before one considers the large investments in security technology many companies are making to protect sensitive data and users. Despite those efforts, attackers are having as much success now as they ever did, and are costing enterprises worldwide billions of dollars every year. What gives?
According to Chester Wisniewski, senior security advisor at Abingdon, U.K.-based antivirus vendor Sophos Ltd., attackers are evolving along with the defense mechanisms trying to fend them off, and they now often exploit multiple vulnerabilities as part of a single attack.
"There was a zero day in Flash that, in order to actually make that vulnerability work in this watering hole attack that it was used in, also relied on a flaw from either Microsoft Office that was fixed three months ago, or a flaw in Java 6 that was fixed three years ago," Wisniewski said. "So, strangely, even when we have a zero day … it still relied on other things."
In this interview, recorded at the 2014 RSA Conference, Wisniewski explained how the most sophisticated attackers are taking inspiration from such targeted incidents as the high-profile Target Corp. breach and nation-state-sponsored malware to craft their own exploits. For instance, Wisniewski said that antivirus vendors found certain vulnerabilities taken directly from Stuxnet in everyday exploit kits within 24 hours of it being publicized.
The speed with which attackers adopt the latest exploit techniques, said Wisniewski, means companies should adopt such information security basics as regular patching, which is vital for maintaining any organization's security posture.
"The Flash zero day needed an ASLR bypass for it to work [the outdated Office and Java vulnerabilities]. So, that meant that you had the opportunity to be patched against it, because in order to force you to do the ASLR bypass, they used two old vulnerabilities that arguably you should have already fixed," Wisniewski said. "These mitigations are never bulletproof. What they do is buy you time and they increase complexity, and if you can increase the complexity for the attackers, you're buying yourself more opportunities to stop the attack chain."
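Wisniewski's point is that ASLR and DEP only raise the attacker's cost if they are actually in force, and the first thing to verify is that a binary opted in to them: on Linux, ASLR randomizes a program's own code only when it was linked position-independent (ELF type ET_DYN, i.e. PIE), and the stack is non-executable only when the GNU_STACK program header lacks the execute flag. The following checker is an added example written for this article, not code from Sophos or from the interview; it assumes 64-bit little-endian ELF images and uses a constructed, non-loadable ELF fixture so it runs offline.

```python
"""Report whether an ELF binary opted in to PIE (for ASLR) and a non-executable
stack (for DEP/NX). Added example; only ELFCLASS64 little-endian is handled."""
import struct
import sys

ET_EXEC = 2              # fixed-address executable: code is not randomized by ASLR
ET_DYN = 3               # position-independent (shared object or PIE)
PT_GNU_STACK = 0x6474E551
PF_X = 0x1               # execute permission bit in p_flags
PF_W = 0x2
PF_R = 0x4


def check_mitigations(elf: bytes) -> dict:
    """Return {'pie': bool, 'nx': bool} for a 64-bit little-endian ELF image."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if elf[4] != 2 or elf[5] != 1:
        raise ValueError("only ELFCLASS64 little-endian images are handled here")
    e_type = struct.unpack_from("<H", elf, 16)[0]
    e_phoff = struct.unpack_from("<Q", elf, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    # A missing GNU_STACK header means the binary never opted in to NX, and older
    # loaders give such binaries an executable stack, so treat "absent" as NX off.
    nx = False
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from("<II", elf, off)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
    return {"pie": e_type == ET_DYN, "nx": nx}


def build_sample_elf(e_type: int, stack_flags: int) -> bytes:
    """Constructed fixture: a 64-byte ELF64 header followed by a single GNU_STACK
    program header. Not a runnable program, just enough for the parser above."""
    ehdr = bytearray(64)
    ehdr[:4] = b"\x7fELF"
    ehdr[4] = 2                                           # ELFCLASS64
    ehdr[5] = 1                                           # ELFDATA2LSB
    ehdr[6] = 1                                           # EV_CURRENT
    struct.pack_into("<HHI", ehdr, 16, e_type, 0x3E, 1)   # e_type, e_machine=x86-64, e_version
    struct.pack_into("<Q", ehdr, 32, 64)                  # e_phoff: table starts right after header
    struct.pack_into("<HHH", ehdr, 52, 64, 56, 1)         # e_ehsize, e_phentsize, e_phnum
    # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
    phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 0x10)
    return bytes(ehdr) + phdr


def describe(elf: bytes) -> str:
    """Human-readable one-line summary of the two checks."""
    r = check_mitigations(elf)
    return "PIE: %s  NX stack: %s" % ("yes" if r["pie"] else "NO", "yes" if r["nx"] else "NO")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(sys.argv[1], describe(f.read()))
    else:
        print("hardened sample:", describe(build_sample_elf(ET_DYN, PF_R | PF_W)))
        print("legacy sample:  ", describe(build_sample_elf(ET_EXEC, PF_R | PF_W | PF_X)))
```

Run it with a path to any ELF binary to get the two flags for that file, or with no arguments to see the constructed hardened and legacy fixtures. A binary that reports "PIE: NO" gets no code randomization from ASLR at all, which is exactly the situation in which an attacker does not need the kind of bypass the Flash exploit chain relied on.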