IT Security Supplement: Why is everyone out to get me?
Written by David Adams
Sometimes security professionals at financial institutions can make themselves paranoid worrying about the threats - both internal and external - to the security of their networks, forever fretting over the cloud, mobile technologies, and other new spectres on the horizon. David Adams looks at the latest attack vectors and tries to provide some reassurance.
As ever in the world of network security, you have every right to remain paranoid, because they really are out to get you. UK companies, including a great many in the financial sector, suffered millions of pounds' worth of damage and fraud in 2009 (see news page five for more), due to security breaches created deliberately, or unwittingly, by external attackers, disgruntled or malicious employees, human error and the technical shortcomings of software and systems. No change there, then. But a growing number of cyber attacks are now targeted at specific organisations and are more sophisticated and better planned and resourced than in the past. Some are the work of foreign companies engaged in corporate espionage. Others are state-sponsored attacks designed to breach network security perimeters.
This trend became front page news in January, when Google and more than 30 other companies were hit by attacks that used a combination of 'zero day' vulnerabilities (not known to the software supplier) in commonly-used software, along with malicious links hidden in cleverly disguised emails and instant messages sent to company employees.
Most security experts would concur with the assertion by Eli Jellenc, head of cyber intelligence at iDefense (part of VeriSign) that: "Most financial sector companies in the UK and other more digitally developed nations are doing better each year at fending off what were the most dangerous threats from two to three years ago."
However, recent actions by the US and UK governments show that the threat is still real and evolving, with the UK's Office of Cyber Security, launched in March 2010, created at least in part as a response to this issue. "The single most important threat at the moment is a targeted attack," says Jellenc. "These are coming from dedicated, focused groups that spend an enormous amount of time researching their targets and use several different techniques, including zero day vulnerabilities and various trojans. They usually have some specialist in social engineering to target people too." Recent attacks have involved the use of advanced malware like updated versions of the unpleasant old favourite Grey Pigeon, which enables an attacker to gain remote control of a computer inside a target organisation.
A denial of service (DoS) attack may also be used, while Jellenc knows of attacks in which malicious software is employed to falsely incriminate innocent employees, thus creating a distraction that throws the target organisation's security team off the scent.
Size of the problem
The tools used by attackers continue to proliferate and become more sophisticated. MessageLabs Services detected 73 million variants of malware in 2009, along with 30,000 unique internet domains hosting malware, according to the company's Annual Security Report. Figures from the IBM X-Force Trend and Risk Report for 2009 show a huge uplift in the number of malicious web links being used globally (up by 345 per cent compared to 2008).
These weapons are not just trained on financial organisations themselves. Attackers may also approach a target indirectly, perhaps by compromising systems or machines used by a supplier, notes Paul Wood, senior analyst at MessageLabs Intelligence. "That could be a small to medium sized enterprise (SME) that may not have the same levels of defence in depth as a financial company," he explains. "If their email account becomes compromised attackers can piggyback on an existing email conversation between that supplier and the target. That's very hard to protect against." An attacker might also target firms advising financial institutions, such as lawyers or accountants, as a stepping stone to their clients.
A few companies in the security industry have begun to develop services designed specifically to defend against these kinds of targeted attacks. One example is the Targeted Attack Detection Service (TADS) developed by Context Information Security, an IT consultancy that includes high profile financial sector companies among a roster of blue chip and government clients. TADS is based on an approach that incorporates both static and heuristic techniques: a continually updated database of IP addresses, hostnames and malware linked to countries and organisations, alongside advanced behavioural analysis. The service is available as an emergency response service or on a periodic basis.
There are steps every organisation should be taking to try to defend themselves in any event. iDefense's Jellenc sees the presence of a talented team of security professionals as the single most important element of a company's defence against the most sophisticated threats. "The banks that are best at protecting their network and assets are the ones with smarter people than the attackers," he says.
Security teams need the right tools, of course, and the ability to enforce a security policy that contains key elements, such as restrictions on internet use, and usage restrictions on mobile and USB devices is fundamental. Security tools should include not just the usual intrusion detection measures but also exfiltration anomaly detection systems that identify data leaving the network that ought to be safely tucked away inside. IT assets and devices need to be strictly managed, perhaps through an approach like Intelligent Infrastructure Management (IIM), which identifies device connections and tracks changes to the physical layer of a network, revealing unauthorised devices. Strong event management software, such as that provided by LogRhythm, which identifies individuals accessing specific devices or systems, may also be useful.
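The two detection ideas mentioned above, static matching of traffic against a curated list of known-bad destinations (the TADS approach described earlier) and a behavioural check for unusual volumes of data leaving the network (exfiltration anomaly detection), can be sketched in a few dozen lines. The following is an added example written for this article, not code from Context Information Security, LogRhythm or any other vendor named here; the log format, host names, indicator values and thresholds are all constructed for illustration.

```python
"""Added illustration: indicator matching plus a volume-based exfiltration check.

Not the article's or any vendor's code. The log format, the indicator list,
the per-host history and the thresholds below are constructed assumptions.
"""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed outbound-connection log format: one event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$"
)

# Constructed "static" indicator feed: destinations already linked to attacks.
# In practice this would be a continually updated database, as the article notes.
KNOWN_BAD_HOSTS = {"203.0.113.45", "update-cdn.example.invalid"}

# Constructed per-host history: outbound bytes per day over the last five days.
# This is the behavioural baseline each host is compared against.
HISTORY = {
    "ws-042": [800_000, 950_000, 1_100_000, 900_000, 1_000_000],
    "ws-117": [2_000_000, 2_100_000, 1_900_000, 2_050_000, 1_950_000],
    "db-01": [50_000, 60_000, 55_000, 45_000, 40_000],
}

# Constructed log for "today"; one line is deliberately malformed.
SAMPLE_LOG = [
    "2010-03-01T09:15:00 src=ws-042 dst=198.51.100.7 bytes_out=400000",
    "2010-03-01T10:02:13 src=ws-042 dst=198.51.100.7 bytes_out=500000",
    "2010-03-01T11:40:51 src=ws-042 dst=192.0.2.33 bytes_out=200000",
    "2010-03-01T09:30:00 src=ws-117 dst=198.51.100.7 bytes_out=1200000",
    "2010-03-01T14:12:09 src=ws-117 dst=192.0.2.33 bytes_out=900000",
    "2010-03-01T02:17:44 src=db-01 dst=203.0.113.45 bytes_out=9500000",
    "2010-03-01T02:41:03 src=db-01 dst=update-cdn.example.invalid bytes_out=4000000",
    "2010-03-01T12:00:00 src=ws-999 dst=192.0.2.33 bytes_out=3000000",
    "this line does not match the expected format",
]


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "src": m["src"], "dst": m["dst"], "bytes": int(m["bytes"])}


def parse_log(lines):
    """Parse all lines, silently dropping malformed ones."""
    return [e for e in (parse_line(l) for l in lines) if e is not None]


def match_indicators(events, bad_hosts):
    """Static check: every event whose destination is on the indicator list."""
    return [e for e in events if e["dst"] in bad_hosts]


def daily_totals(events):
    """Sum outbound bytes per source host for the period covered by the events."""
    totals = defaultdict(int)
    for e in events:
        totals[e["src"]] += e["bytes"]
    return dict(totals)


def flag_volume_anomalies(todays_totals, history, sigma=3.0, min_bytes=1_000_000):
    """Behavioural check: flag hosts sending far more than their own baseline.

    A host is flagged when today's total exceeds mean + sigma * stdev of its
    history AND an absolute floor (min_bytes), so quiet hosts with tiny
    variance do not fire on trivial amounts. Hosts with no history are skipped;
    a real system would route those to a separate "new device" review.
    """
    flagged = {}
    for host, total in todays_totals.items():
        past = history.get(host)
        if not past or len(past) < 2:
            continue
        mu, sd = mean(past), pstdev(past)
        threshold = max(mu + sigma * sd, min_bytes)
        if total > threshold:
            flagged[host] = {"today": total, "baseline_mean": mu, "threshold": threshold}
    return flagged


def run_sample():
    """Run both checks over the constructed log and return their findings."""
    events = parse_log(SAMPLE_LOG)
    hits = match_indicators(events, KNOWN_BAD_HOSTS)
    anomalies = flag_volume_anomalies(daily_totals(events), HISTORY)
    return hits, anomalies


if __name__ == "__main__":
    indicator_hits, volume_flags = run_sample()
    for e in indicator_hits:
        print(f"indicator hit: {e['src']} -> {e['dst']} at {e['ts']}")
    for host, info in volume_flags.items():
        print(f"volume anomaly: {host} sent {info['today']} bytes "
              f"(baseline mean {info['baseline_mean']:.0f}, threshold {info['threshold']:.0f})")
```

In the constructed data the database host db-01 is caught twice over: it talks to two listed destinations and it pushes roughly 13.5 MB out against a baseline of about 50 KB a day, while the two workstations stay inside their normal range. The point of running both checks together is that neither alone is sufficient: the indicator list misses infrastructure nobody has catalogued yet, and the volume check misses an attacker who drips data out slowly, which is why the article's sources pair a static database with behavioural analysis.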
But security requirements are becoming so demanding that some financial institutions, especially smaller ones, now rely to some degree on third party service providers, from the skilful penetration testers supplied by security companies and consultancies to managed and outsourced services for email filtering. For MessageLabs' Wood the key advantage of the latter is the economies of scale, processing power and broader perspective, which he claims are offered by a service provider drawing intelligence from ISPs and other sources around the globe. These services do not store any of a client's data unless requested to do so, and then the client usually has absolute and exclusive control over access to such data, protecting the chain of custody.
Protect your customer
Network security threats can also be related to security breaches at the customer level. Unfortunately the pace of development is still rapid in this area too. One success story for the criminals during 2009 was the URLZone Trojan, which embedded itself on consumers' computers and then sprang into action when they were using online banking websites. It displayed a pop-up telling consumers their banking session had terminated unexpectedly and asking them to retype their user credentials and password into a link supplied by the fraudster, with predictable consequences.
In November 2009 a gang of five fraudsters was convicted of stealing around £600,000 from UK bank accounts through the use of a Trojan that encouraged customers to input personal data. UK online banking fraud losses rose by 14 per cent in 2009 to £59.7 million (see page five for more), according to figures released by the UK Cards Association in March 2010, a rise it attributed to malware targeting consumers' computers rather than banks' networks.
"We are seeing increasing use of Trojans that can hijack the online banking session despite multifactor authentication systems," confirms Grega Vrhovec, research consultant at the Information Security Forum (ISF) trade body. He cites a case in Germany in September 2009 where a Trojan was even able to mask its own activity by amending the details of victims' bank statements. "They stole money from a lot of different accounts, only taking minimal amounts from each and altogether they stole €300,000 in 20 days," he recalls. "I don't believe they were caught." The perpetrators are believed to have been based in Ukraine.
Meanwhile, increased use of mobile technologies by customers or clients, as well as by employees, adds another dimension to the security challenge. "I know some of the banks, such as NatWest, have launched iPhone applications for online banking - personally, I wouldn't use them," says Gary Wood, also a research consultant at the ISF. "Partly that's because I'm not sure how you would keep these things up to date. Browsers have flaws, but most have mechanisms in place to keep security up to date. If you're starting to diversify the number of platforms you're using there are more holes to plug. There are already Trojans on mobile devices. Not many, yet, but they pose a threat."
The appearance of the undeniably lovely iPhone in boardrooms across the country is creating headaches for security managers, concurs Alex Church, technical director at Context Information Security. "Unfortunately, in terms of enterprise grade security, the security provided by Apple for the iPhone is inadequate to protect corporate data," he says. "So if you were to sync your corporate email or link it to a file server to download important documents there would be a risk." He believes the problem is simply that the iPhone was not designed as a business tool. By contrast, Research In Motion's BlackBerry was always intended for business use and has incorporated enterprise grade security from the start. With a few modifications the BlackBerry is now even used by some government agencies that require very high levels of security.
Little fluffy clouds and social networking
Another major trend in business IT at the moment is the use of cloud computing for various purposes. The idea of a third party having at least partial control of data and/or applications has caused consternation in some quarters, but proponents insist there is no reason why this should create any extra security problems provided companies apply the same levels of rigour to security and controls as they would in an internal solution. The ISF's Wood is actually quite optimistic about the security implications of the cloud. "The additional attention people pay to securing cloud applications will for many organisations make them more secure," he claims. "There's an assumption that something in the internal system is already secure, but this isn't always the case, whereas if you push something into the cloud there will be additional checks."
But there's another source of security problems for financial companies that should be mentioned: social networking. This offers almost limitless scope for customers and employees to make life easier for criminals, by revealing personal information that could help dupe them or their colleagues into downloading malware, and by getting too used to informal means of electronic communication with friends or colleagues. Networking sites, and the messages and attachments sent by these associates, can all easily be compromised by a determined attacker.
Financial institutions still need to be largely self-reliant as they fight this battle. There are resources available from the UK and EU governments and of course from vendors, but the competitive conditions in the sector lessen the likelihood of effective collaboration between financial companies and their peers. It's true that given the right conditions and relationships, individuals will share information for mutual benefit, about security breaches, for example; but in general financial institutions will do themselves most good if they communicate the importance of improving and adhering to security policies within their own organisations and ensure there is a talented leadership guiding the security strategy.
"I think the financial services sector is probably better than most in terms of having skilled people who make the right decisions," says Jay Abbott, the director in charge of threat and vulnerability management, at PricewaterhouseCoopers' UK consultancy. "But I still sometimes find companies that have all the things you would expect them to have, they've spent good money on best practice, but when, as happened to me the other day, you ask them what the potential avenues of attack are and whether the kit they have would help them deal with those vectors - they don't have an answer." Any financial company needs those answers, because the attackers are going to keep asking more and more difficult questions. It's not paranoia, it's just protecting yourself.