Posted by: Tony Bradley
Sir Winston Churchill once said, “Those who fail to learn from history are doomed to repeat it.” Those are wise words, and a sentiment that applies nicely to information security.
As we begin 2012, it is a great time to reflect on the significant security events that occurred over the last year, and identify trends that can help you prepare for the threats to come this year. With that in mind, let’s take a look at what 2011 served up.
The Low-Hanging Fruit
Attacks have traditionally targeted flaws related to specific operating systems – mainly Microsoft Windows. But malware developers prefer the path of least resistance. They want the simplest means of developing an attack with the largest potential pool of victims and the best odds of success.
Adobe products and Web browsers are just the sort of low-hanging fruit malware developers love. Products like Adobe Reader, Adobe Flash, and Adobe Air, and browsers like Firefox, Chrome, and Internet Explorer are virtually ubiquitous across all platforms.
In April, Adobe Flash was hit with back-to-back zero-day attacks – the first using a malicious file embedded in an Excel spreadsheet, and the second relying on a file attachment embedded in a Microsoft Word document. In either case, opening the malicious attachment would infect the PC.
Qualys CTO Wolfgang Kandek noted in his Laws of Vulnerabilities blog, “This all happens so fast that a normal user would not notice the attack.”
That was just the beginning for Adobe, though. Flaws in Adobe products are believed to have played a key role in high-profile attacks targeting RSA Security, Pacific Northwest National Laboratories and numerous other victims. There are rumors that the attack used against RSA was also used against 760 other organizations, including many global marquee organizations.
Damages from cyber attacks have been hard to estimate up to now. But 2011 saw the shutdown of a company due to a cyber attack. Digital certificate authority DigiNotar was attacked in August. Soon Microsoft, Mozilla, Opera, Apple, and others revoked trust in certificates issued by DigiNotar, and this eventually resulted in DigiNotar closing down for good.
Web browsers are another attack vector that is present on virtually every PC and mobile device. Many users also install a variety of third-party plugins and add-ons – complicating the effort involved in keeping it all up to date. An extensive review of browser security by Qualys found that a majority are running out-of-date versions of commonly targeted tools – like Adobe Flash.
No Such Thing As Perfect
While there are many applications that seem to be full of holes and provide an easy target for malware developers, it is equally important to realize there is no impervious application. Most software comprises tens of thousands, or even millions, of lines of code. Even with secure coding practices and diligence on the part of developers, it is virtually inevitable that a flaw (or many flaws) exists somewhere just waiting to be discovered.
For evidence of the frailty of operating systems and software applications, you don’t need to look any farther than the information security conferences that occur throughout the year. One shining example is the annual Pwn2Own contest at the CanSecWest conference. Security researchers compromise fully patched and updated systems in a matter of seconds – demonstrating that someone with sufficient time and skill can always succeed in finding an exploit.
Don’t Believe the Hype
Zero-day exploits are like the bogeyman of information security. They are scary – in theory – and make for sensational headlines, but the reality is that they aren’t really that insidious.
A recent Microsoft Security Intelligence Report (SIR) drilled down to analyze the flaws and vulnerabilities responsible for the most infections and compromised PCs, and found that zero day exploits barely come into play at all. Kandek stressed in a blog post, “This is not really a surprise as zero days are a much too expensive a component to be included in mass-malware, which tend to use older, well understood vulnerabilities for propagation.”
Of course, the “never say never” principle also comes into play. Soon after Microsoft released that report, two threats equipped with zero-day exploits – Duqu and Beast – were discovered targeting previously unknown vulnerabilities in Microsoft products. The moral is that zero-day flaws pose a very real and credible threat for precision, targeted attacks, but history illustrates that there is little chance of any malware pandemic starting from a zero day.
Batten Down the Hatches
There is no silver bullet for security, and there is no impervious software, but that doesn’t mean that there aren’t things that can be done to improve security and thwart attacks. Microsoft was vigilant in 2011 when it came to taking proactive steps to strengthen security.
With the February Patch Tuesday, Microsoft pushed out an update that changes the behavior of the “AutoRun” feature in Windows to prevent malware infections through USB or network drives. The update was available as an option prior to that, but Microsoft forced the update to mitigate a common attack vector.
Microsoft also built on what it started with the Coordinated Vulnerability Disclosure (CVD) program, and made changes to its vulnerability exploitability index to provide more valuable information. Microsoft separated out the exploitability index for the current version of software like the Windows operating system, and the Internet Explorer Web browser because legacy software is generally less secure and presents a greater risk for organizations.
In December, Microsoft unveiled plans to start silently updating Internet Explorer to the most current version. The move follows in the footsteps of rivals like Google and Mozilla, and will help make the Internet at large more secure by creating an environment where more users have the most up-to-date, most secure browsers possible.
Qualys’ Kandek noted, “Being on the newest possible Internet Explorer (IE8 on Windows XP, IE9 on Vista/Win7) brings a significant increase in security and robustness to malware infections due to better architecture, sandboxing and the included URL filtering feature.”
2011 was a busy year in information security, and 2012 will most likely continue the trend. What is important is for organizations to understand the risks, stay aware of emerging threats and vulnerabilities, and take proactive steps to avoid attacks.