Inside the perimeter

When Hollywood finally latches onto a technological innovation it's usually a pretty good sign that the idea itself is no longer new - that it is, at least in practical terms, more likely to be on the decline. The fact that Harrison Ford is starring in a movie called Firewall should send a message to IT managers everywhere that the age of perimeter protection is coming to an end. The perimeter will still need to be patrolled, of course, but firewalls are not cutting-edge technology anymore; they are routine. And today's cybercriminals - well-organized, well resourced and ruthlessly profit driven - routinely circumvent them.

Over the last few years AusCert general manager Graham Ingram has noticed a general shift from random hacking and other "ad hoc attacks" to work that bears the hallmarks of organized crime.

"The nature of cybercrime is changing," Ingram says. "In the past, hackers would break into your system for kudos or bragging rights among other hackers. Today, attacks are all about profit. Illicit financial gain is probably the number-one issue on the Internet at the moment."

Servers are no longer attackers' first choice. These days, it is a company's client computers that tend to be the target of attacks. Today's sophisticated attack code is mobile and modular, and it targets PCs using spam, Web sites and a range of other mechanisms. Malicious code in Web sites, for instance, attacks vulnerable browsers instantly. Once code like this gets onto a client machine, attackers are able to use that client as a launchpad for a range of other nefarious activities.

"First, they'll profile that machine and conduct reconnaissance," Ingram says. "If it's a home machine, it could be on an ADSL line and could then be used as a spam relay or hosting site. If it's on a corporate network [attackers] are going to find their way to where the file servers are, and learn what sort of usage there is, look for corporate applications and find user IDs and passwords."

Most corporate defences are all about stopping attacks at the perimeter. Defending against client attacks on the network is difficult because they are launched from inside that perimeter.

"For years IT security has been trying to prevent people getting through the firewall, but if an activity is initiated internally on the network then that is a legitimate connection for all intents and purposes," Ingram says.

"Social engineering is now a really significant part of the attack process. It's no longer hackers like Kevin Mitnick calling up someone at the company and convincing them to give him their password. Today it is an e-mail that looks like a legitimate message from a company that you know and trust."

A lot of businesses have developed a dependency on the Internet and they are now exposed by that dependency. According to Ingram, this also means that IT managers have a large challenge ahead of them. "I'm not sure a lot of network administrators realize the capability of this code, and a lot of them probably haven't experienced it before," Ingram says. "The environment has changed so much that our whole view of how we defend against it needs to change as well."

Meanwhile, the stream of new malicious code continues to flow unabated. According to a recent report from the Computer Emergency Response Team in the US, when the recent Microsoft Windows Metafile (WMF) vulnerability was found in January, some 57 worm variants appeared almost immediately.

"It's quite clear that the bad guys jump on IT vulnerabilities quickly," Ingram says.

"Now that the blood is in the water the shark isn't going to leave. The days when you had six months between a vulnerability and somebody working out a worm are gone. We're getting very close to vulnerability today, exploit tomorrow and hacked the next day. And for most enterprises that's a hideously short lifecycle to be working in."

Join the newsletter!

Error: Please check your email address.

More about AusCertBMW Group AustraliaComputer Emergency Response TeamEdge TechnologyExposureFrost & Sullivan (Aust)IPSMicrosoftNetwork BoxVIA

Show Comments

Market Place