Cisco, Verizon Business and SonicWall have all released their predictions on the top security threats of the next 12 months. Here are the vendors' top threats to look out for.
Verizon Business, in its Data Breach Investigation Supplemental Report, has fingered RAM scraping as a threat to watch out for in 2010. RAM scrapers are a fairly new form of malware designed to capture data from a system's memory and produce a formatted output file for the attacker.
By using a RAM scraper to harvest card numbers and then bundling them by issuing country and card type, attackers can sell the data as a batch on the information black market, according to the company.
Mark Goudie, principal of the forensics practice at Verizon Business Asia Pacific, said that from an attacker's point of view RAM scrapers avoid having to deal with encrypted data, because data is processed unencrypted in memory.
“Many standards, such as the PCI-DSS, have mandated that protected data should be encrypted at rest or when transmitted across open, public networks,” he said. “When data is processed by a system it is unencrypted, and the RAM scrapers dump memory into a file to search for the interesting data, therefore bypassing encryption of data at rest and across the network. In essence, the attackers have responded to the increased security requirements of encrypted data by attacking the next 'weak point' - system memory.”
Goudie said a RAM scraper is typically very hard to defend against as it is often custom written software and therefore undetectable by anti-virus software.
“This is true, but when you look at how the RAM scraper came to be on the system in the first place you can see many security failings occurring before the malware was even executed,” he said. “Typically there are MANY security failures necessary for an attacker to plant the RAM scraper, capture data and then escape with the stolen data.”
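The core of what Goudie describes, a scan of raw process memory for card numbers that would never appear in clear text on disk or on the wire, is small enough to show in full. The following is an added example written for this page, not code from Verizon's report or from any real scraper: it walks a constructed byte buffer standing in for a dump of a payment process, pulls out 13 to 19 digit runs and keeps those that pass the Luhn mod-10 check, which is how such tools separate PANs from order numbers and asset tags. The same logic, run by a defender against a POS process, is a useful check for whether card data is sitting unencrypted in memory. The sample buffer is constructed, and the card numbers in it are the usual industry test numbers, not real accounts.

```python
import re

# Constructed stand-in for a memory dump of a POS process after it has decrypted
# a transaction. The card numbers are standard test numbers, not real accounts.
SAMPLE_MEMORY = (
    b"\x00\x00HTTP/1.1 200 OK\r\n"
    b"pan=4111111111111111&exp=1012&name=TEST CARDHOLDER\x00\x00"
    b"\xff\xfe serial 1234567890123456 is an asset tag, not a card\x00"
    b"%B5555555555554444^DOE/JANE^1012101?\x00\x00\x00"
    b"order_id=98765432109876543210\x00"
)

# A run of 13-19 ASCII digits with no digit on either side (so a 20-digit
# order id is not chopped into a plausible-looking 19-digit candidate).
DIGIT_RUN = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True when the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(memory: bytes) -> list:
    """Scan a raw buffer and return (offset, pan) for every Luhn-valid digit run."""
    hits = []
    for m in DIGIT_RUN.finditer(memory):
        candidate = m.group(1).decode("ascii")
        if luhn_ok(candidate):
            hits.append((m.start(1), candidate))
    return hits


def mask(pan: str) -> str:
    """Keep the first six and last four digits, as a defender's report would."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


if __name__ == "__main__":
    for offset, pan in find_pans(SAMPLE_MEMORY):
        print(f"offset {offset:5d}: {mask(pan)}")
```

Note what the digit-run filter alone would not do: the 16-digit asset tag and the 20-digit order id are both dropped, the first by Luhn and the second by the length bound, while the PAN embedded in magnetic-stripe track data (`%B...^`) is still found because only the digits are matched.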
SQL injection
A popular technique in 2009, SQL injection will continue in 2010 to exploit weaknesses in web pages in order to gather information from back-end databases, Goudie said.
According to Goudie, SQL Injection is an attack technique that is used to exploit how web pages communicate with back-end databases. An attacker can issue commands in the form of specially crafted SQL statements to a database using input fields on a website.
“This is a great way to bypass database security systems as the web server must have credentials to communicate with the database, so the attacker is using an authorised account to communicate with the database server,” he said. “SQL Injection has three main uses: 1) query data from the database, 2) modify data within the database, and 3) cause the server to download malware from remote sites. The versatility and effectiveness of SQL Injection make it a multi-tool of choice among cyber criminals.”
Goudie says SQL injection is reasonably easy to prevent, but it is often overlooked because of a lack of knowledge on the part of the web developer, or a lack of thorough testing in the interest of getting a new release out to market.
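To make the two points above concrete, the vulnerable pattern and the fix Goudie calls "reasonably easy" side by side, here is an added example in Python against an in-memory SQLite table. It is not code from Verizon or from any application mentioned on the page; the table, the rows and the payloads are constructed for illustration. The first lookup splices user input into the SQL text, so a crafted input both bypasses the `WHERE` clause (returning every customer) and, with a `UNION`, reads from a different table entirely (the schema catalogue), which is the "query data from the database" use in the quote. The second lookup keeps the statement fixed and binds the value as a parameter, so the same payloads are just email addresses that match nothing.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory table standing in for a web application's customer database (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, pan_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers (email, pan_last4) VALUES (?, ?)",
        [("alice@example.com", "1111"), ("bob@example.com", "4444"), ("carol@example.com", "0005")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """The 'before': user input becomes part of the SQL text, so it can rewrite the statement."""
    sql = "SELECT email, pan_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn: sqlite3.Connection, email: str) -> list:
    """The fix: the statement is constant and the value travels separately as a bound parameter."""
    return conn.execute(
        "SELECT email, pan_last4 FROM customers WHERE email = ?", (email,)
    ).fetchall()


# Constructed attacker inputs. The first makes the WHERE clause always true; the
# second appends a UNION that reads table definitions out of SQLite's catalogue.
BYPASS_PAYLOAD = "x' OR '1'='1"
UNION_PAYLOAD = "x' UNION SELECT name, sql FROM sqlite_master WHERE type='table' --"


def demo() -> dict:
    """Run both payloads through both lookups and return the row counts / rows seen."""
    conn = build_db()
    return {
        "vuln_bypass_rows": len(lookup_vulnerable(conn, BYPASS_PAYLOAD)),
        "vuln_union_rows": lookup_vulnerable(conn, UNION_PAYLOAD),
        "safe_bypass_rows": len(lookup_parameterised(conn, BYPASS_PAYLOAD)),
        "safe_union_rows": len(lookup_parameterised(conn, UNION_PAYLOAD)),
        "safe_normal": lookup_parameterised(conn, "bob@example.com"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The parameterised version needs no input filtering to be safe: the quote characters in the payload are delivered to the engine as data, never parsed as SQL. That is also why it is the check to apply in review, rather than looking for escaping code around each query.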
Abuse of system access/privileges
With uncertainty in the employment market, disgruntled or retrenched employees may use the privileges granted to them to abuse resources or systems, says Goudie.
“Many of our recent cases have involved former employees that were terminated due to a business downturn as a result of the GFC,” he says. “The terminated employees were permitted to work out their notice period and stole corporate data to ‘ensure their financial future’. In one case a former employee did not return their remote access token and the company had not terminated his VPN account. It was found that he was logging in and data mining the company's new research and handing it to his new employer. He was arrested within hours of this discovery.”
Goudie says pre-employment screening, and not hiring known felons or those shown to be untrustworthy during the screening process, will greatly assist in preventing this type of attack.
“Adhering to principles of least privilege to minimise data loss and separation/rotation of duties makes it hard for the data thief to go undetected for long periods of time,” he says. “The typical profile is a hard working person that works alone and does not take very much leave. Probably the most valuable preventer for this type of attack is good employee termination procedures that immediately remove access to sensitive data when an employee is terminated. Data Loss Prevention tools and egress filtering are also valuable in preventing or detecting this type of attack.”
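The VPN case above is a failure of exactly the termination procedure Goudie recommends, and it is detectable with a routine reconciliation between the HR system and the remote-access gateway. The following is an added example written for this page, not a Verizon tool: it joins a constructed HR feed against a constructed export of VPN accounts and flags accounts whose owner has been terminated, distinguishing those that are merely still enabled from those that have actually been used after the termination date, plus accounts with no HR owner at all, which should be verified as approved service accounts. Field names, employee ids and dates are all invented.

```python
from datetime import date

# Constructed HR feed: one record per employee, termination date set once they leave.
HR_FEED = [
    {"id": "e1001", "name": "A. Nguyen", "status": "active", "terminated": None},
    {"id": "e1002", "name": "B. Okafor", "status": "terminated", "terminated": date(2009, 11, 30)},
    {"id": "e1003", "name": "C. Weiss", "status": "terminated", "terminated": date(2009, 12, 4)},
    {"id": "e1004", "name": "D. Silva", "status": "active", "terminated": None},
]

# Constructed export from the VPN gateway: account, assigned token, state, last login.
VPN_ACCOUNTS = [
    {"user": "e1001", "token": "T-0001", "enabled": True, "last_login": date(2009, 12, 7)},
    {"user": "e1002", "token": "T-0002", "enabled": True, "last_login": date(2009, 12, 6)},
    {"user": "e1003", "token": "T-0003", "enabled": False, "last_login": date(2009, 12, 1)},
    {"user": "e1004", "token": "T-0004", "enabled": True, "last_login": date(2009, 11, 2)},
    {"user": "svc-backup", "token": "T-0099", "enabled": True, "last_login": date(2009, 12, 7)},
]


def reconcile(hr: list, vpn: list) -> list:
    """Return (account, finding) pairs for VPN accounts that should not be live.

    Findings, in order of urgency:
      used after termination - enabled, and a login is recorded after the HR leave date
      still enabled          - enabled although the owner is terminated, no login seen yet
      no HR owner            - no matching HR record; confirm it is an approved service account
    """
    hr_by_id = {emp["id"]: emp for emp in hr}
    findings = []
    for acct in vpn:
        emp = hr_by_id.get(acct["user"])
        if emp is None:
            findings.append((acct["user"], "no HR owner"))
            continue
        if emp["status"] != "terminated" or not acct["enabled"]:
            continue  # active owner, or already disabled: nothing to do here
        if acct["last_login"] is not None and acct["last_login"] > emp["terminated"]:
            findings.append((acct["user"], "used after termination"))
        else:
            findings.append((acct["user"], "still enabled"))
    return findings


if __name__ == "__main__":
    for user, issue in reconcile(HR_FEED, VPN_ACCOUNTS):
        print(f"{user}: {issue}")
```

Run daily, the "used after termination" finding is the one that turns an unreturned token into an incident within a day rather than after the research has already changed hands; the other two are hygiene items for the next access review.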
Over the page, social media threats, Christmas scams, smishing, and vishing