New frontiers in the information security arms race

The growing complexity of malware and the bring-your-own-device (BYOD) trend demand new ways of thinking from those responsible for securing corporate information and networks.
2 January 2013
Photo: Karolina Komendera. Endpoint protection is top of mind for South African organisations at the moment, says Andrew Potgieter, business unit manager at Westcon Security.

South Africa’s information security market is seeing a surge in activity as local companies struggle to come to grips with the challenges of consumerisation of IT, the advent of new information privacy laws and regulations, and the changing nature of the threats they face from malware and hackers.

Vendors and systems integrators working in this space highlight the advent of sophisticated new threats like W32.Flamer, the looming introduction of legislation such as the Protection of Personal Information (POPI) Bill, and the proliferation of personally owned mobile devices as the major reasons for investment in information security among South African organisations.

A changing regulatory environment is spurring industries that were once lax about information security into action, says Samresh Ramjith, GM for technology and operations at Dimension Data Security. POPI and the Payment Card Industry Data Security Standard (PCI DSS), for example, are prompting retailers and other organisations that manage consumer data to become as serious about data protection as banks and the public sector.

With trends such as mobility and the cloud bringing new threats and opportunities to bear on the market, the IT department’s focus should no longer be on building and maintaining defensible perimeters, says Ramjith. The role that information security should play within the organisation should shift from reactive protector to proactive enabler of new ways of doing business, he says.

Endpoint protection is top of mind for South African organisations, judging from the requests for proposals in the market at the moment, says Andrew Potgieter, business unit manager at Westcon Security. It’s not just antivirus software that companies are asking for, but also data leak prevention (DLP), data encryption, and secure connectivity back to the corporate infrastructure.


One of the major challenges enterprises face is that, even after years of consolidation, no single vendor has all of the functionality needed to secure an enterprise's information systems and networks, says Potgieter. At best, a single vendor can provide 80 percent of the features and tools an organisation needs to secure its environment.

The surge in information security activity comes at a time when the nature of the information security threats is evolving. The petty, random attacks of the past haven’t disappeared – if anything, they have become more numerous. But security researchers point to a rise in the number of attacks that appear to be more precise and sinister acts of theft, espionage and vandalism as a trend that enterprises need to watch.

Attackers today are extremely organised, skilled and well-funded, says F5 senior systems engineer Martin Walshaw. The attacks are often multi-layered and constant, deliberately targeting customer data, intellectual property and other sensitive information.

One major shift is the rise in targeted attacks on organisations. Although most malware incidents are still random, drive-by attacks, the proportion of targeted attacks is rising steadily each year, says David Emm, senior security researcher at Kaspersky Lab UK. Targeted attacks use social engineering and customised malware to gain unauthorised access to sensitive information.

These advanced attacks traditionally focused on the public sector and government, but this pattern started to change last year, says Gordon Love, Symantec's regional director for Africa. The 2011 Symantec Internet Security Threat Report found that nearly 20 percent of targeted attacks were directed at small to medium enterprises. No one with anything of value on an online system is safe.

Multiplying malware

According to the Symantec report, the number of unique malware variants Symantec is aware of reached 403 million in 2011, while the number of attacks the company blocks per day increased 36 percent compared to the previous year. One reason for the explosion in the number of malware variants is the free availability of online development kits that allow programmers without any high-end skills to create their own malware, says Love.

But it's not only the number of malware variants that is growing, but also their complexity. Bots, for example, are polymorphic in nature and mimic normal application and traffic patterns, making it difficult for traditional signature-based solutions to combat them, says Doros Hadjizenonos, sales manager for South Africa at Check Point. Bots are designed to be stealthy, so many companies aren't aware that their networks have been infected, and security teams often lack proper visibility.
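Where signatures fail against polymorphic bots, the visibility Hadjizenonos mentions usually has to come from behaviour instead. As an added example that is not part of the original article or any vendor's product, the script below looks for one such behaviour in a handful of constructed proxy log lines: a host contacting the same destination at an almost constant interval (command-and-control "beaconing"). The log format (timestamp, source host, destination), the host and domain names, and the thresholds `min_hits` and `max_cv` are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log lines (timestamp, source host, destination).
# Made up for this example; not real traffic and not from the article.
SAMPLE_LOG = [
    # ws01: a person browsing, irregular gaps between requests
    "2012-11-05T09:00:00 ws01 cdn.example.net",
    "2012-11-05T09:00:07 ws01 cdn.example.net",
    "2012-11-05T09:00:09 ws01 cdn.example.net",
    "2012-11-05T09:05:00 ws01 cdn.example.net",
    "2012-11-05T09:21:13 ws01 cdn.example.net",
    "2012-11-05T09:21:14 ws01 cdn.example.net",
    "2012-11-05T09:48:02 ws01 cdn.example.net",
    # ws02: a bot checking in with its controller about once a minute
    "2012-11-05T09:00:00 ws02 update-check.example.org",
    "2012-11-05T09:01:00 ws02 update-check.example.org",
    "2012-11-05T09:02:01 ws02 update-check.example.org",
    "2012-11-05T09:03:00 ws02 update-check.example.org",
    "2012-11-05T09:04:02 ws02 update-check.example.org",
    "2012-11-05T09:05:00 ws02 update-check.example.org",
    "2012-11-05T09:06:01 ws02 update-check.example.org",
    "2012-11-05T09:07:00 ws02 update-check.example.org",
    # ws03: too few requests to say anything
    "2012-11-05T09:00:00 ws03 mail.example.com",
    "2012-11-05T09:01:00 ws03 mail.example.com",
]


def parse_line(line):
    """Split one log line into (timestamp, source host, destination)."""
    ts, src, dst = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), src, dst


def find_beacons(lines, min_hits=6, max_cv=0.1):
    """Flag (source, destination) pairs whose request intervals are suspiciously regular.

    For each pair with at least `min_hits` requests, compute the gaps between
    consecutive requests and their coefficient of variation (std / mean).
    A low CV means the host is calling home on a timer rather than a human
    clicking around. Thresholds are assumed values for the example.
    Returns {(src, dst): {"hits": n, "period_s": mean gap, "cv": cv}}.
    """
    by_pair = defaultdict(list)
    for line in lines:
        ts, src, dst = parse_line(line)
        by_pair[(src, dst)].append(ts)

    flagged = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            flagged[pair] = {"hits": len(times), "period_s": round(avg, 1), "cv": round(cv, 3)}
    return flagged


if __name__ == "__main__":
    for (src, dst), info in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {info['hits']} hits every ~{info['period_s']}s (cv={info['cv']})")
```

The check is deliberately simple: bots that add random jitter to their check-in interval, or that hide inside a destination the host legitimately talks to all day, raise the CV and slip past a fixed threshold, so in practice this is one signal among several rather than a verdict on its own.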

One threat in particular – called Flame – has prompted a rethink of information security among many enterprises around the world. The discovery of Flame – detected mostly in Iran and certain areas in the Middle East and Eastern Europe – shows how high the stakes are growing in the global information security market.

Flame is special for a number of reasons: the sophisticated way it uses multiple components to conceal its malicious functionality; the fact that it seems to have been developed by a nation-state for purposes of espionage (commentators speculate that Israel, the US or China might be responsible); and its apparently precise targeting.

Flame is at least as complex as Stuxnet and Duqu, arguably the two most complex pieces of malware analysed to date, according to researchers from Symantec. Where Stuxnet was designed to sabotage industrial processes, the primary function of Flame is to obtain data. It has the ability to steal documents, take screenshots and even record audio, such as a VoIP call.

The malware spreads via removable drives and over local networks, and it disables installed security products. Kaspersky reckons the malware had been out in the wild for at least two years before its detection in April 2012. Although most businesses are not the apparent targets for Flame, the frightening thought for enterprises is that malware authors could reverse-engineer the program and make use of its techniques for routine fraud and information theft.

The information security industry needs to take a page from the medical sector’s book and share information more freely, says Hadjizenonos. With malware such as botnets growing in sophistication, companies should share information about new threats as soon as they are identified to stop them from spreading.

Organisations need to look at security in a three-dimensional manner that incorporates people, policy and enforcement, adds Hadjizenonos. One important aspect of this lies in end-user education. Information security policies should be set out in plain language so that end users understand the potential risks of losing a mobile device or clicking on a link.

Modern warfare

The growing use of mobile devices in enterprise workforces and the move to the cloud have opened up a new front in the arms race between enterprises and those that would attack their information and networks.

Jeremy Matthews, country manager at Panda Security, says the traditional concept of the enterprise network is obsolete, with the move to the cloud, the rise of mobility and a proliferation of peripherals and storage media. But many organisations still have an old-school mindset when it comes to how they structure the business in terms of security.

“We are shifting to the individual as the perimeter,” says Kaspersky’s Emm. “The user could be accessing the network from home or the airport. That has implications. You need follow-me security that goes with the individual.”

In the past, CIOs knew where their information and network perimeters were, but today, the perimeter and the information could be anywhere that the end user is, says Joe Ruthven, security sales leader for IBM Middle East and Africa.

That means organisations need to take a more multidimensional approach to security than they did in the past. Protecting the traditional perimeter is no longer enough – organisations need to pay more attention to end-user access control, data protection and application security, he adds.

The web application is one area to which organisations should be paying more attention – it is the open door in the perimeter for hackers, says Ruthven. “The majority of breaches we have seen in recent years were application breaches using simple techniques like changing URL redirects,” he says. “This is very simple to fix – we have known how to do this for seven or eight years.”
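To make Ruthven's point concrete, here is an added example (written for this page, not IBM's code or any vendor's) of the kind of redirect weakness he refers to: a login handler that sends the user wherever a `next` parameter says, beside a hardened version that only allows redirects back to the application's own origin. The host name `app.example.com`, the parameter name `next` and the function names are assumptions for the example.

```python
from urllib.parse import urlparse, urljoin

# Assumed application host for this example (not from the article).
APP_HOST = "app.example.com"


def vulnerable_redirect_target(next_param: str) -> str:
    """The 'before': the value of ?next= is used as the Location header as-is.

    An attacker can mail out a link such as
    https://app.example.com/login?next=https://evil.example/ and the
    application will bounce a freshly authenticated user to the attacker's
    site (an open redirect), which is ideal for phishing.
    """
    return next_param


def safe_redirect_target(next_param: str, default: str = "/") -> str:
    """The 'after': only allow redirects to our own origin.

    Anything that does not pass every check falls back to `default`.
    """
    if not next_param:
        return default
    # Browsers strip tabs and newlines before parsing, so "/\t/evil.example"
    # would become "//evil.example". Reject control characters outright.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in next_param):
        return default
    candidate = next_param.strip()
    # Protocol-relative URLs ("//evil.example") and the backslash variants some
    # browsers normalise to "//" are not same-origin paths.
    if candidate.startswith(("//", "/\\", "\\")):
        return default
    parsed = urlparse(candidate)
    if parsed.scheme or parsed.netloc:
        # Absolute URL: accept only an exact match on scheme and host. This also
        # rejects "https://app.example.com@evil.example/", whose netloc is
        # "app.example.com@evil.example", and "javascript:" URLs.
        if parsed.scheme == "https" and parsed.netloc == APP_HOST:
            return candidate
        return default
    # Relative reference: must be an absolute path on this origin.
    if not parsed.path.startswith("/"):
        return default
    # Resolve against our own origin and re-check the host as a final guard.
    resolved = urlparse(urljoin(f"https://{APP_HOST}/", candidate))
    if resolved.netloc != APP_HOST:
        return default
    return candidate


if __name__ == "__main__":
    for value in ["/account", "//evil.example/", "https://app.example.com@evil.example/",
                  "javascript:alert(1)", "https://app.example.com/dashboard"]:
        print(f"{value!r:45} vulnerable -> {vulnerable_redirect_target(value)!r:45} "
              f"safe -> {safe_redirect_target(value)!r}")
```

The hardened version uses an exact allow-list rather than a deny-list of bad prefixes; the extra control-character and backslash checks exist because browsers normalise URLs more liberally than `urlparse` does, and the gap between the two is where most bypasses of "simple" redirect fixes live.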

Unsurprisingly, with tablets and smartphones accounting for a growing proportion of network and internet traffic, these devices are becoming an attractive target for malware authors and hackers.

According to Symantec, mobile vulnerabilities increased by 93 percent in 2011, with a strong rise in threats targeting the Android operating system. Android, as a relatively open platform, makes it easier for developers, including malware writers, to write and distribute applications, than does the closed Apple iOS ecosystem.

User experience

There is no shortage of tools to protect information on end-user devices – including encryption, antivirus suites, URL filtering tools, and more – but the challenge lies in implementing security in a manner that is as user-friendly as possible, says Walshaw.

Although the technologies to manage mobile devices in BYOD environments are maturing, they are far from foolproof, says Jeff Fletcher, co-owner of three6five. One particular challenge lies in the fact that Microsoft access control technologies don’t play well with mobile platforms like iOS and Android.

And given the rapid evolution of the smartphone market, CIOs have little visibility into which platforms will be popular among their workforces in two or three years' time. One way that enterprises could manage this uncertainty is to start thinking about network security in the same way as ISPs do, says Fletcher.

ISP networks are suspicious of everyone, while enterprise networks come from the angle of trusting devices on the networks, he adds. But enterprise networks will need to start treating all devices and traffic with as much distrust as ISP networks do to keep ahead of emerging threats in a BYOD world.

“You monitor the device and start blocking it as soon as it looks like it could cause problems,” says Fletcher. “We may have different levels of trust for different devices accessing the corporate network. For an iPad, for example, we may require two layers of authentication.”

Next-gen firewalls

One of the major growth areas in information security is the next-generation firewall, a high-performance network appliance designed to stop threats before they reach the network. Such appliances are designed to scan network traffic for threats using deep-packet inspection, and to do so without becoming a bottleneck in network performance.

These firewalls are meant to be able to inspect any form of traffic that can pass into the network, from any device or source, including smartphones, tablets, the cloud, the web and even via a virtual private network (VPN). Next-generation firewalls are able to screen all levels of content from web applications, websites and e-mail, including text, images, banner ads, clickable links, audio or video files, to determine whether it is safe.

“Today, it’s not the network that is being attacked, but the application,” says Walshaw. Old-school firewalls are not up to the challenges of defending corporate networks from sophisticated new attacks, he adds. As a result, organisations are beginning to look at implementing next-generation XML and application-aware firewalls.

With data throughputs growing, organisations are beginning to recognise the importance of next-generation firewalls that are able to efficiently scan voice, video and other protocols for threats, says Potgieter. Although the number of threats entering the network through VoIP and video traffic is still small, it is growing exponentially, he adds. Organisations need to look beyond traditional perimeter protection to stay ahead of the trend.