Infosec: One Step Forward, One Step BackAnalyzing IBM's X-Force 2012 Mid-Year Trend and Risk Report
Malicious phishing attacks on organizations utilizing trusted URLs or websites continue to pose greater risks for organizations, says IBM's Rick Miller, who details the attacks and strategies to mitigate them.
Miller, director of IBM Managed Security Services, says that these attacks, specifically targeted e-mail schemes, are one of the primary methods being used today. "You don't have to necessarily find a way to crack the company," Miller says in an interview with Information Security Media Group's Eric Chabrow [transcript below].
"If you can find a way to crack one individual, once you have that access and that person takes their laptop back into the corporate network, then you have a way in and you can start escalating privileges," he says.
Miller pulls his analysis from IBM's recently issued X-Force 2012 Mid-Year Trend and Risk Report.
These attacks ultimately come down to social engineering, Miller explains, and with their evolution and sophistication, these malicious links and e-mails can appear to come from trusted individuals and parties that an organization works with. "Even people who are reasonably security-savvy if not careful could hit one of these links," he says.
To mitigate the risks, organizations need to develop a program that trains individuals on the occurrence of these threats, how to identify what a malicious URL might look like, and encourage them to not click if something "seems wrong," Miller says.
He highlights IBM's efforts, where it's 400,000-plus employees all on a periodic basis need to sit through training that includes information on the type of attack, what can happen and the steps that need to be taken.
In the interview, Miller also discusses:
- The current state of IT security;
- How to prevent prevalent cyberattacks;
- The increase of exploits targeting the Mac operating system.
At IBM, Rick Miller is responsible for business leadership and operations of multiple IBM Security Operations Centers worldwide. His team works with thousands of global customers, manages billions of security events a day and regularly contributes to the X-Force Threat reports.
An early pioneer in managed security services, Miller founded the Internet services company Netrex, a regional Internet service provider during the early days of corporate Internet connectivity. He designed some of the very early customer premise managed security offerings for firewall, scanning and intrusion detection services.
ERIC CHABROW: Please take a few moments to tell us what the IBM X-Force is?
RICK MILLER: The IBM X-Force is our team of cybersecurity researchers who primarily are looking for vulnerabilities in systems. They're collaborating with other such groups around the world, but we also take everything that we've learned through that research, through our managed security services team and the many thousands of devices in over 133 countries and 15 billion events we're getting per day, and we look for trends and patterns in that information. We publish a report twice a year called the X-Force Trend Report that speaks to customers about what the trends are that we're seeing in the security industry.
The State of IT Security
CHABROW: How would you characterize the current state of IT security? What's the difference about 2012 than say 2010 or 2011 when it comes to cybersecurity?
MILLER: There are a couple of broad trends. Number one is you're seeing that the total number of reported vulnerabilities has been decreasing, while at the same time you also see a trend in the industry with very specific, very targeted, very financially motivated or state-sponsored attacks that are not sweeping all customers but are very targeted to each individual customer. We see this as the evolution of what has been happening in terms of some of the more annoying types of problems that happened earlier, the targeted types of attack. The industry uses the term advanced persistent threat, and you can call it that, but a lot of times it's as simple as just finding the lowest common denominator weakness that an individual company has and taking advantage of it.
CHABROW: When you say that the reported vulnerabilities are decreasing, is this because they're not happening or because organizations are able to handle some of these type of problems, and what you're hearing about are the more serious ones that you just made reference to?
MILLER: I think it's a combination of a couple of things. On the positive side, vendors that were being exploited the most for vulnerabilities - because of the popularity of the application or the popularity of the operating system - you're seeing that their programs to shore up the security holes have been working. But I think the second part of that is you have security vulnerabilities that are more valuable, if you will, so I think this is being kept a lot closer to the vest and you're having very well organized organizations in cybercrime that are also doing research into vulnerabilities. When they find things, they're not exactly disclosing those. They're not disclosing what they find because obviously there's a financial gain to be made or some sort of gain to be made by having that information.
Cyber Crime Increasing
CHABROW: Are we seeing an increase in cyber crime or is it just becoming more of an awareness of it?
MILLER: I think you certainly are seeing an increase in cyber crime. It's certainly a hard thing to gauge. I remember seeing a Department of Justice publication a while back that indicated that cybercrime has exceeded physical crime in terms of the dollar value.
CHABROW: The report highlights a number of vulnerabilities organizations and individuals face. Your research shows that there's a continuing trend for attackers to target individuals by directing them to a trusted URL or site that has been injected with malicious code. Our audience is primarily those charged with safeguarding their organizations' IT systems. What can they do to protect their stakeholders, their customers, from such attacks?
MILLER: You've seen that evolution and the sophistication now of these e-mail-based attacks where they want to hit a specific link and download the malware, and these things could end up coming from people you trust in your organization or a party that you work with legitimately, and that's the evolution that has happened with that. Even people who are reasonably security-savvy if not careful could hit one of these links. I think this ultimately comes down to what it has always come down to, which is social engineering, and there has to be programs that really raise the awareness that this goes on, to be very careful about what you're doing, to take a look at that URL and if it just seems wrong, pass it by. For example, IBM, with its 400,000-plus employees around the world, every single employee on a periodic basis has to go through training on the digital IBMer which includes information about this type of attack, what can happen to you and steps that you can take.
CHABROW: Any metrics on how successful that is?
MILLER: No metrics, but we believe it's one of the primary ways that cyber crime is happening right now. You don't have to necessarily find a way to crack the company. If you can find a way to crack one individual, once you have that access and that person takes their laptop back into the corporate network, then you have a way in and you can start escalating privileges, and that's very common.
CHABROW: SQL injections as the means of attack have been around for years. What's different about the SQL injections today versus the past?
MILLER: SQL injections have been around forever. It wasn't really taken advantage of strongly until a couple of years ago. There was always that potential, sort of like mobile devices today. You don't hear a lot about security problems, but it's one of those things that it's there and it's just a matter of time before that catches on and becomes more pervasive. SQL injection today is still a primary way that applications and networks become compromised. Making sure that e-commerce systems are coded correctly and doing application testing on a periodic basis, these are all necessary steps for any company to take to make sure that they're safe from that type of attack.
CHABROW: Are SQL injections being used more than in the past?
MILLER: Yes. We really saw it take off in 2007 and 2008. Prior to that you didn't see it all that often, but it's one of the top three of four ways that a company gets attacked. You look at it sort of like a flu shot. Every so often, you've got to go take a look at your applications and you have got to do some testing against them.
Apple Increasingly a Target
CHABROW: The report shows that the Apple MAC operating system, which has traditionally escaped the aim of hackers, is no longer the case. Why so and what threats do MACs face?
MILLER: Lots of us in the security industry expected this to happen. Prior, it wasn't necessary because the MAC OS had fewer vulnerabilities, but it was simply a business decision. If you're writing software to go break into computers, what are you going to write it for if you have limited resources? You're going to write it for the most popular operating systems or the most popular applications that are pervasively used. You saw a lot of attacks against those types of systems, and not so much against MAC OS which didn't have a lot of market share, but times have changed and Apple has become the company that it has become. You see the MAC OS in terms of its market share rising and to the business opportunity that represents, now you're seeing a lot more exploits being written against vulnerabilities from MAC OS.
CHABROW: Any specific kinds of exploits?
MILLER: I don't think there's anything specific that hasn't been seen before in the Windows world or Linux world if you will, but just things that take advantage of the fact that it's a very popular operating system and a very popular platform.
Upcoming Security Concerns
CHABROW: What's on the horizon in the coming months and years that those charged with securing their company's digital infrastructure should be aware of?
MILLER: There are a couple of areas, including bring-your-own-device, and how you're going to deal with the reality that these things will be used for both personal and business. How do you want to grant access if you want to grant access, and do you want to segment your population with privileged users or not privileged users, all these sorts of things?
Also on the horizon certainly is cloud and virtualization. Whether it's private cloud or public cloud, companies are wrestling with not only the utility and the economic value of such a thing, but also what are the security implications of putting in important processes in the cloud and what are the certifications, assurances and security that are going to be provided in that cloud.
The fact that while security has become a board issue and it's become that way because of a lot of the deep targeted, high-profile and disclosed attacks that have happened, it also has elevated security positions, whether that be the chief information security officer at a company or a type of risk officer. It's true that in surveys that we've conducted, only about half of the companies have this position, and those who have such a position, to a large degree, most of the people who are in that position have only held the position for a year or less. Sometimes these people can come from more physical security environments.
There's certainly finite resources and how to implement those resources in the most effective way to not completely eliminate the risk - because nobody can do that - but know which things you can focus on to reduce your risk most effectively.