Welcome Back, Breach Report Faithful.
Sorry to say, despite my best efforts, it’s still a world chock full o’ FUD as it relates to IT security and data protection. Below is a brief respite from your FUD so you can soak up and, hopefully, learn from the FUD of others. Enjoy. -ME
Malware, Malware… Everywhere
The Q3 McAfee Threat Report states, “average daily malware growth has reached its highest levels, with an average of 60,000 new pieces of malware identified per day, almost quadrupling since 2007.”
Sources: PCWorld article; full McAfee report (PDF)
What You Can Do With This
Take heed of recent reports (Symantec, Imperva, McAfee, etc.) that describe astounding average daily malware growth, and accept that it is only going to get worse. That said, focus on what you can control: finding malware faster, with a solution that can identify complex patterns of behavior and correlate anomalous events with file or system changes.
Note the word “identified” in the PCWorld story. Signature-based detection, while a vital component of any defense-in-depth strategy, only catches what can be identified by or attributed to a signature; a sample nobody has analyzed yet has no signature to match, and the 60,000-a-day figure counts only the ones that did get identified.
Gain greater visibility into true threats
Without the ability to see threat behaviors in action and correlate that series of events in near-real time against any change in data or system integrity, you’re only finding what attackers want you to find. In today’s world of 0-days and stolen or forged code-signing certificates, it’s a smart play to augment signature-based detection with a more behavioral approach: watch what a process does (drops a driver, registers a service, phones home) and tie those actions to the integrity changes they leave behind.
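As an added example (not code from the original post and not any vendor’s product), here is a small Python correlator that illustrates the difference between the two approaches. It parses constructed endpoint event lines, runs a hash-based signature check, and then correlates per-process behaviors (unsigned binary from a user-writable path, new file under System32, service registration, outbound connection) inside a time window. The log format, hostnames, paths, hashes and addresses are all assumed for illustration; a real integrity-monitoring or EDR feed would look different.

```python
"""Behavioral correlation vs. signature matching over constructed endpoint events.

Added example for illustration only. The log format and every value in
SAMPLE_LOG (hosts, paths, hashes, addresses) are constructed, not real data.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample feed. Assumed format: "<ISO ts> <host> <EVENT_KIND> k=v k=v ...".
# pid 4120 is a dropper whose hash is NOT in the signature database; pid 5001 is benign.
SAMPLE_LOG = r"""
2010-12-06T09:00:01 ws-17 PROCESS_START pid=4120 image=C:\Users\bob\AppData\Local\Temp\upd.exe signed=no hash=ab12
2010-12-06T09:00:03 ws-17 FILE_CHANGE pid=4120 path=C:\Windows\System32\drivers\netfilt.sys action=created
2010-12-06T09:00:05 ws-17 REGISTRY_CHANGE pid=4120 key=HKLM\SYSTEM\CurrentControlSet\Services\netfilt action=created
2010-12-06T09:00:09 ws-17 NET_CONNECT pid=4120 dst=203.0.113.44:443
2010-12-06T09:15:00 ws-17 PROCESS_START pid=5001 image=C:\Windows\System32\notepad.exe signed=yes hash=cd34
2010-12-06T09:15:02 ws-17 FILE_CHANGE pid=5001 path=C:\Users\bob\Documents\notes.txt action=modified
"""

# Constructed "signature database": hashes already identified as malicious.
KNOWN_BAD_HASHES = {"ff99", "0bad"}

PROTECTED_DIR = "c:\\windows\\system32\\"
SERVICES_KEY = "hklm\\system\\currentcontrolset\\services"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str
    attrs: dict


def parse_log(text):
    """Parse the assumed line format into Event records; skips blank/malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, host, kind, rest = m.groups()
        attrs = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
        events.append(Event(datetime.fromisoformat(ts), host, kind, attrs))
    return events


def signature_hits(events):
    """Signature-only view: pids whose image hash is already known bad."""
    return [e.attrs["pid"] for e in events
            if e.kind == "PROCESS_START" and e.attrs.get("hash") in KNOWN_BAD_HASHES]


def correlate(events, window=timedelta(seconds=60)):
    """Per process, collect behavioral indicators seen within `window` of its start."""
    starts = {e.attrs["pid"]: e for e in events if e.kind == "PROCESS_START"}
    findings = {}
    for pid, start in starts.items():
        indicators = []
        image = start.attrs.get("image", "").lower()
        if start.attrs.get("signed") == "no" and ("\\temp\\" in image or "\\appdata\\" in image):
            indicators.append("unsigned binary launched from user-writable path")
        for e in events:
            if e.attrs.get("pid") != pid or not (start.ts <= e.ts <= start.ts + window):
                continue
            if (e.kind == "FILE_CHANGE" and e.attrs.get("action") == "created"
                    and e.attrs.get("path", "").lower().startswith(PROTECTED_DIR)):
                indicators.append("new file created in protected system directory")
            elif e.kind == "REGISTRY_CHANGE" and e.attrs.get("key", "").lower().startswith(SERVICES_KEY):
                indicators.append("service registered")
            elif e.kind == "NET_CONNECT":
                indicators.append("outbound connection to " + e.attrs.get("dst", "?"))
        findings[pid] = indicators
    return findings


def behavioral_alerts(events, threshold=3):
    """Flag processes whose correlated indicator count reaches the threshold."""
    return {pid: ind for pid, ind in correlate(events).items() if len(ind) >= threshold}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("signature hits:", signature_hits(evs))        # [] -- nothing identified yet
    for pid, ind in behavioral_alerts(evs).items():
        print(f"behavioral alert pid={pid}:")
        for i in ind:
            print("  -", i)
```

Run as written, the signature check returns nothing because the dropper’s hash has never been identified, while the correlator flags pid 4120 on four indicators and leaves notepad (pid 5001) alone. The threshold and the 60-second window are tuning knobs; in practice you would weight indicators rather than count them, and the “protected directory” and “services key” lists come from your integrity baseline.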
Just when you thought Stuxnet was old news…
From the Internet Storm Center: Continuing analysis of the Stuxnet worm by Symantec suggests that it may have been created with the intent of sabotaging Iranian uranium enrichment efforts. The worm appears to target industrial systems that control certain frequency converter drives for high-speed motors, like those used to spin gas centrifuges. In particular, it targets drives with outputs of 600 Hz and greater.
Another great article from Computerworld: New Stuxnet clues suggest sabotage of Iran’s uranium enrichment program
A few eyebrow-raising quotes in the NY Times “The Great Cyberheist” homage to Albert Gonzalez and his crew
The New York Times recently dug into the Albert Gonzalez case. Much of it most of you can probably recite in your sleep, but beyond the deeper technical coverage of war driving, SQL injection and the intricacies of a cybercrime operation, here are two passages that should keep all of us at a high threat posture for the foreseeable future.
On how fast a breach can happen:
(Gonzalez co-conspirator, Patrick) Toey: “Within 10 minutes we were on (Forever 21) computers and were able to execute commands freely. From there we leveraged access until we were the domain administrators. Then I passed it over to Albert.”
On how little we still know about the true impact of Gonzalez’s efforts:
“The majority of the stuff I hacked was never brought into public light,” Toey told NYT. One of the imprisoned hackers told the newspaper there “were major chains and big hacks that would dwarf TJX. I’m just waiting for them to indict us for the rest of them.”
A short love affair: Wikileaks + Amazon/WikiLeaks – Amazon
Unless you’ve been living under a server farm of late, you know that WikiLeaks leaked, people reacted, the site got hit with repeated Distributed Denial of Service (DDoS) attacks, Amazon rode in to save the day white knight-style and then did an abrupt about-face. Then, on Dec. 3, Dynamic Network Services’ subsidiary, EveryDNS.net, terminated the Wikileaks.org domain name because of those repeated DDoS attacks. All this in less than a week.
Here’s a great recap from Daily Tech’s Jason Mick on Amazon’s ‘about-face’ on storing WikiLeaks content via its Elastic Compute Cloud (EC2) service:
Why Amazon in the first place? DDoS attacks typically knock sites off the Internet unless they have strong countermeasures in place or a ton of bandwidth available. Wikileaks has neither, but reportedly EC2 allows companies to pay for their usage as it mounts up, rather than upfront.
The shocker here for me wasn’t so much the wacky Wiki goat rodeo over such a short period of time or even the reported reason for Amazon’s sudden change of heart. It was an organization going TO the cloud for better system and data security and protection from attacks. The times they are a’ changed.
And… until next time:
An “anatomy of an attack” video from Sophos that captures threats and cybercriminal behavior patterns very well.
Happy Holidays if you don’t hear from me before. In the spirit of giving – Keep giving me feedback, stories and the occasional hard time. You can find me on Twitter here: http://www.twitter.com/MarkAEvertz