How the security threat landscape will evolve this year

Where 2012 was a period of great innovation amongst cybercriminals and hackers – many of whom keenly develop new and hybridized attack vectors that build on a constantly expanding range of extensible code environments seen running on Windows and Apple Mac platforms – 2013 is likely to go down in the darkware IT history books as a period of consolidation.

This trend will be driven, we predict, by the not inconsiderable fact that the incredible volume of new security threats seen over the last 12 months will push many of the so-called legacy threats out of the first tier of the attack tables that many IT security applications automatically load into memory.

But 2013 will also, we believe, be marked as a period of adaptive security threats, driven by the continual development of five key areas:

1. Adobe Acrobat and Reader security flaws
2. SQL injection threats
3. Compromised and malicious Web sites
4. Exploit Kits
5. Zero-day Web browser threats.

The four main groups of attackers that will be delivering the main strands of threats will be cyber-criminals, cyber-terrorists, political hacktivists and rogue employees – causing IT security professionals a number of headaches as never before.

All of this, of course, comes against a backdrop of an evolving Internet – using extensible code technologies such as ActiveX, HTML5, JavaScript and good old Multimedia – to introduce malware to the company IT platform and to monetise frauds, steal data, raid company bank accounts and hit corporate reputations where it hurts most: on the bottom line.

Adobe Acrobat and Reader security flaws
The first of our five threats that IT professionals should be on the lookout for in 2013 is the recurrent problem of Adobe Acrobat and Reader security flaws. Although Adobe’s software has been around since the early 1980s, it wasn’t until the company acquired Macromedia in 2005 – when Flash came under Adobe’s wing – that the extensible code threat landscape started to change.

Because much of Adobe’s code structures are designed to be executed across multiple platforms, this makes the process of enhancement a tricky one, especially against a backdrop of a constant stream of Patch Tuesdays for Windows – and similar code updates for the Apple Mac and other operating system platforms.

A classic example of this was back in December of 2011 when hackers started tucking into a potentially major Adobe Acrobat and Reader security flaw, with Adobe issuing a warning to its user base about the issue, which affected Adobe Reader X (10.1.1) and earlier versions for Windows and Apple Mac systems, and Adobe Reader 9.4.6 and earlier 9.x versions for Unix, as well as Adobe Acrobat X (10.1.1) and earlier for Windows and Mac machines.

Since the security issue extended to include MS-Office users, the problem – just one of many for Adobe over the last couple of years – was a lot more widespread than many of the other Adobe vulnerabilities reported by security research organisations.

The solution to these vulnerabilities is similar in principle to the advice we give our clients about Java in all its shapes and forms: namely the need to constantly patch – and stay on top of patches – in almost any computing environment.

Whilst Adobe has developed its own strategies to deal with these issues – including that of integrating its own updates alongside Microsoft’s Patch Tuesday code releases – there may be an argument not to install an Adobe application unless you actually need the facility.

This is especially true where Web browser clients are involved – and it is worth noting that there are a number of browser extensions and apps designed to easily toggle extensible code environments on – and off again – as and when required.

It is also worth noting that, whilst an Adobe install may be required on your laptop computer, there is rarely a requirement for the same application code to be installed on a server environment.

2.0 SQL injection threats
The second threat identified in our 2013 top five list is the problem of SQL injection attacks. Readers with long memories may recall that SQL first became an industry standard way back in 1986, since when it has been central to RDBMS/database software – and also poses a juicy target for all manner of cybercriminals.

This was illustrated in May of 2012 when a Symantec engineer spotted a mass SQL injection series of attacks in progress.

The Lizamoon mass SQL attack vector was, of course, well used by cybercriminals and the principle behind the attack vector is that hackers exploit vulnerable Web sites using an SQL-injection attack, which will then direct users to other sites containing malicious code.

Mitigating the Lizamoon attack – as with all SQL-based IT aggressions – is not as easy as some vendors claim, as there are only a handful of products out there that were designed to secure databases.

Of those that there are, however, users report them to be effective security products. Each database install is different and to secure them, it is clear that the layout and structure must be understood.

All database admins should undergo thorough security training on a regular basis so that they can understand the threats and learn what techniques can be used for mitigation.

Compromised and malicious Web sites
The third issue in our top five list of threats includes the recurrent problem of compromised and malicious Web sites. Whilst graphical Web sites have been “around’ since the mid-1990s, it has taken the evolution of HTML5 and other Web technology advances to shift the threats/solutions balance up by more than a gear or two – and sadly in favour of the cybercriminals and hackers.

This was illustrated quite clearly back in June of 2012, when Symantec’s security response operation spotted a malformed Web page flaw – CVE-2012-1875 – being exploited in the wild. At the time, researchers noted that Microsoft – in its recent security bulletin summary for June – released security bulletin MS12-037, which is a critical security update covering Internet Explorer version 6 through 9.

A month earlier, in May of 2012, Amnesty international suffered a similar attack on its UK Web site, with hackers using a two-pronged vector based on Bloodhound.Exploit.466 and the IPS Signature Web Attack. The executable seen in the Amnesty International attack was Trojan.Naid, a remote access trojan first seen back in January 2010 which listens for – and accepts – a connection from the attacker to allow remote access to the infected machine.

These types of threats continue to be cause major issues, and do not just compromise computers, but can potentially affect all manner of hardware, including wireless routers, printers, cameras and most database applications.

Exploit kits
Next up, we have the recently evolved threat of exploit kits, of which the BlackHole kit is arguably the most well known. Despite its near-legendary status amongst hackers, this kit was first released by a Russian Hacker back in 2011, since when it has gone on to become the number one Web threat.

In June 2012, for example, several security experts spotted that the zero-day flaw (CVE-2012-1889) could be exploited using Internet Explorer. The solution to these kits is to subscribe to one of the main information feeds on kit exploits on the Internet, and use cloud information collation from your vendor to stay at least a few steps ahead of the threat pack if at all possible.

Within a week of the zero-day flaw being discovered, a Metasploit module was released by cybercriminals, allowing them to tap the exploit. Later in June, our colleagues at Sophos spotted a similar set of exploit code had been added to the BlackHole exploit kit landing page.

The Mal/ExpJS code in that case was notable for attempting to evade detection by being obfuscated (hidden) using a complex methodology that relied on a Web drive-by download attack vector as a means of infection.

Zero-day Web browser threats
This leads us nicely into discussing the fifth of our top five vulnerabilities, that of zero-day Web browser threats. Internet Explorer has come a long way since version 1.0 saw the first light of day in the mid-1990s, but the Web browser client’s evolution over the last 12 months has been rapid, adding a swathe of new features to the previously laggardly Web browser client.

In September 2012, several researchers warned of a new zero-day exploit for Internet Explorer, which – owing to its severity led to some firms advising users to switch to using another Web browser until the security flaw was remediated by Microsoft. Some reports suggested that the flaw affected as many as 32 per cent of Web users worldwide, owing to the penetration rate of Internet Explorer 7 – 9 running under the Windows XP, Vista and 7 operating systems.

The feature sets seen in that attack have also resulted in a new harvest of threats, which regularly pop their heads over the threats newswire parapets every few months or so. The problem these threats pose is that the actual patching process takes time, as the software vendors – despite user criticism – really do need to check and verify those patches. HTML5, for example, creates its own set of problems.

Mitigating those problems is no easy task, as it is important to understand that, if users have a given Web browser client installed, it is down to the IT security department to decide on an effective strategy, such as enhancing the performance of intrusion protection systems and the like.

Recommendations
I hope that this overview and analysis of the top five threats for 2013 has piqued your interest. The field of IT security threats – and mitigating those threats – is a constantly changing landscape – meaning it is important to patch, remediate and review your existing devices, as well as applying the same processes to your ongoing defenses and defense strategies.

Understanding what devices are on your network is similar to knowing where the property lines around your home begin and end, allowing you to start building a fence. However, your fence will not keep people out if there are holes in it. In the IT world, these holes can be plugged using security patches.

Unfortunately, for many businesses, patch management is a problem – and since cybercriminals tend to exploit some of the most ubiquitous software on the market, the need to patch those applications assumes significant proportions.

As we’ve seen above, Oracle’s Java and other popular applications such as Adobe’s Flash Player are often common targets. For users of Microsoft Windows, we know they can also expect their machines to get the brunt of the cybercriminal attention.

Analyzing and deploying patches such as Microsoft’s Patch Tuesday updates can be a tedious process when carried out manually. Many small organizations rely on Microsoft’s automatic update mechanism, which, if enabled, can install critical updates with little administrator intervention.

Whilst this approach may work for smaller networks, if the number of endpoints grows – or includes non-Windows machines – the situation can quickly become unwieldy without an automated network scanning solution.

This is particularly true when it comes to dealing with updates for the army of third-party applications on your computers. It is here that vulnerability scanning technologies can help companies find risks and prioritize remediation, so that the most dangerous problems can be countered before it is too late.

Our own research suggests that the top 25 per cent of the nCircle Benchmark antivirus community participants update their antivirus definition files within 7.7 days or less. The length of the time window between updates from antivirus companies and their deployment by users is a good indicator of the security posture of an organization – the longer the period between update downloads and update releases, the longer the possible window of exposure is open to ongoing malware campaigns.