With each passing year, hackers come up with new ideas, or variations of past ideas, to combine technology and social engineering to deceive users and attack networks for their financial benefit. The mid-2000s saw the proliferation of botnet attacks used for spam, targeted attacks and worse, while 2007 and 2008 have seen the rise of SQL injection attacks and other Web site exploits as hackers increasingly focus on social networking sites to target millions of users.
What’s on the threat horizon in 2009? Well, several factors — including a severe recession, easier ways to commit cybercrime, and continued growth of social networking online — will create for a unique year of threats once again. Hackers will continue to study human behavior — reactions to e-mail, Web and other social media attractions — to determine these areas of vulnerabilities.
Botnets Are Changing but Not Leaving
Over the past few years, botnets — systems of personal computers networked together and controlled for cybercrime — have dominated security headlines as they were controlled for distributed denial of service (DDoS) attacks, which would flood the network bandwidth at large companies and media outlets. Massive botnets comprised of thousands of zombie computers with names such as “Storm” and “Kraken” were used to attack Fortune 500 companies for financial gain. However, the latter half of 2008 has seen a decrease in size and activity of these larger botnets, likely because many researchers have been focused on infiltrating them or identifying related server hosts and shutting them down.
Unfortunately, this quieting of the botnet giants does not mean that botnets are going away. In the next year, they will continue an evolution toward smaller and more targeted forces, acting below the radar in stealth mode, that are used for a specific purpose (e.g. stealing e-mail addresses from a computer). Perhaps the most dangerous development of all is that the massive Eastern European cybercrime industry is now selling enterprise-class botnets as a software-as-a-service (SaaS) offering to the general public — complete with warranties no less — which can be used to distribute viruses or perform other malicious activities.
The Rise of Site Exploits: SQL Injection Attacks and Clickjacking
Adding to the increased stealthiness of botnets is the rise in the past year of SQL injection attacks, through which hackers trick Web site software into inadvertently running malicious commands. By simply rendering a Web page that has experienced a SQL injection attack, the victim’s computer can be comprised and brought into a botnet army. No longer does a user have to be fooled into clicking on a malicious link in an e-mail — their computer can be infected by visiting a trusted Web site that has been compromised.
In addition to their role in aiding the growth of botnets, SQL injection attacks are often used to exploit financial information on the victim’s machine. To make matters worse, another Web site exploit to appear in 2008 with this capability is clickjacking, which takes control of browser exploits to get users to click on malicious links and even give hackers complete control of their desktop. The rise of these Web site threats will continue in 2009, and they have made it clear that simply having an up-to-date antivirus installed will not be enough protection for computers and a company’s network.
Social Media Brings Collaboration but Increases Exposure
Swelling the problem of new Web site threats is the continued proliferation of online social networking amongst consumers and across the enterprise. The benefits of social media have been well-established; however, the lack of control and wide user base that it involves opens up many more opportunities for Web site exploits, whether it is clicking on a malicious video in a MySpace message or on a devious link on Facebook.
The next year should continue to see hackers finding new ways to integrate SQL injection attacks and clickjacking into the social media realm.
The Economy as an Escalator
In 2009, a significant escalator of cyber-threats will be the severe recession that most of the world is heading into. As banks, financial institutions and other companies falter, hackers will plan to use social engineering to confuse consumers into providing their financial information or clicking on links claiming to inform them of essential financial details. For example, phishing e-mails will continue to be seen which claim mergers of financial institutions or ask for verification of financial information.
Contributing to this economy-fueled cybercrime will be increased layoffs of IT personnel who may turn to the “dark side” by joining up with Eastern European cybercrime organizations and using their skills through the only outlets where they can find revenue. While companies will try their hardest to cut back on expenses in 2009, for the reasons above, there will be a legitimate justification for an actual increase in IT security spending to prevent data loss that could absolutely cripple a company when they are already in the midst of difficult economic times.
What Can Be Done?
While the anticipated threats of 2009 paint a grim picture, companies are by no means hopeless to stay protected. First and foremost, to fully take advantage of the work that security research companies are putting into fighting these threats, companies must put in a concerted effort to patch their systems as often and quickly as possible with updates. Many security software and appliance providers now have the capabilities to automatically deliver patch updates or protection packs to customers.
In addition to Microsoft’s Patch Tuesday announcement, the company has now started the Microsoft Active Protections Program (MAPP), which provides top security vendors’ vulnerability information in advance of Microsoft’s monthly security update release so that they can anticipate emerging threats and provide their customers with more timely protection. It is important that a company work with its security solution providers so that these updates can be put in place as soon as possible — a quality vendor will be able to provide these automatic updates on a regular basis. In addition to regular enterprise-wide patches, it is important to continue to educate users on updating their individual computers for key antivirus and browser updates.
The next year will see an increase in the variety of vulnerabilities to a network, yet at the same time, there are a variety of complementary technologies that can be integrated to provide the best defense. The best network defense available is not a single technology solution through a silver bullet, but rather a pervasive security approach that creates an ecosystem of technologies, including intrusion prevention systems (IPS), firewalls, network access control (NAC), event correlation, security information and event managers (SIEM) and others.
The past year saw an unprecedented rise in network data breaches and resulting exposure of corporate assets, reaching far beyond financial institutions to organizations like Hannaford Supermarket, a number of hospitals and even both major presidential campaigns. A next-generation IPS has proven to be an essential investment for detection and prevention of these network breaches, as it provides layered protection to the three major threat categories — malicious content, DDoS attacks and undesired access. This defense can be further augmented through tighter integration with other security technology, such as SIEM technology, which can provide context around the transaction information involved in a certain breach to understand its severity. While budgets may be tight in 2009, companies can better connect related technologies like these to extend the value of their network security investments. As threats evolve once again in 2009, a company’s best defense will to evolve its security infrastructure along with them by pushing for integration between security technologies to create a pervasive security ecosystem.
Ken Pappas is a security strategist at Top Layer, a provider of intrusion prevention systems.