Security Experts:

Year in Review: The Catalysts Behind the 2012 Threat Landscape

If 2012 has shown us anything about the security landscape, it’s that we’ve come very far in defending against – and deterring – attacks. And we’ve also learned that while we cannot control attackers themselves, we have endless power in our preparation for, and responses to, their attacks. With all of the new security technology and services available, we have the tools we need to raise the defensibility of every layer of our security shields. We may not be able to quell the sheer amount of attempted cybercrime – but we can dig down and root out their sources, including the lesser-discussed but increasingly prevalent forces of hacktivist groups and botnets.

What then were the primary threats that made their mark consistently throughout 2012? Cross-site scripting, cross-site request forgery, SQL injections, and directory traversal. It’s often difficult to pinpoint the reason why specific exploitations are more common during certain time periods. Truthfully, to a business that’s just been hacked, the “why” doesn’t matter so much as the “what,” as in, “what can we do about it?” So, with that in mind, here’s what you need to watch out for in 2013 and how you can stay effectively on guard.

Cybercrime tools become readily available

One thing that all four of these dominant attack methods share is the steadily decreasing knowledge and expertise required to execute them. Due to the deluge of automated “hacker in a day” methods, not only are these tools growing in number and offering more choices, but there has also been a strong and steady escalation in the sophistication of breaches performed successfully with them. Freely available tools like sqlmap exist as application-testing tools, but they make the discovery and exploitation of SQL injection flaws straightforward and virtually automated. Products like Havij v1.16 Advanced SQL Injection are intended to be used by penetration testers in order to determine where vulnerabilities lie, but can easily be used with malicious intent – the only real difference between a hacker and a penetration tester is motive and ethics.

How do you respond? Web application firewalls are an excellent start, and they are no longer a luxury. Make sure you have a Web application firewall in place this year. WAF technology continues to improve year over year and is well worth building into your budget. You can find a capable hardware or virtual appliance solution, whatever the size of your business or budget.

Don’t let a hairline crack become a gaping crevice in your security posture

What’s one secret that will never be kept in the world of hackers? Available exploitation opportunities. When there’s infrastructure or software with exploitable vulnerabilities, or “weak links,” you can bet that every individual in the hacker community will hear about it – practically instantly. Knowledge of such pervasive vulnerabilities spreads far faster than the time it takes to devise the necessary steps to block the attack and then disclose a recommended recourse to affected parties.

So what’s the fix? Rigorous testing, and building security into every stage of your software development lifecycle – especially the early stages – is one way to ensure these types of emerging threats don’t squeeze by undetected. At minimum, use a free source of vulnerability and exploit information like exploit-db.com or secunia.com and pair it with a well-supported and easily used tool like Metasploit. Your organization will be well on its way to quickly identifying and testing possible vulnerabilities that could lead to a damaging compromise.

Beware of the proliferation of hacktivist groups and botnets

Hacktivist groups intent on mass exploitation for political or other gains were on the rise last year, and seem to be a strong corollary to the intensity and types of attacks seen in 2012. Use caution when deploying Web applications, as faulty infrastructure can allow Google and other search engines to essentially index vulnerable pages, plugins, and software. This makes it easy and quick for hacker networks to find targets.

In addition to hacktivist groups, botnets have also been multiplying – usually through unwilling hosts becoming zombies after being compromised themselves. DDoS-for-hire extortion cases occur regularly, and renting botnets through underground channels is a more common practice each day. With their rise in frequency, it’s not surprising that botnets tie into the attacks we’re seeing repeatedly.

How do you protect your business? Your primary course of action should be to go back to the basics and make sure that a security plan is in place. Implementing strategic and complementary layers upon layers of security is still the most effective way to guard against these threats. Protecting your edge by blocking known bad IPs (DShield, ShadowServer, etc.), stopping intelligence gathering with an IPS, and blocking malicious Web requests with a Web application firewall work cohesively as a finely tuned filter, preventing a lot of “dirt” from making it to your applications. Eventually we can go on the offensive against these perceived powerhouses, but in the meantime – fortifying your virtual citadel is what will serve you best in the here and now.
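As an added illustration of that layered filter (example code, not from the original article), here is a minimal Python triage pass over constructed access-log lines: a known-bad-IP blocklist is checked first, then WAF-style pattern checks for the SQL injection, cross-site scripting and directory-traversal classes named earlier, and finally a Referer heuristic that flags cross-site request forgery suspects. The site origin, the blocklist entry and the log lines are assumptions constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote

SITE_ORIGIN = "https://shop.example/"  # assumed origin of the protected application
KNOWN_BAD_IPS = {"198.51.100.23"}      # constructed stand-in for a DShield/ShadowServer-style feed

# Defender-side signatures for three of the four attack classes named in the article.
SIGNATURES = {
    "sqli": re.compile(r"['\"]\s*(?:or|and)\s+[\w'\"]+\s*=|union\s+select|sleep\s*\(", re.I),
    "xss": re.compile(r"<script|javascript:|\bon\w+\s*=", re.I),
    "traversal": re.compile(r"\.\./|\.\.\\"),
}
# Combined log format: ip ident user [time] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" '
                    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$')

def classify(line):
    """Return (verdict, detail) for one access-log line, cheapest layer first."""
    m = LOG_RE.match(line)
    if not m:
        return ("unparsed", line)
    if m["ip"] in KNOWN_BAD_IPS:          # edge layer: reputation blocklist
        return ("blocked_ip", m["ip"])
    decoded = unquote(unquote(m["path"]))  # decode twice so %252e-style double encoding is caught
    for name, pat in SIGNATURES.items():  # WAF-style request inspection
        if pat.search(decoded):
            return (name, decoded)
    # CSRF heuristic: a state-changing request should carry an on-site Referer. This only
    # flags suspects; the real fix is a per-request anti-CSRF token in the application.
    if m["method"] in {"POST", "PUT", "DELETE"} and not m["referer"].startswith(SITE_ORIGIN):
        return ("csrf_suspect", m["referer"])
    return ("allow", m["path"])

def triage(lines):
    """Count how many lines each verdict received."""
    return dict(Counter(classify(line)[0] for line in lines))

# Constructed sample traffic, one line per situation the layered filter should handle.
SAMPLE_LOG = [
    '198.51.100.23 - - [10/Jan/2013:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.2"',
    '203.0.113.9 - - [10/Jan/2013:10:00:03 +0000] "GET /item.php?id=1%27%20OR%20%271%27=%271 HTTP/1.1" 200 88 "-" "sqlmap"',
    '203.0.113.9 - - [10/Jan/2013:10:00:04 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jan/2013:10:00:05 +0000] "GET /download?file=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2013:10:00:06 +0000] "POST /account/email HTTP/1.1" 302 0 "https://evil.example/page" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2013:10:00:07 +0000] "POST /account/email HTTP/1.1" 302 0 "https://shop.example/account" "Mozilla/5.0"',
]
```

Signature lists like these are deliberately narrow and will miss variants; they illustrate the ordering of the layers, not a production ruleset.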

Only time will tell if we see more of the same or a crop of new hazardous hack methods in 2013. Whatever the case may be, these security pariahs have been lurking behind the scenes and surreptitiously contributing to the most common attacks we saw last year. Don’t forget to look past the attack itself to some of the forces behind it, and prepare to bolster your security against both. It’s the only way to cover all your bases.

Chris Hinkley is a Senior Security Engineer at Armor where he maintains and configures network security devices, and develops policies and procedures to secure customer servers and websites. Hinkley has been with Armor (previously FireHost) since the company’s inception. In his various roles within the organization, he’s serviced hundreds of customer servers, including Windows and Linux, and overseen the security of hosting environments to meet PCI, HIPAA and other compliance guidelines.