Editor’s note: Last month, the information security firm Symantec released the 11th edition of its Internet Security Threat Report. This is Symantec’s attempt to get out of the day-to-day and see the forest for the trees, and these woods look pretty ominous, according to Dave Cole, a director in the Symantec security response organization.
The name of the game today is data theft, and malicious code is now written to target specific organizations for information that cyber criminals can monetize. These cyber criminals are becoming increasingly coordinated, and they can leverage interoperability between their diverse threats and methods. In this interview with WTN, Cole explains what to look out for and what to do.
WTN: What’s your personal overview of the Security Threat Report’s findings?
Cole: The threat landscape is very criminally focused right now. It used to be focused on kind of digital graffiti. Data theft is the big emphasis today – data theft and unauthorized access. So if you look at malicious code, 66 percent of our top 50 threats are not your kind of “Melissa, I Love You” type things, released to see how far they can go. They are of the sneaky kind: get on as quickly and as fast as possible, and steal data.
If you look at phishing, traffic is up 19 percent. If you look at the amount of spam out there, it’s up 59 percent. So across the board you see very big dollar signs behind what’s happening in the landscape today, and you see a greater level of sophistication and cooperation across the cyber criminals.
WTN: In terms of the findings, how is the report different from the previous one? Are you picking up any new trends?
Cole: Sure. There are a number of things that we looked at a little differently. So one thing was we have a system called Dark Vision, and for the last year it’s been monitoring Internet online crime sites. So these are what we call fraud economies, or communities. Think of it as social networking for the bad guys. This is where commodities such as people’s identities, credit cards, fax machines – all these things are being bought and sold, and this allows the criminals a variety of specializations, so you don’t have to be the person that goes out and steals the identity. Your role might be simply to cash it out and turn it into bankcards or to reship things. Your role might be to steal the stuff and then turn around and sell it in aggregate to people in other parts of the world.
So in these fraud economies, you see a variety of specialization, but you also see standardized pricing come out. So one of the things we did for this report is we issued sort of a menu of fraud-economy pricing. One of these was the price of credit cards themselves, which go from $1 to $6 [U.S. dollars]. Now if the credit cards are out of the United Kingdom, they go for about double that, so for $2 to $12, which I believe mostly reflects the price of the pound, which is about double that of the dollar.
We also see things like game accounts being sold as people recognize the value in game currency. So, World of Warcraft: while a U.S. credit card goes for $1 to $10, a World of Warcraft account goes for $10. So some interesting disparities and data popped out at us as we went through the report. One of the other things I mentioned is that an identity, while some people might believe that it goes for hundreds or thousands of dollars, really only sells for $14 to $18 in the underground, sometimes even less than that.
WTN: Is the truly frightening aspect of this report the fact that threats are increasingly the result of coordinated criminal activity?
Cole: Yeah, but there is good news and bad news in this report. The bad news is that, absolutely, the criminals are coordinated. Absolutely, they are not out to just trash your hard drive or to make your life… to play a prank on you. They are out to steal your identity, and the economy is very efficient behind that, meaning they can quickly monetize this. They can quickly rip you off. They can do it across many, many people, across many, many countries at one time due to these networks of fraudsters out there.
The flip side is that they really don’t care if it’s Joe from Wisconsin or Dave from Los Angeles. They just want someone’s identity, so they are out there kind of combing the Internet for low-hanging fruit. They don’t want to work very hard for it, and there are plenty of people on the Internet now, so if you are well protected, they will move on. So you can almost think of it like having “The Club” [anti-theft device] in your car. You don’t have to have the perfect car-alarm system. You don’t have to be decked out to the nines with every possible security unit. If your car is parked next to someone else’s, and yours has a good alarm system and “The Club” on it, they are going to go for the car that doesn’t.
So the fraudsters, while they are very aggressive and they are very efficient, they are also playing the numbers. If you’re well protected, you really don’t have that much to worry about, unless someone wants you specifically, which frankly doesn’t happen very often.
WTN: How hard is it for law-enforcement authorities to track down cyber criminals?
Cole: That’s really outside the domain of Symantec and any commercial enterprise. What we do is we cooperate with law enforcement, so we do turn over data and we work with groups like the National Cyber Forensics Training Alliance, which is a non-profit front for the FBI and the U.S. Postal Service. So we can collaborate with them, but at the end of the day it’s really a matter for law enforcement.
I can say, without speaking out of turn, that it’s a big challenge. You’ve got the cyber criminals, who are going through great pains to hide themselves, and many of them are sitting in countries well outside the jurisdiction of [American] law enforcement, so there’s a fair amount of cyber crime activity emanating from the former Soviet bloc, which requires a lot of international law enforcement cooperation. And the skills required by law enforcement are different than they were before, so they are in the process of really kind of staffing up and getting the right skills for those teams. So you’ve got a combination of different skills being required than before, added to a level of cooperation across countries that may be impeded by different skill levels, language barriers, different priorities, you name it. It’s really quite a tough challenge when you consider the international barriers that are out there.
WTN: Since these threats are sometimes used in combination to attack an entire network system, how do you protect the entire network system?
Cole: It really goes beyond the network, but having said that, a lot of the old mantras of defense-in-depth and layering your protection really still work today. It’s the stuff that maybe some people don’t want to hear. Maybe some people are still searching for that silver bullet, but the reality is that layering your defenses, having a tight firewall policy, having an intrusion-detection and an intrusion-prevention system, having your process and policy, trained people, defending the host, segmenting your network – all of that stuff, which has been good advice for a long time, is still the same [good] advice today.
The one thing I’ll say is that with Web applications, about 66 or 69 percent of all the vulnerabilities are in Web apps. You’ve got to bake security into the system-development life cycle. So that’s one thing we probably can’t emphasize enough, because while the network perimeter has gotten harder, web application security… I’m not convinced it has gotten phenomenally better. That’s one area that could stand to be emphasized a bit more.
Now the flip side of this is that since we know attackers are going after a company’s brands, in many ways the perimeter has gotten a lot harder than what it was before. You know, if you were to go out there five years ago and scan the Internet, you would have found a lot of lousy firewall policies, a lot of machines and networks that were probably fairly open. Today, you’ll still find some of those out there, but it’s a lot less than what was there before. We’ve done a decent job of hardening the network perimeter across the Internet, which is why you don’t see things like Blaster, Slammer, or Code Red nearly as much anymore. ISPs are doing a better job. Companies are doing a better job as a whole.
So where you see the attackers going is after the company’s brand. Rather than trying to penetrate the network and pull off the Ocean’s 11 heist and steal the customer database, they are going after the consumer. They are going after the people, the customers of that organization. It’s a lot easier to go after Aunt Sally than to try and break into Sallie Mae, right? It’s much, much easier, and with the fraud economies they can aggregate their thievings and sell them for perhaps the same amount as if they were to rip off the customer database.
So the question for a big company is, do you have a defense on the perimeter? Lock down your web apps and do the right thing, but consider that your perimeter now includes your customers, as the attackers go after them in a crime wave. So the perimeter, if you think about it in much broader terms, has expanded out to your customers. What are you doing to protect them as well?
WTN: Does the same advice apply to a mid-sized or smaller business?
Cole: I would say yes, maybe a little less, but we certainly see the regional attacks going on. You’ve got plenty of brands out there that never thought they would be targeted by phishers and by fraudsters, but as I mentioned before, phishers and fraudsters are looking for fresh meat. They are looking for the easy win, and we’ve seen plenty of small banks, we’ve seen plenty of smaller retail establishments be targeted by fraudsters. If you’ve got an online presence and there is money to be made from these transactions, anyone is a potential target.
So I’d say a little less so, but certainly at least have your process in place and consider what you would do if your brand is targeted by such an attack.
WTN: Are security providers keeping up with the new threats, perhaps anticipating their next moves?
Cole: The one thing I’ll say, and this is sort of back to the good news-bad news story, is that the bad news is things are criminally and money motivated. The good news is that because they are money motivated, you can follow the future of attacks a lot more easily now. So our current forecast is that all you have to do is look where the money’s at, right? So if you know where the money is at, and you know the attackers don’t want to work any harder than they have to, it’s actually gotten much easier to predict the types of attacks that will arise.
For example, one of the things that we’re forecasting now is that video such as QuickTime, Windows Media format – you see it exploding across the Internet. There are YouTube and so many other players. We know the consumers are under attack, and they are under attack because of the Web browser. Web browser security is getting better with the latest versions of Internet Explorer, of Mozilla Firefox and so on.
So where are the attackers going to go? Well, they are going to go to the consumer-client side, third-party applications, to exploit people. We’ve already seen that a couple of times with QuickTime this year, the first time in conjunction with MySpace, and then there was a MacBook hacking challenge last week at a very popular security conference called CanSecWest, and how did they win the contest? Well, they won it with a QuickTime flaw through the Safari browser.
So you can kind of apply the logic of “okay, where are the attackers going to go next?” They are following the money.
WTN: Are there other key points about the Security Threat Report and its implications?
Cole: There’s a lot of stuff in there. We just touched on the very high-level stuff. At the end of the day, the attackers out there, in general, don’t care about any one organization or any one individual in particular. They are going after the easy target, so if you’re doing the basics, if you’re putting the right technology in place, you’re thinking through your processes, if you’re training your people, at the end of the day while the threat landscape is ominous, it certainly isn’t an insurmountable challenge.