General Information Security

Websense recently released their report for the first half of 2009. They have some very interesting findings, which I have summarized below.

  • In the first half of 2009, 77 percent of Web sites with malicious code were legitimate sites that have been compromised. This high percentage was maintained over the past six months in part due to widespread attacks including Gumblar, Beladen and Nine Ball which aimed at compromising trusted Web properties with massive injection campaigns.
  • Web 2.0 sites allowing user-generated content are a top target for cybercriminals and spammers. Websense Security Labs found that 95 percent of comments to blogs, chat rooms and message boards are spam or malicious.
  • The “Dirty” Web is getting dirtier: 69 percent of all Web pages with content classified as objectionable (e.g. Sex, Adult Content, Gambling, Drugs) also had at least one malicious link. This is becoming even more pervasive, as 78 percent of new Web pages discovered in the first half of 2009 with objectionable content had at least one malicious link.
  • Websense Security Labs found that 37 percent of malicious Web attacks included data-stealing code, demonstrating that attackers are after essential information and data.
  • The Web continues to be the most popular vector for data-stealing attacks. In the second half of 2008 the Websense Security Labs found that 57 percent of data-stealing attacks are conducted over the Web.
  • The convergence of blended Web and email threats continues to increase. Websense Security Labs reports that 85.6 percent of all unwanted emails in circulation during the first half of 2009 contained links to spam sites or malicious Web sites.
  • In June alone, the total number of emails detected as containing viruses increased 600 percent over the previous month.

This information confirms that the Web is a dangerous place and becoming more so. The reason is simple: money. Criminals have figured out that the benefit from online crime is high and the cost is low. Moreover, the chances of getting caught are slim. Compare the crime of identity theft or credit card fraud committed via the Internet with a physical crime such as a bank robbery. The cost of committing a crime on the Internet is low. Ready-made software is available on the Internet that helps obtain credit card and other personal information with which it is possible to commit fraud. The risk associated with this crime is very low compared to the expected payoff. Robbing a bank, however, has very high costs and risks. One could get shot, or get caught and sent to prison. And the likely payoff isn’t that great either. The average amount of money stolen during a bank robbery is less than $5000. This isn’t much compared with the risks.

Internet crime is a huge business.  To protect yourself, follow for using the Web safely.  Even legitimate and well known web sites can get compromised and be used to commit fraud against you.  And don’t think because you use a Mac that you are immune to these attacks.  You aren’t.  More on that in a future article.

Security Vendors Lacking Good Security

In two separate incidents earlier this month, well-known security companies had their web sites breached as a result of SQL injection vulnerabilities. The first was Kaspersky Labs, an anti-virus vendor, on February 9. Two days later, it was reported that BitDefender, another anti-virus vendor, also had their web site hacked by the same Polish hacker who had successfully breached the Kaspersky site. Again, a SQL injection vulnerability was the cause.

If you do not pay attention to reported incidents and vulnerabilities, you might assume that security vendors would not frequently be the victims of web hacks or have vulnerabilities found in their software. However, nothing could be further from the truth. I have been in the security industry for over 13 years and sadly, the companies that are selling security software and services seem to be just as likely as everyone else to be on the wrong end of a security problem. McAfee, Trend Micro, Barracuda, Cisco and Check Point (to name just a few) all reported serious vulnerabilities in their products in 2008. And now we are seeing security companies falling victim to web application attacks as well.

We should demand more from our security vendors.  These are the companies that are securing our infrastructures and protecting our data.  They need to ensure that the products they are selling are secure, because as a consumer of these products, I cannot afford to take the chance that my environment will be compromised due to a weakness in their systems.  And I certainly don’t want to be in a situation where I am frequently applying security patches to my security systems.  I for one will avoid purchasing products from any security vendor that has a poor track record of providing quality, secure products.  This is the only way that they will get the message that we expect more from the vendors that we entrust with the security of our data.

Looking Into the Future

This is the time of year when information security professionals like to make prognostications about future trends in the industry. The soothsayers who pen these prophecies rarely provide any information that could be considered earth shattering or even mildly prescient. I am not gifted with the ability to see into the future, and even if I were, it is likely I would suffer the same fate as Cassandra and no one would believe me. Thus, I will not attempt to make any predictions about the future. I will, however, make a statement of fact about the future. And since this is a truism, it is not a prediction:

Those who use computing resources for nefarious purposes, including phishers, spammers, virus writers, crackers, organized crime units and any other group or individual who sees an opportunity to make money by obtaining information illegally or using computing resources without authorization, will continue to stay 2 or 3 steps ahead of those attempting to secure systems against such people.

I have been involved with information security for over 10 years and I can honestly say that the state of information security has never been worse. There are more threats now than at any time in the past. There are more vulnerabilities now than at any time in the past. And the job of the information security professional is more demanding and complex than ever.

To some extent, this is to be expected.  Information systems are pervasive in every aspect of our lives.  And moreover, these systems are all interconnected.  Our appliances can communicate with their manufacturers.  Our phones have morphed into miniature computers with all the power and vulnerabilities common in desktop PCs.  Our cars have computers that are capable of determining faults and sending this information to dealers who can resolve the issue.  And our national infrastructure, such as electrical grids, dams, nuclear power stations and stop lights, are all controlled by computers and often are connected to the Internet.

Information systems are more complex than ever.  The bad guys have ever more opportunities to attack those systems and make money from using them illegally.  The threats are real and protecting against them is difficult.  Unfortunately, I don’t see anything that will change this scenario in 2009.  Happy New Year.

Copyright © 2011 InfoSecStuff.com — All Rights Reserved