
Meeting the Challenge of Today's Blended Threats

White Paper Published By: McAfee Inc

Companies naturally benefit from the customer and worker satisfaction of the openness afforded by Web 2.0 and self-service approaches. But, as expected, the openness brings additional risk. IT security expert and Ziff Davis executive editor Salvatore Salamone examines changing hacker tactics and their ominous implications, along with what you can do to protect your organization from evolving blended threats.



Tags : 
phishing, hacker, identity theft, intellectual property theft, web 2.0, malware, spam, keylogg

McAfee Inc
Published:  Jun 22, 2009
Type:  White Paper
Length:  5 pages

Meeting the Challenge of Today's Blended Threats
Cyber-crime and its costs are increasing rapidly.
The FBI received a record number of complaints in 2008, and the associated direct cost of the frauds carried out with stolen data was $265 million, up about 11 percent over 2007.
There is no sign that this trend will abate. Last year's growth and today's continuing problems can be attributed to one fact: Hackers are becoming more sophisticated in their efforts to steal personal identity data and sensitive corporate intellectual property. In particular, they are increasingly using socially engineered, multi-pronged, and blended attacks that exploit the openness of Web 2.0 applications and Web sites.
Compounding the challenge of securing personal information and intellectual property data is that companies are being forced to grant access to more systems and information all the time. Bank customers want quick access to account balances, workers want to maintain their own 401k and health insurance accounts, Web shoppers want to place orders quickly and make purchases with a single click, and business partners want to work on projects in a collaborative manner online.
Additionally, companies are increasingly using SaaS (software-as-a-service), which means employees must go online to access corporate applications.
Companies naturally benefit from the customer and worker satisfaction of this openness afforded by Web 2.0 and self-service approaches. But, as expected, the openness brings additional risk.
Changing hacker tactics
Security has always been fighting to keep up with evolving tactics. Current-generation hackers seem to be raising the stakes to even higher levels.
First, hackers are using multi-pronged, blended attacks. A typical scenario includes sending a spam e-mail that tries to lure the recipient to a Web site. That site might be poised to download malicious software as soon as the user connects to the Web page. That software often includes a keylogger program that steals passwords, malware that steals application data, or a program that turns the computer into a remotely controlled bot that can be used to launch denial-of-service attacks, distribute spam, or spread other malicious code. Alternatively, the landing page might be a replica of a legitimate site, such as a banking or e-commerce site, whose purpose is to trick the user into giving up account information.
Second, attacks are more targeted and use more sophisticated social engineering techniques to trick even savvy users into making a mistake. In the past, a phishing attack might involve sending a generic spam e-mail message (e.g. there's a problem with your eBay order, or, a Nigerian philanthropist needs help sharing his wealth) to any address the hackers had obtained. Many of these messages were easy to identify as bogus.
Now, many attacks use current-events issues or hot-button topics to trick people into taking action. For instance, hackers quickly seized on the concerns about swine flu and used phishing attacks that exploited these fears to try to steal information or sell pharmaceutical products.
And earlier this year, a spam campaign lured people to a fake, but realistic-looking, Barack Obama Web site that carried a breaking news story about Obama refusing to be president, claiming he was not ready for the position. Clicking on the link automatically downloaded spam bot software to the victim's PC.
More sophisticated attacks use information about the target to customize the phishing e-mail message, making it harder to dismiss, and, in some cases, making it appear legitimate. For example, knowing the name of a person's boss, a hacker can send an e-mail claiming, "Your boss gave us your contact information." And because some messages appear to come from friends or colleagues, the recipient usually trusts the contents.
This can cause the recipient to take action such as opening an attachment or going to a Web site, actions the recipient would possibly have avoided if the message lacked that level of detail. Oftentimes, the personal touches that make these messages more believable come from stolen information. This type of attack is essentially a more elaborate blended attack.
Third, hackers are leveraging social networking's popularity, taking advantage of users' openness and people's willingness to share ...
