No surprise, most cyber attacks could be averted

Spam volumes dropped in the last half of 2010, but that was mainly just good luck, according to a new report from M86 Security. In the meantime, hackers are taking full advantage of known vulnerabilities that remain unpatched, sometimes for years.

SAN FRANCISCO — During the last half of 2010, phishing attacks became more sophisticated, exploit kits more professional, social networking sites more attractive to criminals, and the most common exploits were those for which patches are available, though not always applied. There were few big surprises in the latest biannual Security Labs Report from M86 Security.

“If we look back at where we were in June 2010, the last half of the year was much along the lines of what was expected,” said Bradley Anstis, VP of technical strategy.

The one exception was the steep decline in the volume of spam, down 33 percent in December from where it had been a year earlier. “That was a surprise,” Anstis said.



It was also largely due to good luck. Although law enforcement and security organizations have become better at shutting down the botnets used to deliver spam, it was the unexpected departure of Spamit.com, which acted as a go-between for spammers and bot-herders, that reduced the output. The respite, while welcome, is only temporary, Anstis said.

“We’re dreaming if we think it will make a permanent reduction in volume,” he said. Volumes are likely to creep back up as the owners of botnets find new outlets for their illegal capacity. “I don’t see any silver bullet for spam.”

M86, a provider of real-time threat protection and secure Web gateways, released its latest report on cyber threat trends at the annual RSA Security Conference being held this week. According to the report, the United States retained its position as the world’s top host of malicious code, coming in with a commanding 42 percent. China came in a distant second with 6.4 percent.

One of the more disturbing, although not surprising, findings was that the top 15 vulnerabilities being exploited by observed attacks were all well-known and had patches available, some of them for years. The Office Web Components Active Script Execution vulnerability, No. 2 on the hit list, has been patched since 2002. The top vulnerability, in Microsoft’s Internet Explorer RDS ActiveX, has been patched since 2006.

These vulnerabilities are still popular because they still work, the report says.

“It astonishes us that the patched vulnerabilities continue to be successful for criminals,” Anstis said. Much of the problem is in large organizations that maintain large bases of legacy systems that are locked down and are not regularly updated because of stringent change control policies. Although change control is good, delays in patching can leave systems vulnerable.

One way to reconcile change control with patching is a gateway that can recognize and block malicious behavior targeting known vulnerabilities. This does not eliminate the need for patching vulnerable software, but it can act as a backstop until patches can be tested and rolled out in a controlled way, Anstis said.

Phishing attacks are becoming more sophisticated, using malware such as ZeuS and SpyEye to perform man-in-the-browser attacks that inject malicious forms into legitimate Web sites to steal user information. Exploit kits are becoming more professional, allowing less sophisticated criminals to mount more sophisticated attacks, for a price.

But social networking could be the big threat vector of the future. In the second half of the year, Twitter was the victim of multiple cross-site scripting attacks, and a growing number of online survey scams are appearing on the sites.

These threats become more serious as social networking becomes more embedded not only in our personal lives, but our business as well, Anstis said.

“We are starting to communicate more with our business partners through social media sites,” he said. “The use of these sites by commercial organizations is growing,” and he predicted that in a few years an online presence on Facebook could be as necessary to an organization as a conventional Web site is today. Organizations should recognize this and plan for it, putting policies and controls in place for the inevitable migration to social networking.
