Targeted attacks, IPv6 complicate cyber defense

SAN FRANCISCO — The online threat landscape has continued its shift over the past year from wholesale crime to targeted attacks using advanced persistent threats to quietly steal information.

“The threat has morphed into one that is much more targeted and sophisticated,” said Art Coviello, executive chairman of RSA, the Security Division of EMC. “They are looking for the soft underbelly. People don’t realize they are being attacked in this manner.”

At the same time, with the exhaustion of the IPv4 address space, the introduction of IPv6 is creating new complexity in networks that further complicates security.

“It’s going to drive more boxes-in-the-middle,” to handle the tunneling, translation and other accommodations of the next generation of Internet Protocols, said VeriSign Chief Security Officer Danny McPherson. “They make the network more complex and more vulnerable to attack.”

Related coverage:

Emerging cyber threat: Evasion techniques that combine to conquer

WikiWars: The face of future conflicts

These devices are going to be around for the foreseeable future, but the security of emerging IPv6 equipment is “certainly not on a parity with IPv4 today,” McPherson said. Until the reliability and security of IPv6 equipment catches up, networking companies will have to compensate with greater investments in IPv6 infrastructure to ensure availability of services.

Coviello and McPherson were among the industry and government executives and security practitioners assessing developments in IT security at this week’s RSA Security Conference.

In general, it is improved governance and policy, rather than new technology, that is needed to better secure systems, Coviello said. “The technology is often the thing that works best.” The problem often is “the judgment and expertise of the people.”

Since the announcement by Google last year of long-term breaches to its systems in China, advanced persistent threats have become a hot enough topic that they now are referred to simply as APTs. Their emergence is due in part to improved security, Coviello said. Enterprises are doing a better job of risk assessment and access control.

“We are getting better generally at stopping the broad-based attacks,” he said. But criminals and spies — both industrial and national — also are evolving to circumvent these defenses. “I think we keep pace, but there is never a moment to take a deep breath,” he said.

The shift is putting an increased emphasis on people in the security equation. New attacks often use social engineering crafted to a carefully selected target to evade defenses. Coviello offered a multistep cyber defense program in which technology is the final step: Have multiple layers of defense, identify risks, establish security policy, understand employee (and other insider) behavior, establish access controls, and then apply technology.

One trend that disturbs McPherson is the growth of “hacktivism,” illustrated by recent denial-of-service attacks in support of and against WikiLeaks. The ability of individuals to opt into a botnet organized for such activities is giving people an easy and effective — but usually illegal — way to act on their beliefs.

“These attacks have real impact on an organization, and most of the time it’s a crime,” he said.

On the bright side, the growing deployment of the DNS Security Extensions already could be improving the security of the Domain Name System, McPherson said.

DNSSEC uses digital signatures to validate responses to DNS queries, which provide numeric IP addresses for URLs. About 30 percent of the Internet’s top-level domains are signed now, including the root, which was signed in July. The largest top-level domain, .com, is scheduled to be signed this spring. With the root now signed, as many as one-third of DNS queries now could be validated by DNS name servers by authenticating digital signatures, McPherson said.

 “It’s a matter of recursive name servers turning on validation,” he said.