by Andrey Dulkin
Over the past year we’ve witnessed several spectacular attacks that demonstrated just how dangerous cyber criminals have become. These attacks have emphasized that a narrow focus on protecting against the insider threat is short-sighted and that more preventative approaches are needed to guard against external, highly targeted and persistent attacks that focus on high value information such as customer data and intellectual property. In taking stock of the threat landscape and emerging IT trends, we’ve summarized three key areas that we think will evolve significantly in the coming year, both in terms of technology innovation and risk.
Targeted Attacks: Preventative Protection on the Rise
As an industry, we’ve seen attacks move from opportunistic to increasingly sophisticated and targeted (think Stuxnet), with privileged access rights as a consistently, and perhaps increasingly, popular attack vector. Privileged accounts have proven to be a ‘sweet spot’ for attackers because of the broad access they provide to high value targets, access that is often shared and therefore hard to attribute to an individual. However, many organizations are still in the early stages of identifying and fixing privileged account weaknesses, including those caused by hard-coded passwords, which gives attackers an extended window of opportunity.
That said, in the coming year we strongly believe there will be a rise in more preventative approaches to protecting privileged accounts, including better isolation, access control and activity recording. This is due in part to greater awareness, increasing regulation and adoption of best practices, all of which are driving significant growth for the privileged identity management market as a whole and will ultimately help drive down the popularity of privileged accounts as an attack mechanism.
As a strong indicator of the increasing need for more proactive privileged account management, consider that, in response to the changing threat landscape, the SANS Institute announced a major update to its 20 Critical Controls earlier this year. The 20 Critical Controls is a prioritized baseline of information security measures designed to provide continuous monitoring to better protect government and commercial computers and networks from cyber attacks. Several are directly related to privileged accounts: #8 Controlled Use of Administrative Privileges; #9 Controlled Access Based on the Need to Know; and #11 Account Monitoring and Control.
Similarly, the most recent NIST 800-53 publication, which provides the recommended security controls for federal information systems and organizations, places an emphasis on establishing a proactive, preventative approach to privileged account management in order to achieve FISMA compliance.
SCADA Systems Under Attack: Vulnerabilities Continue to Put Critical Infrastructure at Risk
From weapons systems and water pumps to prison gates, systems not previously considered vulnerable to attack showed up in news headlines over the past year. Those attacks have made visible the fact that many of these systems were not designed with security in mind. Because of hard-coded, weak or rarely changed passwords in devices like programmable logic controllers and in SCADA software, these targets have become accessible to attackers, potentially putting critical infrastructure at risk.
With repeated attacks on the horizon and awareness building, we expect that in 2012 there will be a notable increase in research dedicated to how hardware can be attacked through software, and to the use of code to carry out attacks, particularly in the energy and utilities space. One early indicator that more research and solutions are needed may be statements made earlier this year by the U.S. Department of Homeland Security, which said it was reevaluating whether it makes sense to warn the public about every security failing in industrial control system (ICS) and SCADA software, and was considering distinguishing design flaws from security holes.
One of the main challenges with SCADA systems is that even when specific vulnerabilities are known, the cycles to fix them are so slow that it often seems to make more sense to keep the vulnerability confidential so attackers won’t exploit it during the lengthy repair period. This is “security by obscurity,” and it is of course not a long-term strategy.
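The hard-coded passwords called out above, both in application code that holds privileged credentials and in the tooling around PLCs and SCADA software, are easier to recognize than to eradicate. The following is an added example, not code from the original post or from any product it discusses: it places the weak pattern (a privileged credential embedded in source) beside a hardened form that takes the credential from an injected secret source at run time, and adds a small scanner that flags literal credential assignments in source or configuration text. The `fetch_secret` callable, the `db/admin` secret name and the sample source are assumptions constructed for the illustration.

```python
"""Hard-coded privileged credentials: weak form, hardened form, and a simple
source scanner.  Added example, not from the original post; the connection
helpers, secret-store interface and sample source are assumptions."""
import os
import re
from typing import Callable, List, Tuple


# --- Weak form: the privileged credential is baked into the code --------------
def connect_weak(host: str) -> Tuple[str, str, str]:
    # Anyone with read access to the source (or the shipped binary) now holds
    # the admin password, and rotating it means redeploying every copy.
    user = "admin"
    password = "Sup3rS3cret!"        # hard-coded privileged credential
    return (host, user, password)


# --- Hardened form: the credential is injected at run time ---------------------
def connect_hardened(host: str, fetch_secret: Callable[[str], str]) -> Tuple[str, str, str]:
    # fetch_secret stands in for a vault or environment lookup (assumption).
    # The code never contains the value, so it can be rotated without a
    # redeploy, and the retrieval itself is a single point that can be logged.
    user = "admin"
    password = fetch_secret("db/admin")
    if not password:
        raise RuntimeError("privileged credential not available at run time")
    return (host, user, password)


def env_secret(name: str) -> str:
    # Simplest injection: "db/admin" is read from the environment as DB_ADMIN.
    return os.environ.get(name.upper().replace("/", "_"), "")


# --- Scanner: flag assignments that look like embedded credentials -------------
CRED_NAME = r"(?:pass(?:word|wd)?|pwd|secret|api[_-]?key|token)"
# Matches  password = "..."  /  PASSWORD: '...'  /  api_key="..."  (literals only;
# a call such as fetch_secret("...") on the right-hand side does not match).
CRED_ASSIGN = re.compile(
    rf"""(?i)\b{CRED_NAME}\w*\s*[:=]\s*(["'])(?P<value>[^"']{{4,}})\1"""
)


def find_hardcoded_credentials(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, matched_text) for each suspicious literal assignment."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = CRED_ASSIGN.search(line)
        # "${...}" is a templated placeholder filled at deploy time, not a secret.
        if m and not m.group("value").startswith("${"):
            hits.append((lineno, m.group(0)))
    return hits


# Constructed sample source (assumption), mixing both forms.
SAMPLE_SOURCE = '''
DB_HOST = "plc-gateway.example.internal"
password = "Sup3rS3cret!"
api_key = '0123456789abcdef'
token = "${VAULT_TOKEN}"
password = fetch_secret("db/admin")
'''

if __name__ == "__main__":
    for lineno, text in find_hardcoded_credentials(SAMPLE_SOURCE):
        print(f"line {lineno}: {text}")
```

Run against the sample, the scanner reports the two literal assignments (the password and the API key) and stays quiet on the templated token and on the hardened call. The regex is deliberately narrow, keyed on credential-like names followed by a quoted literal, so it is a cheap first pass over a code base or a PLC project export rather than a substitute for a proper secrets inventory.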
Private Clouds: Hypervisor Weaknesses Exposed
While some hesitancy around public cloud infrastructure may still exist, the infrastructure changes that come with rapid private cloud adoption could introduce new risks whose scope we may not yet fully understand, and which organizations will nevertheless be expected to proactively protect against. For example, in a private cloud a virtual machine may move between physical servers or be reachable through multiple hosting centers. A systems administrator may know the virtual machine is accessible, but it’s difficult to know who has access to it, when it was accessed, or what was done once access was achieved. The hypervisor provides some of that much-needed control, but at the same time becomes an attractive target for attack. In 2012, protecting against hypervisor threats will quickly become an IT security priority, and as we achieve greater maturity in the virtualization space, we could see the cost efficiencies of virtualization take a back seat to the increased risk. We will also see IT security teams taking a more significant role in the initial build-out and deployment of private clouds, so that the needed security infrastructure is in place from the start.
What are your thoughts on these 2012 trends to watch? Do you have some of your own to share?