Internet security experts say Aurora attacks are very critical
March 1, 2010
According to an Internet security report to be published later today, most companies and organizations are today effectively defenseless against the type of cyber attack that recently hit Google and at least thirty-three other large companies. Some estimates put the actual number of targeted companies at well over one hundred.
These findings are significant because they suggest that many of the best practices corporate IT departments have been diligently following for the past 10 years are ineffective against these attacks, which Google said succeeded in piercing its defenses and accessing its trade secrets.
iSec founding partner Alex Stamos said that, with the exception of Google and a handful of other organizations with budgets large enough to support expensive IT security teams, companies are totally unprepared to defend themselves against this new and far more complex method of attack.
The attackers behind the cyber assault, known as Aurora, patiently stalked their hand-picked victims for months, working to identify the specific end users and applications that could be targeted to gain entry to corporate networks, concluded the report, prepared by security firm iSec Partners.
Emails or instant messages that appeared to come from friends and trusted colleagues were combined with potent zero-day vulnerabilities targeting common applications. In many cases, exploits were tweaked to circumvent specific versions of anti-virus programs.
"Cyber attackers are willing to spend months attacking people in these companies, and they write custom malware specific to those companies. The malware for each of these companies has been customized based on the versions of vulnerable software they're running, as well as what kind of anti-virus they're using. The problem is to defend against that level of attacker - the game is completely different than what most companies are doing," added Stamos.
So far, the attackers showed painstaking perseverance in gathering information about vulnerable end users, often casing social networks to learn the identities of friends and business associates so instant messages and emails with poisoned links will appear more innocuous.
They also employed an encyclopedic knowledge of corporate networking weaknesses that allowed them to convert a compromise of a single computer into a vector that would surrender unfettered access to a company's most valuable crown jewels.
In the days following Google's January admission, investigators said as many as 33 other companies had been hit by the same attacks. But according to Stamos, that estimate was based on the analysis of just one command and control channel run by the attackers. After sifting through the contents of some 60 additional channels, Stamos said the number of compromised companies could be as high as 100, many of them with totally unprepared IT departments.
"These people really understand how to take control of one computer and turn it into a master domain admin access server. Most users are not well prepared for this kind of thing," said Stamos.
For companies to reverse this trend, they will have to make structural changes to the way they think about and manage IT security inside their own network perimeters, and it goes further than that. Chief among these changes is disabling services that, despite repeated warnings, often remain enabled, such as LAN Manager Hash.
Other recommendations include logging and inspecting all queries made to internal domain name system (DNS) servers, and building safeguards into the network that prevent key resources from being accessed even when a client on the network has been compromised.
For example, Windows servers should be run in unprivileged mode for the vast majority of users, regardless of which department they work in.
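The recommendation above to log and inspect every query made to internal DNS servers is one that even a small IT department can act on, and the script below, added here as an illustration (it is not code from the iSec report or from this article), shows what such inspection can look like. It reads constructed query-log lines in a hypothetical format modelled on a BIND-style query log and flags two patterns a compromised client commonly produces: the same external name looked up at a near-constant interval (a client checking in with a command and control channel of the kind the report describes), and a long, high-entropy hostname label (data being carried inside DNS names). The log format, the internal suffix corp.example, the thresholds and every hostname and address are assumptions made for the example.

```python
"""Inspect internal DNS query logs for signs of a compromised client.

Added example, not code from the iSec report or the article. The log
format is a constructed one modelled loosely on BIND-style query logs:
    <ISO timestamp> client <ip> query <qname> <qtype>
"""
import math
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log lines (not real data). Client 10.1.4.37 looks up
# the same external name every five minutes and then sends a long
# hex-looking label to another external domain.
SAMPLE_LOG = """\
2010-02-01T09:00:01 client 10.1.4.22 query mail.corp.example A
2010-02-01T09:00:05 client 10.1.4.22 query www.example.org A
2010-02-01T09:01:00 client 10.1.4.37 query update.cdn-test.net A
2010-02-01T09:06:00 client 10.1.4.37 query update.cdn-test.net A
2010-02-01T09:11:00 client 10.1.4.37 query update.cdn-test.net A
2010-02-01T09:16:00 client 10.1.4.37 query update.cdn-test.net A
2010-02-01T09:16:30 client 10.1.4.37 query a3f9c1e7b2d04485c6a1f0e9d8b7c6a5.tunnel-test.net TXT
2010-02-01T09:20:00 client 10.1.4.22 query intranet.corp.example A
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<client>\S+) query (?P<qname>\S+) (?P<qtype>\S+)$"
)

# Assumed internal namespace; queries for it are not treated as beacons.
INTERNAL_SUFFIXES = ("corp.example",)


def parse_log(text):
    """Parse log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m.group("ts")),
            "client": m.group("client"),
            "qname": m.group("qname").lower().rstrip("."),
            "qtype": m.group("qtype"),
        })
    return events


def shannon_entropy(s):
    """Bits of entropy per character of s (0 for an empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_internal(qname, suffixes=INTERNAL_SUFFIXES):
    return any(qname == s or qname.endswith("." + s) for s in suffixes)


def find_beacons(events, min_queries=4, jitter_tolerance=0.2):
    """Return (client, qname, mean_interval_seconds) for external names that one
    client queries repeatedly at near-constant intervals."""
    series = defaultdict(list)
    for e in events:
        if not is_internal(e["qname"]):
            series[(e["client"], e["qname"])].append(e["ts"])
    findings = []
    for (client, qname), stamps in series.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = sum(gaps) / len(gaps)
        # Every gap must lie within jitter_tolerance of the mean interval.
        if mean > 0 and max(abs(g - mean) for g in gaps) <= jitter_tolerance * mean:
            findings.append((client, qname, round(mean)))
    return findings


def find_suspicious_labels(events, min_len=24, min_entropy=3.5):
    """Return (client, qname, qtype) for names whose leftmost label is long and
    high-entropy, which is unusual for hostnames a person chose."""
    findings = []
    for e in events:
        label = e["qname"].split(".")[0]
        if len(label) >= min_len and shannon_entropy(label) >= min_entropy:
            findings.append((e["client"], e["qname"], e["qtype"]))
    return findings


def inspect(text):
    """Run both checks over a log text and return the findings together."""
    events = parse_log(text)
    return {
        "beacons": find_beacons(events),
        "suspicious_labels": find_suspicious_labels(events),
    }


if __name__ == "__main__":
    for kind, items in inspect(SAMPLE_LOG).items():
        print(kind)
        for item in items:
            print("  ", item)
```

On the constructed sample, the script reports client 10.1.4.37 querying update.cdn-test.net every 300 seconds and its TXT lookup of the long hex label. Both thresholds are starting points: the interval check should be tuned against the site's own legitimate periodic lookups (software updaters, monitoring agents), and the entropy check is meant to surface candidates for a human to review, not to block anything on its own.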
An update to this news story is expected in about a week. We will keep you posted.
Source: iSec Internet Security & Associates.