One of the hot topics at the Infosecurity Europe show – held in London this week – is the scale and complexity of the latest attacks against corporates.
Whilst several research operations and vendors competed with each other to produce reports on how bad the attack landscape is at the moment, the real question that C-level executives attending the event want answered is: how bad are the attacks really – and what can I do to defend against the threat?
According to Ian Pratt, the co-founder of Bromium Labs, the threat situation is potentially quite serious, as his research team has uncovered a new type of attack vector called the Kernel Kracker, which is what some experts call a layered attack.
The attack exploits a vulnerability in the Windows operating system kernel to give the attacker admin/system-level privileges on the host system, allowing them to effectively peel away the various layers of security the company has installed.
Having said this, Pratt says that the use of multiple layers of security to protect an organisation’s IT resources is still a very viable defence approach, as, although no set of security layers is ever going to reach 100 percent protection, the use of multiple layers is still a lot better than the old single-suite option of yesteryear.
“The underlying problem is that all commodity operating systems are now too big to protect in their entirety,” he said, adding that – as an example – Windows XP had more than 100 patches applied to it last year by Microsoft.
Against this backdrop, Pratt argues that the best solution is to create virtual instances of a given operating system environment, taking the concept of virtual machines to its logical conclusion.
This means, he says, that even if the defences fail and an attack succeeds, its effects are severely limited to the privileges assigned to the given Web browser session. After the session on a given Web resource finishes, the virtual machine collapses the session and a fresh one is started for the next Web site.
“You can let the exploit happen, and its effects are limited,” he explained, adding that he fully expects cybercriminals to come up with new attack vectors on a constant basis.
Will there ever come a time when it ceases to be viable for cybercriminals to develop new attack vectors against corporate IT systems, we asked him.
That time, he replied, is still a very long way off, as new methodologies will arrive all the time.
“Over the last 18 months, it’s all been about Java. That is going to change, and you will see a new set of security threats being used,” he said.
Jag Bains, CTO of DOSArrest, agreed that the threat landscape will continue to evolve from its current mix of DDoS attacks and operating system-specific vectors.
David Gibson, vice president of Varonis Systems, agreed that cybercriminal attack vectors are evolving, but cautioned that the fundamental problem remains the volume of data to which users of IT systems have access.
“We had a meeting with a client recently where users had the same levels of access rights [to data] as their high level management. As a result, we discovered that volumes of company data were being exfiltrated from the system, despite their use of multiple layers of security,” he said.
It’s against this backdrop, he told SCMagazineUK.com, that he fully expects attacks to evolve for the foreseeable future, but he added that the inside attacker is likely to be the “next big thing” in the security attacks arena.
“For this reason, I am of the opinion that companies must continue to develop the technical controls required to protect the data in their organisation, as well as evolving the security being used to defend the IT resource,” he concluded.