Aug 14 2008

Security Shift

Web attacks aren't what they used to be.
The information-security landscape has shifted significantly in the past several years, requiring a major rethinking of how security is managed in higher education. The new environment requires long-term thinking and strategic alignment in the enterprise to compensate for this shift.

Historically, higher education IT security owes much of its heritage to the damaging Internet worm attacks of 2001–2005. Those worms inflicted unprecedented damage on the unfiltered networks common to higher education at the time. With IT just managing to keep up with the worms' massive, service-disrupting outbreaks, there wasn't much need to do in-depth threat modeling. It was clear the attacks were a threat to network infrastructure.

The significant efforts of IT security professionals and a general change in the security philosophy of IT manufacturers have greatly reduced this threat. In the past few years, major OS and application manufacturers have adopted a secure-by-default mind-set, shipping their wares with default-deny firewalls, mandatory passwords and automatic updates. Nearly every major manufacturer now has a best-practices guide for further securing their applications.

Over roughly the same period, the motivations of many members of the “black hat” community (hackers, crackers and attackers) have changed significantly. What once was an unorganized group of independent vandals and file traders knocking over systems for fun has transformed into organized groups of criminals leveraging compromised systems to engage in illicit moneymaking activities.

Motives Change

This change, from hacking-for-fun to hacking-for-profit, has led to the development of a robust, structured underground economy. Online black-market forums that provide access to stolen data, malware and crimeware are readily accessible. Some are run by large umbrella organizations such as the infamous Russian Business Network (RBN), which openly provides infrastructure services to cybercriminals for phishing, gambling, malware, DoS attacks and child pornography.

Through these forums, spammers can rent armies of compromised computer systems from “botnet herders” to send massive amounts of unsolicited e-mail. Stolen credit cards, counterfeit identity documents and new malware can be bought, sold or traded. University networks are a favorite target of these attacks. While the RBN itself has gone quietly underground recently, there is every indication they will continue to do business.

Shift to Application Layer

It's no surprise that with such strong financial motivations, the attacker community is adjusting its methods in the face of a much stronger default desktop-security posture. The drastic reduction of vulnerable network services has encouraged attackers to shift to client-side and application-layer attacks. Client-side attacks are an effective choice because they circumvent default firewalls, which generally do not control outgoing connection attempts, and third-party client applications are almost never included in automatic operating-system updates. Although attackers usually must entice users to open a malicious file or visit a dangerous website, client-side attacks remain the weapon of choice for large-scale attackers.

Application-layer attacks, especially web-application attacks, also give hackers another way around a firewall: web applications are designed to give an outside audience a path to back-end services and information, and an attacker reaches those services through that same path.

Additionally, many such applications are written (or heavily customized) in-house and don't undergo the strict code review that open-source or commercially developed software is subjected to, leaving them full of undiscovered vulnerabilities.

There are far fewer web servers than clients on the public Internet. Web servers are therefore more commonly targeted by data thieves who wish to compromise a specific site than by those conducting indiscriminate mass attacks.

Now What?

To address this shifting landscape, we not only need to revisit our old assumptions, we need to fundamentally change the way we approach information security. Traditionally, higher education security programs have focused on rapid threat detection and reaction. The shifting landscape provides security professionals a unique opportunity to reassess how they allocate their time and resources, looking toward more proactive and predictive areas of assessment and protection and expanding their efforts to every part of IT.

IT security teams are frequently tasked in isolation to “solve” the application-security problem, often quickly and in reaction to a catalyzing incident. Unfortunately, there is no intrusion detection system (IDS) rule or new turnkey inline appliance that will completely secure web applications at your institution.

Instead, what's needed is a holistic, strategic approach to web-application security that stretches across the enterprise. The advice presented by the Open Web Application Security Program (OWASP) exemplifies this model. It includes comprehensive information on how to include security in all phases of application development and deployment, including developing secure code; performing code audits, reviews and static analysis; and, when possible, penetration testing. Unfortunately, some vulnerabilities, such as those arising from storing unencrypted or poorly encrypted data, are beyond the ability of the penetration tester to discover, and therefore outside the realm of what is often considered the responsibility of the higher-ed IT security team.
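To illustrate the last point, here is an added example (not from the article) in Python, contrasting two password-storage schemes: an unsalted MD5 digest standing in for the "poorly encrypted" storage described above, and a salted, iterated PBKDF2 hash. Seen through the login interface both behave identically, so a black-box tester cannot tell them apart; only a review of the code or of the stored records reveals the weakness. The user name, password and function names are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed example: two user stores with identical external behaviour.
# Unsalted MD5 is the "poorly encrypted" storage the article warns about.

ITERATIONS = 200_000


def store_weak(db, user, password):
    """Weak storage: unsalted, fast hash; recoverable by offline guessing."""
    db[user] = hashlib.md5(password.encode()).hexdigest()


def store_strong(db, user, password):
    """Stronger storage: per-user salt plus an iterated key-derivation function."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    db[user] = "pbkdf2$" + salt.hex() + "$" + digest.hex()


def verify(db, user, password):
    """The login check: accepts either record format, returns True/False only."""
    record = db.get(user)
    if record is None:
        return False
    if record.startswith("pbkdf2$"):
        _, salt_hex, digest_hex = record.split("$")
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), ITERATIONS)
        return hmac.compare_digest(digest.hex(), digest_hex)
    return hmac.compare_digest(record, hashlib.md5(password.encode()).hexdigest())


def black_box_probe(db, user, attempts):
    """What a penetration tester sees from outside: one accept/reject per attempt."""
    return [verify(db, user, p) for p in attempts]


def review_storage(db):
    """What a code/data review sees: records that are not salted, iterated hashes."""
    return [user for user, record in db.items() if not record.startswith("pbkdf2$")]


if __name__ == "__main__":
    weak, strong = {}, {}
    store_weak(weak, "alice", "Tr0ub4dor")       # constructed credentials
    store_strong(strong, "alice", "Tr0ub4dor")
    probes = ["wrong-guess", "Tr0ub4dor"]
    print("black box, weak store:  ", black_box_probe(weak, "alice", probes))
    print("black box, strong store:", black_box_probe(strong, "alice", probes))
    print("review findings, weak store:  ", review_storage(weak))
    print("review findings, strong store:", review_storage(strong))
```

The two black-box result lists are identical, which is exactly why this class of weakness has to be found in code review or static analysis rather than in a penetration test.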

Moving Forward

The security programs that look beyond the operational, those that extend to all aspects of IT security – policy, compliance, technology architecture, application and database security, operations and more – will undoubtedly prove to be leaders in the higher education security community in the coming years. Organizations such as Internet2, Burton Group and the Information Technology Infrastructure Library (ITIL) have already begun to make great strides in this arena for IT as a whole. Now the time has come for IT security organizations in higher education to deploy these strategies. These initiatives may differ in their implementation and inspiration, but at their core they send the same message: IT security in the modern enterprise is best handled comprehensively with long-term implications in mind.

Those who are interested in learning more on the shifting-landscape concept can check with the SALSA-CSI2 working group, which is supporting research on this area. Current efforts include a white paper with more in-depth coverage of the elements mentioned here and a taxonomy of tools that higher-ed security professionals are leveraging to successfully mitigate current threats.

Stay tuned: The next couple of years are going to lead us down entirely new roads. You'd better check your map.
