The Symantec Intelligence Report - is it time to rethink security?
Last month saw our release of The Symantec Intelligence Report, combining the best of the Symantec.cloud MessageLabs Intelligence Report and the Symantec State of Spam and Phishing report. A bit of a mouthful, we're sure you'd agree, which is why we've distilled everything down into a single place.
Included are the usual staples - spam, which is down from last year; phishing, which is up; and virus attacks, which have stayed roughly the same. Spyware is static, but the number of sites hosting web-borne viruses and trojans is on the increase.
So far, business as usual. But behind the broad trends lies a more interesting phenomenon, in the Chinese proverbial sense of, "May you live in interesting times." A number of new styles of attack are becoming more prevalent, which don't attempt to fit industry categories such as phishing or spyware, but which like to use elements of all of them.
Take Shady Rat, for example. We've written about this extensively - and without dwelling on the programmatic complexity of the attacks, it's clear that they are difficult to categorise, yet no less challenging for it.
Consider: A very simple trojan is included in an office document or PDF, which gains a foothold on the computer. This then contacts a web site and accesses a seemingly innocuous page, which contains hidden commands either in the HTML or embedded directly into images. These commands can then request downloads of other programs, or open a port for remote monitoring and uploading information.
It's clever stuff - while security specialists may talk about "multiple attack vectors", the truth is that none of the components, taken alone, adds up to an attack. It's only when they are all put together that their true intentions emerge - each combination like an online version of "The Sting".
The main challenge is not whether such things will happen (they will); it's not whether the bad guys will increasingly go where the money is (they are), nor whether they focus more closely on specific individuals (they do). While all of these things matter - a lot - the real issue, the elephant in the room, is that the ways we use computers, mobile devices and online services are changing dramatically and fast, and the majority has little if any grasp of what the security implications might be.
Consider Apple's iCloud service, for example. Already it has been subjected to relatively simple phishing attacks, before the service has even launched. Once it is there, however, once it becomes the backbone for information sharing between devices with automatic synchronisation, how hard would it be to create a 'payload' which would pass all checks for the receiving device - a mobile phone, say - but would be damaging in the extreme if it was synchronised to a laptop computer?
The point is not to conjure scare stories - too much of this has been done in the past (remember Bluetooth viruses?) and people have become immune to the technique. Rather, it is to consider how we should think about the "threat surface" at all. What was once a game of chess - or indeed splat the shady rat - has become an entire toy shop of possibilities which cannot be dealt with one by one.
Security strategy, security architecture, security process have traditionally been defined around keeping the bad guys on the outside, and the information safe on the inside. In these days of cloud services, mobile device proliferation, consumerisation and so on, it's increasingly clear that an outside-inside, threat-response approach is not enough. It is not just our devices and information that are under attack, but the very way that we think about security at all.
Food for thought. And if you'd like to read more on the Symantec Intelligence Report there's a full presentation available here.