Now in its 20th year, Symantec has released its annual threat report. We spoke with Piero DePaoli, Senior Director for Global Product Marketing for Information Security at Symantec at the recent RSA Conference.
“There’s really three big areas on the cybersecurity side. The first one is cyber attackers are leapfrogging defences in ways companies don’t even have the insight to anticipate.
While phishing attacks and their highly targeted siblings spear-phishing attacks involve targeted messages being sent to individuals, Symantec has coined the term “watering hole attack” to describe an evolving threat vector.
In a watering hole attack attackers infiltrate places people go. For example, they might inject a vulnerability into a website they know their visits. This bypasses the measures put in place to block malicious email.
A variation of this is bad actors infiltrating software used in specific industries with malicious payloads. For example, if a mining company uses a specific application, a hacker could infect that software at the developer’s site so that the malicious payload enters the mining company through a seemingly legitimate channel.
In some cases, Symantec has seen determined attackers use spear phishing, watering hole and infected software at the same time to infiltrate a target.
DePaoli said the second main finding of the report is attackers are moving faster than the defences. This was highlighted by 2014 marking the largest number of identified zero day vulnerabilities. Symantec reported 24 new zero day threats, up from 23 the year before and 12 in 2012.
An example of the speed at which attackers are moving is the emergence of Heartbleed last April. Within four hours of Heartbleed becoming public, there were exploit kits available.
One of the issues, according to DePaoli is it took a combined total of 295 days to issue patches for the top five zero day vulnerabilities.
“This is where you start to look at defences. If you look at a vulnerability that is now known and patches aren’t available, organisations are ripe for being hit by these sorts of attacks”.
The marked acceleration in the detection and release of significant threats is a major issue for the security industry. With a new zero day vulnerability appearing almost every two weeks, it seems that no sooner is one vulnerability detected and remediated than another appears.
It seems the bad guys have an almost inexhaustible bag of unexploited threats that they can pull from. Many of the vulnerabilities affect older software. But DePaoli hopes modern applications are written with security at their core rather than bolted on as an afterthought.
“My hope is that modern software, especially cloud software and mobile software is being written knowing that we are living in a different world than we were when these software packages were developed”.
Given this threat environment, DePaoli suggests taking a more granular approach to security. Rather than traditional perimeter security, he recommends limiting access to specific servers only to those who need them and placing defences around specific data and assuming attackers will bypass the perimeter.
“Most servers have a specific purpose. They don’t need to be ‘default allow’ and then try to block a bunch of stuff, even if it’s inside the network. Why not ‘default deny’ and then turn on the services that are needed?”.
One of the important developments is that security is becoming mainstream according to DePaoli. “Security was an IT topic, maybe a geek topic for organisations five years ago. It’s becoming mainstream news and part of everyday life”.
Anthony Caruana attended RSA Conference as a guest of Symantec.