Eric Knorr
Contributing writer

Symantec fingers organized crime

analysis
Aug 17, 2009

A conversation with a Symantec exec yields special insight into the attack methods used by sophisticated cyberthieves

Next to keeping the lights on, security is job one, but it has become absurdly complicated for most enterprises. Recently I interviewed Francis deSouza, the new senior vice president of Symantec’s Enterprise Security Group, in an effort to demystify the latest threats and security technologies — and, more importantly, to ask where he thought enterprise security pros should focus their efforts.

The response from deSouza was unequivocal: repelling attacks by organized crime. The interview covered a number of topics, but deSouza’s account of how well-funded attackers get the jump on enterprise defenses is as instructive as it is frightening, so I’ve edited things to concentrate on that angle. We began the conversation by discussing the ever-widening scope of responsibilities security professionals now must undertake.


Eric Knorr: Enterprise security has become mind-numbingly complex, from security event management to access control to data leak prevention. How are customers managing to wrap their arms around all this?

Francis deSouza: We’re hearing that anyone in security feels like they have more to deal with today than they ever have before.

The first thing they’re saying is that they have more viruses to deal with than ever before — the meat and potatoes of the security world. Our research bears that out. In 2008, we put out more anti-virus signatures than we did in the previous 17 years of our existence.

The second thing that security professionals are saying is that they have more threats to deal with that are not viruses. They’re concerned about people inside their environment that are stealing information. They’re concerned about botnets; they’re concerned about phishing attacks.

They’re also saying that the surface area they have to protect continues to grow exponentially. They have more people to manage, because today, it’s not just your employees, but increasingly, contractors, suppliers, and even customers that have access to your network, because that’s the way we do business today. So there are more people that you have to manage. And there are more devices — not just PCs and laptops, but increasingly smartphones, iPhones, iPods, that plug into a network.

There’s also more information. So it’s not unusual for most companies to see a doubling of the amount of information on their network every two years. And then you throw in SaaS, cloud computing, server virtualization, and desktop virtualization, and the infrastructure complexity continues to grow.

And finally they’ll tell you their job descriptions have grown. So two years ago, three years ago, they were in charge of security. And in fact the CSO was a fairly new office being formed. Today, increasingly, compliance and regulatory compliance fit under the CSO’s office. So they’re saying we’re not just in charge of security anymore, we’re in charge of compliance as well.

Knorr: What about the threat world? How has that changed?

deSouza: One of the most staggering things I think is that in 2008, 90 percent of breaches were driven by organized crime. That is massively different than three years ago.

Knorr: How can you get that kind of statistic?

deSouza: We actually do a lot of forensic analysis on breaches that happen — in fact, we’re called in a lot — so that’s our own stat based on the breaches we are seeing. We’re obviously on tens of millions of desktops around the world, so we understand the profile of the attacks that are coming in.

Another category of breaches was driven by the actions of well-meaning insiders. Examples are people who store information on unencrypted USB drives and leave them somewhere; people that lose their laptops. Or it just could be a broken business process. We had one case with an airline in Europe that called us in — they were using our data loss prevention product. They saw that they were putting out tens of thousands of credit card numbers every day and asked us to help them identify where that was coming from. What we found is that they were using credit card numbers as boarding pass numbers! They were printing them on every single boarding pass. Now that is a major breach.

The third category we’re seeing is the result of malicious insiders. Disgruntled employees, people being laid off, or people who’ve realized they can turn a profit from selling company information.

Knorr: Wouldn’t you consider that to be the leading cause of rising anxiety among security professionals?

deSouza: It’s one of the leading causes. It depends on the organization. If they understand the threat from organized crime, then that’s their leading concern.

Knorr: So what does an organized crime attack look like?

deSouza: The anatomy of a breach is very different than it was only two years ago. What we’ve identified is that there are four stages to any of these attacks. And the criminals are organized enough that they typically have dedicated teams for each of these four stages.

The first stage we’re calling the incursion phase, where the team is trying to get into the network. So they’re poking at the network to see how they can get in. In 2008, the No. 1 way that criminals got into a network was over e-mail, and it was a combination of getting in over spam — an e-mail that had malware on it or an e-mail with a link to malware — and more insidiously a growing number of custom e-mails that were targeted at one person and looked like they came from a legitimate source. When you clicked on it, it looked like the right thing happened or nothing happened. So typically you didn’t know you were hit.

The incursion teams also look for Web-facing infrastructure that’s not well protected: default passwords or infrastructure that hasn’t been patched. In fact, in 80 percent of breaches last year, the attackers targeted vulnerabilities for which there had been patches for more than six months.

The third vector is that they look for Web-facing applications that have not properly been hardened and are prone to things like SQL injections.

Knorr: And after they get in, then what?

deSouza: Once they get in, the incursion team hands things over to the discovery team, which handles phase two of the attack. The discovery team maps out the network to understand what information exists where and how well protected it is.

They’re relying on two things. The first thing they’re relying on is that most companies don’t have strong policies enforcing who can have access to what infrastructure or what information. Once the criminals are in, they can have free rein, because there aren’t good controls on what they have access to — it’s a classic example of hardened on the outside and soft on the inside.

The second thing they’re counting on is a phenomenon we’re calling data spillage. Most companies know, for example, that their patient records are in their patient record database. What they don’t always know is where else that information may be.

Last year we were called into a large government agency and, using our SIM technology, they sensed they were under attack, because they were seeing a lot of communication between their site and a known criminal site in Bosnia. They knew something was going on, but they didn’t know what the target of the attack was. And what we found was that the criminals were after employee records, but they weren’t after them on the employee record database. What they had figured out was that there was a copy of the employee records on an internal test server, because the internal development team was about to launch the next version of their HR system, and they were testing it on live data as you would expect.

Data spillage occurs, and it’s not always obvious to companies where this information exists.

So that’s what the discovery team does: They map it all out. Then they hand it over to the capture team. The capture team does the trade-off around how valuable this information is across the network and how well protected it is. They want the most valuable information for the least amount of work.

In many cases they find that the corporate information is well protected, but the employee desktops are not. Last year we found a case where they installed screen-scraping software on employee desktops, so when employees were logging onto their personal bank accounts, that information was being captured.

In the case of the world’s largest data breach, the Heartland case, they installed a rootkit on the credit card transaction processing server, and they were able to capture the credit card records.

Once the capture team has captured the records, they turn it over to the fourth team and the final team in the attack, and that’s the exfiltration team. The idea is simply to get the information out of the company. It’s actually fairly straightforward: Generally what they do is encrypt the information, find an unused port in the firewall, and send it out.

So that’s what today’s breaches look like. It’s very different from the old breaches. These are well-funded attackers, deep-pocket gangs in some cases; in some countries we’re seeing ties with governments. These are really sophisticated attackers.

Eric Knorr is a freelance writer, editor, and content strategist. Previously he was the Editor in Chief of Foundry’s enterprise websites: CIO, Computerworld, CSO, InfoWorld, and Network World. A technology journalist since the start of the PC era, he has developed content to serve the needs of IT professionals since the turn of the 21st century. He is the former Editor of PC World magazine, the creator of the best-selling The PC Bible, a founding editor of CNET, and the author of hundreds of articles to inform and support IT leaders and those who build, evaluate, and sustain technology for business. Eric has received Neal, ASBPE, and Computer Press Awards for journalistic excellence. He graduated from the University of Wisconsin, Madison with a BA in English.