For every action, there is an equal and opposite reaction. Or so said that bloke with a wig and an apple who used to appear on one side of a pound note (that's Sir Isaac Newton; for those of you too young, too confused, or too ambivalent to recall), and it's true.
Unfortunately, with technology it can sometimes feel less like a case of Newton's Law than Sod's Law, not least when it comes to Internet security. Like the Internet itself, web-borne threats to network security evolve on a perpetual basis. The quicker you act to snuff out one menace, the quicker the criminal community seems to react with a new and even more dastardly one. I mean, play the game. It's enough to leave even the most cautious, diligent business peering over its shoulder and wondering where the next attack is coming from.

According to Gartner, the entrenched institutional nervousness and doubt this continues to cause will see sales of security software hit more than $9bn in 2007, a rise of almost 11 per cent year on year. As such, says the analyst, it may be time for a change in the way we handle new and evolving threats: time for security solutions to move on from being largely ungainly and reactive to being intrinsically predictive and proactive.

They have a point, says Marino Zini, head of managed services at Claranet. "In the modern, Internet-facing, networking environment, every aspect of your network - from your routers and switches to your extranets and remote users - can pose a potential threat", he says, adding with due irony that as networks become more complex, they also become more vulnerable to attack.

So, to answer the infernal question, where IS the next attack coming from? First, it's vital to consider that it's not only the ways in which cyber criminals strike that are changing, but the places. As Simon Perry, VP of security strategy for EMEA at Computer Associates (CA), puts it, computer attacks are like flowing water: they naturally find the easiest route to their goal. He notes, for instance, that it's no longer necessarily operating systems that are the main security soft spots, as more and more attacks are now being levelled against user behaviour via techniques like phishing.
Applications are suffering too, as attackers specifically target the likes of Acrobat Reader, QuickTime, web browsers, and even the very anti-virus software that's supposed to be standing guard. "It is therefore very important to focus on the health of the whole computing environment up to and including the application stack at the top end," he adds.

It's also important to understand the attacker's rationale - not just how they're hacking your network, but why. Where attacks may once have been perpetrated largely for the sake of mischief, these days they're much more likely to be driven by criminal, financial motives: the sale of identities, credit card details, or valuable industrial information offers potentially astronomical profit margins at relatively low risk for those involved.

Then there are the ever more sophisticated techniques now being employed by such individuals. Among the newer kids on the block, for example, are botnets - huge numbers of machines across the net that a hacker has infected and can control remotely. (These botnets are often then left in situ, undetected, enabling the hacker - who can direct this 'army of agents' in a coordinated fashion - to return at some later point and conduct further attacks.) Jeff Finn, CEO of eSoft, says that, especially once inside the perimeter, such attacks are now a major threat as they can take over multiple networked machines in a matter of minutes. "Known as 'zombied' PCs", he says, "(infected) computers act as the ground troops in the hacker's Bot army. Mercenary in nature, they can then be 'rented out' to various third parties for large scale Denial of Service, phishing, spam and other such attacks." What makes these and similar emerging threats even more pernicious, he explains, is that their attacks tend to have a very short shelf life, making them doubly difficult to detect, track, counter, and monitor.
Currently, for instance, around 200 or so unique eBay and PayPal phishing attacks are launched on a daily basis, but, on average, the websites to which the recipients of such attacks are directed are active for less than 24 hours. A 'blended' approach combining a variety of technologies - everything from spam filtering, IPS, and anti-virus, to URL filtering, IM/P2P filtering, and anti-spyware - is recommended, as is some kind of 'reputation filtering' service for email and web activities. "Reputation filtering is being promoted by network security vendors as a means of comparing email and web traffic amongst a large group of SMEs, who in essence act as an early warning network for one another", says Finn. "This type of collaboration is one of the most effective ways of providing access to the type of early warning and rapid response security that has previously only been available and affordable to the largest enterprises."

Another important factor worth remembering is that the criminal element needs little enough encouragement to try and breach the network perimeter without us inviting them in, taking their coats, and offering them a nice cup of tea. And yet as more and more businesses buy into the mobility ideal, and support increasingly large, disparate mobile workforces, that's effectively what we're doing, albeit inadvertently. So believes Chris Haigh, technical director at S2S. He says that, with its potential for allowing trojans, viruses, and the like onto corporate networks, mobility itself can present a real threat if not properly managed. "The mobile workforce will tend to pick (up) trojans and viruses while connected to unprotected Internet links from home and Internet cafes", he explains. Then they walk back into the office, straight through your entire network security infrastructure, onto the network, and let potentially dozens of viruses and trojans loose across the enterprise.
Hackers will therefore prey on any enterprise, small business, or home user not savvy enough to protect their wireless connections, says Zini, cautioning that SMEs without dedicated IT departments are particularly at risk. "Wireless is vulnerable in a number of ways. Even an object as innocent as a can of Pringles can aid a hacker - acting as a rudimentary wireless antenna to detect unsecured wireless networks."

A further irony is that the more powerful and intelligent mobile devices get, the more tempting and compelling a target they become, and the more sophisticated attacks on them will get, too. Assaults on devices like smartphones therefore look set to increase in proportion to the growth in their volume and usage, something SMEs should guard against with encryption, says Peter Harris, product marketing manager at Trend Micro.

Another increasingly popular hacker hunting ground is the converged voice system. With more and more enterprises consolidating their voice and data traffic onto single hybrid networks, the telephony system can easily become an unguarded 'gateway' for attackers. All it takes is a minute or two's access to an unsecured courtesy phone in your reception (or to the network port it hangs off) and, unless voice traffic is segregated from the data network, the hacker can suddenly have full, undiluted access to all your resources and data. Services such as VoIP, P2P and IP-TV will come under particular attack, says Harris, as they're often targeted as potential points of weakness and as easy entry points for malware, which is itself evolving apace.

Also evolving is spam. No longer just a damned nuisance, the phenomenon has matured and started employing multimedia formats such as MPEG video and PDFs in order to get itself (and often malware too) past the spam filters and in under the wire. Then there's spam over Internet telephony (SPIT) to think about.
"Mail and the web are the two core applications for all businesses", notes Jason Steer, European Product Manager at IronPort, "so focus on these two protocols (among hackers) is still on the rise. Hence the attacks." In this regard, even in today's net-savvy society, many enterprises still face problems because of a lack of education among staff, he says. "Social engineering is the number one reason why spam and phishing attacks work, users are too trusting and should be considerably more paranoid. Education will mitigate a significant amount of that risk."

Here, says Zini, the trap is thinking that firewalls and anti-virus software will be enough. Auditing the network, or bringing in a third party to do it for you, is often a sensible idea and, as Haigh puts it, a good security partner won't sugar-coat the results.

Security, then, needs to be adopted with a 'defence in depth' approach, according to Viorel Canja, BitDefender's head of Virus Laboratories. "A product or a technology is not enough", he says. "Policies that reduce the risk of an attack must also be put in place." He further argues that it is critical that products installed on servers and desktops should be from different vendors, noting that while this creates a management overhead, it also provides a better chance of detecting new attacks. "Monoculture in computer security is just as dangerous as in society", he warns.

A 15-point checklist to help ensure your network stays watertight

1. Ensure all computers have up-to-date AV software, are regularly scanned with anti-spyware tools, and are configured to download and install security patches automatically. If you don't have a company-wide firewall, enable the built-in Windows firewall.
2. Ensure each employee has their own user account and don't allow password sharing.
3. Prohibit staff from using any accounts with administrator privileges.
4. Ensure the company and all staff comply with all relevant IT-related legislation.
5. Conduct regular back-ups, store them remotely, and test back-up processes and copies often.
6. Employ data encryption to protect data, especially on laptops and back-ups.
7. Review your remote access policies. What data is authorised to enter and leave your premises? Can staff dial in? Is that process secure?
8. Ensure automatic logging facilities such as Internet surfing and user login histories are enabled, and that logs are retained for a long period.
9. Ensure your web site is protected against Denial of Service attacks. Back it up regularly and keep tight control of your web administration passwords.
10. Formulate an Acceptable Use Policy - to tell staff what they can and can't use their computers for (e.g. accessing private email) - and a Disaster Recovery Plan.
11. Undertake a basic risk analysis at least once a year.
12. Ensure any wireless access to your network is set up and configured securely.
13. Store nothing on your web server that you don't want in the public domain.
14. Dispose of old hardware safely. Wipe disks of all data or, better still, remove the hard disk and physically destroy it.
15. Implement basic Security Awareness Training for all staff.

Source: defeatingthehacker.com
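Several of the checklist items above can be verified on a Windows machine rather than taken on trust. The following PowerShell script is an added example, not part of the article or of the defeatingthehacker.com checklist: it audits one workstation against items 1, 2, 3, 8 and 12 and lists anything that fails. It assumes Windows 10/11 or Server 2016 and later with PowerShell 5.1 or newer (for the NetSecurity and LocalAccounts cmdlets), an elevated prompt, and that the `$AllowedAdmins` list is edited to name the administrative accounts your own IT staff actually use.

```powershell
# Added example, not from the article or defeatingthehacker.com: a read-only
# audit of one Windows machine against checklist items 1, 2, 3, 8 and 12.
# Assumes Windows 10/11 or Server 2016+ with PowerShell 5.1+ (NetSecurity and
# Microsoft.PowerShell.LocalAccounts modules). Run from an elevated prompt so
# the group-membership and audit-policy queries are permitted.

$Findings = New-Object System.Collections.Generic.List[object]

function Add-Finding([string]$Item, [string]$Message) {
    $Findings.Add([pscustomobject]@{ Item = $Item; Finding = $Message })
}

# Item 1: host firewall enabled on every profile; automatic updates not switched off.
Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'False' } | ForEach-Object {
    Add-Finding '1' "Windows Firewall is off for the $($_.Name) profile"
}
$au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
if ($au -and $au.NoAutoUpdate -eq 1) {
    Add-Finding '1' 'Automatic Updates are disabled by policy (NoAutoUpdate = 1)'
}
if ((Get-Service -Name wuauserv).StartType -eq 'Disabled') {
    Add-Finding '1' 'The Windows Update service (wuauserv) is disabled'
}

# Item 2: shared or service-style logins usually show up as local accounts whose
# password never expires; list them so each can be tied to one named person.
Get-LocalUser | Where-Object { $_.Enabled -and -not $_.PasswordExpires } | ForEach-Object {
    Add-Finding '2' "Enabled local account '$($_.Name)' has a password set never to expire"
}

# Item 3: nobody but the expected administrative principals in local Administrators.
# $AllowedAdmins is an assumption; replace it with the accounts your IT team uses.
$AllowedAdmins = @('Administrator', 'Domain Admins')
Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
    $short = ($_.Name -split '\\')[-1]
    if ($AllowedAdmins -notcontains $short) {
        Add-Finding '3' "Unexpected member of local Administrators: $($_.Name) [$($_.ObjectClass)]"
    }
}

# Item 8: logon auditing on, and a Security log big enough to keep a long history.
$logon = auditpol /get /subcategory:"Logon" /r | Where-Object { $_ } | ConvertFrom-Csv
if ($logon -and $logon.'Inclusion Setting' -eq 'No Auditing') {
    Add-Finding '8' 'Logon success/failure events are not being audited'
}
$secLog = Get-WinEvent -ListLog Security
if ($secLog.MaximumSizeInBytes -lt 256MB) {
    $mb = [math]::Round($secLog.MaximumSizeInBytes / 1MB)
    Add-Finding '8' "Security event log is capped at $mb MB; raise it so login history is retained"
}

# Item 12: saved Wi-Fi profiles that rely on open authentication or WEP.
$profiles = netsh wlan show profiles 2>$null |
    Select-String 'All User Profile\s*:\s*(.+)$' |
    ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() }
foreach ($p in $profiles) {
    $detail = (netsh wlan show profile name="$p") -join "`n"
    if ($detail -match 'Authentication\s*:\s*(Open|Shared)\b' -or $detail -match 'Cipher\s*:\s*WEP') {
        Add-Finding '12' "Saved wireless profile '$p' uses open or WEP security"
    }
}

if ($Findings.Count -eq 0) { 'All checks passed' } else { $Findings | Format-Table -AutoSize }
```

The script only reads state and never changes it, so it is safe to run across a fleet; the items it does not cover (backups, encryption, policies, disposal, training) are process controls that no script can verify, which is the point Canja makes about products not being enough on their own.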