Hackers evade security perimeters as agencies scramble to keep pace

Cybersecurity concerns grow as sophisticated attacks, automation evade detection

This summer, cybersecurity is seemingly making news daily, as the number and variety of incidents reported are growing. At the same time, federal government agencies and departments are striving hard to keep up with current and emerging threats.

A rash of high-profile breaches suggests that conventional defenses aren’t working well. Breaches have cost Citigroup an estimated $2.7 million, RSA an estimated $100 million and an untold sum from the numerous attacks on Sony. According to industry news reports, hackers allegedly released 400M of internal data from government cybersecurity contractor ManTech International Corp. as part of a reported “weekly campaign” to embarrass the FBI, as well as other government agencies and their partners. The batch of documents appears to mostly involve NATO, along with the Homeland Security Department, U.S. military branches, and the State and Justice departments, according to those news reports.

Yet another recognized concern — social media — still isn’t getting the security focus needed, based on findings from a newly published Government Accountability Office report. In late July, GAO released a report that outlined how all but one of 24 major federal agencies engage in social media while most still lack a clear plan to mitigate records management, privacy and security challenges.

Only seven agencies identified and documented possible security risks — such as spear phishing, social engineering and Web application attacks — to federal information systems when engaging with social media, according to the authors of the GAO report.

Only eight agencies conducted and documented privacy impact assessments to identify potential privacy risks associated with social media use. Twelve agencies describe whether they use personal information obtained from social media in a formal, updated privacy policy.

“Social networking sites, such as Facebook, encourage people to provide personal information that they intend to be used only for social purposes,” the GAO report states. “Government agencies that participate in such sites may have access to this information and may need rules on how such information can be used.”

Only the Interior Department had developed records management, privacy protection, and security risk management policies and procedures for social media use, according to GAO. The Small Business Administration, the Social Security Administration, the U.S. Agency for International Development and NASA lacked any policies and procedures for the use of social media services, according to the report’s authors. GAO recommended that agencies ensure that appropriate records management, privacy and security measures are in place and published specific recommendations for each agency. Read the report at www.gao.gov/new.items/d11605.pdf.

Finally, approximately one in every 280 e-mail messages was identified as malicious in July, a significant increase in activity related to aggressive and rapidly changing polymorphic malware. The rise accounted for nearly 24 percent of all e-mail-borne malware intercepted by Symantec in July. And this is more than double the amount tabulated six months ago, indicating a more aggressive strategy by cyber criminals along with perhaps a greater use of automation, which has allowed attackers to increase their output, according to Paul Wood, senior intelligence analyst at Symantec.

Cybersecurity tools for defense in depth

The right combination of defenses can keep agency networks secure. The tools considered most important include:

* Firewalls, to inspect traffic and permit or deny access based on set policies.
* Virtual private networks, to provide secure remote network access to an increasingly mobile workforce.
* Web filtering, to monitor and control Web access and block unsafe or inappropriate sites.
* E-mail filtering, to monitor e-mail for malware and confidential information.
* Intrusion protection, to analyze network traffic to detect signs of malicious behavior.
* Antivirus/anti-spyware, to inspect e-mail and other traffic for a variety of threats and eliminate or quarantine malware to prevent its spread.
* Anti-spam, to review e-mail messages for signs of spam and block or reroute them to a special spam repository.

Polymorphic malware is harmful, destructive or intrusive software (a virus, worm, Trojan or spyware) that constantly “morphs,” making it difficult to detect with anti-malware programs. The evolution of malicious code can occur in a variety of ways, such as file name changes, compression and encryption with variable keys.

According to Symantec’s analysis, the number of variants, or different strains, of malware involved has also grown dramatically, to 25 times the number seen six months ago. This alarming proliferation in such a short time heightens the risk for many organizations because new strains are harder to detect using traditional security defenses.

Polymorphic malware is also likely to be causing pain for a great number of traditional antivirus companies that rely on signatures, heuristics and software emulation to detect malicious activity, Symantec’s Wood reported. This type of malware is frequently contained inside an executable file within an attached ZIP archive file and often disguised as a PDF file or office document.

Because organizations can’t rely on signatures and heuristics alone, they must also take into account the integrity of an executable file based on knowledge of its reputation and circulation in the real world, Wood reported.
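The two observations above, that polymorphic samples usually arrive as an executable inside a ZIP attachment wearing a document-like name, and that signatures alone are not enough so the file’s reputation and circulation must also be weighed, translate into a small attachment-inspection routine. The following is an added illustration written for this article, not code from Symantec or from any product named here. It builds a constructed ZIP in memory (the "MZ" bytes are only the standard DOS/PE magic, not malware), checks each entry’s declared extension against its content, and folds in a hypothetical prevalence table standing in for a real reputation service.

```python
import hashlib
import io
import zipfile

# Extensions that can execute on a typical Windows desktop.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Extensions attackers borrow to make an executable look like a document.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt"}

# Leading bytes used to cross-check what the file actually is.
MAGIC = {
    b"MZ": "executable",          # DOS/PE header
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip-container",  # docx/xlsx/pptx are ZIP containers too
}

# Hypothetical prevalence data (constructed): sha256 -> number of endpoints
# on which the file has been seen. A real deployment would query a
# reputation service here instead.
PREVALENCE_FLOOR = 10


def sniff(data: bytes) -> str:
    """Return a coarse file type from the leading bytes."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"


def split_exts(name: str) -> list:
    """'Invoice.pdf.exe' -> ['.pdf', '.exe'] (lower-cased, path stripped)."""
    base = name.lower().rsplit("/", 1)[-1]
    return ["." + p for p in base.split(".")[1:]]


def inspect_zip_attachment(zip_bytes: bytes, reputation: dict) -> list:
    """Inspect every member of a ZIP attachment and return per-file verdicts.

    'hard' findings (name/content mismatch) block outright; 'soft' findings
    (an executable, or one nobody else has seen) send the file to quarantine.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            exts = split_exts(info.filename)
            last = exts[-1] if exts else ""
            kind = sniff(data)
            hard, soft = [], []

            if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and last in EXECUTABLE_EXTS:
                hard.append("document-lookalike double extension")
            if kind == "executable" and last not in EXECUTABLE_EXTS:
                hard.append("PE header under a non-executable name")
            if last == ".pdf" and kind != "pdf":
                hard.append("declared .pdf but content is not PDF")

            digest = hashlib.sha256(data).hexdigest()
            seen = reputation.get(digest, 0)
            if last in EXECUTABLE_EXTS:
                soft.append("executable extension")
            if kind == "executable" and seen < PREVALENCE_FLOOR:
                soft.append(f"low-prevalence executable (seen on {seen} endpoints)")

            verdict = "block" if hard else ("quarantine" if soft else "allow")
            findings.append({"name": info.filename, "sha256": digest,
                             "type": kind, "reasons": hard + soft,
                             "verdict": verdict})
    return findings


def build_sample_zip() -> bytes:
    """Constructed attachment: a lookalike, a fake PDF and a real PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_July.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("notes.pdf", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("report.pdf", b"%PDF-1.4\n%constructed sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in inspect_zip_attachment(build_sample_zip(), reputation={}):
        print(f["verdict"], f["name"], f["reasons"])
```

The prevalence check is deliberately a separate, softer signal: a brand-new build of a legitimate tool will also score low, so it lands in quarantine for review rather than being silently dropped, while a name/content mismatch is treated as a hard block because there is no benign reason for a ".pdf" to begin with a PE header.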

A growing malware threat

An ever-growing malware threat is driving federal agencies to “investigate solutions that can detect and protect their online Web and social media environments, including blocking inbound malware and analyzing outbound traffic to detect compromised endpoint systems,” said Will Hedrich, a security architect at CDW-G.

There are solutions available that can be effective. Agencies can incorporate tools that include traditional signature-based malware analysis and detection of known bad Web destinations, along with real-time analysis to detect new and targeted threats, Hedrich explained. Among other key anti-malware approaches, Gartner Inc. of Stamford, Conn., reports that URL categorization is used to classify URLs on the fly, along with site reputation analysis and real-time code analysis to seek out common malware techniques in Web code.

Crucial cybersecurity tools, circa 2011

Some of the leading hot-button technologies that public sector organizations should strive to investigate and possibly incorporate to address the increasing number of threats include:

* Real-time Web content ratings.
* Web 2.0 content filtering.
* Inline threat analysis (stream scanning).
* Social networking threat protection.
* Compressed archive analysis.
* File and attachment filtering.
* Hardware-based Secure Sockets Layer.
* Data loss prevention.
* Proxy avoidance blocking.

Perimeter-based anti-malware protection must be supplemented by enhanced security policies as well. Government organizations should seek solutions that offer granular policy controls for social networks to further protect Web resources. According to Gartner’s research, there’s also growing interest in cloud-based services that can address the malware threat in Web 2.0 environments.

According to Gartner’s research, in 2010, the secure Web gateway market reached $817 million, achieving growth of 17 percent over 2009. In 2011, Gartner estimates the market will grow approximately 17 percent, to just under $1 billion. The market is still dominated by on-premises solutions (approximately 90 percent), with “secure Web gateway as a service” making up the remaining 10 percent. However, this cloud-based segment is the fastest growing and is expected to grow 55 percent this year.

About this Report

This report was commissioned by the Content Solutions unit, an independent editorial arm of 1105 Government Information Group. Specific topics are chosen in response to interest from the vendor community; however, sponsors are not guaranteed content contribution or review of content before publication. For more information about 1105 Government Information Group Content Solutions, please email us at [email protected]