When looking into the crystal ball of IT security, a clear overall picture of what the black hats have in the works emerges, even if the details are somewhat fuzzy. One thing in particular is for sure: The days of secure computing are over (if they ever really existed), and they aren’t coming back.
“People who expect to be safe online at all times are out of their minds,” said Scott Charney, Microsoft vice president of trustworthy computing.
He talked about the information security field in a recent discussion with top executives at the Chief Learning Officer magazine Think Tank, which was held at the Microsoft Conference Center in Redmond, Wash.
The overall picture presented was not unlike an athletic competition between teams, with the offense (black hats) trying to score points on the defense (white hats) by exploiting holes.
“We know that bad guys will continue to evolve their viruses to avoid the sensors,” Charney said. “There’s going to be this constant war of attrition between offense and defense. The advantage is for the offense — if they’re attacking all the time, they’re going to get through, unless you’re always perfect.”
So, the offense is inevitably going to get some wins. That’s more or less a given. The key for the defense, then, is to try to anticipate their moves based on probabilities.
“It’s all about risk management and always has been,” Charney explained.
When, where and how will attacks likely occur, though? The key is to carefully examine the black hats’ motivations and techniques, as well as what technologies end-users are using and how.
First, Charney’s explanation notwithstanding, the “offense” isn’t a monolithic group that works together toward a common purpose.
Rather, it’s a collection of diverse players who can range from an American teenager fooling around on his home computer to a sophisticated team of state-supported hackers.
An example of the latter came to light recently when the Financial Times reported that computers at the offices of U.S. Secretary of Defense Robert Gates had been breached by a group operating within the People’s Liberation Army of China.
Thus, the motivations will be different for black hats, who are nearly as likely to attack one another as the white hats.
As a result, they’ll use different kinds of attacks, which can be divided into two basic categories, Charney explained. The first is an opportunistic attack, which is more or less indiscriminate in nature.
Examples of these are spam e-mails blasted out to lists of thousands of addresses, with the hope that a few recipients open up the malware attached to the message.
The second kind of these attacks is the targeted method, which has become much more prevalent in the past couple of years. This technique, which heavily relies on social engineering, contrasts with opportunistic attacks in the same way that an art thief does to a street pickpocket — with the former, the objective is usually much more specific.
Another problem is the speed at which the black hats operate, in that they’re getting faster at finding and exploiting vulnerabilities. Not surprisingly, this has led to a spike in the number and frequency of zero-day (and even zero-hour) attacks.
Additionally, an important consideration is the technologies people are using to connect with one another. Although the most common form of transmitting malware has been e-mail, attacks via IM and mobile devices (especially overseas) are on the rise.
IT security pros can fight malware in its current and future forms by relying on their arsenal of anti-virus, anti-spyware, IDS and firewall solutions. Moreover, they should encourage (inasmuch as they can) thorough testing of software prior to release.
But without question, the best way of combating these threats will continue to be nontechnical, that is, sound security policies and end-user education.