Tactics
Protecting Government from the Latest Attacks
By Stacey McDaniel
Government organizations generate and maintain an abundance of sensitive and important electronic information. Protecting that information is vital -- for instilling citizen confidence, and for defending our nation's security. The Internet threat landscape is constantly changing, and new threats and means of attack are always emerging.
This article delivers insights for government organizations on how to adopt the most appropriate protection for their systems, and includes key findings of a recent Internet Security Threat Report, which covers threat activity that took place between July 1 and December 31, 2005.
- Threats to confidential information: The Threat Report noted that threats which expose confidential information are on the rise. This is a concern not only for government agencies as a whole, but also for employees who may use their work computers for personal business such as online banking and shopping. Confidential information is captured in many ways, including keystroke logging and password-stealing Trojan horses. The percentage of malicious code that threatens confidential information rose from 74% in the first half of 2005 to 80% in the second half of the year.
- Web vulnerabilities: The second half of 2005 was marked by a slight increase in the total number of vulnerabilities disclosed. In that period, 1,896 new vulnerabilities were documented. Vulnerabilities rated as moderately severe increased from 48% to 52% over the past six months. This is due to an increase in vulnerabilities affecting Web applications, the majority of which are classified as moderately severe.
- Bot infections: The Report noted indications that an entrenched and well-organized community of attackers is beginning to use its resources to carry out more coordinated attacks. Many of these attackers are likely to use bot networks. Bots (short for "robots") are programs covertly installed on a user's machine so that an unauthorized user can control the computer remotely. In a bot network, the remote attacker controls a large number of compromised computers over a single, reliable channel, and that network can then be used to launch coordinated attacks. Over the second half of 2005, the United States had the highest number of bot-infected computers of any country: twenty-six percent of bot-infected computers worldwide were located there.
- Phishing: Over the last six months of 2005, the percentage of emails identified as phishing messages was 9% higher than during the first half of the year. Between July 1 and December 31, 2005, phishing attempts made up 0.84% of messages processed. This is an increase over the first six months of 2005, when 0.77% of the messages processed were phishing messages. While 0.84% may not appear significant, it means that roughly one out of every 119 email messages scanned was a phishing attempt.
- Modular malicious code: The previous Report stated that modular malicious code would likely become an issue of concern in the near future. This appears to be the case. Modular malicious code is usually stealthy and very small -- 50 KB or less -- and extremely difficult to detect. Once it has infected a computer, it can download additional code with new, potentially more damaging capabilities, such as the keystroke loggers referenced above, which may allow it to further compromise the target computer or perform other malicious tasks. The intent of the initial modular code is only to establish an outpost on the machine. Between July and December of 2005, modular malicious code accounted for 88% of the top 50 malicious code samples reported. This is an increase of 14% over the 77% reported from January to June 2005, and a further increase of 40% over the 63% reported in the second half of 2004.
Government-specific findings
Here are some highlights of what sensors deployed in the government sector found between July 1 and December 31, 2005:
- The most widespread attack was the Microsoft SQL Resolution Service Stack Buffer Overflow Attack (also known as the Slammer worm). This attack was performed by 51% of attackers targeting the government.
- The United States was the top country of origin for attacks. Thirty-eight percent of the attacks originated there. The U.S. continues to have more Internet users than any other country, which may explain the high level of attack activity originating there.
- The most frequently targeted port was TCP port 1434. This port, commonly used for Microsoft SQL Server, was targeted by the highly successful SQLExp worm (also known as Slammer) and has since been used by common bot network applications including Gaobot and Spybot.
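As an added example (not from the article or the report it summarizes), the following Python script parses a few constructed firewall log lines and flags sources that probe port 1434 across many hosts, the fan-out pattern characteristic of the Slammer/SQLExp activity described above. The log format, addresses and thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample firewall log lines (assumed iptables-like format):
# timestamp action proto src dst dport
SAMPLE_LOG = """\
2005-11-02T03:14:07 DROP UDP 203.0.113.45 198.51.100.10 1434
2005-11-02T03:14:07 DROP UDP 203.0.113.45 198.51.100.11 1434
2005-11-02T03:14:08 DROP UDP 203.0.113.45 198.51.100.12 1434
2005-11-02T03:14:08 DROP TCP 203.0.113.45 198.51.100.13 1434
2005-11-02T03:14:09 ACCEPT TCP 192.0.2.7 198.51.100.10 1433
2005-11-02T03:14:10 DROP TCP 203.0.113.99 198.51.100.10 1434
2005-11-02T03:14:11 ACCEPT TCP 192.0.2.8 198.51.100.20 443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) (?P<proto>TCP|UDP) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) (?P<dst>\d+\.\d+\.\d+\.\d+) (?P<dport>\d+)$"
)


def parse_lines(text):
    """Yield one dict per well-formed log line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            yield rec


def top_targeted_port(text):
    """Return the destination port seen most often, as the report tallies it."""
    counts = Counter(rec["dport"] for rec in parse_lines(text))
    return counts.most_common(1)[0][0] if counts else None


def sql_resolution_scanners(text, port=1434, min_targets=3):
    """Map each source that hit `port` on at least `min_targets` distinct hosts
    to the set of hosts it touched. The article cites TCP 1434; Slammer's own
    propagation used UDP 1434, so both protocols are counted here."""
    targets = defaultdict(set)
    for rec in parse_lines(text):
        if rec["dport"] == port:
            targets[rec["src"]].add(rec["dst"])
    return {src: dsts for src, dsts in targets.items() if len(dsts) >= min_targets}
```

A single 1434 probe (203.0.113.99 above) stays below the threshold; the source sweeping four hosts is reported.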
On the horizon
The latest Report also discusses emerging trends and issues that will become prominent over the next 12 to 18 months. Most noteworthy are the changes in attacker motivations and tools. Attackers appear to be moving away from threats that destroy or compromise data and toward the theft of confidential, financial and personal information for financial gain. Tools used in the commission of such activities are often referred to as crimeware. An increase in the number and variety of crimeware is forecast, including keystroke loggers, screen scrapers, rootkits, spyware, phishing, and Trojans. The purpose of network-based attacks will continue to shift from one-time compromises and informational sorties to compromises designed to build supporting infrastructures for the facilitation and spread of crimeware.
Some recommendations
To keep an organization's systems secure, defense-in-depth strategies should be employed: multiple, overlapping, and integrated systems that guard against single-point failures in any specific technology. Defense-in-depth should include the deployment of antivirus, firewalls, intrusion detection, and intrusion protection systems on client systems. Vulnerabilities should be addressed with prompt, priority-oriented patching, and an asset management system and a vulnerability alerting service are recommended to help assess new vulnerabilities quickly. Resources that provide alerting and patch-deployment solutions are also recommended. User education is also very important. Employees should be directed not to open attachments unless they are expected and come from a known and trusted source, and not to execute software downloaded from the Internet unless it has been scanned for viruses.
Conclusion
Being informed about current threats and remediation methods can go a long way toward securing privileged government information.
Stacey McDaniel has been writing about high-tech issues for more than six years.