DuPont Insider Breach Highlights the Need for Monitoring

http://scmagazine.com/us/news/article/633578/dupont-hit-400-million-corporate-espionage-incident

DuPont's case illustrates the risk of insider threats to critical information assets. In order to do their jobs, trusted insiders are given access to confidential information and therefore pose some level of risk. While this risk will always be present, there are many steps you can take to minimize it without impeding your business.

Understanding the flow of information through your IT infrastructure is a very important part of protecting your critical information assets from insider threats. To effectively counter malicious behavior by a trusted user, you must know what activity to look for and what that activity really means with regard to the security of your sensitive data. Efforts such as comparing organizational data requirements (who needs what data, and when) against NetFlow information (where data is being sent to and from) are good starting points for defining key indicators of malicious activity in your environment.

Access and usage logs detailing activity across critical applications, servers, and databases should be monitored for key indicators that may signal malicious behavior. Activity such as excessive log-ins over a given period of time, data accessed outside of a user's job requirements, or simply a spike in overall usage should be flagged for further investigation. Additional internal layers of security, such as host-based intrusion prevention, will help reduce the risk of insiders abusing their access to critical systems and applications. As a last line of defense, data leakage prevention technologies can be implemented to help detect and block traffic containing sensitive information at your network's perimeter.
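The following Python script is an added example, not SecureWorks code or a description of any SecureWorks service. It applies the three indicators named above (excessive log-ins in a short window, data accessed outside a user's job requirements, and a spike in a user's overall daily usage) to a constructed access log. The log format, the user names, the who-needs-what map (ROLE_ACCESS), and the thresholds are all assumptions chosen for the illustration.

```python
"""Flag insider-threat indicators in an access log (added example, not SecureWorks code)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line: "<ISO timestamp> <user> <action> <resource>".
# Resources are named "<data domain>/<object>" so a domain can be matched to job needs.
SAMPLE_LOG = """\
2007-02-05T08:01:00 alice LOGIN hr-portal
2007-02-05T08:03:00 alice READ hr/payroll
2007-02-05T09:00:00 bob LOGIN rnd-portal
2007-02-05T09:05:00 bob READ rnd/formula-042
2007-02-06T08:02:00 alice LOGIN hr-portal
2007-02-06T08:04:00 alice READ hr/benefits
2007-02-06T09:01:00 bob LOGIN rnd-portal
2007-02-06T09:06:00 bob READ rnd/formula-042
2007-02-07T08:00:00 alice LOGIN hr-portal
2007-02-07T08:05:00 alice READ hr/payroll
2007-02-07T08:00:00 bob LOGIN rnd-portal
2007-02-07T08:05:00 bob LOGIN rnd-portal
2007-02-07T08:10:00 bob LOGIN rnd-portal
2007-02-07T08:15:00 bob LOGIN rnd-portal
2007-02-07T08:20:00 bob LOGIN rnd-portal
2007-02-07T08:25:00 bob LOGIN rnd-portal
2007-02-07T08:30:00 bob READ rnd/formula-042
2007-02-07T08:31:00 bob READ rnd/formula-043
2007-02-07T08:32:00 bob READ rnd/formula-044
2007-02-07T08:33:00 bob READ rnd/formula-045
2007-02-07T08:34:00 bob READ hr/payroll
"""

# Assumed "who needs what data" map: user -> data domains the job requires.
ROLE_ACCESS = {"alice": {"hr"}, "bob": {"rnd"}}


def parse_log(text):
    """Turn the log text into a list of event dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "resource": resource})
    return events


def excessive_logins(events, window=timedelta(hours=1), threshold=5):
    """Return {user: peak log-ins within any single window} for users at or over threshold."""
    logins = defaultdict(list)
    for e in events:
        if e["action"] == "LOGIN":
            logins[e["user"]].append(e["ts"])
    flagged = {}
    for user, stamps in logins.items():
        stamps.sort()
        peak = 0
        for i, start in enumerate(stamps):
            # Count log-ins that fall inside the window opening at this log-in.
            peak = max(peak, sum(1 for t in stamps[i:] if t - start < window))
        if peak >= threshold:
            flagged[user] = peak
    return flagged


def out_of_role_access(events, role_access):
    """Return (user, resource) pairs where the data domain is not among the user's job needs."""
    hits = []
    for e in events:
        if e["action"] != "READ":
            continue
        domain = e["resource"].split("/", 1)[0]
        if domain not in role_access.get(e["user"], set()):
            hits.append((e["user"], e["resource"]))
    return hits


def usage_spike(events, factor=3.0):
    """Return {user: [(day, count), ...]} for days exceeding factor x the user's mean on other days."""
    daily = defaultdict(Counter)
    for e in events:
        daily[e["user"]][e["ts"].date()] += 1
    flagged = defaultdict(list)
    for user, counts in daily.items():
        for day, n in sorted(counts.items()):
            others = [c for d, c in counts.items() if d != day]
            if others and n > factor * (sum(others) / len(others)):
                flagged[user].append((day.isoformat(), n))
    return dict(flagged)


EVENTS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    print("excessive log-ins:", excessive_logins(EVENTS))
    print("out-of-role access:", out_of_role_access(EVENTS, ROLE_ACCESS))
    print("usage spikes:", usage_spike(EVENTS))
```

Each indicator is deliberately a separate function so that a hit on one (a burst of log-ins, say) can be weighed against the others before anyone is investigated; in the sample, the same user trips all three on the same day, which is the pattern worth escalating rather than any single count.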

As always, SecureWorks is available to help protect your critical information assets. Through our Managed Security and Professional Services, we can help define the key indicators of insider threats within your organization and provide 24x7 vigilance across your applications, servers, and databases.

2006 Attack Statistics Overview: Part One of Two

Every day, SecureWorks monitors and processes more than 1.3 billion security events across our clients' networks. In the last year alone, we identified and blocked more than 931 million attacks using our iSensor® intrusion prevention technology. Over 1800 iSensors are currently deployed across more than 1,450 networks, providing broad visibility into zero-day threats and attack trends. Using this information, we proactively develop countermeasures to protect our clients from the latest attacks. In Part One of our 2006 Attack Statistics Review, we share some of the statistics and trends we've identified during the course of protecting our clients from security threats.

Broken down by month, total attack attempts across our client base were consistently in the range of 70 million per month. There was a large spike of attack attempts in September 2006, during which they jumped nearly 45 percent to 115 million.

You may recall July being the "Month of the Browser Bugs" in which researcher H.D. Moore of Metasploit fame (http://metasploit.blogspot.com/2006/07/month-of-browser-bugs.html) disclosed a new web browser vulnerability every day. It took some time for working exploits to be developed, leading to a strong surge of attacks targeting web browsers which we blocked in September.

During 2006, we blocked an average of 720,791 attacks for each of our clients. This varied significantly by industry, with Healthcare averaging the most attacks throughout the year. Anecdotally, we believe this to be primarily due to healthcare systems being more open to the internet with a greater distribution of accessible endpoints such as mobile units and other distributed systems.

Industry         Blocked Attacks Per Client
All              720,791
Banks            419,289
Credit Unions    584,470
Healthcare       6,801,434
Utilities        1,369,588
Other            1,642,565

Financial institutions such as banks and credit unions experienced a comparatively lower number of attacks in 2006 than other industries; however, it is still very interesting to note that each bank or credit union faced at least 1,100 attacks every day - all of which were countered by SecureWorks before any damage could be done.

There were also significant changes in the type of attacks we saw in 2006, reflecting several trends within the security landscape.

Spyware is still a major security issue for many businesses, with familiar names such as Bfast, Hotbar and Gator causing problems within corporate environments. Of greater importance has been the rise of web application attacks (classified as "Other" above). Attacks that take advantage of flaws in websites, such as injection flaws (SQL injection), cross-site scripting flaws (XSS) and buffer overflows, have become a primary attack vector. This is especially true for banks and credit unions, where we witnessed a large increase in the number of SQL injection attacks beginning in May of 2006. We expect web application attacks to continue to rise significantly in 2007 and we have taken several steps to further protect our clients from these threats.

That's it for Part One of our Attack Statistics Overview! Part Two of our analysis will be published in the next volume of the SecureWorks Newsletter and it will focus on other key information from 2006 such as which assets were attacked most within corporate environments, which vendors were most frequently attacked and where most attackers were located.

Internet Threat Update

Storm Worm Summary

In January, several anti-spam websites came under a distributed denial-of-service (DDoS) attack. The Trojan responsible for the attack was one of several that were dropped onto systems infected by the email virus which later came to be called "Storm Worm", also referred to as W32/Small.DAM and Trojan.Peacomm. Utilizing a peer-to-peer (P2P) control channel, the versatile malware can constantly change and be modified by the attacker at any point.

In addition to attacking anti-spam sites, Storm Worm has also been attacking websites associated with the Warezov virus. Warezov is part of another system, probably operated by a competing spam group. Based on the Storm Worm group's actions, it seems they are prone to attack anyone that interferes with their business model regardless of whether they are an anti-spam group or a competing spammer. In some cases, they've even attacked third-party services such as capitalcollect.com, a money transfer service.

On January 30, the spamhaus.org website also came under attack from traffic closely resembling that of the Storm Worm DDoS attacks. After further investigation, it was determined that spamhaus.org was an unintended target. Apparently, the Warezov spammer(s) attempted to redirect Storm Worm's DDoS attack by altering the DNS "A" records for some of their domains, pointing the attack at the spamhaus.org IP address instead.

While these recent attacks have not posed a direct threat to any of SecureWorks' clients, it is worthwhile to take note of the aggressive escalation of attacks brought forth by Storm Worm. It is a clear sign of organized criminal activity within the underground spam and malware community, which will lead to more sophisticated (and possibly more brazen) attacks. Here at SecureWorks, we are dedicated to staying on top of the security landscape and ensuring that our clients are protected both now and in the future.

For original in-depth research on Storm Worm, please visit http://www.secureworks.com/research/threats/storm-worm/
