At IBM Internet Security System’s, the company’s primary security research organization is called X-Force. Kris Lamb, director of X-Force, says his group is charged with knowing where potential threats will arise and deliver product, services and education to customers about how to stay ahead of the risk. Recently Lamb discussed with Network World Senior Editor Denise Dubie what he sees as the most critical challenges and opportunities facing enterprise IT security managers today.
Tell me a bit about your role as director of X-Force at IBM Internet Security Systems.
We are the thought leaders for our customers and the company around applied security technology, the security landscape, threat forecasting, creation of new technology solutions that we may bring to market in the form of new products or new service offerings.
We also provide the content delivery services for all of our products that we currently sell, such as antivirus updates or IPS updates or content filtering updates are delivered out of the X-Force organization.
We also have a consulting portion of X-Force that delivers security consulting services to our clients. All told X-Force is a sizeable organization made up of a lot of research and development disciplines that are centered on security expertise.
What are some major trends or changes in the security industry X-Force is currently tracking?
Over the last 12 to 18 months or so, we’ve seen the hard right turn of the criminal underground shifting from a notoriety-driven motivation to a very highly-organized financially-driven motivation. Money is really driving what they do. All of the security vulnerabilities or exploits or computers they control represent real dollars to them given the activities they are using these resources for.
Before it was about notoriety, it was about being seen or noticed, or getting a lot of press coverage by Web site defacements and denial of service attacks that were very public. Now the criminals don’t want to be detected because when they are detected they lose control of the computing resources and they are not able to engage in the criminal activities such as computer bot exploitation or malware spreading or phishing recruitment runs.
They lose those assets or the ability to conduct those activities and that means they are losing money. The criminal underground is now engaging in very shrewd, very guarded sets of activities.
How does this motivation shift change security threats?
A real big philosophical and structural change is happening. We are seeing the threat landscape go through a major change. Over the last 12 months, the types of threats and attacks that are being exploited and really being used in the criminal underground are much more application-centric and browser-centric in nature.
Rather than the vulnerabilities of old that were more operating system related and low level in nature, whether is be default Windows or Unix services these vulnerabilities are still being found and leveraged, but by and large the motivation and the areas of threat research going on among the criminal underground are around highly repeatable, highly undetectable types of attacks.
What’s the most ubiquitous activity that people are conducing on the Internet?
That’s Web browsing and e-mail.
Those two are the number one delivery vectors. What you see is people looking at ways that they can reliably utilize those two application frameworks to deliver highly targeted malware and exploits that leverage the browser to infect computers or to steal identities or engage in other sorts of activities where those are the vectors for attack.
How does the change in threats and attacks impact potential victims?
It is a lot more difficult for even discerning computer enthusiasts and really advanced users to guard themselves against these kinds of threats. When you have messaging and browsing being the two most ubiquitous functional activities that happen at a computer, it becomes difficult to discern between what is a valid e-mail and non-valid e-mail or what is a valid Web site and non-valid Web site. Those binary black and white terms are no longer easy distinctions to make. You reach a whole gray area in which you can’t easily determine a secure Web site.
Is there a perception of security that perhaps is unwarranted with some Web sites?
If you were to interview 100 people, and say, “List the top five trusted legitimate Web sites,” a majority would say MySpace or YouTube and ironically enough those are two of the riskier Web sites that could be leveraged for attacks with MySpace worms and MySpace spam as well as embedded QuickTime malware and other media format malware hitting specific to YouTube.
Are these types of community sites creating a bigger threat on the Internet than users realize?
The explosion of Web 2.0 convergence and the democratization of content and opening up of traditional content barriers on the Internet have made it so that, at least from the browser perspective, making the distinction of what is safe and what is not safe isn’t an easy proposition. You can’t just assume that because the source is trusted that the Web site is safe.
What is it about Web 2.0 that poses such a risk?
A year ago the risk was much greater because there were about 120 different Web 2.0 APIs and a various number of application frameworks that represent different areas that would need to be protected. Now as the market as matured, the APIs and technologies and Web 2.0 platforms are becoming more standard and can be more easily protected.
Last year Web 2.0 was a very precarious area to secure because there were not a lot of standards or a whole lot of consolidation in the industry. Now security vendors can focus on a handful of mainstream technologies now that we see which are being adopted most.
Can you give some examples?
There are a bunch of XML-related threats that are similar to traditional SQL attacks, but targeted at the XML data layer. Because XML is seen as ubiquitous in transferring data from site to site and Web service to Web service, attackers can target that, but vendors can also better secure it. As XML as become more of a standard, security vendors are able to deliver solutions that ensure integrity of XML data and ensure XML can’t be manipulated.
Also as AJAX becomes more mainstream as the client side data messaging system powering a lot of Web 2.0 frameworks, vendors can focus on protecting the Java script and XML again in those environments. Even today certain network solutions are very effective in securing Web 2.0 infrastructures if they are stateful, protocol-based IPS products.
Are there other risky areas outside Web 2.0 that people should be leery of?
We are seeing the same level of threats with financial applications, put at risk with financial spam and financial phishing attacks. Overseas the market for very targeted, highly undetectable boutique financial malware to divert funds from accounts or to steal identities is exploding due to the penetration of online banking. We can look to those markets as a clear crystal ball for what we have in store here in the U.S. as online banking becomes more ubiquitous.
As the functionality that is extended to consumers through banking applications becomes much more powerful and you can do account transfers and bank-to-bank wire transfers over the Internet, the risk increases. You are going to see these highly targeted malware based threats that even the most savvy of security experts wouldn’t be able to differentiate from valid or invalid.
What do companies or individuals have to do to better protect themselves from these types of attacks?
Legacy security solutions that have been deployed for years in the network space were adopted after the fact. We didn’t know as much and the security industry wasn’t as mature when those architectural and adoption decisions were being made. Security was an afterthought.
Today we are in a unique situation as a lot of areas of technology around next-generation networking and communications converge. People going through the standards and architecture phase now should be considering their security implications and decision as a function of designing, architecting and figuring out their next generation networking solutions.
It’s important they consider security at the front-end of their network design rather than the back-end. People should use this opportunity to make security more a front-loaded activity that is not separated from the adoption and architectural decisions.
Why is it important to include security in network architecture plans? The days from being able to differentiate security from network architecture are over. It’s not the right way to do things and it’s not the most prudent way that buyers can go about really getting a grasp on the risks and potential protections they can deploy if they look at those things hand in hand.