As we look back, 2012 was a big year in IT Security. Hacking activity consistently made the front page across the globe, and viruses and other malware continued to evolve and adapt to changing environments. I'd like to examine some of the major hacking events that shaped the last year in IT Security:
Largest Breaches of 2012
Zappos data breach exposed roughly 24 million account details
As you can see, hacking and other cyber attacks are not limited to the business sector; any sensitive information can be valuable to an attacker. Cyber attacks arrive by many different methods and inflict varying amounts of damage. As demonstrated above, it doesn't matter what type of organization you represent: the ease with which your customers and employees can reach your data will be tested by attackers in some way at some point. In recent years, breaches like these have surfaced more frequently, and Canaudit has been following the trends in malicious activity, which has led us to continually expand our line of products to cover more of the vulnerabilities being used in the wild.
These attacks are only a cross-section of the enormous number of cyber attacks that occurred at every level of business, education, government and other organizations. They were initiated through many different attack vectors of varying difficulty. In most cases a successful attack depends on exploiting several vulnerabilities, both low tech and high tech, chained together. The primary attack vectors in these breaches varied widely and illustrate the range of intrusion methods available. Though details of some attacks were not disclosed or remain unknown, the vulnerabilities that led to exploitation and data loss are well documented. A phishing attack was used in at least one case, tricking an employee into clicking a link in an email that led to a malicious website; the site served an exploit that gave the attackers a foothold on the internal network. A firewall misconfiguration exposed a system meant to remain internal to the internet. A trusted employee used legitimate access to obtain sensitive data for personal, malicious purposes. SQL injection was used against a web application to reach internal systems. In at least one case a weak password granted high level access to a machine reachable from the internet, making short work of every other security precaution.
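The SQL injection vector mentioned above, as an added example that is not code from the original page or from any of the breached organizations: a login check written in Python against an in-memory SQLite table. The table, the user accounts and the attack payloads are all constructed for the demonstration. The vulnerable version builds its query by string formatting, so a quote or comment marker supplied by the attacker rewrites the WHERE clause; the hardened version binds the same values as parameters and the payloads become harmless literals.

```python
import sqlite3

# Constructed in-memory user table for the demonstration (not real data).
# Plaintext passwords are used only to keep the example short; a real
# application stores salted password hashes, never the password itself.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "s3cret"), ("alice", "hunter2")])
    conn.commit()
    return conn

def vulnerable_login(conn, username, password):
    """Builds the statement with string formatting, so attacker-controlled
    input becomes part of the SQL grammar rather than a value."""
    query = ("SELECT username FROM users WHERE username = '%s' "
             "AND password = '%s'" % (username, password))
    row = conn.execute(query).fetchone()
    return row[0] if row else None

def safe_login(conn, username, password):
    """Same query with bound parameters: the driver passes the values
    separately from the statement, so quotes and comment markers in the
    input are data, never SQL."""
    query = ("SELECT username FROM users WHERE username = ? "
             "AND password = ?")
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    conn = build_db()
    # Tautology payload: the WHERE clause becomes (... AND ...) OR '1'='1'.
    print(vulnerable_login(conn, "x", "' OR '1'='1"))
    # Comment payload: everything after -- is ignored, so the password
    # comparison never runs.
    print(vulnerable_login(conn, "admin'--", "wrong"))
    # The same payloads against the parameterized query match nothing.
    print(safe_login(conn, "x", "' OR '1'='1"))
    print(safe_login(conn, "admin'--", "wrong"))
    # Legitimate credentials still work.
    print(safe_login(conn, "alice", "hunter2"))
```

The `admin'--` payload is worth noting because it needs no knowledge of the schema and no tautology: it simply truncates the statement. Escaping quotes by hand does not fix this class of bug reliably; binding parameters does, because the database never parses the user's input as SQL.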
Beyond these threats, light has been shed this last year on the depth and effectiveness of several other major vulnerabilities in the wild which will be discussed below. Government funded malware, social engineering, web plug-in exploits, and the implicit costs of cloud based security are all major concerns for 2013.
Government Funded Malware
This year revealed multiple malware threats sponsored by various governments, sometimes in cooperation with one another. These programs were apparently directed at other governments for geopolitical purposes, but at least one variant of Stuxnet found its way onto the open internet. The New York Times broke the story in June of the United States' active involvement in Stuxnet to thwart Iran's nuclear program. Stuxnet targeted industrial control (SCADA) networks and, specifically, the programmable logic controllers that drive industrial machinery. "Operation Olympic Games was devised as a means to throw sand in the works of Iran's controversial nuclear program." Richard Stiennon, principal analyst at the security consultancy IT-Harvest, put it this way: "Nation states are now undeniably in the game of cyber attacks. Olympic Games ushered in the era of weaponized software. There is no looking back."
Flame, discovered by Kaspersky Lab, was found mainly on apparently targeted systems in the Middle East. Its code is far larger than Stuxnet's and contains many modules for specific espionage tasks. In that sense it is better described as an espionage toolkit than as a single-purpose piece of malware.
The key point about these threats is that in 2012 both foreign and domestic government funded malware incorporated multiple 0-day exploits. Such attacks may target government information or operations, but public and private entities can easily be caught in the crossfire. The normal precautions and best practices, such as consistent patching and complex passwords, will not stop well funded malware that carries multiple 0-day exploits, because there is no patch to apply. Organizations that want to weather this storm must reassess their fundamental network controls: firewalls, access control lists, network segmentation, and intrusion detection and prevention systems (IDS/IPS). The first rule of security is: if you don't need it, get rid of it; if you do need it, restrict it and monitor it as much as possible.
Social Engineering
By far the most vulnerable part of any system is the human element. People can be persuaded to give up sensitive information unless they are specifically trained to recognize and refuse such attempts. In one instance, a fraudster found an image of the signature of a high ranking officer at a healthcare organization on the internet. They used the signature to initiate wire transfers of increasing amounts to a bank account. Because of the officer's rank, the escrow agent did not question the transfers until several million dollars had already been sent.
At DEFCON 20 last year, Shane MacDougall used social engineering to extract pay cycles, manager shifts, the PC model in use, and email and antivirus version information from an unsuspecting and overly helpful Wal-mart manager who believed he was helping win a government contract. MacDougall, who runs a security firm that regularly conducts this kind of social engineering audit, said he enjoys targeting people in sales positions: "As soon as they think there's money, common sense goes out the window."
In 2012, as organizations improved their technical controls in response to evolving threats, attackers shifted more of their effort onto users through social engineering. Security awareness training has always been critical, and it will only become more so. Attacks target every level of the organization, so security education must span every level, from management down.
Web Plug-in Exploits
This last year saw several serious hits against Java: first against version 7, then a different exploit affecting versions 5 and 6 as well. The latter resulted in a complete bypass of the Java sandbox, one of the platform's central security features.
Red October, a sophisticated "swiss army knife" of cyber espionage, "was characterized by relying on highly targeted spear phishing email attacks with infected files." In this campaign the spear phishing email directed the victim's machine to a website that used the Java exploit to download and install malware automatically.
Though patching in the Windows environment has improved greatly in recent years through the adoption of Windows Server Update Services (WSUS), third party patch management remains poor in many organizations. In 2012 attackers targeted neglected browser plug-in vulnerabilities with cross platform exploits for Flash and Java. Organizations must close this gap by investing in a holistic patch management solution rather than relying on WSUS alone, which only covers Microsoft products.
Costs of the Cloud
In 2012 we continued to see more organizations adopt cloud based security in the form of virtual security operations centers (SOCs), and we saw many of our clients realize far too late the limitations of these services. In our penetration tests, virtual SOCs provided clients poor or delayed notification of malicious activity, and in some cases could not be configured to detect subtle malicious activity such as a network scan for a single service. Even more troubling, these organizations had been sold the services as security panaceas with no understanding of their limitations or of the need for additional configuration and testing. The proverbial chickens have not yet come home to roost on virtualized security: the costs have not been tallied, nor the risks understood.
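The "network scan for a single service" mentioned above is a concrete pattern a monitoring service can be tested against. The Python below is an added example, not code from the original page or from any SOC product: it parses a handful of firewall-style log lines constructed for the demonstration (the log format is invented here and is not any vendor's syslog format) and flags any source that touches at least five distinct destination hosts on the same port within a sliding time window. The threshold and window are assumptions. The second scanner in the sample probes hosts two minutes apart, which the default one-minute window misses and a ten-minute window catches; that is exactly the tuning question to put to a provider before signing.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall-style log lines for this example. The format is
# invented here and is not any vendor's actual syslog format.
SAMPLE_LOG = """\
2012-11-03T09:00:01 DENY TCP 198.51.100.7:51001 -> 10.0.0.1:22
2012-11-03T09:00:01 DENY TCP 198.51.100.7:51002 -> 10.0.0.2:22
2012-11-03T09:00:02 DENY TCP 198.51.100.7:51003 -> 10.0.0.3:22
2012-11-03T09:00:02 ALLOW TCP 198.51.100.7:51004 -> 10.0.0.4:22
2012-11-03T09:00:03 DENY TCP 198.51.100.7:51005 -> 10.0.0.5:22
2012-11-03T09:00:03 DENY TCP 198.51.100.7:51006 -> 10.0.0.6:22
2012-11-03T09:00:10 ALLOW TCP 203.0.113.9:40001 -> 10.0.0.80:443
2012-11-03T09:00:11 ALLOW TCP 203.0.113.9:40002 -> 10.0.0.80:443
2012-11-03T09:00:12 ALLOW TCP 203.0.113.9:40003 -> 10.0.0.80:443
2012-11-03T09:00:13 ALLOW TCP 203.0.113.9:40004 -> 10.0.0.80:443
2012-11-03T09:00:14 ALLOW TCP 203.0.113.9:40005 -> 10.0.0.80:443
2012-11-03T09:00:15 ALLOW TCP 203.0.113.9:40006 -> 10.0.0.80:443
2012-11-03T10:30:00 DENY TCP 192.0.2.44:60000 -> 10.0.0.7:3389
2012-11-03T10:32:00 DENY TCP 192.0.2.44:60001 -> 10.0.0.8:3389
2012-11-03T10:34:00 DENY TCP 192.0.2.44:60002 -> 10.0.0.9:3389
2012-11-03T10:36:00 DENY TCP 192.0.2.44:60003 -> 10.0.0.10:3389
2012-11-03T10:38:00 DENY TCP 192.0.2.44:60004 -> 10.0.0.11:3389
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse(log_text):
    """Parse log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append(event)
    return events

def detect_single_service_scans(events, min_hosts=5, window_seconds=60):
    """Flag a source that contacts at least min_hosts distinct destination
    hosts on one port within a sliding window of window_seconds.
    Counting distinct hosts per (source, port) is what separates a
    horizontal scan from a busy legitimate client, which opens many
    connections to a single host. The threshold and window are assumptions
    for the example and need tuning per environment."""
    window = timedelta(seconds=window_seconds)
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["src"], e["dport"])].append((e["ts"], e["dst"]))
    alerts = []
    for (src, dport), hits in by_key.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Advance the window start until the span is within the window.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            hosts = {dst for _, dst in hits[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts.append({"src": src, "dport": int(dport),
                               "hosts": len(hosts),
                               "first": hits[start][0], "last": hits[end][0]})
                break  # one alert per (source, port) is enough
    return alerts

if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    for a in detect_single_service_scans(events):
        print("60 s window:", a)
    for a in detect_single_service_scans(events, window_seconds=600):
        print("600 s window:", a)
```

Note that the busy HTTPS client (203.0.113.9) never alerts however the window is set, because it only ever reaches one host; the rule keys on breadth across hosts, not on connection volume. A service that cannot express "distinct destinations per source and port over a window" will report the fast sweep, if at all, only as a burst of denies, and will miss the slow one entirely.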
An instructive example is Trustwave's involvement in the 2012 breach of the South Carolina Department of Revenue and the resulting lawsuit filed against it and several state entities for violating state breach notification laws and for negligence regarding the breach. Though the outcome of this case is still pending, we would hope such cases cause organizations to be more hesitant and thorough before contracting with cloud security providers.
Although organizations are sometimes specifically targeted, more often a breach is a matter of unnecessary exposure: poorly configured or insecure services exposed to the public, or weak controls between external and internal systems. In general, an attacker goes after the systems that look easiest. For more information about how we can help you protect your organization by finding weaknesses before malicious attackers do, or to request a proposal, contact Tamra Savage at tamra@Canaudit.com or (805) 583-3723, or visit our IT Security Audit Services page.