Wednesday, 11 December 2013

Your Network's Been Hacked: Get Used to It

Exploit Lifecycle
On the second Tuesday of every month, "Patch Tuesday," Microsoft pushes out patches for bugs and security holes in Windows and in Microsoft applications. Most of the time the problems addressed include serious security holes, programming errors that could let hackers penetrate network security, steal information, or run arbitrary code. Adobe, Oracle, and other vendors have their own patch schedules. An alarming new study by NSS Labs suggests that on average, hackers have about five months of unfettered access to these security holes between initial discovery and remediation. Worse, specialized marketplaces exist to sell newly discovered vulnerabilities.
Dr. Stefan Frei, Research Director at NSS Labs, oversaw a study that pored over ten years of data from two major "vulnerability purchase programs." Frei's report points out that all of the resulting figures are minimums; there's clearly plenty more going on that they simply don't know about. Based on what they do know, the market for information about exploits has grown significantly in the last few years. Ten years ago, the two companies studied had just a handful of undisclosed vulnerabilities on any given day. In the last few years, that number has grown to over 150, over 50 of which relate to the top five vendors: Microsoft, Apple, Oracle, Sun and Adobe.
Exploits for Sale, Cheap
Stuxnet and other attacks at the nation-state level rely on multiple undisclosed security holes to penetrate security. It's assumed that their creators pay huge dividends to obtain exclusive access to these zero-day vulnerabilities. The NSA <a href="http://www.washingtonpost.com/blogs/the-switch/wp/2013/08/31/the-nsa-hacks-other-countries-by-buying-millions-of-dollars-worth-of-computer-vulnerabilities/" target="_blank">budgeted $25 million</a> for exploit purchase in 2013. Frei's study revealed that prices are now much lower; still high, but within the reach of cyber-criminal organizations.
Frei quotes a New York Times article that examined four boutique exploit providers. Their average price for knowledge of an as-yet-undisclosed vulnerability ranged between $40,000 and $160,000. Based on information obtained from those providers, he concludes that they can deliver at least 100 exclusive exploits per year.
Vendors Fight Back
Some software vendors offer bug bounties, creating a kind of crowdsourced research program. A researcher who discovers a previously unknown security hole can get a legitimate reward directly from the vendor. That's surely safer than dealing with cyber-crooks, or with those who sell to cyber-crooks.
Typical bug bounties range from hundreds to thousands of dollars. Microsoft's "Mitigation Bypass Bounty" pays out $100,000, but it's not a simple bug bounty. To earn it, a researcher must discover a "truly novel exploitation technique" that can subvert the latest version of Windows.
You've Been Hacked
Bug bounties are nice, but there will always be those who go for the bigger reward offered by boutique exploit providers and cyber-criminals. The report concludes that any enterprise or large organization should assume its network has already been hacked. Blocking or even detecting a zero-day attack is tough, so the security team should plan for the worst with a well-defined incident response plan.
What about small business and personal networks? The report doesn't talk about them, but I would assume that someone who paid $40,000 or more for access to an exploit would aim it at the biggest target possible.
