Cyber Security Trend - Annual Review 2012


Inventory and measures for websites dispersed worldwide

Contents

Executive Summary
1. Threats of the Internet - Web Network
  1.1. Attacks from the Internet
  1.2. Corporate System Status
  1.3. Implementing Patch Management Focused on High-risk Vulnerabilities
2. Threats of the Internet - Web Applications
  2.1. Attacks from the Internet
  2.2. Corporate System Status
  2.3. Main Flaws in Web Applications
  2.4. Security Measures for Web Applications
3. Threats to Overseas Sites
  3.1. Attacks on Overseas Sites
  3.2. Overseas Sites Status
  3.3. Security Measures in Overseas Sites
4. Threats of Targeted Attacks
  4.1. Malware Detection Status While Browsing Websites
  4.2. Detected Malware Attached to E-mails
  4.3. Malware Measures in Organizations
  4.4. Impact of Social Media on Targeted Attacks
  4.5. Security Measures for Targeted Attacks
5. Epilogue

Executive Summary

Threats of the Internet - Web Network
- Strict patch management targeted at high-risk vulnerabilities -

Our security assessment revealed that approximately 43% of websites had not applied measures against the high-risk vulnerability (CVE ) in Apache HTTP Server disclosed in late August. While it may be difficult to establish ideal patch management, leaving such a high-risk vulnerability unaddressed in publicly available services imposes serious risks. We should narrow the target to high-risk vulnerabilities, collect vulnerability information, and organize the system so that patches for truly high-risk vulnerabilities are applied without delay. We should also determine which vulnerabilities are truly high-risk by considering their effects, whether attack code has been published, how easy they are to attack, and the importance of the targeted system. We learned that attacks on vulnerabilities occurred within 1 to 3 weeks after the vulnerability was made public. If it is difficult to apply patches within that period, a WAF can be an effective temporary measure until the patch can be applied.

Threats of the Internet - Web Applications
- Collective measures by WAF are effective for vulnerabilities that require comprehensive measures -

Vulnerabilities such as SQL injection and cross-site scripting have been detected at a constant rate in the past few years. In order to eliminate them, comprehensive measures such as assessing every single screen of the web application as well as the source code are required. Such comprehensive measures would be too costly to implement unless high-level security is required by the system, as in a financial system. A WAF can apply measures at once to issues derived from the lower processes of development, such as SQL injection, which can be especially harmful, and cross-site scripting, which is frequently found. A WAF is also an effective way to implement a certain security level at once over multiple sites. However, it must be noted that a WAF is not the answer for issues derived from the upper processes.

Threats to Overseas Sites
- Centralized infrastructure is effective for websites dispersed over the world -

A number of global organizations implement and operate overseas websites. However, 66.2% of them leave security measures to overseas bases, and the status is not understood in Japan. Our simple security checks on the dispersed overseas websites of global organizations revealed that more than 49% of them were using vulnerable old versions of products and were in a riskier state than domestic websites. It will be extremely costly to apply security measures individually to dispersed overseas websites. Therefore, we recommend that these websites be gathered onto an infrastructure where a certain security level is confirmed, or that access routes to these websites be integrated and monitored by a WAF.

Threats of Targeted Attacks
- Additional measures for end users to deal with increasing targeted attacks -

Although targeted attacks have been around for a while, the recent growth of social media has made it easier to collect information on targets and thus cultivated the ground for more sophisticated targeted attacks. In such a climate, it is effective to train employees to develop resistance against targeted attacks. OSes, applications, and definition files for anti-virus products should be kept up to date as security measures against targeted attacks. However, vulnerabilities are detected all the time and it is difficult for organizations to maintain all products at the latest versions. Also, measures involving only patch application and definition file updates cannot prevent attacks from malware that is not included in the definition files, or attacks on unknown vulnerabilities. Therefore, it is necessary to deploy products that specialize in attack detection without relying on definition files, as part of the existing measures.

Research Outline

This report analyzes data which NRI Secure collected in 2011 (April 1, 2011 to March 31, 2012) through the following security services. Older data is also used in some places in order to analyze the trend over past years.

Managed Security Services
- FNC [1] Secure Internet Connection Service: an outsourcing service providing the security measures required for safe connections between customers' internal networks and the Internet, such as gateways, proxy servers, and remote access. This report summarizes logs from URL filtering servers for 7 companies, virus check servers for 19 companies, and spam filtering servers for 16 companies, which are part of the gateway servers under management of the FNC Secure Internet Connection Service.
- FNC Secure Web-Net Management Service: an outsourcing service providing security measures to protect customers' websites from threats of illegal external access. It monitors security devices such as firewalls, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and Web Application Firewalls (WAF) 24 hours a day, 365 days a year. This report summarizes logs from 70 firewalls, 37 IDSs, and WAFs for web servers of 368 IPs under management of the FNC Secure Web-Net Management Service.

Security Assessment Service
- Platform Assessment: a service which inspects security holes and the configuration status of system infrastructure such as servers and network devices from outside (the Internet) or inside the LAN, and provides an assessment of the risks of detected flaws based on our own standards. This report summarizes 118 systems on which we carried out the assessment in this period.
- Web Application Assessment: a service which detects hidden security flaws in web applications with consideration of the web application implementation, development languages, and platforms, and reports an assessment of the risks of detected flaws based on our own standards. This report summarizes 308 systems on which we carried out the assessment in this period.
- Website Group Inventory Service: a service which uses our proprietary algorithm to search for public websites that are related to a given organization, and carries out simple security checks on the discovered sites to determine the overall security level of the website group. This report summarizes 1,005 sites (737 domestic sites and 268 overseas sites) on which we carried out the simple security checks in this period.

* NRI Secure presented a proposal of specific measures together with the assessment results to organizations whose systems contained security flaws, and strongly recommended that they apply the measures immediately. As a result, we assume that most of these websites have applied the appropriate measures and are now secure.

[1] Firewall Network Center: our service brand which provides the secure boundary, mainly to the Internet.

1. Threats of the Internet - Web Network

1.1. Attacks from the Internet

The FNC Secure Internet Connection Service and the FNC Secure Web-Net Management Service monitor access from the Internet to the internal network and websites, and log rogue attempts blocked by the firewall. Among the attempts blocked by the firewall between April 2011 and March 2012, Table 1 lists the 15 services which were most frequently targeted, and Figure 1 shows the number of attempts.

Table 1: Top 15 services targeted by attacks blocked by firewalls

Figure 1: Number of blocked attempts to top 15 services

In addition to familiar Internet services such as TCP/25 (SMTP) and ICMP, approximately 30% of the top 15 targeted services are used mainly in Windows systems, such as TCP/135 (Microsoft RPC service), TCP,UDP/137 (NetBIOS name service), TCP/445 (Windows file sharing), TCP/1433 (Microsoft SQL Server), and TCP/3389 (Remote Desktop). These top 15 trends seem unchanged over the years, although slight fluctuations may occur depending on the vulnerabilities discovered and the attack methods popular in a given period.

On the other hand, a large number of scans were carried out. These were probably searching for open proxy servers which could be used as stepping stones to hide the attacker's identity. TCP/80, which is used for web access as well as by listening proxy servers, was in 3rd position, and TCP/8080, which is widely used for proxy servers, was 13th in the top 15 table. Although they did not make the top 15, scans on TCP/8909 and TCP/9415, which are used by some Chinese software to behave like a proxy server, were also common. While scans on TCP/80 and TCP/8080 have been common for years, scans on TCP/8909 and TCP/9415 emerged only in the last few years. Scans on TCP/9415 increased rapidly from the second half of 2010 and are still observed regularly. Some Chinese video streaming software allegedly provides proxy services using TCP/9415. The specification that lets client software run a proxy service is risky enough; however, its inappropriate default setting, which accepts any external connection request without any restriction on the sender's IP address, makes it an ideal target for an attacker hunting for open proxies. As Figure 2 indicates, scans on TCP/9415 declined after August 2011, while scans on TCP/8909 increased rapidly around the same time. These scans were also assumed to have been initiated by attackers searching for open proxies. A site that lists the IP addresses of open proxies [3] still contains many IP addresses using TCP/8909 today. Scans on TCP/8909 were hardly seen before, but suddenly increased from a certain point, while the IP addresses listed on the site are still continuously updated. As for TCP/9415, the attackers might be looking for cases where the proxy service was unintentionally started during the installation of some client software.

Figure 2: Monthly status of scans on TCP/8909 and TCP/

Although this report does not cover trends in sender port numbers, many of the blocked packets used TCP/6000 as the sender port. This phenomenon was observed no later than 2010, and there have been many reported cases other than at our FNC [4]. Since the attempts were repeated at an abnormally fast rate, they were considered to have been initiated by a worm or something similar rather than by human beings; however, the details are not known. In addition to the use of TCP/6000 as the sender port, it has been pointed out that the simple regularity in the values used in the IP headers and TCP headers closely resembles the Dasher Worm [5]. Therefore, there has been speculation that the original source code may have been that of the Dasher Worm [6]. The Dasher Worm scanned TCP/1025 to take advantage of a vulnerability in Windows discovered at the time. However, the activity this report refers to appeared to be searching for popular applications such as TCP/1433 (Microsoft SQL Server) and TCP/1521 (Oracle Database), as well as for open proxy servers, by scanning ports mainly used by proxy servers such as TCP/3128 and TCP/8080. Also, many of the senders scanning TCP/8909 and TCP/9415 used TCP/6000 as the sender port. Figure 3 shows the countries from which packets were sent with sender port TCP/6000, based on their IP addresses. The senders were predominantly in China when this phenomenon was initially recognized in 2010; however, they are now scattered over countries including Japan, indicating that more devices have been infected by the worm in question.

Figure 3: Origin countries of packets sent through TCP/
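The per-service counting behind Table 1, the TCP/6000 sender-port pattern, and the open-proxy hunting described above can all be reproduced from ordinary firewall deny logs. The following Python is an added example, not code from NRI Secure or from this report; the log format, the sample lines, and the function names are constructed for illustration, and the proxy-port set is taken from the ports the text names.

```python
"""Aggregate blocked-packet logs the way the report's Table 1 and Figure 3 do.

Added example, not from the report. The log format is a constructed, vendor-neutral
one: one record per line, space-separated key=value fields.
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample of firewall records (documentation IP ranges, not real data).
SAMPLE_LOG = """\
2011-08-03T10:00:01Z action=deny proto=tcp src=198.51.100.7:6000 dst=203.0.113.10:8909
2011-08-03T10:00:02Z action=deny proto=tcp src=198.51.100.7:6000 dst=203.0.113.11:8909
2011-08-03T10:00:03Z action=deny proto=tcp src=198.51.100.7:6000 dst=203.0.113.12:9415
2011-08-03T10:00:04Z action=deny proto=tcp src=192.0.2.44:51234 dst=203.0.113.10:3389
2011-08-03T10:00:05Z action=deny proto=tcp src=192.0.2.44:51235 dst=203.0.113.10:445
2011-08-03T10:00:06Z action=deny proto=udp src=192.0.2.9:137 dst=203.0.113.10:137
2011-08-03T10:00:07Z action=deny proto=icmp src=192.0.2.9:0 dst=203.0.113.10:0
2011-08-03T10:00:08Z action=deny proto=tcp src=198.51.100.7:6000 dst=203.0.113.13:1433
2011-08-03T10:00:09Z action=deny proto=tcp src=203.0.113.200:40000 dst=203.0.113.10:8080
this line is deliberately malformed and must be skipped
2011-08-03T10:00:10Z action=allow proto=tcp src=192.0.2.9:40001 dst=203.0.113.10:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Destination ports the report associates with open-proxy hunting.
PROXY_PORTS = {80, 3128, 8080, 8909, 9415}


class Record(NamedTuple):
    ts: str
    action: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_log(text: str) -> List[Record]:
    """Parse the constructed format; malformed lines are skipped rather than fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        records.append(Record(d["ts"], d["action"], d["proto"], d["src"],
                              int(d["sport"]), d["dst"], int(d["dport"])))
    return records


def service_key(r: Record) -> str:
    """Label in the style of Table 1: 'TCP/445', 'UDP/137', or 'ICMP'."""
    if r.proto == "icmp":
        return "ICMP"
    return f"{r.proto.upper()}/{r.dport}"


def top_targets(records: List[Record], n: int = 15) -> List[Tuple[str, int]]:
    """Most frequently targeted services among blocked packets only."""
    counts = Counter(service_key(r) for r in records if r.action == "deny")
    return counts.most_common(n)


def sport6000_share(records: List[Record]) -> float:
    """Share of blocked TCP packets whose sender port is 6000 (the worm-like pattern)."""
    tcp = [r for r in records if r.action == "deny" and r.proto == "tcp"]
    if not tcp:
        return 0.0
    return sum(1 for r in tcp if r.sport == 6000) / len(tcp)


def proxy_hunters(records: List[Record], min_distinct_dst: int = 2) -> Dict[str, int]:
    """Senders that probed proxy-style ports on several distinct hosts: open-proxy scan suspects."""
    seen: Dict[str, set] = {}
    for r in records:
        if r.action == "deny" and r.proto == "tcp" and r.dport in PROXY_PORTS:
            seen.setdefault(r.src, set()).add(r.dst)
    return {src: len(dsts) for src, dsts in seen.items() if len(dsts) >= min_distinct_dst}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(top_targets(recs))
    print(f"sender port 6000 share: {sport6000_share(recs):.2f}")
    print(proxy_hunters(recs))
```

Allowed packets are excluded from every count, so the figures describe what the firewall stopped, as in the report; the proxy-hunter threshold is a tunable, and in practice it would be raised well above two distinct destinations to avoid flagging a single misdirected client.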

Let's now focus on RDP, in 6th position. RDP is used to operate the desktop environment on a remote machine, mainly in Windows OSes. Figure 4 shows the monthly status of RDP packets blocked by firewalls.

Figure 4: Monthly status of RDP packets blocked by firewalls

The number of blocked packets peaked in March 2012. This is considered to be due to the vulnerability discovered in Remote Desktop. This vulnerability could have allowed an attacker to execute arbitrary code remotely; therefore it was considered extremely risky, immediate patch application was urged, and a PoC [7] was published within a few days of the publication of the vulnerability. August 2011 saw more than twice as many blocked packets as the previous month. This was probably caused by the spread of the worm called Morto. A device infected by this worm repeatedly scanned the network for devices on which remote desktop connection was enabled, generating a massive amount of traffic to TCP/3389. This worm attracted much interest when it was detected since it deployed a new self-propagation method using RDP. Figure 5 shows the origin countries of packets addressed to the RDP service and blocked by the firewall, based on the senders' IP addresses.

[7] Proof of Concept. Code for verifying a concept rather than actual attack code; however, it is often re-used by attackers.

Figure 5: Sender countries of RDP packets blocked by firewalls

It is unlikely that RDP packets were allowed in from the Internet through the firewalls of organizations; therefore, RDP communication would have taken place within protected routes such as VPNs between employees. However, if an attacker takes control of an employee's device, he can bypass the protective functions of the organization and may access internal resources using the same privileges as the employee. Since remote access services such as RDP will continue to be attractive targets for attackers, it is recommended to constantly practice basic security measures such as checking access logs regularly for suspicious login records and installing security software on remote devices.

This is the summary of the Internet threats observed by our FNC. It revealed that search activities such as scanning were carried out constantly to find out which services were running on the targets. Meanwhile, extensive searches for open proxy servers were also carried out, to use them as stepping stones to hide the attackers' identity. The majority of sender IP addresses carrying out such search activities were in Chinese domains. These Chinese IP addresses include cases where attackers living outside China use devices in China as stepping stones to carry out the searches, and also cases where attackers living in China use devices in China to carry out the searches. We have confirmed that part of the source code of the tool which was apparently used for the searches was posted on a web forum, and a discussion followed in Chinese. It is understandable that Japan receives searches from neighboring countries such as China, Korea, and North Korea considering its geographical, historical, and political position. As we saw cyber attacks from China on Japan in September 2010 concerning the Senkaku Islands conflict, it is possible that diplomatic conflict with neighboring countries may escalate to cyber attacks, possibly on government agencies and major enterprises. Therefore, it is considered necessary to implement a system which can monitor access from outside, including overseas, to help us take appropriate counter actions and make the right decisions in such a situation.

1.2. Corporate System Status

This section examines how measures are implemented in the web networks of corporate systems based on the results of our Platform Assessment Service. The Platform Assessment Service consists of remote assessment, which is carried out via the Internet through the firewall, and on-site assessment, which assesses the system from inside the firewall. Their aims are to assess resistance against attacks from external networks such as the Internet, and against attacks from internal networks initiated by insiders or by third parties who have taken over servers. Systems are classified into one of the following three groups according to the risk level determined by the assessment.

- "Danger": Systems which can be successfully attacked at any moment.
- "Warning": Systems which can be successfully attacked under certain conditions.
- "Safety": Systems which do not have any of the above flaws.

Figure 6: Platform assessment results via firewalls, annual comparison

Figure 6 shows the results of remote assessment over the past five years. Systems in "Danger" increased significantly in 2011. This is due to the DoS vulnerability (CVE ) in Apache HTTP Server (hereinafter Apache) reported in late August. This vulnerability was in Apache, the most widely used web server, and affected all 2.x versions at the time. The attack code commonly known as "Apache Killer" was immediately publicized. Therefore, the vulnerability became the one requiring the most urgent action among all vulnerabilities disclosed in the previous year. However, Platform Assessment via a firewall carried out from September onward still detected this vulnerability left unattended in 27 out of 63 systems, approximately 43%.

Also, a vulnerability in web application development platforms such as PHP and Ruby, commonly known as "Hash DoS", was disclosed in late December. Hash DoS attracted as much attention as the DoS vulnerability in Apache, since it affected wide-ranging products and the attacks were highly reproducible. This vulnerability was found in 11 out of 33 systems assessed from January 2012 onward, which indicates that approximately 33% were unattended. However, because they were detected from January 2012 onward, and 7 of these 11 systems also contained the DoS vulnerability in Apache, this figure had no impact on the "Danger" group shown in Figure 6. Apart from the above two vulnerabilities, the proportion of dangerous systems was 4%, as low as in the previous years. These included systems whose application server management consoles were accessible and whose passwords were guessable, thus allowing illegal logins. Many of the "Warning" systems had application server management consoles and remote maintenance services (ssh, etc.) accessible from the Internet. Although they were implemented with authentication functions, the system could be illegally controlled once an attacker was authenticated using a dictionary attack on the ID and password.

Figure 7: Platform assessment results inside firewalls, annual comparison

Figure 7 shows the results of on-site assessment over the past five years. As in the remote assessment, the increase in "Danger" systems in 2011 was due to the DoS vulnerability in Apache. This vulnerability was found in 17 out of 26 systems in Platform Assessment inside the firewall from September 2011 onward. Although "Danger" systems would have been 38% without this vulnerability, the difference between Figure 6 and this figure indicates that corporate systems still rely heavily on their firewalls to protect themselves against attacks via the Internet. Public systems have to allow certain packets in due to system requirements such as web services, e-mail services, and DNS services; therefore, attacks using these permitted packets cannot be blocked by firewalls. The large-scale information leakage that occurred in the previous year was carried out by attackers taking advantage of this nature to penetrate through the firewalls and attack vulnerabilities of application servers. Therefore, it is recommended to implement multi-layered protection by improving security levels on individual servers in addition to the system protection provided by firewalls. However, Figure 7 shows little change in the status, which suggests that it is difficult for organizations to improve the security levels of individual servers. Nevertheless, it is important to implement a system to apply patches and avoidance measures as quickly as possible when high-risk vulnerabilities are disclosed in software used in public services, in order to guard them against attacks that cannot be blocked by firewalls.

1.3. Implementing Patch Management Focused on High-risk Vulnerabilities

The DoS vulnerability in Apache was high-risk and notorious last year. Even so, the owners of approximately 43% of systems failed to obtain the vulnerability information and apply the avoidance measures in a timely manner. This proves the difficulty of appropriate patch management in organizations. It is difficult to apply patches to every vulnerability, since patch application involves costs for operational tests and release adjustments. However, failing to apply patches to truly high-risk vulnerabilities is tantamount to accepting the risk of security incidents that will cost far more than patch application. Therefore, it is recommended to implement patch management that focuses on truly high-risk vulnerabilities. Management of patches that are issued periodically by product vendors can be left to the system operation service vendors. However, when a truly high-risk vulnerability for the system is disclosed, the owner should be able to recognize and analyze the risks of the vulnerability and instruct the patch application in a top-down manner.

Truly high-risk vulnerabilities are ones that can be exploited easily by external attackers, and where the attack can result in significant damage to the organization. Vulnerabilities which can be exploited easily by external attackers are those in public service infrastructure such as web servers and web application servers; in other words, vulnerabilities that cannot be protected by firewalls, that can be attacked remotely, and whose attack code is publicly available. Vulnerabilities which can cause significant damage are those which may allow attackers to illegally obtain important business secrets or customer information, and those which may allow attackers to stop services whose continuity is crucial (DoS vulnerabilities). Stoppage of services, even for a short period, is critical in plants such as power stations and factories, in control systems of important infrastructure such as electricity, water, and gas, and in systems whose unavailability for a few seconds causes an enormous loss, such as on-line trading systems and on-line banking systems. Also, vulnerabilities that allow attackers to use the system as a stepping stone should be recognized as high-risk regardless of the system's nature.

Expert knowledge may be required to distinguish truly high-risk vulnerabilities. If it is difficult to secure such specialized human resources in-house, the organization may look for vulnerability information services from security vendors and request support in distinguishing truly high-risk vulnerabilities in addition to collecting vulnerability information. A WAF can be considered as a temporary measure before the patch can be applied, since a WAF is capable of partly dealing with vulnerabilities in infrastructure products for web services such as web servers and web applications.
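The triage criteria above (easy to exploit from outside: exposed past the firewall, remotely attackable, public attack code; significant damage: data theft, stepping-stone use, or DoS on a service whose continuity is crucial) together with the WAF-as-interim-measure advice form a decision procedure. The following Python is an added example, not part of the report or of any NRI Secure tool; the Advisory fields, the sample inventory with its placeholder identifiers, and the seven-day target deadline (the low end of the 1 to 3 week window the Executive Summary reports) are assumptions made for illustration.

```python
"""Triage of vulnerability advisories by the report's 'truly high-risk' test.

Added example, not from the report. Field names, sample advisories and the
seven-day target deadline are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    vuln_id: str                 # placeholder identifiers in SAMPLE, not real CVE numbers
    product: str
    internet_exposed: bool       # on a public service the firewall must let through
    remotely_exploitable: bool
    public_exploit: bool         # attack code or PoC has been published
    impact: str                  # "data_theft", "dos", "stepping_stone" or "other"
    critical_service: bool       # stoppage even for seconds causes major loss
    waf_signature_possible: bool # a WAF rule can block the known attack pattern
    disclosed: date


def easily_exploitable(a: Advisory) -> bool:
    """Not shielded by the firewall, attackable remotely, and attack code is public."""
    return a.internet_exposed and a.remotely_exploitable and a.public_exploit


def significant_damage(a: Advisory) -> bool:
    """Data theft and stepping-stone use always count; DoS counts when continuity is crucial."""
    if a.impact in ("data_theft", "stepping_stone"):
        return True
    return a.impact == "dos" and a.critical_service


def truly_high_risk(a: Advisory) -> bool:
    return easily_exploitable(a) and significant_damage(a)


TARGET_DAYS = 7  # assumption: act within the low end of the observed 1-3 week window


def plan(a: Advisory, today: date, patch_lead_days: int) -> Tuple[str, str, Optional[date]]:
    """Return (priority, action, deadline). patch_lead_days = time for tests and release."""
    if not truly_high_risk(a):
        return ("routine", "leave to the periodic patch cycle", None)
    deadline = a.disclosed + timedelta(days=TARGET_DAYS)
    if today + timedelta(days=patch_lead_days) <= deadline:
        return ("urgent", "apply the patch before the deadline", deadline)
    if a.waf_signature_possible:
        return ("urgent", "deploy a WAF signature now as an interim measure, then patch", deadline)
    return ("urgent", "apply an avoidance measure out of cycle, then patch", deadline)


def worklist(advisories: List[Advisory], today: date, patch_lead_days: int) -> List[Tuple[str, str, str]]:
    """Urgent items first, then by identifier; each row is (vuln_id, priority, action)."""
    rows = [(a.vuln_id, *plan(a, today, patch_lead_days)[:2]) for a in advisories]
    return sorted(rows, key=lambda r: (r[1] != "urgent", r[0]))


# Constructed inventory; every identifier is a placeholder.
SAMPLE = [
    Advisory("EXAMPLE-0001", "web server", True, True, True, "dos", True, True, date(2011, 8, 24)),
    Advisory("EXAMPLE-0002", "app framework", True, True, True, "stepping_stone", False, False, date(2011, 8, 24)),
    Advisory("EXAMPLE-0003", "internal database", False, True, True, "data_theft", True, True, date(2011, 8, 24)),
    Advisory("EXAMPLE-0004", "web server", True, True, False, "dos", False, True, date(2011, 8, 24)),
]


def demo() -> List[Tuple[str, str, str]]:
    """Worklist two days after disclosure when a patch needs ten days of lead time."""
    return worklist(SAMPLE, date(2011, 8, 26), patch_lead_days=10)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The point of the two-stage test is that a vulnerability fails it for either reason: EXAMPLE-0003 is serious but sits behind the firewall, and EXAMPLE-0004 is exposed but has no public attack code, so both stay on the routine cycle while the two exposed, exploitable items become urgent and the interim action depends on whether a WAF rule can cover them.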

2. Threats of the Internet - Web Applications

2.1. Attacks from the Internet

The FNC Secure Web-Net Management Service monitors access to corporate websites via the Internet and records detection results from Intrusion Detection Systems (IDS) and Web Application Firewalls (WAF), as described in 1.1 concerning firewalls. Figure 8 shows the attacks detected by IDSs provided by the FNC Secure Web-Net Management Service between April 2011 and March 2012, by their targets.

Figure 8: Website attacks detected by IDSs by their targets

23% of attacks targeted CGI; this was due to a sudden increase in attacks on some CGI applications over a short period. It is assumed that these attacks were simply searching, using bots, for devices which could be used as stepping stones, since they came from dispersed addresses and targeted a wide range of addresses. Nevertheless, it pushed attacks on CGI to the top of the detection list. 17% of attacks targeted IIS, which is mainly used as web server software. IIS has always been a popular target and the trend remained unchanged. Old vulnerabilities found between 2000 and 2002 were continuously detected every month. Attacks on web applications created with PHP and on Oracle products continued; however, many of the attacks targeted old vulnerabilities that were found a long time ago. More than 90% of attacks detected by IDSs exploited vulnerabilities in the website system infrastructure or web applications. Attacks were mostly carried out with generally available attack tools and were detectable by IDSs; this indicates that most attackers were using relatively easy methods. Attackers use such attack tools before launching sophisticated attacks. It is difficult for an IDS to detect sophisticated attacks since IDS is based on matching packets and byte streams; therefore, a separate detection system would be necessary.

Figure 9 shows attacks detected by WAFs provided by the FNC Secure Web-Net Management Service in the same period, by their attack types.

Figure 9: Website attacks detected by WAFs by their risk levels

Risk levels Medium and Low include low-risk activities such as scans and harmless access attempts. Risk level High consists of attacks on web applications such as SQL injection (hereinafter SQLI), accounting for approximately 90%, and cross-site scripting (hereinafter XSS). Such high-risk attacks should all be detected and blocked; however, the detection must be strictly limited to attacks, otherwise normal requests may suffer. In order to accurately distinguish attacks, various mechanisms are required in addition to recognizing attack patterns using a blacklist. Responses to requests should be analyzed, and inputs to web applications and responses over a certain period should be analyzed, to avoid normal parameters being detected as an attack by error. If any detection error occurs, normal requests should be defined in the whitelist in fine detail, such as by URL and parameters.

Many vulnerabilities were found in 2011 in web middleware such as Apache and in frameworks for web application development such as Struts2. Table 2 shows some vulnerabilities that were high-risk, whose attack code was available, and which could be attacked by anyone from the Internet.

Table 2: Attacks on vulnerabilities found in 2011

CVE was the DoS vulnerability in Apache mentioned in 1.2. We created the signature for the WAF based on the published attack code to apply the measure before the release of the fixed version of Apache. CVE and others were the Hash DoS vulnerability also mentioned in 1.2. We were able to prevent attacks without applying a specific measure because the WAF already had the definition of normal communications on the target server. CVE and CVE were vulnerabilities in Struts2 where attackers may execute arbitrary commands by sending HTTP requests containing attack code to application servers. These are high-risk since, once the application server is successfully attacked, it can be used as a stepping stone to attack other servers in the network and the damage may spread. CVE could be dealt with as soon as the vulnerability was disclosed by applying the proprietary signature we had created in advance. CVE was similar to CVE , so we created the signature for the WAF based on the attack code and applied the measure smoothly. Figure 10 shows detected attacks on these vulnerabilities.

Figure 10: History of detected attacks on vulnerabilities found in 2011

Attacks on vulnerabilities occurred within 1 to 3 weeks of the disclosure of the vulnerability information. This gives us a rough indication of the grace period we have to apply measures to vulnerabilities. The number of attacks was particularly high on Apache, which is widely used for websites. Also, the peak of DoS attacks on Apache (CVE ) in February 2012 indicates that the attacks were probably automated. Many of these attacks on vulnerabilities can be blocked by a WAF; therefore, a WAF can be an effective measure in environments where implementing server protection is operationally unrealistic, or where applying measures requires some time.
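The blacklist-plus-whitelist distinction drawn in this section (block recognised SQLI and XSS patterns, but define known-normal requests per URL and parameter so that they are not mistaken for attacks) can be shown with a small request classifier. The following Python is an added example, not code from the WAF product the report describes; the patterns, paths, parameter names, and sample requests are constructed, and the blacklist is deliberately coarse so that the whitelist has a false positive to correct.

```python
"""Blacklist detection with per-URL, per-parameter whitelist exceptions.

Added example, not from the report. Patterns, paths and sample requests are
constructed for illustration; a production rule set is far larger.
"""
import re
from typing import List, NamedTuple, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit


class Request(NamedTuple):
    method: str
    url: str        # path plus query string
    body: str = ""  # form-encoded body for POST


# Blacklist: coarse signatures for the two High-risk classes the report names.
BLACKLIST = {
    "SQLI": re.compile(
        r"('\s*(or|and)\s+[\w']+\s*=\s*[\w']+)|(\bunion\s+select\b)|(--\s*$)|(;\s*drop\b)",
        re.IGNORECASE),
    "XSS": re.compile(r"(<\s*script\b)|(\bon\w+\s*=)|(javascript\s*:)", re.IGNORECASE),
}

# Whitelist: (path, parameter) -> what a normal value looks like. Matching values
# are trusted for that exact URL and parameter and never reach the blacklist.
WHITELIST = {
    ("/search", "q"): re.compile(r"^[\w\s'\-]{1,100}$"),
    ("/forum/post", "body"): re.compile(r"^[^<>]{1,2000}$"),  # free text, but no tags
}


def params_of(req: Request) -> Tuple[str, List[Tuple[str, str]]]:
    """Split a request into its path and the decoded (name, value) pairs it carries."""
    parts = urlsplit(req.url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if req.method == "POST" and req.body:
        pairs += parse_qsl(req.body, keep_blank_values=True)
    return parts.path, pairs


def classify(req: Request, use_whitelist: bool = True) -> Tuple[str, Optional[str]]:
    """Return ('HIGH', category) when a parameter hits the blacklist, else ('OK', None)."""
    path, pairs = params_of(req)
    for name, value in pairs:
        allow = WHITELIST.get((path, name)) if use_whitelist else None
        if allow is not None and allow.match(value):
            continue  # known-normal for this URL and parameter: skip the blacklist
        for category, pattern in BLACKLIST.items():
            if pattern.search(value):
                return ("HIGH", category)
    return ("OK", None)


# Constructed traffic: one SQLI probe, one XSS probe, and one legitimate forum post
# whose wording happens to resemble a SQL statement.
SAMPLE_REQUESTS = [
    Request("GET", "/search?q=' or 1=1"),
    Request("POST", "/forum/post", "body=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
    Request("POST", "/forum/post", "body=Meeting+at+9%3B+drop+by+if+you+can"),
]


def run(use_whitelist: bool = True) -> List[Tuple[str, Optional[str]]]:
    """Classify the sample traffic, with or without the whitelist exceptions."""
    return [classify(r, use_whitelist) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    print("with whitelist:   ", run(True))
    print("without whitelist:", run(False))
```

Run without the whitelist, the third request ("Meeting at 9; drop by if you can") is wrongly blocked as SQLI by the `; drop` signature; the per-parameter rule for `/forum/post` `body` accepts any tag-free text and removes that error without loosening detection on other parameters, which is the fine-grained whitelisting the text recommends. The whitelist is consulted before the blacklist precisely because a value that matches the narrow normal profile cannot also be an attack for that field.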

2.2. Corporate System Status

This section examines how measures are implemented on corporate websites based on the results of our Web Application Assessment Service. Similarly to the Platform Assessment, our Web Application Assessment categorizes websites into 3 groups according to their risk levels.

- "Danger": Websites where important information can be illegally accessed.
- "Warning": Websites with possible information leakage risks, although important information could not be accessed.
- "Safety": Websites which do not have any of the above flaws.

Figure 11 shows the websites we have assessed in the past five years by each of the above categories. 33% of websites were in "Danger" in the 2011 results.

Figure 11: Risk levels of websites over five years

The history shows that the number of "Danger" sites was decreasing up to 2010, but 2011 did not see any improvement. This may indicate that security measure implementation in application development is stagnating. However, the stagnation may not be the case in all industries, since security policies vary among organizations and their businesses. High-level security is required in financial systems, where security breaches directly lead to financial damage. Also, awareness of information security is deemed to be relatively high in financial organizations, since there is a certain pressure on them to promote security measures through FSA inspections and BOJ inspections [8]. Let's observe the risk levels in financial and non-financial organizations.

[8] An inspection carried out by the Bank of Japan in accordance with the Bank of Japan Act in order to maintain the stability of the financial system.

Figure 12: Risk levels in financial and non-financial websites

Figure 12 shows the summary of the 2011 assessment results for financial and non-financial websites. The proportions of "Danger" and "Warning" in financial websites are significantly smaller than in non-financial websites.

Figure 13: Risk levels of financial websites over five years

Figure 13 shows the proportions of each risk level in financial websites over five years. Although the proportion of "Danger" sites stagnated after 2009, the proportion of "Warning" sites dropped considerably from 44% to 26%. As we saw in Figure 11, this is a trend specific to the financial industry. It seems a certain level of achievement in reducing "Danger" was followed by actions against "Warning". However, over 20% of sites still remained in "Danger", which indicates the difficulty of completely eliminating the risks.

Next, we examine the security status of websites where credit card information [9] is handled. Websites which handle credit card information call for robust security measures, since exploitation of such information is likely to cause direct financial damage to users. Figure 14 shows the risk levels of websites which handle credit card information (hereinafter handling sites) and those which do not (hereinafter non-handling sites).

[9] Websites that hold information such as credit card numbers, names, and expiry dates.

Figure 14: Risk levels of handling and non-handling sites

The risk level comparison shows that the proportions of "Danger" are almost the same for handling sites and non-handling sites. On the other hand, the proportion of "Warning" for handling sites is larger, at 54%. This may be because handling sites require a greater number of security measures for handling credit card information. Handling sites are required to comply with PCI DSS 10. However, we did not see any difference in security levels between handling and non-handling sites in 2011, as shown above. This may be because PCI DSS is only starting to spread among some clearing houses and service providers in Japan, so the web systems of general members have not caught up yet.

Next, we will examine, over five years, the risk levels of organizations which have previously undergone our web application assessment and of organizations which have never been assessed by us before (hereinafter new clients).

Figure 15: Risk levels of websites with assessment experience over five years

10. Payment Card Industry Data Security Standard. Security standards developed by five global payment brands for systems which handle credit card information.

Figure 16: Risk levels of websites of new clients over five years

Figure 15 shows that the proportion of "Danger" is kept around 30% or less over five years, whereas it is around 50% in Figure 16. This indicates that organizations can accumulate the know-how to develop safe web applications without introducing major flaws through regular assessment experience. Nevertheless, even organizations with regular assessment experience cannot eliminate "Danger" completely.

So far we have seen that even financial organizations with high security awareness, and organizations with security know-how gained through regular assessment experience, still carry certain risks and have difficulty in completely eliminating vulnerabilities. We will focus on high-risk vulnerabilities in the next section.

2.3. Main Flaws in Web Applications

The following are the most common and critical flaws found in our web application assessment.

- Spoofing due to insufficient checks (hereinafter spoofing)
- Accessing administrative functions by privilege escalation (hereinafter privilege escalation)
- SQLI

Figure 17 shows the detected cases of the above flaws, plus another major flaw, XSS, in our web application assessment in the past five years.

Figure 17: Detected major flaws over five years

Detection rates of "Spoofing", "SQLI", and "XSS" were generally decreasing over the past five years; however, they showed a slight increase in 2011. This is considered to be due to the large number of new clients in 2011. Figure 18 summarizes the detection rates of these flaws by the organizations' assessment experience. It shows that detection rates are higher in new clients for every flaw.

Figure 18: Detected major flaws by assessment experience

These detection rates can be broken down into financial organizations, with higher security awareness, and non-financial organizations, as shown in Figure 19 and Figure 20.

Figure 19: Detected major flaws in non-financial organizations by assessment experience

Figure 20: Detected major flaws in financial organizations by assessment experience

First of all, the rates of privilege escalation and spoofing in organizations with assessment experience were less than or equal to half of those in new clients in Figure 19. This shows that awareness of these flaws was low in many organizations and that measures were applied after the first assessment. On the other hand, privilege escalation and spoofing in Figure 20 do not show much difference between new clients and organizations with assessment experience; therefore, awareness of such flaws is already high in financial organizations even before the assessment. Also, privilege escalation and spoofing are detected at similar rates among financial organizations with high security awareness and non-financial organizations once they have assessment experience. This indicates that these flaws can be dealt with as long as the organization knows the means, regardless of whether it is a financial or non-financial organization.

Focusing on SQLI and XSS, the general trend that detection rates were lower in organizations with assessment experience is the same in both financial and non-financial organizations. The difference is that financial organizations maintained much lower detection rates. Web application assessment is often carried out on selected screens of larger systems due to security budget restrictions. However, SQLI and XSS flaws exist in screen parameters, so they can be overlooked if measures are applied to only the selected screens. Therefore, how comprehensively security measures are applied determines the difference in SQLI and XSS detection rates. Systems with high-level security requirements may be subjected to comprehensive assessment, such as examination of every screen and of the source code of the web application. Such comprehensive measures may be practiced more in financial organizations than in non-financial organizations, which resulted in the lower detection rates of SQLI and XSS.

2.4. Security Measures for Web Applications

The development processes of web applications can be defined as "Requirements (requirement definition)", "Design", and the implementation, deployment and operations processes discussed below. Figure 21 shows the processes in which the high-risk flaws found in web application assessment were created. This section describes the characteristics of the flaws created in each development process, and the required measures.

Figure 21: Processes where high-risk flaws were created

Flaws in the requirement and design processes are created when security requirements and perspectives are not sufficiently identified; therefore, measures can be perfected by developing the system with a sufficient understanding of requirements and perspectives. "Privilege escalation" and "spoofing", discussed in the previous section, are flaws created in these processes; therefore, they can be eliminated by establishing and appropriately maintaining the necessary environments and systems, such as creating design guidelines with security perspectives and carrying out design reviews. On the other hand, these flaws are difficult to deal with mechanically. In order to apply the appropriate measures, an understanding of security perspectives as well as of the business logic is required; therefore, it is difficult to apply mechanical measures such as source code assessment tools or WAF.

Flaws in the implementation process can be difficult to eliminate, since they can be overlooked or escape attention even when the developers understand the necessity of measures. It is difficult to eliminate human errors in major development projects. However, these flaws can be comprehensively dealt with by using a mechanical approach such as source code assessment tools. WAF can also be deployed. WAF can be the collective measure for flaws such as SQLI, which can be especially harmful, and XSS, which is frequently found. WAF can be an effective measure to implement a certain security level at once over multiple sites, since one WAF can protect multiple sites. However, note that WAF is not the answer for all flaws.

Lastly, flaws in the deployment and operations processes are mainly platform specific. As described in 1.3, it is important to deal with flaws in these processes by applying measures to high-risk vulnerabilities using vulnerability information services or other means. WAF can also be used to deal with some high-risk vulnerabilities.
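The distinction drawn in 2.3 and 2.4 between implementation-process flaws (SQLI, XSS), which a tool can find mechanically, and design-process flaws (privilege escalation), which require knowing the business rule, is shown below in an added Python example. The code is not from the report or from the assessment service it describes; the in-memory user table, the function names and the "only administrators may delete" rule are constructed for illustration.

```python
import html
import sqlite3

# Constructed in-memory table standing in for the application's user store.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    conn.commit()
    return conn

# --- Implementation-process flaw: SQLI -----------------------------------
# Defective: the screen parameter is spliced into the SQL text, so a quote in
# the input changes the query's grammar. A source code assessment tool can
# match this pattern mechanically, and a WAF can filter the request.
def find_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    return conn.execute(
        f"SELECT name, role FROM users WHERE name = '{name}'").fetchall()

# Hardened: parameter binding keeps the input as data whatever it contains.
def find_user_hardened(conn: sqlite3.Connection, name: str) -> list:
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()

# --- Implementation-process flaw: XSS ------------------------------------
# Defective: the parameter is written into HTML unescaped.
def greet_vulnerable(name: str) -> str:
    return f"<p>Hello, {name}</p>"

# Hardened: escape at the output boundary.
def greet_hardened(name: str) -> str:
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"

# --- Design-process flaw: privilege escalation ---------------------------
# Defective: the administrative function is reachable by any logged-in user.
# Nothing in the code refers to a role, so a scanner or a WAF has no rule to
# match; only a design review that knows the business rule catches it.
def delete_user_vulnerable(conn: sqlite3.Connection, session_user: str,
                           target_id: int) -> bool:
    conn.execute("DELETE FROM users WHERE id = ?", (target_id,))
    return True

# Hardened: the design rule ("only admins may delete") is enforced server-side
# from the session's own role, never from request data.
def delete_user_hardened(conn: sqlite3.Connection, session_user: str,
                         target_id: int) -> bool:
    row = conn.execute("SELECT role FROM users WHERE name = ?",
                       (session_user,)).fetchone()
    if row is None or row[0] != "admin":
        return False  # refused: the caller is not an administrator
    conn.execute("DELETE FROM users WHERE id = ?", (target_id,))
    return True

if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed input containing a quote character
    print("vulnerable lookup rows:", len(find_user_vulnerable(db, probe)))  # whole table
    print("hardened lookup rows:  ", len(find_user_hardened(db, probe)))    # none
    print(greet_hardened("<b>bob</b>"))
    print("delete as plain user:  ", delete_user_hardened(db, "bob", 1))    # False
```

The two SQLI and XSS functions differ in one line each, which is why a code assessment tool or a WAF can cover them across every screen at once; the privilege escalation fix adds a check whose correctness depends on a rule that exists only in the design documents.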

Figure 22: Measures in website development processes

3. Threats to Overseas Sites

3.1. Attacks on Overseas Sites

The large-scale information leakage from a major global enterprise in the spring of 2011 is still fresh in our memory. Many websites were targeted by hackers, and information leakage occurred from one website after another. Figure 23 shows the geographical locations of the servers where information leakage occurred, based on their IP addresses 11. Although a small number of these sites were located in Japan (hereinafter domestic sites), the majority of them, including the one with the largest-scale information leakage, were located at overseas bases (hereinafter overseas sites).

Figure 23: Locations of sites with information leakage incidents

More hackers joined in to attack the overseas sites of other global enterprises, and further information leakages occurred. It seems that attackers searched for vulnerabilities in the targeted enterprise's websites all over the world, and attacked the easy targets where the security level was low. Once an information leakage occurs, the organization suffers a loss of prestige whether the incident occurred overseas or in Japan. Therefore, security measures in overseas sites should be managed as strictly as in domestic sites.

11. Only the country can be accurately determined when obtaining geographical information from IP addresses; the precise location of the server cannot be determined.

3.2. Overseas Sites Status

According to the "Organizations Information Security Status Investigation 2011", 66.2% of organizations which had overseas bases answered in the questionnaire that they leave security measures to the local staff 12. This section examines the differences in security measures between overseas sites and domestic sites.

We offer an inventory service for websites, including overseas sites, and a service to carry out simple security checks on these websites. Figure 24 shows the locations of the websites we have checked, based on their IP addresses. The map indicates that the overseas sites of Japanese global enterprises are dispersed over many countries.

Figure 24: Locations of overseas sites of Japanese global enterprises

Figure 25 shows the results of the checks carried out as part of these services in 2011 for domestic sites and overseas sites. Please note that the location of a website does not necessarily indicate the whereabouts of its target users. Some websites serving Japanese users may be installed at overseas locations. However, assuming most domestic sites are located within Japan, websites at overseas locations are all counted as overseas sites.

Figure 25: Comparison of simple check results in domestic sites and overseas sites

Open/close status of ports used for maintenance services: We checked the ports which are mainly used for remote operations, and any open port was counted as an "open maintenance port". Users usually have to log in to use the service, but the server can be taken over by attackers if they successfully guess the ID and password; therefore, the number of accessible devices should be minimized. The malware commonly called Gumblar, which was widespread in 2009, also targeted these maintenance service ports.

Product version check from the banner information: We checked the product versions from the banner information included in the response to access to an open port. If the version contained any known high-risk vulnerability (one that allows remote execution of arbitrary code or remote DoS attacks), the product was counted as a "vulnerable version in use". Appropriate patch management is probably not implemented if such an old vulnerable version is in use.

Figure 25 shows that security measures in overseas sites are inferior to those in domestic sites. This indicates that overseas sites are more likely to be illegally accessed if security measures are left to the local staff. However, even domestic sites were not satisfactorily secure, since 39% of them were using vulnerable versions of products. It is assumed that there are some domestic sites whose operations are left to designated departments, and the security control department is not centrally managing their security status. Also, many of the websites subject to the simple security checks probably never underwent a security assessment before. Security measures in such websites should be managed regardless of whether they are domestic sites or overseas sites. However, it should be more difficult to manage overseas sites than domestic sites.

According to the "Organizations Information Security Status Investigation 2011", 50.4% of organizations which had overseas bases answered "not able to apply enough security measures." Often fewer staff are placed at overseas bases than at domestic bases. This necessitates one person having to manage various operations, and consequently information security receives less attention. Another reason may be differences in the approach to information security between Japanese staff and locally employed staff due to their cultural differences. According to the same investigation, 55.2% of organizations answered "difficult to carry out information security training", and 48.2% of organizations answered "application of information security measures is difficult due to various cultural differences." These answers indicate the difficulty of managing information security at overseas bases on their own.
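The two simple checks described above (open maintenance ports, and vulnerable product versions read from banners) can be applied to an inventory that has already been collected, as the following added Python example shows. It is not the report's own check tool; the port list, the "fixed version" table and the three sample sites with their banners are constructed for illustration, and the version thresholds are assumptions rather than a real advisory list.

```python
import re
from typing import Dict, List, Optional, Tuple

# Ports mainly used for remote operations (constructed list: SSH, Telnet, RDP).
MAINTENANCE_PORTS = {22, 23, 3389}

# Constructed table: product -> first version without the known high-risk
# vulnerability. Any lower version counts as "vulnerable version in use".
# Illustrative values only; a real check would come from a vulnerability
# information service.
FIXED_VERSION: Dict[str, Tuple[int, ...]] = {
    "Apache": (2, 2, 21),
    "OpenSSH": (5, 9),
}

# Product name followed by a dotted version, as found in HTTP Server headers
# and SSH identification strings.
BANNER_RE = re.compile(r"\b(Apache|OpenSSH)[/_ ](\d+(?:\.\d+)+)")

def parse_version(text: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in text.split("."))

def version_from_banner(banner: str) -> Optional[Tuple[str, Tuple[int, ...]]]:
    """Extract (product, version tuple) from a banner string, if recognised."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    return m.group(1), parse_version(m.group(2))

def is_vulnerable_version(product: str, version: Tuple[int, ...]) -> bool:
    """True when the observed version is older than the fixed version."""
    fixed = FIXED_VERSION.get(product)
    if fixed is None:
        return False
    width = max(len(fixed), len(version))
    pad = lambda v: v + (0,) * (width - len(v))  # compare 2.2 as 2.2.0
    return pad(version) < pad(fixed)

def classify_site(site: dict) -> dict:
    """site = {"name": str, "region": str, "open_ports": {port: banner}}"""
    open_maint = any(port in MAINTENANCE_PORTS for port in site["open_ports"])
    vulnerable = False
    for banner in site["open_ports"].values():
        parsed = version_from_banner(banner)
        if parsed and is_vulnerable_version(*parsed):
            vulnerable = True
    return {"name": site["name"], "region": site["region"],
            "open_maintenance_port": open_maint, "vulnerable_version": vulnerable}

def summarize(sites: List[dict]) -> Dict[str, Dict[str, int]]:
    """Count findings per region, mirroring the domestic/overseas split of Figure 25."""
    out: Dict[str, Dict[str, int]] = {}
    for site in sites:
        r = classify_site(site)
        bucket = out.setdefault(r["region"], {"sites": 0,
                                              "open_maintenance_port": 0,
                                              "vulnerable_version": 0})
        bucket["sites"] += 1
        bucket["open_maintenance_port"] += int(r["open_maintenance_port"])
        bucket["vulnerable_version"] += int(r["vulnerable_version"])
    return out

# Constructed inventory; banners are in the form a web server or SSH daemon sends.
SAMPLE_INVENTORY = [
    {"name": "www.example.jp", "region": "domestic",
     "open_ports": {80: "Server: Apache/2.2.22", 22: "SSH-2.0-OpenSSH_5.9p1"}},
    {"name": "www.example.de", "region": "overseas",
     "open_ports": {80: "Server: Apache/2.2.3 (CentOS)", 23: ""}},
    {"name": "shop.example.sg", "region": "overseas",
     "open_ports": {443: "Server: nginx"}},
]

if __name__ == "__main__":
    for region, counts in summarize(SAMPLE_INVENTORY).items():
        print(region, counts)
```

A banner that carries no version (the nginx entry) is deliberately reported as not vulnerable rather than unknown; in practice such hosts need a separate follow-up, since a hidden banner says nothing about patch status.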

3.3. Security Measures in Overseas Sites

How can we manage information security in overseas sites appropriately? It would be difficult to assign an employee dedicated to information security at each overseas base. One idea to promote information security at overseas bases without increasing the number of employees is to centralize information security management.

First of all, a designated organization, such as the information security control department at the domestic base, should select a sufficiently secure infrastructure whose security level can be appropriately maintained by patch management and regular security assessment. Then, gather websites, including overseas sites, on the selected infrastructure. If an overseas base wants to implement a new website, it should apply to the information security control department, add a server on the selected infrastructure, and install the required web contents. This approach eliminates the costs of selecting the infrastructure, checking the security level, and maintaining the website for each overseas base. Also, centralizing the infrastructure makes it easier to apply measures against threats from insiders, because maintenance access to the live environment can be centrally monitored. The organization may prepare the infrastructure themselves, or use an external hosting service. However, they can reduce the operational load, such as adding or decommissioning servers, by using cloud infrastructure services (IaaS 13).

Since centralization increases the geographical distance between users and servers, delays may become an issue in systems for which real-time services are crucial. A separate centralized infrastructure can be implemented closer to the users for such systems. Delays and risk concentration can be mitigated by dividing the whole area of the overseas bases into several regions and implementing an infrastructure for each region, rather than concentrating everything in a single place. Cloud infrastructure services may be suitable for such management with regional divisions, since some of them offer regional services.

Figure 26: Centralized infrastructure

Migrating to a new infrastructure may be difficult depending on the configuration and size of the existing system. In such a case, integrating the access routes to the websites using a SaaS type WAF can be considered. This is achieved by centrally managing the DNS servers that manage the organization's domains, including the domains of overseas sites. Then, use the SaaS 14 type WAF and configure all access to the organization's domains, including the domains of overseas sites, to go through the WAF to guarantee the security level. To implement the SaaS type WAF, only two actions are needed: changing the IP addresses registered in the DNS, and blocking with a firewall any access which does not come through the WAF, as shown in Figure 27. This relatively easy implementation provides measures against attacks which falsify parameters, such as SQLI and XSS, and against some vulnerabilities in web server products.

13. Infrastructure as a Service
14. Software as a Service. A service which offers an application as a service via the network. It is often offered as a web-based service.

Figure 27: SaaS type WAF implementation procedure

In general, integration should start with smaller sites with relatively low traffic, because the WAF may become a bottleneck if busy websites are integrated. Many of the overseas sites whose security status is not controlled from Japan are considered to be relatively small sites that did not require large investment in their implementation. Therefore, this approach has the merit of integrating small sites. As discussed in the section on the centralized infrastructure, the risks of concentrating access routes can be mitigated by dividing the area of overseas sites into several regions and managing each region by a separate WAF, as shown in Figure 28. For example, the overseas sites in Figure 24 seem to be concentrated in Europe, Asia, and North America; therefore, dividing them into European, Asian, and North American regions can be considered. How to divide into regions should be examined by each organization, since the concentrated areas vary depending on the organization's business.
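The two actions of the SaaS type WAF procedure (DNS pointing at the WAF, firewall admitting only WAF sources) are only effective together: if either is skipped, the origin can still be reached directly and the WAF is bypassed. The added Python example below audits both conditions from a DNS table and per-origin firewall policies. It is not part of the report or of any WAF product; the WAF address ranges, DNS records and firewall rules are constructed documentation addresses, and the rule that every "allow" entry must lie inside one published WAF range is an assumption of the example.

```python
import ipaddress
from typing import Dict, List, Tuple

Network = ipaddress.IPv4Network
Rule = Tuple[Network, str]  # (source network, "allow" | "deny")

# Constructed: ranges from which the SaaS WAF forwards traffic to origins.
# A real provider publishes its own list; these are documentation ranges.
WAF_RANGES: List[Network] = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed DNS records: hostname -> address published to the public.
DNS: Dict[str, str] = {
    "www.example.de": "203.0.113.10",  # already points at the WAF
    "shop.example.sg": "192.0.2.45",   # still points straight at the origin
}

# Constructed origin firewall policies for the web ports: ordered rules plus a
# default action applied when no rule matches.
ORIGIN_POLICY: Dict[str, Tuple[List[Rule], str]] = {
    "www.example.de": ([(ipaddress.ip_network("203.0.113.0/24"), "allow"),
                        (ipaddress.ip_network("198.51.100.0/24"), "allow")], "deny"),
    "shop.example.sg": ([(ipaddress.ip_network("0.0.0.0/0"), "allow")], "deny"),
}

def check_site(name: str, dns: Dict[str, str],
               policy: Dict[str, Tuple[List[Rule], str]],
               waf_ranges: List[Network]) -> List[str]:
    """Return every way in which `name` can still be reached without passing the WAF."""
    findings: List[str] = []
    # Action 1: the public address must belong to the WAF.
    addr = ipaddress.ip_address(dns[name])
    if not any(addr in net for net in waf_ranges):
        findings.append("dns_does_not_point_to_waf")
    # Action 2: the origin must admit web traffic from WAF sources only.
    rules, default = policy[name]
    if default == "allow":
        findings.append("origin_default_allow")
    for net, action in rules:
        if action == "allow" and not any(net.subnet_of(w) for w in waf_ranges):
            findings.append(f"origin_allows_non_waf_source:{net}")
    return findings

def audit(dns: Dict[str, str], policy, waf_ranges: List[Network]) -> Dict[str, List[str]]:
    return {name: check_site(name, dns, policy, waf_ranges) for name in dns}

if __name__ == "__main__":
    for site, findings in audit(DNS, ORIGIN_POLICY, WAF_RANGES).items():
        print(site, "OK" if not findings else findings)
```

Running the audit before each region is cut over gives the security control department a checklist per site; a site that reports findings is one whose WAF integration is incomplete, not merely one that is unprotected by the WAF's filtering.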

Figure 28: Access route integration by WAF

4. Threats of Targeted Attacks

4.1. Malware Detection Status While Browsing Websites

An attack by web-based malware 15 starts with the falsification of a website, and the damage to the user is triggered when the user accesses that website with a browser. Let's see the malware detection status from April 2011 to March 2012, based on the data from the gateway type virus check servers provided by our FNC Secure Internet Connection Service.

Figure 29: Malware daily detection history while browsing websites

Figure 29 shows the daily history of malware detected while corporate users were browsing websites. The number of detections stays relatively low, under 20, since this is business use by corporate users; however, the number surged on January 20, 2012. This was caused by malware called "Trojan.JS.Agent.EXP". Figure 30 shows the daily history of detected numbers of this malware in January 2012.

Figure 30: "Trojan.JS.Agent.EXP" daily detection history

"Trojan.JS.Agent.EXP" is illegal JavaScript code that falsifies websites to redirect users to attackers' sites. JPCERT/CC 16 reported cases where many websites implemented with WordPress 17 were falsified by taking advantage of their vulnerabilities 18. All websites with "Trojan.JS.Agent.EXP" were implemented with WordPress. Therefore, the increase in the detected numbers was caused by the temporary increase in the number of websites falsified by the same method. Which vulnerabilities were the attackers going to exploit at the attackers' sites to which users were redirected from the falsified websites? Figure 31 summarizes part of the Security Alerts 19 issued by JPCERT/CC for endpoint products from April 2011 to March 2012.

15. Malware by which the user is infected only by browsing the page.
16. Japan Computer Emergency Response Team/Coordination Center
17. Open source blog software
19. Document to notify of vulnerabilities that are serious and widely influential.

Figure 31: Security alerts by JPCERT/CC for endpoint products in 2011

This shows that various vulnerabilities in endpoint products were reported between the disclosure of the WordPress vulnerabilities and the detection of "Trojan.JS.Agent.EXP". In this case, the falsification of websites implemented with WordPress was a redirection to attackers' sites. The attackers' sites were managed by the attackers; therefore, the attackers were able to exploit vulnerabilities in endpoint products through these sites by placing web content with attack code targeting Java, or PDF files with attack code targeting Adobe Acrobat.

Figure 32: Detected malware while browsing websites

Figure 32 shows the malware detected in the same period. We have already explained "Trojan.JS.Agent.EXP". "Trojan-Downloader.JS.Agent.gay" and "Trojan-Downloader.HTA.Agent.ai" are a type of malware which downloads illegal programs from the attacker's site. "Other" includes various malware with low numbers of detections. The fact that "Other" occupies approximately 60% suggests there are various subspecies and that their life cycle is relatively short. Figure 33 shows the detected malware by type.

Figure 33: Types of the detected malware while browsing websites

Downloaders, which download illegal programs from attackers' sites, make up 50%. As Figure 32 also suggested, web-based malware has become mainstream. Since this data was collected from the website access records of corporate users, we can assume the majority of such access was to well-known and relatively reliable websites. Even such websites did not escape malware attacks and were falsified. To prove this point, Figure 34 shows the summary of the top-level domain names of the URLs where malware was detected.

Figure 34: URL domains where malware was detected

Figure 34 shows that the com domain and the jp domain make up the majority. One of the reasons for the large proportion of the jp domain is that the organizations covered by this summary were Japanese. However, it is clear that cases such as website falsification and the use of falsified content by mashup 20 are happening in Japan. The jp domains where malware was detected included a noticeable number owned by organizations listed on a stock exchange.

In order to prevent malware infection, basic measures such as "maintaining the latest versions of OSes and applications" and "installing the latest version of security software and maintaining the latest version of definition files" should be diligently followed. Also, even while visiting familiar websites, users should be aware of the possibility that the site could have been falsified and that they could fall victim. However, the types of endpoint products to be dealt with are more and more diverse, and the frequency of vulnerability detection is increasing. Organizations are finding it difficult to maintain everything at the latest versions. Therefore, it is important to consider "risk mitigation" to reduce the impact of attacks, for example by uninstalling applications which are not essential for business operations and disabling "JavaScript", which is often used in attacks, if the organization cannot keep up with the latest versions.

20. A method to implement a new website by combining APIs (Application Programming Interface) from multiple web services.
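The falsification pattern described in 4.1, a script injected into a legitimate site's pages that sends visitors on to an attacker's site, is something a site owner can check for on their own published pages. The added Python example below (not the report's own tooling, and unrelated to any specific malware family) parses a page, lists script and iframe sources outside an allow-list of the site's own hosts, and flags inline scripts that redirect the browser. The allow-list, the two sample pages and the hostnames are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from typing import List, Set, Tuple
from urllib.parse import urlparse

# Inline-script constructs that move the visitor elsewhere or write a hidden frame.
REDIRECT_RE = re.compile(
    r"(?:window|document|top)\.location|location\.(?:href|replace|assign)"
    r"|document\.write\s*\(.*<iframe",
    re.IGNORECASE | re.DOTALL)

class _Collector(HTMLParser):
    """Gather external script/iframe sources and inline script bodies."""
    def __init__(self) -> None:
        super().__init__()
        self.external: List[str] = []
        self.inline: List[str] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.external.append(a["src"])
            else:
                self._in_script = True
        elif tag == "iframe" and a.get("src"):
            self.external.append(a["src"])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)

def audit_page(html_text: str, allowed_hosts: Set[str]) -> List[Tuple[str, str]]:
    """Return (finding, detail) pairs: resources loaded from hosts outside the
    allow-list, and inline scripts that redirect the visitor."""
    c = _Collector()
    c.feed(html_text)
    findings: List[Tuple[str, str]] = []
    for src in c.external:
        host = urlparse(src).hostname  # None for relative (same-origin) paths
        if host and host not in allowed_hosts:
            findings.append(("external_resource", host))
    for code in c.inline:
        if REDIRECT_RE.search(code):
            findings.append(("inline_redirect", " ".join(code.split())[:60]))
    return findings

# Constructed allow-list: the site itself and the CDN it legitimately uses.
ALLOWED = {"www.example.jp", "cdn.example.jp"}

# Constructed page as published by the site owner.
CLEAN_PAGE = """<html><head>
<script src="/wp-includes/js/jquery.js"></script>
<script src="https://cdn.example.jp/analytics.js"></script>
</head><body><h1>Welcome</h1></body></html>"""

# Constructed copy of the same page after falsification: a foreign script tag
# and an inline redirect appended to the template.
TAMPERED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<script src="http://badhost.invalid/a.js"></script>'
    '<script>window.location = "http://badhost.invalid/";</script></body>')

if __name__ == "__main__":
    print("clean:   ", audit_page(CLEAN_PAGE, ALLOWED))
    print("tampered:", audit_page(TAMPERED_PAGE, ALLOWED))
```

Running this over a crawl of the site's own pages, and comparing against the previous crawl, turns "the site could have been falsified" into a concrete alert: any new host outside the allow-list, or any new redirecting inline script, is a template change the owner did not make.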

4.2. Detected Malware Attached to E-mails

With the emergence of cloud computing, web services have diversified, and web access is becoming the overall majority of Internet access. However, e-mail is still a popular tool for inter- and intra-organizational communication. Let's see the detection status of malware attached to incoming e-mails 21 from April 2011 to March 2012, based on the data from the gateway type virus check servers provided by our FNC Secure Internet Connection Service.

Figure 35: Daily malware detection from e-mails via the Internet

Figure 35 shows the daily detection history of malware from e-mails received via the Internet. The number of detected malware surged from April 11 to 12, 2011. This was caused by malware detected as "Packed.Win32.Katusha.n". Figure 36 shows the daily history of detected numbers of "Packed.Win32.Katusha.n" in April 2011. "Packed.Win32.Katusha.n" is an executable file packed by a packer that is often used by malware. "Packer" is the general term for tools that compress or encrypt executable files. They are used to reduce the volume of programs for distribution or to prevent reverse engineering; however, some packers are often used by malware to avoid detection by anti-virus products, so anti-virus products detect executable files packed by such packers as malware. Therefore, such executable files packed by packers are described as malware in this report.

Figure 36: "Packed.Win32.Katusha.n" daily detection history

Figure 36 shows that "Packed.Win32.Katusha.n" ceased after being detected 744 times on April 11 and 1,403 times on April 12. These e-mails with malware were sent to approximately 900 unique addresses in a specific domain within a short period. This indicates that the attacker may have created a list using certain information. As described in 4.1, such attackers' sites tend to repeat relatively short life cycles of emergence and disappearance, and this e-mail-attached malware was no exception.

21. The FNC Secure Internet Connection Service first checks for spam e-mails, then checks the filtered e-mails for viruses; therefore, it is possible that most e-mails with attached malware had already been removed as spam.

Figure 37: Detected malware from e-mails via the Internet

Figure 37 shows the malware detected in the same period. The aforementioned "Packed.Win32.Katusha.n" came top, yet occupied only approximately 10%. This suggests that a wide diversity of malware is being detected.

Figure 38: Types of detected malware from e-mails via the Internet

Figure 38 shows the malware in Figure 37 grouped into types. This pie chart presents different characteristics from the malware detected while accessing websites. Downloaders made up approximately 50% of the malware detected while accessing websites, whereas worms 22 and trojans 23 made up approximately 60% of the malware attached to e-mails. These remain the mainstream types of malware attached to e-mail. In order to avoid malware infection from e-mails, users should be aware of "deceiving" social engineering attacks, in addition to the general malware measures that also apply to website browsing. In order to deal with social engineering attacks, it is important to effectively improve security awareness among employees through training and education.

22. A type of illegal program. Its activities include destruction and self-replication via networks.
23. This type normally creates a back door to remotely control the infected PC, or steals confidential information saved on the PC, such as passwords.
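The packer discussion in 4.2 (and the 30% packed share reported in 4.3) rests on a property a gateway can measure without any signature: compressed or encrypted sections have byte statistics close to random, which Shannon entropy captures. The added Python example below, not from the report or from any anti-virus product, computes per-window entropy over an attachment and flags it as probably packed when any window exceeds a threshold. The threshold of 7.0 bits per byte is an assumption, and both samples are constructed: the "plain" one repeats the DOS-stub text found at the start of Windows executables, the "packed" one is seeded pseudo-random data standing in for a packed section.

```python
import math
import random
from collections import Counter
from typing import List

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum, approached only by uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def chunk_entropies(data: bytes, chunk: int = 1024) -> List[float]:
    """Entropy per fixed-size window, so one packed section stands out inside
    a file whose headers and stub are otherwise low-entropy."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]

# Assumption: compressed/encrypted payloads sit near 8 bits/byte, while code
# and strings stay well below.
PACKED_THRESHOLD = 7.0

def looks_packed(data: bytes, chunk: int = 1024) -> bool:
    return any(e >= PACKED_THRESHOLD for e in chunk_entropies(data, chunk))

# Constructed samples (no real executable content).
PLAIN_SAMPLE = b"MZ" + b"This program cannot be run in DOS mode.\r\n" * 60
_rng = random.Random(20110411)  # fixed seed so the sample is reproducible
PACKED_SAMPLE = b"MZ" + bytes(_rng.getrandbits(8) for _ in range(4096))

if __name__ == "__main__":
    for label, sample in (("plain", PLAIN_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(label, round(shannon_entropy(sample), 2), looks_packed(sample))
```

Entropy alone does not separate a packed trojan from a legitimately compressed installer, which is why the report treats packer detection as a reason for anti-virus products to flag a file rather than as proof of malice; as a gateway heuristic it is best used to route high-entropy attachments to stricter handling.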

4.3. Malware Measures in Organizations

Installation of client anti-virus software is the general security measure on client PCs. According to the "Organizations Information Security Status Investigation 2011", 100% of organizations had anti-virus products installed. However, the same research found that approximately 30% of organizations had been infected by malware within the past year. Malware infection has been considered to be a result of not appropriately updating OSes and anti-virus definition files; however, there might be another reason. Let's examine the detection rates of anti-virus products.

Figure 39: Detection of malware in executable file format

Figure 39 shows the result of our test, on May 10, 2012, using VirusTotal 24 and malware in executable file format collected between January and March 2012. Despite the fact that VirusTotal updates the definition files of its anti-virus products regularly, the result shows that some malware was not detected even by the definition files of May 10. The detection rate was only approximately 70%, even for malware that had been around for a while. This suggests that we cannot rely totally on anti-virus products for PC security, even if we update definition files appropriately.

Figure 40: Proportion of packed and non-packed malware in executable file format

24. A free web service provided by the Spanish security vendor Hispasec Sistemas. It offers a virus check using multiple anti-virus engines at once.

Next, we will focus on the packers described in 4.2. Figure 40 shows the proportion of packed malware among those in executable file format we collected between January and March 2012. Malware creators use packers to avoid malware analysis and pattern matching by definition files. We can see that attackers were trying to evade detection by anti-virus products, since approximately 30% of the collected malware was packed.

Now we will focus on the detection of attacks targeting unknown vulnerabilities. We tested whether anti-virus products that deploy pattern matching detection using definition files could detect malware that does not match the patterns in the definition file. The sample file (hereinafter test sample) was designed to imitate buffer overflow attacks. The test sample was created and tested in collaboration with Fourteenforty Research Institute, Inc. 25

Figure 41: Detection rate of buffer overflow attacks (source: Fourteenforty Research Institute Inc.)

Figure 41 shows the detection result of the test sample on PCs installed with anti-virus products with the latest definition files as of April 3, 2012. We expected zero detection by anti-virus products with the pattern matching approach, since the pattern did not exist in the definition file; however, some products detected the test sample. This indicates that some anti-virus products with the pattern matching approach using definition files are also embedded with a function to detect the behavior of malware that exploits vulnerabilities. Nevertheless, the function was not sufficient to detect all attempts to exploit vulnerabilities. This experiment proved that a user could still be infected by malware even with an anti-virus product with the latest definition file, if he relied on the pattern matching approach only.

25. Fourteenforty Research Institute, Inc. Specialists in cutting-edge cyber security research such as security vulnerabilities, malware, targeted attacks, and embedded security technologies. Also the developer and vendor of security products.

4.4. Impact of Social Media on Targeted Attacks

Targeted attacks on defense-related organizations, the House of Representatives, and the House of Councilors in Japan attracted much interest from September 2011 onwards. The attackers in targeted attacks create e-mails which might be of interest to the target recipients, attach malware or include URLs to the attackers' site to infect them with malware, and send them to the targets, as shown in Figure 42. Once the target recipient's device is infected, the attacker uses it as a stepping stone to steal information from the organization.

Figure 42: Targeted attack

Table 3 categorizes malicious e-mails, including these targeted e-mails, by their contents. Generally, level 3 and above are considered targeted e-mail. The higher the level, the more likely the recipient would be deceived. A massive amount of level 1 e-mails are being transmitted, but most users would delete them without opening them nowadays. However, the majority of users may be deceived by level 5 e-mails unless they can check the header information in detail. While a spam filter can mechanically detect and remove e-mails whose contents are not user specific, like level 1 and level 2, level 3 onwards will probably slip through.

Table 3: Content levels of malicious e-mails

Recently, an increasing number of users are using social media such as Twitter and Facebook. Third parties can easily find employees of a specific organization, especially with Facebook, since many people register with their real names and disclose their employer. Faking e-mails equivalent to level 4 or level 5 in Table 3, as if they were written by concerned parties, is possible by combining trivial articles which employees may have carelessly posted without realizing the importance of the information. A targeted attack is still possible even without the employer information as long as private information about the employee is available; therefore, confidential information of the employer may eventually be leaked as a result.

Figure 43: Targeted email using social media information
1) Search users in the same company on social media
2) View information on a specific user
3) Create a targeted email based on the acquired information
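What "checking the header information in detail" amounts to in practice, as an added example that is not part of the original report: a small checker that parses a constructed level-4/5 style message and flags the header inconsistencies that survive a convincing subject and body. The contact directory, domains, addresses and both sample messages are constructed placeholders.

```python
"""Header-consistency checks for a suspected targeted email (added example,
not code from the original report). Standard library only; every name,
domain, address and message below is a constructed placeholder."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed directory of known colleagues: display name -> genuine address.
KNOWN_CONTACTS = {"taro yamada": "taro.yamada@target-corp.example"}

# Attachment types a colleague would not send unannounced.
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".lnk")

# Constructed sample: a message impersonating a colleague, seasoned with details
# an attacker could have read on social media (the team dinner, the budget meeting).
SAMPLE_TARGETED_EMAIL = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net ([203.0.113.10]) by mx.target-corp.example; Tue, 11 Oct 2011 09:12:44 +0900
From: "Taro Yamada" <taro.yamada@target-corp-hr.example.net>
Reply-To: taro.yamada.hr@webmail.example.org
To: hanako.suzuki@target-corp.example
Subject: Re: Budget review minutes (photos from the team dinner attached)
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Hanako, as we discussed last night, the minutes and the photos are attached.
--b1
Content-Type: application/octet-stream; name="minutes_and_photos.pdf.exe"
Content-Disposition: attachment; filename="minutes_and_photos.pdf.exe"

placeholder bytes
--b1--
"""

# Constructed sample: the same colleague writing through the company mail system.
SAMPLE_INTERNAL_EMAIL = """\
Return-Path: <taro.yamada@target-corp.example>
Received: from mail.target-corp.example ([192.0.2.5]) by mx.target-corp.example; Tue, 11 Oct 2011 09:30:00 +0900
From: "Taro Yamada" <taro.yamada@target-corp.example>
To: hanako.suzuki@target-corp.example
Subject: Budget review minutes
Content-Type: text/plain; charset="utf-8"

Minutes are on the shared drive under /budget/2011-10.
"""


def _domain(address: str) -> str:
    """Lower-cased domain part of an address, or '' when there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def _same_org(host: str, domain: str) -> bool:
    """True when host is the domain itself or a host inside it."""
    host = host.lower()
    return bool(domain) and (host == domain or host.endswith("." + domain))


def check_headers(raw_message: str) -> list:
    """Return 'tag: detail' findings; an empty list only means the visible
    headers are mutually consistent, not that the message is safe."""
    msg = message_from_string(raw_message)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)

    # 1. A familiar display name on an address that is not the one on record.
    known = KNOWN_CONTACTS.get(from_name.strip().lower())
    if known and known.lower() != from_addr.lower():
        findings.append(f"known-contact-address-mismatch: {from_name} is {known}, not {from_addr}")

    # 2. Replies quietly redirected to a mailbox in another domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append(f"reply-to-mismatch: replies go to {reply_addr}")

    # 3. Envelope sender (bounce address) in a different domain from From.
    _, return_addr = parseaddr(msg.get("Return-Path", ""))
    if return_addr and _domain(return_addr) != from_dom:
        findings.append(f"return-path-mismatch: envelope sender is {return_addr}")

    # 4. Originating hop (oldest Received header, listed last) outside the From domain.
    received = msg.get_all("Received") or []
    if received:
        hop = re.search(r"from\s+([A-Za-z0-9.-]+)", received[-1])
        if hop and not _same_org(hop.group(1), from_dom):
            findings.append(f"received-host-mismatch: first hop was {hop.group(1)}")

    # 5. An attachment whose name ends in an executable extension.
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"risky-attachment: {filename}")

    return findings
```

Run against a mailbox export, the checker only surfaces candidates for a human look; a message that passes every check can still be a targeted email sent from a compromised genuine account.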


More information

THE CHALLENGES OF DATA SECURITY IN THE MODERN OFFICE

THE CHALLENGES OF DATA SECURITY IN THE MODERN OFFICE THE CHALLENGES OF DATA SECURITY IN THE MODERN OFFICE February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced

More information

Today s Topics. Protect - Detect - Respond A Security-First Strategy. HCCA Compliance Institute April 27, 2009. Concepts.

Today s Topics. Protect - Detect - Respond A Security-First Strategy. HCCA Compliance Institute April 27, 2009. Concepts. Protect - Detect - Respond A Security-First Strategy HCCA Compliance Institute April 27, 2009 1 Today s Topics Concepts Case Study Sound Security Strategy 2 1 Security = Culture!! Security is a BUSINESS

More information

Internet Security and Acceleration Server 2000 with Service Pack 1 Audit. An analysis by Foundstone, Inc.

Internet Security and Acceleration Server 2000 with Service Pack 1 Audit. An analysis by Foundstone, Inc. Internet Security and Acceleration Server 2000 with Service Pack 1 Audit An analysis by Foundstone, Inc. Internet Security and Acceleration Server 2000 with Service Pack 1 Audit This paper presents an

More information

Chapter 9 Firewalls and Intrusion Prevention Systems

Chapter 9 Firewalls and Intrusion Prevention Systems Chapter 9 Firewalls and Intrusion Prevention Systems connectivity is essential However it creates a threat Effective means of protecting LANs Inserted between the premises network and the to establish

More information

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping Larry Wilson Version 1.0 November, 2013 University Cyber-security Program Critical Asset Mapping Part 3 - Cyber-Security Controls Mapping Cyber-security Controls mapped to Critical Asset Groups CSC Control

More information