In the last few weeks I’ve been talking to some of the corporations hit by famous Operation Aurora; the attack that triggered the
Google-China virtual war.
The CISOs of these companies are facing a daunting task. These incidents reached board-level attention, and left many questions unanswered. How good are the traditional defense mechanisms? What control do I have over what my employees do at work and at home?
What sort of data is stolen from the corporate? Is there anything that can be done to identify and seal all the gaps? And what exactly is the scale of the threat? Is it an industry-wide problem?
RSA’s latest whitepaper on Cybercrime (registration required) addresses the last question. To be more exact, it asks the following question:
how many Fortune 500 companies have compromised PCs running Trojans?
Take a guess.
10%?
20%?
Would you dare say 30%?
The correct answer is 88%, and truth be told, this is probably a conservative estimate. Virtually every company has employees that were infected with Trojans, and bring the problem into the office. These Trojans are busy moving terabytes of corporate data
to stealthy drop zones scattered around the
Dark Cloud of Cybercrime infrastructure.
After all, it’s a numbers game. Zeus, a highly popular Trojan kit,
runs on 3.6 million computers in the US, and that’s a conservative estimate.
Mariposa had 12.7 million PCs infected including those belonging to half of the fortune 1000 companies. If you have tens of millions of consumer PCs infected, you’re bound to have tens of thousands of fortune 500 resources infected.
Then there are targeted attacks. In Operation Aurora employees of 34 mega companies including Google, Intel, Adobe as well as giant defense contractors, utilities and media companies got emails containing a corrupt PDF document; when they opened it, a chain
of vulnerabilities led to the hijacking of their PCs, allowing the Cybercriminals access into the corporate network from the compromised machines.
In other types of Trojans such as Zeus, the employees are typically infected at home when they are not connected to the network (although some infection happens during work and behind the firewall). Most of these infections are on laptops – a phenomenon
I dubbed Curse of the Were-Laptop. It can also be a remote-access PC, i.e. a private computer that is allowed to establish a VPN connection to the network. And it can be a mobile device
such as a Smartphone.
You don’t have to be stupid to get infected.
Drive-by-Download infection happens automatically whenever you surf into a compromised site – the latest example is the
US Treasury website (don’t worry, you can click on the link) – and you happen to have an un-patched component (including basic Internet tools like Flash, Java or Acrobat Reader, not to mention browser or operating system). You can also be tricked to download
something – for example when a social network buddy sends you a link to a ‘cool video’.
Once infected, the Trojan will start recording all Internet related traffic, perform keylogging, grab emails, browser-stored passwords, and a long list of additional items. The Trojan doesn’t stop at online banking credentials and credit card data: it steals
your social network posts, your medical content, your private chats, your constituent letters, and all of your work related content: credentials for internal systems, emails you sent or received, corporate financial results, sensitive customer-related web
forms you completed in CRM systems.
If you see the corporate data floating around in Trojan motherships, you get goose bumps. It’s a hair splitting, nerve wracking experience.
All of this means one thing: the battlefield is changing. Employees, rather than networks, are now in the front. And the industry needs to build a new defense doctrine against these emerging threats.