Assessing the impact
The bigger picture enterprises have to look at includes worst case scenarios--what the impact would be if their business was hit by a hybrid attack.
AusCERT's McPherson said that there could be a financial impact if systems are taken offline, for example if the company is an e-commerce operator. There also may be the PR issue of having to explain what happened to partners and users.
However, it's not all doom-and-gloom. Although he admits that blended threats do pose quite a problem, McPherson doesn't see them as threatening as a hacker with a high-level skill set targeting a specific company. He said that often that a company which is hit by a hybrid attack may be a victim because its systems are vulnerable, which they can mitigate against by putting standards and approaches in place.
Michael Warrilow, senior consultant at industry analyst META Group, sees the growth of hybrid threats as an indication of the third generation of sophistication in technology attacks. Warrilow said that this meant that these attacks used everything that had gone before, and also incorporated newer techniques.
One new potential threat--which Warrilow believes illustrates the increasingly complexity of blended attacks are the Windows "shatter attacks".
According to META Group research this type of attack takes advantage of the lack of authentication of messages between Windows processes on the desktop, and the ability to trick the WM_TIMER service into executing an arbitrary memory address.
"This exploit is not easily automated, and so it will have some limited impact on users via viruses," the information from META Group states. "In addition, users that have up-to-date security programs--antivirus, firewall, intrusion detection/prevention--can further minimise the potential for damage."
Warrilow thinks that the greater the number of mechanisms which hackers use, the greater their chances for success.
Nor are any particular organisations exempt from potentially being the target of a hybrid attack. As the attacks become even more sophisticated it only increases the probability that they're going to get into more companies, warns Warrilow.
"The 80-20 rule of vulnerability management recognises that 80 percent of successful attacks utilise just 20 percent of a system's vulnerabilites," according to information provided by Symantec.
Are we coping?
It's all very well to know what the threats are enterprises are facing, but the question remains as to whether Australian businesses are adequately protecting themselves from the risks.
"In general, it's pretty standard procedure to protect yourself," said AusCERT's McPherson. He said it was about having a comprehensive security solution, with multiple layers of defence. "It's very hard to quantify how much you spend on prevention," he said.
He also suggested that IT departments needed to have a decent response procedure in place, which was both enforceable and practical. "If a problem occurs then [an enterprise] should have procedures in place to deal with it to minimise the damage," McPherson said.
But he admitted that it was very hard to quantify how much to spend on prevention, commenting that businesses might want to look at both worst and best case scenarios when making this decision. "What assets are you protecting and how do you mitigate that?," he asked.
META Group's Warrilow believes that enterprises can never have what can be described as perfect security, but that increasingly intelligent software was helping businesses deal with the threats which they faced.
"[Companies] need to have reasonable practices in place, and what can help them there are the relevant standards, and benchmarking themselves against the rest [of their] industry," he said.
Best practices, such as removing unneeded services, are among the suggestions from vendor Symantec on how to protect from blended threats.
"For services that are needed, software patches should be installed as soon as possible after discovery of a vulnerability," it states. "Recognising that services are an exposure because they are listening on a TCP port is important, and elimination of unneeded services can dramatically reduce system vulnerability from know exploits and future, undiscovered vulnerabilities and exploits."
Security evolves over time--it's not a set-and-forget environment--and companies need to take a common sense approach, rather than spreading this fear of doom and gloom, META Group's Warrilow said.
It's not always an easy task for IT departments to put the necessary security in place either. As the AusCERT and Deloitte Touche Tohmatsu computer crime survey points out, effectively managing computer and network security is a complex and challenging task, even for organisations which are appropriately equipped, experienced and resourced.
"IT managers and their staff have to work in an environment in which their organisations are becoming increasingly dependent on the network infrastructure to support critical business services and, therefore, must work under the pressure of higher expectations of uninterrupted availability and increased functionality," the report states.
According to the report, how access control lists, systems settings, firewall and IDS rules are configured and maintained can all potentially effect network security.
"System and network administrators must understand the plethora of rules and settings which exist and ensure all are set correctly at all times," it points out. "An incorrect configuration of the firewall rules, for example, may allow a hacker to transmit data to and from the network with minimal chance of detection."
Nor can technology alone thwart cyber attacks, warned Patrice Rapalus, director at the CSI in the US in a statement relating to the Computer Crime and Security Survey.
"There is much more illegal and unauthorised activity going on in cyberspace than corporations admit to their clients, stockholders and business partners or report to law enforcement. Incidents are widespread, costly and commonplace," Rapalus argued.
How is your organisation protecting itself from hybrid security threats? Talkback below, or e-mail your comments to edit@zdnet.com.au
