Laura Mather and her Silvertail Systems colleagues have recorded two very fine webinars on Man in the Browser (MitB) attacks and the Zeus Trojan. A Man in the Browser attack is one in which a trojan on a compromised computer captures the information a user types into browser forms and intercepts, then modifies, the content a web server attempts to display to the user. Because the trojan sits inside the browser, it sees form data before TLS encrypts it and can alter pages after the user has already logged in, which is why neither a one-time code nor a recognized machine protects the session. Zeus is a particularly insidious trojan because it allows attackers to customize MitB attacks against specific targets (largely financial institutions) and to defeat both two-factor authentication and machine ID authentication measures. Based on statistics Laura presents during the Zeus Trojan webinar, you quickly appreciate why I call it insidious: as a result of that customization, Zeus is not one botnet but nearly 800, spanning roughly 1.6 million bot hosts and attacking over 1,100 brands, 85% of which are financial institutions.
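The two MitB capabilities described above, rewriting a server response before the browser renders it and capturing what the victim then submits, are easier to reason about with a concrete model. The following is an added example written for this page; it is not code from the webinars, from Silvertail, or from any real trojan. It takes a target-specific rule in the style of a Zeus "webinject" (set_url / data_before / data_inject / data_after), applies it to a constructed login page for a hypothetical bank, decodes the resulting form submission, and finishes with the server-side check a bank could run: a POST that carries a field the real form never rendered is a tell-tale of tampering. The rule syntax, its semantics here, and every hostname and field name are this example's own assumptions.

```javascript
// Added illustration, not code from the webinar, the post, or any real trojan.
// Models Man-in-the-Browser at the string level:
//   1. rewrite a server response, driven by a target-specific rule in the style
//      of a Zeus "webinject" (set_url / data_before / data_inject / data_after);
//   2. capture the fields the victim then submits;
//   3. server-side detection of a field the genuine form never contained.
// Rule syntax, its semantics here, and all names are this example's own
// simplification (assumed, not taken from any real configuration).

// Convert a set_url pattern with "*" wildcards into an anchored RegExp.
function globToRegex(pattern) {
  const escaped = pattern
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$");
}

// Parse rule text into [{ urlPattern, before, inject, after }, ...].
// Trailing set_url flags (e.g. "GP") are dropped in this model.
function parseWebinject(text) {
  const rules = [];
  let current = null;
  let section = null;
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (line.startsWith("set_url ")) {
      current = { urlPattern: line.slice(8).trim().split(/\s+/)[0], before: "", inject: "", after: "" };
      rules.push(current);
      section = null;
    } else if (line === "data_before" || line === "data_inject" || line === "data_after") {
      section = line.slice(5); // "before" | "inject" | "after"
    } else if (line === "data_end") {
      section = null;
    } else if (current && section) {
      current[section] += line; // HTML fragments, concatenated without newlines
    }
  }
  return rules;
}

// Rewrite a response body: insert `inject` right after the first occurrence of
// `before`; if `after` is set, everything between the two markers is replaced.
function applyWebinject(url, html, rules) {
  let out = html;
  for (const rule of rules) {
    if (!rule.before || !globToRegex(rule.urlPattern).test(url)) continue;
    const start = out.indexOf(rule.before);
    if (start < 0) continue;
    const injectAt = start + rule.before.length;
    let resumeAt = injectAt;
    if (rule.after) {
      const end = out.indexOf(rule.after, injectAt);
      if (end < 0) continue;
      resumeAt = end;
    }
    out = out.slice(0, injectAt) + rule.inject + out.slice(resumeAt);
  }
  return out;
}

// Form grabbing: decode an application/x-www-form-urlencoded body as a hook
// inside the browser would see it, i.e. before TLS is applied on the wire.
function grabFormFields(postBody) {
  const fields = {};
  for (const [name, value] of new URLSearchParams(postBody)) fields[name] = value;
  return fields;
}

// Server-side detection: field names the bank's own form never rendered.
function detectInjectedFields(postBody, expectedFieldNames) {
  const expected = new Set(expectedFieldNames);
  return Object.keys(grabFormFields(postBody)).filter((name) => !expected.has(name));
}

// Constructed sample data (hypothetical bank, hypothetical rule).
const SAMPLE_RULES = `
set_url https://online.example-bank.test/login* GP
data_before
<input type="password" name="password">
data_end
data_inject
<label>Card PIN</label><input type="text" name="pin">
data_end
data_after
data_end
`;

const SAMPLE_LOGIN_PAGE =
  '<form method="post" action="/login">' +
  '<input type="text" name="user">' +
  '<input type="password" name="password">' +
  '<button>Sign in</button></form>';

// One attack end to end: rewrite the page, capture the submission, detect it.
function demonstrate() {
  const rules = parseWebinject(SAMPLE_RULES);
  const loginUrl = "https://online.example-bank.test/login?lang=en";
  const tamperedPage = applyWebinject(loginUrl, SAMPLE_LOGIN_PAGE, rules);
  const victimPost = "user=alice&password=s3cret&pin=1234"; // constructed submission
  return {
    tamperedPage,
    grabbed: grabFormFields(victimPost),
    unexpected: detectInjectedFields(victimPost, ["user", "password"]),
  };
}
```

Calling `demonstrate()` returns the rewritten page with the extra "Card PIN" field, the captured credentials including the PIN the bank never asked for, and `["pin"]` from the server-side check. The detection is deliberately simple: it only catches injects that add fields, not ones that merely alter amounts or payees in an already-legitimate transaction, which is why behavioral detection of the kind L15 alludes to looks at far more than field names.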
Laura recently asked APWG colleagues to comment on the suggestion that “trojans like Zeus are the biggest threat to small business in the last decade”. I'd say that Zeus is the most recent, but not nearly the last, “biggest threat” to small business. My experience is that small business networking and security differ very little from residential broadband and differ *dramatically* from medium to large enterprise. Common attributes of small business networking and security I’ve encountered include:
- very little if any in-house networking or security expertise
- employees are not sophisticated users
- employees receive little or no training and have little or no security awareness beyond “I run antivirus so I’m safe from all that”.
- the security or professional services small businesses can afford are not as competent as medium/large enterprise IT staff or the consulting services medium/large enterprises can engage
- the security and networking technology small businesses invest in is often residential quality, freeware, or a modest increment (e.g., from a $100 broadband firewall/router to a $300 UTM device)
- default configurations are the rule rather than the exception; in fact, a fair number of small businesses run default configurations in complete ignorance, or because they are afraid to alter configurations for fear of breaking something
My initial response to Laura was “You’re spot on when you say ‘something like Zeus can destroy a small business’ but honestly, it doesn't take a Zeus in most cases.” Mulling the Zeus scenario a second time, particularly having watched the webinar, I think the threat is as worrisome as Laura suggests. Small businesses look like a sweet spot for financial abuse: they have more capital than individual bank customers and less access to the types of detection and countermeasures larger organizations can acquire from companies like Silvertail Systems.
I also worry that the configuration agility Zeus introduces has broader applications than attacks on financial institutions. I’m thinking specifically of healthcare. If you really want a healthcare scare, run a security audit on your typical medical practice office network or not-for-profit (NFP) hospice. I have, and they are not pretty. From experience, I’ll speculate that many of the attributes I mentioned earlier are commonplace among the typical physician, hospice, laboratory or diagnostic testing facilities you visit. I don't sleep well some nights thinking about the offices of the physicians who manage my family’s care whose networks I haven't been invited to check. I’ll sleep even less now, worrying that Zeus could be configured to target healthcare insurance providers.
Yeah, I would most probably agree. At work we've taken on a few new clients and GOD are their systems set up horribly. Antivirus out of date/not installed, admin rights for everyone, terminal servers not locked down.
All quite delicious for malware/viruses to work their magic. Sigh.
Oh well the recommendations are on the drawing board currently. Will make my life a lot easier :)
Posted by: Virus Removal | Thursday, 10 June 2010 at 08:48 AM