
Moving from Vulnerable Code to Vulnerable Service: The IT Compliance Challenge
BY RON MEYRAN,
Product Manager Security, Radware



Complying with IT regulations such as PCI, SOX, HIPAA and others is one step closer to building a well-secured application environment. The motivation of hackers has changed: the "old" motive of gaining fame has given way to financial gain, with attackers looking for unauthorized access to confidential information such as credit card numbers, patient records and the like. Cyber crime activities employ a new class of network attacks that go undetected by standard network security tools. IT managers must improve their security practices to deliver a true and effective IT compliance infrastructure.

Introduction
Hackers, discovering they can make money from cyber attacks, offer their services for sale. They offer a wide variety of "products" ranging from a bots-for-hire service that can put organizations under siege, up to sensitive information trading including credit cards, bank accounts, patient records, license keys and the like. You can buy "fresh dump" credit card numbers with PIN starting at $20 each and up to $100 for a platinum card.

IT regulations such as PCI, SOX and HIPAA were established to mandate security practices that eventually will reduce if not prevent malicious use of sensitive private data by cyber crime.

In March 2008, a widely covered breach at Hannaford Bros. Co., an east-coast US supermarket chain, emphasized the risks faced by exposed on-line organizations: 4.2 million account numbers were stolen. Hannaford had been found compliant with PCI DSS, the security standard required by the payment card industry, but this case demonstrated that IT managers must constantly improve their security practices to protect their business.

Building a secured IT infrastructure requires the use of best security practices for IT compliance. In the next sections we will discuss the key trends in network security and how they impact regulatory compliance.

From Vulnerable Code to Vulnerable Service
Traditional network security practices have focused on researching application software code, finding flaws in the code that could lead to a security breach exploitable by hackers, and patching them. Such a flaw is referred to as a vulnerability. When hackers discover a vulnerability before the software and security vendors do, they can launch a zero-minute attack, exploiting this newly discovered and unpatched vulnerability. In any case, the protection consists of locating vulnerable application code and issuing a patch for it. Software updates and patches, antivirus updates, Intrusion Prevention System signature updates: all are about protecting vulnerable code.

To bypass existing security technologies that focus on patching vulnerable code, hackers are now switching from vulnerability-based attacks to "non-vulnerability-based attacks". These new types of attacks do not exploit any flaw in the code, and therefore patching will not help block them. These attacks are executed against Internet-connected services and users without being noticed by existing protection technologies, and can result in information theft, fraud and service disruption.

What are Non-Vulnerability Threats?
Non-vulnerability-based threats aim to exploit weaknesses in server applications that cannot be defined as vulnerabilities; they are attempts to misappropriate software without relying on a vulnerability. These attacks are typified by a sequence of individually legitimate events, generally not associated with unusually large traffic volume. They are used to break authentication mechanisms and to scan the application for hidden confidential files. More sophisticated non-vulnerability attack forms include well-chosen, repeated sets of legitimate application requests that misuse server CPU and memory resources, thus creating a full or partial denial of service (DoS) condition in the application. This attack method allows hackers to blend in with legitimate forms of communication and comply with all application rules, so that in terms of traffic thresholds or known attack signatures they pass under the radar of existing network security technologies.

To emphasize the difference between the traditional vulnerability-based attack (known or zero-minute) and the non-vulnerability-based attack: for the former it is always possible, sooner or later, to create a signature that represents the malicious code and can be used to block the attack, or to develop an application patch that fixes the associated application flaw. In the case of non-vulnerability attacks, no such malicious code exists, and therefore there is neither an attack signature nor an application patch.
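The two preceding paragraphs describe attacks made of individually legitimate requests that neither a volume threshold nor an attack signature will catch. The following script is an added example, not code from the article or from Radware, showing what a behaviour-based check on a web server access log looks like in contrast to a signature check. The log lines are constructed for the example, and the endpoint name `/login`, the 500 KB "heavy response" cut-off and the per-client thresholds are assumptions chosen for illustration; the `signature_hits` patterns are a deliberately small stand-in for a signature engine.

```python
"""Behaviour-based triage of an access log for non-vulnerability-based attack patterns.

Added example (not part of the original article). It profiles each client on the
*shape* of its requests (repeated failed logins, many distinct 404s, repeated
heavy responses) instead of on request volume or payload signatures.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample data in combined-log-like format. Every client sends only
# a handful of requests, so a per-client rate threshold never fires, and no
# request carries a malicious payload, so a signature engine finds nothing.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2009:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120
10.0.0.5 - - [10/Mar/2009:10:00:03 +0000] "GET /catalog HTTP/1.1" 200 20480
10.0.0.5 - - [10/Mar/2009:10:00:09 +0000] "POST /login HTTP/1.1" 200 311
198.51.100.7 - - [10/Mar/2009:10:01:00 +0000] "POST /login HTTP/1.1" 401 120
198.51.100.7 - - [10/Mar/2009:10:01:02 +0000] "POST /login HTTP/1.1" 401 120
198.51.100.7 - - [10/Mar/2009:10:01:04 +0000] "POST /login HTTP/1.1" 401 120
198.51.100.7 - - [10/Mar/2009:10:01:06 +0000] "POST /login HTTP/1.1" 401 120
198.51.100.7 - - [10/Mar/2009:10:01:08 +0000] "POST /login HTTP/1.1" 401 120
198.51.100.7 - - [10/Mar/2009:10:01:10 +0000] "POST /login HTTP/1.1" 401 120
203.0.113.9 - - [10/Mar/2009:10:02:00 +0000] "GET /backup.zip HTTP/1.1" 404 210
203.0.113.9 - - [10/Mar/2009:10:02:01 +0000] "GET /admin/ HTTP/1.1" 404 210
203.0.113.9 - - [10/Mar/2009:10:02:02 +0000] "GET /old/ HTTP/1.1" 404 210
203.0.113.9 - - [10/Mar/2009:10:02:03 +0000] "GET /config.bak HTTP/1.1" 404 210
203.0.113.9 - - [10/Mar/2009:10:02:04 +0000] "GET /db.sql HTTP/1.1" 404 210
203.0.113.9 - - [10/Mar/2009:10:02:05 +0000] "GET /test/ HTTP/1.1" 404 210
192.0.2.33 - - [10/Mar/2009:10:03:00 +0000] "GET /report?range=all HTTP/1.1" 200 900000
192.0.2.33 - - [10/Mar/2009:10:03:20 +0000] "GET /report?range=all HTTP/1.1" 200 900000
192.0.2.33 - - [10/Mar/2009:10:03:40 +0000] "GET /report?range=all HTTP/1.1" 200 900000
192.0.2.33 - - [10/Mar/2009:10:04:00 +0000] "GET /report?range=all HTTP/1.1" 200 900000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]+" (?P<status>\d{3}) (?P<bytes>\d+)$'
)

# A stand-in for a payload signature list: classic traversal, SQL and script markers.
SIGNATURES = [re.compile(r"\.\./"), re.compile(r"(?i)union\s+select"), re.compile(r"<script")]

LOGIN_PATH = "/login"  # assumed name of the authentication endpoint


@dataclass
class ClientProfile:
    requests: int = 0
    failed_logins: int = 0                                   # 401s on the login endpoint
    missing_paths: set = field(default_factory=set)          # distinct URLs that returned 404
    heavy_hits: dict = field(default_factory=lambda: defaultdict(int))  # url -> count of heavy 200s


def parse_line(line):
    """Return a dict of the fields in one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def build_profiles(log_text, heavy_bytes=500_000):
    """Aggregate per-client behaviour; heavy_bytes approximates a CPU/memory-costly response."""
    profiles = defaultdict(ClientProfile)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        p = profiles[rec["ip"]]
        p.requests += 1
        if rec["url"] == LOGIN_PATH and rec["status"] == 401:
            p.failed_logins += 1
        if rec["status"] == 404:
            p.missing_paths.add(rec["url"])
        if rec["status"] == 200 and rec["bytes"] >= heavy_bytes:
            p.heavy_hits[rec["url"]] += 1
    return profiles


def classify(profiles, rate_threshold=100, login_fail=5, probe_paths=5, heavy_repeats=3):
    """Map client IP -> list of reasons; 'volume' is the only check a rate limiter would make."""
    findings = {}
    for ip, p in profiles.items():
        reasons = []
        if p.requests >= rate_threshold:
            reasons.append("volume")
        if p.failed_logins >= login_fail:
            reasons.append("credential-guessing")
        if len(p.missing_paths) >= probe_paths:
            reasons.append("hidden-file-scan")
        if any(n >= heavy_repeats for n in p.heavy_hits.values()):
            reasons.append("resource-misuse")
        if reasons:
            findings[ip] = reasons
    return findings


def signature_hits(log_text):
    """Lines matching any payload signature; empty for the sample, as the text predicts."""
    return [ln for ln in log_text.splitlines() if any(s.search(ln) for s in SIGNATURES)]


if __name__ == "__main__":
    profs = build_profiles(SAMPLE_LOG)
    print("signature hits:", signature_hits(SAMPLE_LOG))
    for ip, reasons in classify(profs).items():
        print(f"{ip}: {profs[ip].requests} requests -> {', '.join(reasons)}")
```

Run as a script, it reports no signature hits at all, while three of the four clients are flagged on behaviour alone with at most six requests each. The three behavioural checks map directly onto the paragraph above: failed-login repetition for authentication breaking, distinct 404s for hidden-file scanning, and repeated heavy responses for CPU/memory misuse. In practice the thresholds and the notion of a "heavy" request are tuned per application from a baseline of normal traffic.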

Non-vulnerability-based attacks can be executed unnoticed by today's protection technologies on server applications such as financial online transaction services, and thus can seriously impact their availability and credibility in the eyes of users.


Copyright ©2009 The Compliance Authority, Inc.