malware

May 01, 2008

In the Eye of Malware’s Hurricane

Blogger: Dan Blum

In the eye of the hurricane, the helmsman rests; sun glitters through windswept clouds but the sea is deceptively calm as far as the eye can see. He shades his gaze from the glare and wonders from which point the storm will strike again…

Like the helmsman, security staff at a number of large companies we visited are wondering where the malware went. After years of battling spreading worms and viruses, the alarms are quiet, the infections relatively rare. What happened? Did firewalls, patch management and anti-virus tame the beast? Or has the nature of the beast changed?

A bit of both, we think. Countermeasures successfully block most self-propagating malware, especially (as we predicted) in large enterprise environments with locked down systems. And there are fewer propagating worms and viruses out there than there were in their heyday.

But malware isn’t going away, it’s just changing. McAfee told us the number of samples they see has increased manyfold over the last two years. According to the Internet Security Threat Report Volume XIII (April 2008), Symantec saw 499,811 new malicious code threats in the second half of 2007, a 136% increase over the first half of the year. Symantec also measured over 61,000 active botnet machines per day, and Websense found thousands of legitimate websites infected with links to malicious sites.

There is a growing number of underground economy servers selling everything from financial information to increasingly sophisticated crimeware toolkits. Finjan predicts that in the future, the underground economy will mature to the point where already-prevalent crimeware as a service (CaaS) style offerings will enable cybercriminals to tap straight into a data feed from victim machines belonging to an individual or organizational target of interest – no need to bother with much up-front work. That’s a scary thought.

It’s not just vendors hyping the stats to drum up business; we’ve heard many inklings of targeted malware from large enterprise customers (not that they like to talk about getting hit). Some of this showed up in my blog entry Financial Services Roundtable Promotes Information Sharing. I’ve also heard from an impeccable source that industrial espionage is rife in the aerospace and defense sector; DoD has told aerospace and defense companies the Chinese are eating their unclassified data lunch, and has hauled staff to Washington for meetings to consult on what new compliance requirements to put into future defense contracts. Information warfare isn’t science fiction anymore. We saw it in Serbia, we saw it in Iraq, and most recently there were denial of service attacks in Estonia.

When you’re in the eye of a hurricane, it’s hard to tell where the storm will hit next, but you know it isn’t over. While financial services firms and defense/aerospace companies take the brunt of targeted attacks today, government is also under heavy attack and, according to Symantec, yielded the lion’s share of identity data breaches in 2H 2007. ISPs get phished a lot, medical identity fraud is increasing, and any organization charged with safeguarding critical infrastructure is also under a cloud. No organization is immune to one of its employees randomly tripping across a malicious website and getting rooted, defrauded, and botted; possibly leading to embarrassment, lawsuits and losses for the organization, and potentially to its being targeted for additional exploitation.

For organizations in some industries, direct targeted attacks may not be a major concern, while the higher-profile organizations I’ve identified are more likely to attract the attention of disgruntled individuals or professional crackers looking for secrets or economic gain. Those organizations need to be wary and maintain high vigilance and countermeasures. Others can relax a bit more, but still need to run a tight ship and monitor the weather map, so to speak.

If you’re lucky enough to have calm skies, do as the wise mariner would: batten down the hatches, rest and feed the crew, then take out the charts. Make sure the basic stuff like anti-malware and patch management is working. Lock down the desktops, tighten up the security zones, track down and corral your critical data, and then start thinking about additional architectural strategies to get ahead and stay ahead of the threat. We like inherent protections of the endpoint such as data execution protection (DEP), address space layout randomization (ASLR) and trusted platform modules (TPM), as well as application whitelisting, in addition to basic system hardening configuration measures. But that’s another post.

June 01, 2007

Malware - "Still not getting it!"

Blogger: Diana Kelley

At the end of the film "Harold and Kumar go to White Castle," Harold, emboldened by 30 sliders and an evening of raucous adventures in New Jersey, decides it is time for him to face his fears and declare his affection for Maria. He declares his intentions to his friend Kumar, who, perhaps made sleepy rather than energized by the sliders, responds, "still not getting it!"

Like Kumar, it appears that IT is also, "still not getting it!" when it comes to malware. Case in point, the recently published CIO Insight survey reports that while only 12% of respondents reported that money or property had been stolen through electronic means, a whopping 48% of companies reported penetration by viruses, worms, and Trojans in the past 12 months.

48%. Essentially HALF of all reporting enterprises were hit by some form of virus or worm last year. In most cases, 52% success equals failure. And maybe it is for AV - but maybe not. Another data point - 33% reported that their companies had been penetrated by spyware or other malware. Now contrast these numbers with the fact that 99% of the companies spent money on AV/spyware/malware detection in 2006 and 97% plan to spend on AV/spyware/malware in 2007.

Hmmmm, we spent money on AV, it didn't work and half of us were penetrated, so let's keep spending! More must be better, right? Not to mention that many security assessments will mark down an organization for not having AV, the PCI DSS explicitly states AV must be on Windows machines in the payment ecosystem, and the generally accepted rule is that we're better off with AV than without it.

But is that true? Are we better off? What's the real cost of deploying and managing traditional AV products versus their overall effectiveness? Is AV worth that cost? I'm not talking about the standard hand waving of "oh signatures won't work," but a real shift in thinking. If the 52% represents real dollar savings over and above the cost to purchase and deploy the AV and that also outbalances the costs associated with the 48% penetrations - then it could be success from a bottom line perspective. But it might not be.

We know that 99% of the companies in the survey spent on AV last year, and half of them got hit. What we don't know is if that money was well spent. What we need are metrics that measure the attack rate for companies that use mitigating controls (such as perimeter and host firewalls, intrusion prevention and whitelisting) in lieu of AV and in addition to AV. We need a quantitative survey of the effectiveness of various measures. As far as I know, we don't have these yet. Let me know if you know of any.

We have an industry that continues to throw money at technology with a high penetration rate. What we don't have are numbers that tell us whether that rate is acceptable or not. What we are is, "still not getting it."