by Rik Ferguson

Malice in Wonderland

Opinion
Mar 15, 2010
Security Software

Despite the best efforts of enterprises and security vendors, recent news stories and the prevailing opinion of the executives I talk with both indicate a growing concern over information theft from malicious activity. Is this concern justified? Data from the threat assessments we have carried out across the globe would certainly seem to indicate that it is. Based on 130 assessments worldwide, 100 per cent of enterprises had active malware infections of which they were not aware, and over 70 per cent of those were bots or information-stealing malware.

It’s well known that the criminal underground is geared up for the theft of valuable corporate and personal information, with form-grabbers, man-in-the-browser malware, bot and VNC capabilities, automated exploit modules and mature partner delivery platforms. So why are the security industry and the enterprise not facing up to the challenge effectively?

Securing the enterprise environment is increasingly problematic as the environment itself becomes ever more fragmented. Increased mobility, a more dynamic application landscape, cloud adoption and social networking all offer valuable opportunities to the enterprising criminal. Alongside this, IT professionals are struggling to deal with the unending tide of patches required to fend off critical vulnerabilities, vulnerabilities that are actively exploited as soon as, or often before, the patch is made available. Lewis Carroll was way ahead of his time; I can only think he was talking about patching when he wrote:

“Well, in our country,” said Alice, still panting a little, “you’d generally get to somewhere else — if you run very fast for a long time, as we’ve been doing.”

“A slow sort of country!” said the Queen. “Now, here, you see, it takes all the running you can do, to keep in the same place. If you want to get somewhere else, you must run at least twice as fast as that!”

Another factor that disadvantages the good guys is that we are mostly obliged to play with an open hand.
Common operating environments are a known quantity to criminals, as is the common security and application portfolio. This means that they can focus their efforts on uncovering high-value vulnerabilities that offer the most return on investment. Their own application environment, though, is much more closed, and they can (and do) test their creations against all the known security vendors to make sure they go undetected.

It’s not sufficient to base your layered security on the layers in your infrastructure or the layers of user behaviour. When considering security technologies, think about the layers on which modern threats operate: the exposure layer, the vulnerability layer, the infection layer and the execution layer. Remember that malicious activity is not only inbound; deploy mechanisms that work on the assumption that the protected asset is already compromised, technologies that offer out-of-band monitoring and detection.

We need to combat the complacency that sometimes prevails in our industry; the way that things have always been done may no longer be the *right* way to do things. Just because your incumbent security system tells you everything is rosy, it doesn’t mean you’re clean, as many corporations are discovering to their cost.
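As an added example of the out-of-band, assume-compromise monitoring the column recommends (this is not code from the article or its author), the Python below looks for periodic beaconing in constructed web proxy log lines: a bot that phones home on a fixed schedule with a constant-size request stands out from human browsing even when the endpoint's own security software reports nothing. The log format, the hostnames and IP addresses, and the thresholds (at least five connections, inter-arrival coefficient of variation of 10 per cent or less) are all assumptions made for the example.

```python
"""Detect periodic beaconing in proxy logs, independent of endpoint security software."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log: "<ISO timestamp> <client ip> <destination host> <bytes sent>".
# One client talks to a placeholder host every ~300 s with a constant request size,
# while the same client and another one browse internal and news sites irregularly.
SAMPLE_LOG = """\
2010-03-15T09:00:00 10.0.0.12 beacon-placeholder.example.test 412
2010-03-15T09:00:03 10.0.0.12 intranet.example.test 20480
2010-03-15T09:00:41 10.0.0.12 intranet.example.test 3072
2010-03-15T09:02:10 10.0.0.33 news.example.test 5120
2010-03-15T09:05:00 10.0.0.12 beacon-placeholder.example.test 412
2010-03-15T09:07:19 10.0.0.12 intranet.example.test 1024
2010-03-15T09:08:02 10.0.0.12 intranet.example.test 1536
2010-03-15T09:10:02 10.0.0.12 beacon-placeholder.example.test 412
2010-03-15T09:11:45 10.0.0.33 news.example.test 8192
2010-03-15T09:14:58 10.0.0.12 beacon-placeholder.example.test 412
2010-03-15T09:20:00 10.0.0.12 beacon-placeholder.example.test 412
2010-03-15T09:21:40 10.0.0.12 intranet.example.test 2048
2010-03-15T09:22:05 10.0.0.12 intranet.example.test 4096
2010-03-15T09:25:01 10.0.0.12 beacon-placeholder.example.test 412
2010-03-15T09:26:30 10.0.0.33 news.example.test 2048
"""


def parse_log(text):
    """Group (timestamp, bytes) events by (client, destination) pair."""
    records = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        records[(src, dst)].append((datetime.fromisoformat(ts), int(size)))
    return records


def beacon_score(timestamps):
    """Return (mean gap in seconds, coefficient of variation) for sorted timestamps.

    A low coefficient of variation means the gaps are nearly identical, i.e. the
    connections are happening on a timer rather than at a human's pace.
    """
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    avg = mean(gaps)
    return avg, (pstdev(gaps) / avg if avg else float("inf"))


def find_beacons(records, min_events=5, max_cv=0.1):
    """Flag client/destination pairs whose traffic looks machine-scheduled."""
    findings = []
    for (src, dst), events in records.items():
        if len(events) < min_events:
            continue  # too few connections to judge periodicity
        times = sorted(t for t, _ in events)
        interval, cv = beacon_score(times)
        if cv <= max_cv:
            sizes = {s for _, s in events}
            findings.append({
                "src": src,
                "dst": dst,
                "count": len(events),
                "interval_s": round(interval),
                "cv": round(cv, 3),
                "constant_size": len(sizes) == 1,  # same payload every time is extra suspicious
            })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{hit['src']} -> {hit['dst']}: {hit['count']} connections every "
              f"~{hit['interval_s']}s (cv={hit['cv']}, constant size={hit['constant_size']})")
```

Run against the constructed sample it reports a single pair, 10.0.0.12 talking to the placeholder host every ~300 seconds with an unvarying request size, while the irregular intranet and news browsing by both clients is left alone. On real data the interesting part is the tuning: a long observation window, jitter-tolerant thresholds and an allow-list of known update services, none of which depends on the monitored host cooperating, which is the point of doing the detection out of band.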