In an effort to educate readers through a series of articles, the author makes clear in this very first article that technology alone cannot do any magic unless the user is kept up to date and well educated in a continuously evolving security threat landscape.
By Andrew Lee, CISSP, Chief Technology Officer, K7 Computing Private Ltd.
Welcome to the first in a series of articles on computer security, with a particular focus on malicious software (malware)—things like viruses, spyware, Trojans and related issues. I have been in the computer anti-malware field for around ten years, first within a large government organization, and later working for anti-virus software vendors. I was previously chief research officer of the Slovakian anti-virus company ESET until mid 2008, when I joined the innovative Indian anti-virus company K7 Computing. I have an almost unique perspective as someone who has worked in both the public and private sectors, in several countries, and I have had very wide and practical experience of the security field in general. In this series I hope to provide a reasonably technical overview of the modern threat landscape, and an examination of the challenges that face organizations today as they attempt to defend against the highly organized and motivated criminals attempting to use malware against them for fraud, extortion and industrial espionage.
Why Is India a Different Market?
India is one of the world’s most populous countries, containing within its borders a vast diversity of language and culture, its own musical and entertainment traditions, as well as a burgeoning IT industry. It is therefore to be expected that some of the malware threats will be somewhat unique to the region, although of course, on the Internet there are very few borders. Because most of the popular anti-virus and anti-malware products are created in North America or Europe, those products are less likely to be focused on the issues that directly affect Indian businesses and homes, nor will their researchers necessarily have knowledge of the unique environment found here. Some other countries have relatively ‘antiseptic’ environments—not much pirated software, along with widely deployed and frequently updated security solutions and recent operating systems. India, in contrast, has a wider range, with a high level of piracy and many legacy systems, which presents unique challenges to anti-virus products; for instance, many systems will already be infected with malware before any anti-virus gets installed.
Even in the realm of social engineering (that is, using psychological methods to fool users into taking actions—say, clicking on a link in a phishing email because they’ve been told their bank account will be disabled), India is unique. For instance, the population that is likely to get excited about (or even know about) Paris Hilton (an American heiress, famous for little other than being famous) is far smaller than the population that might click on an attachment claiming to be pictures of, say, Shilpa Shetty.
Is Technology Enough?
Technology alone is never a guarantee of security, and the human factor must always be taken into account. Deploying technologies for security requires knowledge of correct implementation, but more importantly of enforcement, and of reaction to alerts. A good example of what I mean can be found across the country in our hotels. Since the awful events in Mumbai last year, there has been a general increase in security measures throughout the country, with one of the most obvious being the deployment of ‘walk-through’ scanners at hotel entrances, sometimes supplemented by guards with hand-held metal detectors. These devices are recognizable to anyone who has been through security at an airport, and are known to be tried and tested – perhaps the major reason for their use. The unfortunate truth is that the deployment of these systems has, in most cases, been entirely useless because they are not used correctly. For instance, while people are asked to walk through the scanners, often no action is taken if the scanner activates; indeed, I’ve often remarked wryly to an acquaintance that if it didn’t beep, they wouldn’t know whether it was working. Likewise, when the hand-held detector wands activate, the guards do not check what activated them. At one hotel I was asked to carry my laptop bag and suitcase through the walk-through scanner, which of course set off the beep, but no check was made subsequently—somehow I was magically secure by walking through the device. In another case, I was ‘wanded’ by a guard who clearly didn’t realise that the battery in the wand was flat. In almost every instance I have seen these measures taken at hotels here, they have been either completely or nearly worthless. Technology is not magic.
Think Beyond Technology, Think Education
These are classic failures, due to misunderstanding what security technologies are supposed to do. Correct implementation is essential to good security, but more important is the action taken (or the ability to take action) after an event has occurred. The technology is only something that enables a solution; the outcome depends on the action taken. This is hardly surprising: I have read various reports that security agencies in many Indian cities have seen ten-fold increases in the number of daily calls asking for security staff. To think that such vast numbers of people (enough to supply two or more guards to every major hotel in the country) could be trained well enough to do the job properly in such a short space of time is, at best, naive.
A parallel to this in the anti-malware world is a problem that we often come across in our support department (and one that often pops up in conversations)—people install (often pirated) anti-virus programs, but then never (or can’t) update them. Because new malware appears on a daily basis, this is like running your metal detector with a flat battery. People sometimes criticise anti-malware software vendors for hooking people into ‘addictive’ software that guarantees a consistent revenue stream for the vendor. However, there are few other pieces of software in the world which are required to do what an anti-malware program must.
A huge percentage of malware is only active for a short time (days at most). A new variant may infect very few or very many systems, but eventually it will all but disappear, and something else will appear to take its place. When I started out in this industry in 1997, there were probably something in the region of 1 lakh viruses in the world; today anti-malware labs may see that many new samples a week, and most labs will detect a sample base of at least a crore of malware files.
Although there have been tremendous steps forward in pro-active detection of these new malware variants, it is still not possible to detect all of them without updates, so most vendors will release several updates per day. The hand-held metal-detecting ‘wand’ is a good analogy: imagine that each wand can scan 100 people before the battery requires changing. If you have 500 people visit your hotel in a day, you will have to change batteries 5 times to scan them all effectively. If you don’t, then 400 of those people could have been carrying a weapon, and you would not know. So it is with anti-virus: without the updates, you can’t detect everything we know about. Far from being a failure of our technology, this is testament to the efficiency and skill of the programming behind it.
Not only that, but because anti-virus programs exist at a very low level in the system, so that they can intercept all the file operations and so on, they must be tested to a very high quality standard to avoid problems like blue-screens and false positives (where an innocent file is detected wrongly). A friend of mine once told me that if you make a mistake in your software, your support department will fix it one customer at a time. If you have several millions of customers, then that’s a lot of fixes—having to release an update every hour certainly increases the chances of something going wrong if you don’t have good processes in place.
The clincher is the fact that most malware authors routinely test their creations against anti-virus software to try to avoid detection; a recipe for a constant cat-and-mouse battle between the ‘good guys’ and the ‘bad guys’. Because of this, our technology is constantly evolving; we are always looking for new ways to detect more and protect customers more effectively.
Conclusion
As should be clear from the examples I’ve given here, one of the keys to good security is education, and I hope that with this series I will be able to share some of my knowledge with you to help you to increase your security.